#202761 - 2011-07-29 07:34 PM Need to modify HKCU on TS servers with elevated privileges
jameehub02 Offline
Just in Town

Registered: 2011-07-27
Posts: 2
Loc: Florida, USA

We need to modify a domain user's HKCU registry keys on two Citrix terminal servers to fix a recent problem Microsoft caused when making changes to their Office File Validation code for Office 2003 and Office 2007.

The problem is referenced by knowledge base article KB2570623. After their updates, any moderately large Excel 2003 file opens very slowly when accessed over the network, or hangs Excel entirely.

The published fix from Microsoft involves adding two keys to an individual user's HKCU registry, which turns off the validation and thus allows the Excel file to load normally.

The problem is normal domain users do not have write access to the HKCU section of the registry on our Citrix terminal servers which host the Office 2003 Suite.

I have a working KiXtart script segment that applies the appropriate modifications to the HKCU registry but it only works when a user has local admin access to their hive keys. The code is listed below:

Dim $TempCall, $TempKey

$TempKey = "HKEY_CURRENT_USER\Software\Policies\Microsoft\Office"

; Create each level of the key path (writing an empty default value creates the key)
$TempCall = WriteValue( $TempKey, "", "", "REG_SZ" )
$TempCall = WriteValue( $TempKey + "\11.0", "", "", "REG_SZ" )
$TempCall = WriteValue( $TempKey + "\11.0\Excel", "", "", "REG_SZ" )
$TempCall = WriteValue( $TempKey + "\11.0\Excel\Security", "", "", "REG_SZ" )
$TempCall = WriteValue( $TempKey + "\11.0\Excel\Security\FileValidation", "", "", "REG_SZ" )
; Set the two DWORD values that turn off file validation for Excel 2003 (11.0)
$TempCall = WriteValue( $TempKey + "\11.0\Excel\Security\FileValidation", "EnableOnLoad", "0", "REG_DWORD" )
$TempCall = WriteValue( $TempKey + "\11.0\Excel\Security\FileValidation", "PivotOptions", "0", "REG_DWORD" )


I have tried using runnas and JoeWare's CPAU to provide the local permission elevation. However, I am not able to get them to work properly as they want to load the elevated profile, which knocks out the HKCU section. If I don't load the profile, it doesn't acquire the necessary permissions.

Any ideas on how to tackle this HKCU issue? Many thanks in advance!!!

Top
#202762 - 2011-07-29 07:53 PM Re: Need to modify HKCU on TS servers with elevated privileges [Re: jameehub02]
Allen Administrator Online
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4545
Loc: USA
In all likelihood you are going to have to create a GPO for this. If they don't have permissions to their own HKCU I don't see any other way. I have never managed a Citrix server so hopefully someone will have another solution.
Top
#202763 - 2011-07-29 08:24 PM Re: Need to modify HKCU on TS servers with elevated privileges [Re: Allen]
ShaneEP Moderator Offline
MM club member
*****

Registered: 2002-11-29
Posts: 2125
Loc: Tulsa, OK
I don't have any terminal servers to test on either, but I wonder if the current SID changes when you use runas? If not, you could try running something like...

 Code:
$TempKey = "HKEY_USERS\"+@Sid+"\Software\Policies\Microsoft\Office"
$TempCall = WriteValue($TempKey+"\11.0\Excel\Security\FileValidation","EnableOnLoad","0","REG_DWORD" )
$TempCall = WriteValue($TempKey+"\11.0\Excel\Security\FileValidation","PivotOptions","0","REG_DWORD" )

Top
#202764 - 2011-07-29 08:26 PM Re: Need to modify HKCU on TS servers with elevated privileges [Re: ShaneEP]
ShaneEP Moderator Offline
MM club member
*****

Registered: 2002-11-29
Posts: 2125
Loc: Tulsa, OK
Also...did you look into using runnas.exe with the different profile settings? A list of them can be found here.

http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=153620&site_id=1

In particular, maybe the /noprofile or /env switches.


Edited by ShaneEP (2011-07-29 08:27 PM)

Top
#202765 - 2011-07-29 11:46 PM Re: Need to modify HKCU on TS servers with elevated privileges [Re: ShaneEP]
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
I had this problem as well, and I can tell you, that specific key you will not get access to. Only if you define permission rights to it. My SharePerms UDF might help you to do that (can be modified to do registry). That aside, sometimes even the reg key does not work. The only real fix for this problem is to uninstall the Office File Validation update. Or upgrade to a newer version of Office.
Top
#202766 - 2011-07-30 06:15 PM Re: Need to modify HKCU on TS servers with elevated privileges [Re: Arend_]
jameehub02 Offline
Just in Town

Registered: 2011-07-27
Posts: 2
Loc: Florida, USA
Yes, you are absolutely correct. I banged on this beastie for hours without success. I finally threw in the towel and tried the simple approach by uninstalling the "Microsoft Office File Validation Add-in" AND marked it to "Don't show this update again". What a pain in the rear!!
Thanks to all of you for sharing your suggestions. I have to believe that many others are feeling this pain ...

Top
#202767 - 2011-07-31 01:05 PM Re: Need to modify HKCU on TS servers with elevated privileges [Re: jameehub02]
ChristopheM Offline
Hey THIS is FUN
*****

Registered: 2002-05-13
Posts: 309
Loc: STRASBOURG, France
I do not completely agree with you.

I have another way for you to update all profiles in one shot.
This only needs an admin account.

if you have roaming profiles:
- enumerate all subdirs on the shared path,
- for each subdir
  . load hive ntuser.dat in a temp key (HKEY_USERS\temp)
  . update values in key HKEY_USERS\temp\software\policies\microsoft\...
  . unload HKEY_USERS\temp
endif

then
- for each citrix server
  . for each key in \\server\hkey_users
    . update values in \\server\HKEY_USERS\key\software\policies\microsoft\...
  . next

  . for each path in "documents and settings"
    . if exist ntuser.dat
      . if loadhive( ntuser.dat, "hkey_users\temp" )
        . update values in hkey_users\temp\software\policies\microsoft\...
        . unloadhive "hkey_users\temp"
      . else
        . hive already updated when scanning \\server\hkey_users
      . endif
    . endif
  . next
. next

With this solution, all profiles are updated "at the same time" and future profiles will be up to date because the Default profile has been updated.
_________________________
Christophe

Top
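The local-server part of the outline above, written out in PowerShell as an added example (not code from the thread or from KiXtart). It covers one server only, run locally and elevated; the profile path and the `TempHive` mount name are assumptions, and the key and value names are the ones given in the first post.

```powershell
# Added example, not from the thread. Run from an elevated prompt on each terminal server.
$SubKey      = 'Software\Policies\Microsoft\Office\11.0\Excel\Security\FileValidation'
$ValueNames  = 'EnableOnLoad', 'PivotOptions'   # both set to DWORD 0, as in the first post
$ProfileRoot = 'C:\Documents and Settings'      # assumption: default profile location
$TempMount   = 'HKU\TempHive'                   # hypothetical mount-point name

function Set-FileValidationValues {
    param([string]$HiveRoot)                    # e.g. HKU\<SID> or HKU\TempHive
    foreach ($name in $ValueNames) {
        # reg add creates any missing intermediate keys
        & reg.exe add "$HiveRoot\$SubKey" /v $name /t REG_DWORD /d 0 /f | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Failed to set $name under $HiveRoot" }
    }
}

# Pass 1: hives of logged-on users are already mounted under HKEY_USERS.
Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |   # skips *_Classes and service SIDs
    ForEach-Object { Set-FileValidationValues "HKU\$($_.PSChildName)" }

# Pass 2: profiles on disk, including the hidden Default User profile.
Get-ChildItem -Path $ProfileRoot -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $hive = Join-Path $_.FullName 'ntuser.dat'
    if (-not (Test-Path -LiteralPath $hive)) { return }
    & reg.exe load $TempMount $hive 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Load fails when the hive is in use; that user was handled in pass 1.
        Write-Verbose "Skipped $hive (in use or unreadable)"
        return
    }
    try     { Set-FileValidationValues $TempMount }
    finally { & reg.exe unload $TempMount | Out-Null }   # always release the hive file
}
```

Using `reg.exe` for the writes keeps no .NET registry handles open on the mounted hive, so the unload is not blocked by the script itself.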
#202768 - 2011-07-31 11:18 PM Re: Need to modify HKCU on TS servers with elevated privileges [Re: ChristopheM]
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
I ran into the issue but was not aware of the fix at the time. A co-worker upgraded them to Office 2007 so I was not able to confirm any of these other fixes myself.

But, if the registry fix does in fact work one certainly can and probably should use a GPO and if not then RunNas would work as well to change the registry key. I've used RunNas to do similar fixes and it works quite well.

Top
#202769 - 2011-08-01 12:35 AM Re: Need to modify HKCU on TS servers with elevated privileges [Re: NTDOC]
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
Registry key does not always work, as I found out at my site.
Besides, the user had no privilege to edit the key. Which means GPOs fail, as well as Group Policy Preferences, which allows you to set custom keys, and even under current user privilege. All of them fail to do the job.
Also this bug is only with Office 2003, and only when opening files from the network. Besides, we have done many years without the Office File Validation Add-In, so the best solution was to remove it.

The crap thing about it is, that WSUS does not allow this update to be uninstalled, so had to be done manually.

Top
#202787 - 2011-08-03 03:05 AM Re: Need to modify HKCU on TS servers with elevated privileges [Re: Arend_]
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
So what are the perms on this key that are preventing it? I don't have it installed on any system I know of at the moment to check on.
Top
#202788 - 2011-08-03 08:39 AM Re: Need to modify HKCU on TS servers with elevated privileges [Re: NTDOC]
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
"HKEY_USERS\"+@Sid+"\Software\Policies\Microsoft" only has 3 accounts by default. And you can check this on your own system as well.
- System
- %COMPUTERNAME%\Administrators
- Restricted

It's the restricted account that makes sure the current user (unless he is a local admin) is not able to edit keys.

Top
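One way to check the permissions discussed in the post above, as an added PowerShell example (not code from the thread): it lists which principals hold write rights on the per-user Policies key and tests whether the current token can actually open it for writing. The function names are hypothetical; the key path is the one named in the thread.

```powershell
# Added example, not from the thread. Run in the affected user's session (no elevation).
function Get-PolicyKeyWriters {
    param([string]$Path = 'HKCU:\Software\Policies\Microsoft')
    if (-not (Test-Path -Path $Path)) { return @() }    # key absent: nothing to report
    # Rights that allow creating subkeys or setting values under the key
    $writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.RegistryRights -band $writeMask)
        } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

function Test-PolicyKeyWritable {
    param([string]$SubKey = 'Software\Policies\Microsoft')
    try {
        # Second argument $true requests write access; denied access raises an exception
        $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return $null }            # key does not exist
        $key.Close()
        return $true
    }
    catch [System.Security.SecurityException] { return $false }
    catch [System.UnauthorizedAccessException] { return $false }
}

# Full ACL, then the principals with write rights, then the effective result
(Get-Acl -Path 'HKCU:\Software\Policies\Microsoft').Access |
    Format-Table IdentityReference, AccessControlType, RegistryRights, IsInherited -AutoSize
Get-PolicyKeyWriters | Format-Table -AutoSize
"Current user can write: $(Test-PolicyKeyWritable)"
```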