DaveH wrote:
The first post here is from a Microsoft employee.
http://answers.microsoft.com/en-us/windows/forum/windows_xp-hardware/device-manager-is-blank/51a16b23-d188-4501-91c0-0a257a643e4b
Note that no mention is made of the Admin group.
"System" has an even higher access level than Administrator. How could it possibly be a security risk having fewer groups with write permission?
The opposite is the truth: the more people able to change something, the larger the risk, especially when most users are Administrators when they don't need to be.
Dave
Hi, Dave. The "System" context is a completely different Security context - it is used for interprocess communications for Windows itself. The whole idea behind having a "System" context is to ensure that programs can make alterations to the Registry - even if Users do not have those permissions.
"User" contexts such as "Everyone", "Administrators" and individual "Usernames" are the interactive contexts that allow users to interact with programs. The Device Manager that we use and see is an interactive context. Thus, it is necessary for Enum to have some way to interact with a User to get read/write permissions - which allows that User (or group) to see (modify) the Registry. This is the only way Windows will allow Users to be able to see and modify the items in Device Manager.
Note: If the "System" context did not allow Windows to "talk to itself" - Windows could not even boot.
In the various interactive contexts for Windows XP Pro - a standard "restricted access user" (IOW a user who is not an Administrator) should not be able to modify the Hardware Tree in Device Manager. Thus, the Security Permissions on the "Enum" key and its subkeys for the "Everyone" group are read-only.
In the various interactive contexts for Windows XP Pro - any "Administrator" (IOW, any user who is a member of the "Administrator" group) should be allowed to modify the Hardware Tree in Device Manager. Thus, the Security Permissions on the "Enum" key and its subkeys for the "Administrator" group are read/write.
Further down in the discussion referenced from your previous post - regarding the problem-resolution-technique mentioned by "Jason-H." at answers.microsoft.com - are several mentions of other users who had the "Administrator" group showing in their permissions for the "Enum" Registry Key. Thus, it is correct in some circumstances for the system to be set up in that manner.
I suspect that differences in Registry structure and the Security Permissions of the "System" user - which vary between Home and Pro versions of Windows XP - may explain the discrepancy. The details I mentioned in my previous post on this subject were in regards to Windows XP Pro - which has the option for having multiple active Administrator accounts in Normal mode. Windows XP Home has only one Administrator account - which can only be accessed from Safe Mode.
With the above caveats in mind - it would make sense for the Microsoft Employee's recommendation regarding Enum permissions to be accurate (but incomplete) for Windows XP Pro versions - otherwise it would not be possible for standard Windows Administrator users under XP Pro to be able to see and modify the items in Device Manager. Furthermore, my recommendations regarding Enum permissions are thus accurate for Windows XP Pro versions - where multiple Administrator Accounts are possible while XP is running in Normal mode.
It completely slipped my mind that Windows XP has two different "System" security contexts for Normal Mode - depending upon whether the user has Windows XP Home or Windows XP Pro installed. As noted in further posts in that thread at answers.microsoft.com - there are other security contexts in Windows 7 that make proper security for this key even more complex in the W7 environment and its various "flavours".
I stand by my recommendations for the Security Permissions structure for the "Enum" key and its subkeys - as far as Windows XP Pro is concerned.
If someone using Windows XP Home could verify that the standard set of Security Permissions found on the "Enum" key for Windows XP Home is as detailed in the post on answers.microsoft.com - that should provide the remaining needed piece of the puzzle. Thus, in future, all of us can give an accurate answer for both sets of Security contexts - at least as far as WXP is concerned.
Hope this helps.
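Since the thread turns on what the DACL on HKLM\SYSTEM\CurrentControlSet\Enum actually grants to Everyone, Administrators and SYSTEM, here is a script that reads it and reports which principals hold write rights. This is an added example, not code posted by either participant or shipped by Microsoft. It assumes Windows PowerShell 3 or later (the [pscustomobject] syntax is not available in the 2.0 release that XP received); the $Baseline table encodes the expectation stated in the reply above (Everyone read-only, Administrators read/write, SYSTEM full control) and is an assumption used for comparison, not a documented Microsoft default. Inspecting every subkey with -Recurse needs an elevated prompt, because reading a key's DACL requires READ_CONTROL on that key. The script only reports; it changes nothing.

```powershell
# Added example (not from the thread): dump the DACL on the Enum key, classify
# each ACE as ReadOnly / Write / FullControl, and compare it with the poster's
# stated expectation. Run: .\Check-EnumAcl.ps1 [-KeyPath <key>] [-Recurse]
param(
    [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Enum',
    [switch]$Recurse
)

$RR = [System.Security.AccessControl.RegistryRights]

# Bits that let a principal change a key: its values, its subkeys, the key
# itself, its DACL or its owner. Anything else is treated as read-type access.
$WriteBits = $RR::SetValue -bor $RR::CreateSubKey -bor $RR::Delete -bor
             $RR::ChangePermissions -bor $RR::TakeOwnership
# Un-mapped generic rights as they appear on some inherited ACEs.
$GenericAllOrWrite = 0x10000000 -bor 0x40000000

# Assumption: the expectation stated in the post, not a documented default.
$Baseline = @{
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    'BUILTIN\Administrators' = 'Write'      # "read/write" in the post
    'Everyone'               = 'ReadOnly'
}

function Get-AccessClass {
    param([System.Security.AccessControl.RegistryAccessRule]$Rule)
    $rights = [int]$Rule.RegistryRights
    if (($rights -band [int]$RR::FullControl) -eq [int]$RR::FullControl) { return 'FullControl' }
    if (($rights -band [int]$WriteBits) -ne 0 -or ($rights -band $GenericAllOrWrite) -ne 0) { return 'Write' }
    return 'ReadOnly'
}

function Get-KeyAccessReport {
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $acl) { Write-Warning "Cannot read DACL on $Path (need READ_CONTROL)"; return }
    foreach ($ace in $acl.Access) {
        # Inherit-only ACEs shape child keys; they grant nothing on this key itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        [pscustomobject]@{
            Key       = $Path
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.RegistryRights
            Class     = Get-AccessClass -Rule $ace
            Inherited = $ace.IsInherited
        }
    }
}

function Test-AgainstBaseline {
    param($Report)
    $findings = @()
    foreach ($row in $Report) {
        if ($row.Type -eq 'Deny') {
            $findings += "DENY ACE for $($row.Identity) on $($row.Key): $($row.Rights)"
            continue
        }
        $expected = $Baseline[$row.Identity]
        if ($null -eq $expected) {
            # A principal the post never mentions (e.g. Users) holding write rights
            # is exactly the "more people able to change something" case DaveH raised.
            if ($row.Class -ne 'ReadOnly') {
                $findings += "Unexpected write access: $($row.Identity) has $($row.Rights) on $($row.Key)"
            }
        } elseif ($expected -eq 'ReadOnly' -and $row.Class -ne 'ReadOnly') {
            $findings += "$($row.Identity) has $($row.Rights) on $($row.Key) but baseline expects read-only"
        } elseif ($expected -ne 'ReadOnly' -and $row.Class -eq 'ReadOnly') {
            $findings += "$($row.Identity) is read-only on $($row.Key) but baseline expects $expected"
        }
    }
    return $findings
}

$keys = @($KeyPath)
if ($Recurse) {
    $keys += Get-ChildItem -Path $KeyPath -Recurse -ErrorAction SilentlyContinue |
             ForEach-Object { $_.PSPath }
}

$report = foreach ($k in $keys) { Get-KeyAccessReport -Path $k }
$report | Format-Table Identity, Type, Rights, Class, Inherited -AutoSize

$findings = Test-AgainstBaseline -Report $report
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "No deviations from the assumed baseline on $($keys.Count) key(s)." }
```

The classification deliberately ignores inherit-only ACEs, which is where a quick glance at the Permissions dialog tends to mislead: an entry that exists only to propagate to subkeys shows up in the list but grants nothing on Enum itself. Because the real defaults differ between XP Home, XP Pro and Windows 7 (the discrepancy the two posts are arguing about), treat a warning as something to check against that version's documented defaults before changing anything; the script does not write to the registry.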