Discovering Permission Requirements: Technique

Finding Permissions Errors with FileMon and Regmon

The process below may seem complicated, long and involved, but I assure you that after a few times of using it you’ll be able to do it in your sleep. Amaze your co-workers by finding and fixing permission problems in just 3 or 4 minutes! Work out your own technique and tricks so you can do this quickly and easily.

  1. As an administrator, install the software on the machine and reboot.
  2. Login as the unprivileged/restricted user (e.g. “TEST”).
  3. Use the RUNAS command to open a command prompt with an administrator account (e.g. “runas.exe /user:administrator cmd.exe”, then enter the local administrator’s password when prompted).
  4. From the admin command window, launch RegMon and FileMon.
  5. Now launch the target program (as the restricted user) from the Start Menu, and use it until you get error messages suggesting that you don’t have enough privileges.
  6. Stop the monitoring and save the RegMon and FileMon results into log files.
  7. Use Microsoft Excel or the data-munging tool of your choice to open up the log files and search for “ACCESS DENIED” errors when the program tried to “WRITE” to the filesystem or “SET VALUE”s in the registry.
  8. Now (as an admin), open up the permissions on those files or registry keys so that the BUILTIN\Users group has “change” rights (never give out “Full Control”!).
  9. As the shampoo bottle says: Rinse and Repeat. You may have to try this several times until you find all the files or keys which the program tries to write to.

Analyzing the Monitor Logs

Here are a few tips about using MS Excel to analyze the log files created by FileMon and RegMon.

  • Open the .LOG file in Excel either by the “Open with…” context menu (right-click) option, or by opening Excel and browsing to the file with the “All files (*.*)” filter set. In the first method you are not prompted at all, but with the second you’ll see a dialog box for which you simply need to hit the “Finish” button:

  • You’ll probably want to auto-resize the column widths (select all and double-click the line between two of the column headers), but the fifth column “E” (the file or registry key path) will be too wide for easy viewing; you may want to shrink it down by right-clicking the column header and choosing “Column Width…”
  • The column contents are as follows:

    FileMon:
    A: log item number
    B: timestamp, in clock time
    C: program executable name:process number
    D: request (i.e. what the program wants to do with the file)
    E: file path
    F: result (success, failure, etc.)
    G: additional comments

    RegMon:
    A: log item number
    B: timestamp, in seconds since the capture started
    C: program executable name:process number
    D: request (i.e. what the program wants to do with the key/value)
    E: key or value path
    F: result (success, failure, etc.)
    G: additional comments

  • Excel 97 and higher have a handy feature called the “AutoFilter” which is great for narrowing down your entries to just what you’re looking for. You enable it by creating an empty or header row at the top of the document, highlighting that row, and choosing from the menu Data… | Filter… | AutoFilter, as in the picture below:

    To use AutoFilter, click the drop-down triangle at the top of the column you want to filter on, then choose from the list the entries you want to restrict to. For example, if you only want to see the events which were created by the program you’re testing (say, MS Word), then click the triangle on the third column and choose the process labeled “WINWORD.EXE:###”; now the only rows showing are those from “WINWORD.EXE:###”. If you need a combination of two possibilities, use the “Custom…” option from the AutoFilter drop-down.

    Use filtering to get exactly what you want quickly. Several options you may want to try are restricting the list to:

    • the target program (column “C”)
    • “WRITE” or “SET VALUE” requests (column “D”)
    • “ACCESS DENIED” or “FAILURE” results (column “F”)

    Now your list should be pretty small, and most likely these entries are the ones you need to change the permissions for.

  • When you look over the list of requests and results in series, you’ll note what seems like a lot of failures. But the more you observe what’s going on as you see it logged here, the more you’ll understand that they are not really failures that you’re seeing. Rather, it’s just how the operating system works in the background. For example, when the system is trying to open a file for reading or writing, it may first try to open it with the “FAST I/O” option, which usually fails for network drives. Also, as the program is looking for the DLLs or other binary resource files it needs, it will always check in the same directory first, then start checking through the paths in the PATH variable one by one; when this happens, you’ll see several failures in different directories until it finds the file it needs. Another false alarm you may encounter is that sometimes the system will try to read so fast (presumably) that the drive(s) can’t keep up, so one in a bunch of reads will fail; as long as there are successful reads afterwards then everything is most likely okay.
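The same narrowing the AutoFilter steps perform (target program, “WRITE”/“SET VALUE” requests, “ACCESS DENIED” results), plus a pass that labels the harmless background failures just described, done in a short Python script instead of Excel. This is an added example, not part of the original article: the log lines are constructed in the seven-column layout described above, and the program name, item numbers and paths are made-up assumptions.

```python
# Constructed sample in the tab-separated A-G column layout described above; FileMon
# and RegMon write separate .LOG files, merged here only to show one filter. Values are made up.
SAMPLE_LOG = """\
1\t9:15:01 AM\tWINWORD.EXE:1204\tOPEN\tC:\\WINDOWS\\system32\\mso.dll\tNOT FOUND\tOptions: Open
2\t9:15:01 AM\tWINWORD.EXE:1204\tOPEN\tC:\\Program Files\\Office\\mso.dll\tSUCCESS\tOptions: Open
3\t9:15:02 AM\tWINWORD.EXE:1204\tFASTIO_QUERY_OPEN\tZ:\\templates\\normal.dot\tFAILURE\t
4\t9:15:02 AM\tWINWORD.EXE:1204\tREAD\tC:\\Program Files\\Office\\mso.dll\tFAILURE\tOffset: 0
5\t9:15:02 AM\tWINWORD.EXE:1204\tREAD\tC:\\Program Files\\Office\\mso.dll\tSUCCESS\tOffset: 0
6\t9:15:03 AM\tWINWORD.EXE:1204\tWRITE\tC:\\Program Files\\Office\\settings.ini\tACCESS DENIED\tOffset: 0
7\t9:15:03 AM\tEXPLORER.EXE:820\tWRITE\tC:\\WINDOWS\\recent.dat\tACCESS DENIED\t
8\t0.00512\tWINWORD.EXE:1204\tSetValue\tHKLM\\Software\\Office\\LastUser\tACCESS DENIED\t"TEST"
"""

COLUMNS = ("num", "time", "process", "request", "path", "result", "other")
WRITE_REQUESTS = {"WRITE", "SETVALUE"}  # FileMon "WRITE", RegMon "SetValue"

def parse_log(text):
    """Split each tab-separated log line into a dict keyed by the column's role."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 6:
            continue  # blank, header or truncated line
        rows.append(dict(zip(COLUMNS, (parts + [""])[:7])))
    return rows

def denied_writes(rows, process):
    """Paths where `process` was denied a write/set-value: the permission candidates."""
    hits = {}
    for r in rows:
        if (r["process"].upper().split(":")[0] == process.upper()
                and r["request"].upper().replace(" ", "") in WRITE_REQUESTS
                and r["result"].upper() == "ACCESS DENIED"):
            hits.setdefault(r["path"], []).append(r["num"])
    return hits

def false_alarms(rows):
    """Item number -> reason, for failures that are normal background activity."""
    reasons = {}
    for i, r in enumerate(rows):
        req, res = r["request"].upper(), r["result"].upper()
        if req.startswith("FASTIO") and res == "FAILURE":
            reasons[r["num"]] = "fast I/O attempt failed (usual on network drives)"
        elif req == "OPEN" and res == "NOT FOUND":
            reasons[r["num"]] = "search-path probe while locating a DLL/resource"
        elif req == "READ" and res == "FAILURE" and any(
                n["path"] == r["path"] and n["request"].upper() == "READ"
                and n["result"].upper() == "SUCCESS" for n in rows[i + 1:]):
            reasons[r["num"]] = "transient read failure followed by a successful read"
    return reasons
```

Run it on your own saved .LOG files by reading them into `parse_log` in place of `SAMPLE_LOG`; the paths returned by `denied_writes` are the ones to consider for “change” rights in step 8.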