how-to block ads
|
psloss
Premium
join:2002-02-24
Alpharetta, GA
| reply to redxii
Re: TIP: Add Folder Security tab to XP Home
said by redxii  :
Does this compromise security by using 5 year old code?
I just want to be able to use the Security tab, and it wasn't very nice of MS to leave it out.. I guess I could use Server 2003 Standard's files..
I hear you -- it would have been nice if they had at least provided a way to enable the functionality for power users.
My concern isn't about a security compromise so much as data corruption -- and it's still unsubstantiated. I just found it odd that this package would "work" given that it predates XP. There has to be a reason why it works and short of that (or several reasons), it may only partially work (or worse).
I just tried breaking the Security tab or making it go away and I found that two of the DLLs I referred to earlier -- the wsecedit.dll file and the scedll.dll file both do NOT work on the system. They fail to load, even manually, so that can't be providing the functionality.
What I found is that the rshx32_5.dll file seems to be providing it. If I move that file to the Recycle Bin and bring up a Properties dialog, the tab isn't there.
And it doesn't make sense anyway, since the tab is available without this package in Safe Mode. There has to be something like a dynamic Registry setting or something like that, so I'm looking for references there. So far, what I've found is that there's a file named rshx32.dll in XP Pro that is registered similarly to what I found in XP Home.
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org | |
psloss
Premium
join:2002-02-24
Alpharetta, GA
| Security tab Registry entries
OK, I believe this boils down to a series of Registry keys and entries. I need to take a break so for now, I'll just post the details and come back later. Thanks to the restore point functionality, I was able to restore the config back to the "fresh" XP Home and then install InCtrl5 to do a before and after snapshot; here are the Registry changes that I believe to be relevant:
Keys added...
HKEY_CLASSES_ROOT\*\shellex\PropertySheetHandlers\{1F2E5C40-9550-11CE-99D2-00AA006E086 C} "(Default)"
Type: REG_SZ
Data:
HKEY_CLASSES_ROOT\CLSID\{85BBD920-42A0-1069-A2E4-08002B30309D}\shellex\PropertySheetHa ndlers\{1F2E5C40-9550-11CE-99D2-00AA006E086C} "(Default)"
Type: REG_SZ
Data:
HKEY_CLASSES_ROOT\Directory\shellex\PropertySheetHandlers\{1F2E5C40-9550-11CE-99D2-00A A006E086C} "(Default)"
Type: REG_SZ
Data:
HKEY_CLASSES_ROOT\Drive\shellex\PropertySheetHandlers\{1F2E5C40-9550-11CE-99D2-00AA006 E086C} "(Default)"
Type: REG_SZ
Data:
Values changed...
HKEY_CLASSES_ROOT\CLSID\{1F2E5C40-9550-11CE-99D2-00AA006E086C}\InProcServer32 "(Default)"
Old type: REG_SZ
New type: REG_SZ
Old data: rshx32.dll
New data: rshx32_5.dll
This last entry -- the change -- could be bad, since it substitutes the XP version of the functionality (rshx32.dll) with the 1998 version of the functionality (rshx32_5.dll).
Anyway, the common link is the GUID "{1F2E5C40-9550-11CE-99D2-00AA006E086C}" and scanning through the setup files from the SCESP4I.EXE package, I found this in the [Strings] section of the setup.inf file:
CLSID_RSHX_NTFS={1f2e5c40-9550-11ce-99d2-00aa006e086c}
Then looking for "CLSID_RSHX_NTFS" in the file, I found this in the [MMCPostSetupCmdSection] section (with a couple of entries snipped):
[MMCreg]
HKCR,Clsid\%CLSID_RSHX_NTFS%,,,%DESCRIPTION%
HKCR,Clsid\%CLSID_RSHX_NTFS%\InProcServer32,,,%MODULENAME%
HKCR,Clsid\%CLSID_RSHX_NTFS%\InProcServer32,"ThreadingModel",,Apartment
HKCR,*\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
HKCR,Drive\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
HKCR,Directory\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
HKCR,Clsid\%CLSID_BRIEFCASE%\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
The first three entries here cover the "Values changed" part of the InCtrl5 report and could probably be skipped, which leaves these entries (I'm repeating them):
HKCR,*\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
HKCR,Drive\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
HKCR,Directory\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
HKCR,Clsid\%CLSID_BRIEFCASE%\%SHEXPS%\%CLSID_RSHX_NTFS%,,,
SHEXPS is from the Strings section:
SHEXPS=shellex\PropertySheetHandlers So the Security tab is registered in Property Sheets for three areas: * or all, Drive, and Directory.
All very interesting, but now my brain hurts (my brain in my head). So I'm not dead sure, but right now I think the bottom line is that people who install this should fix their Registry so that Explorer uses the XP version of the rshx32.dll.
People who want to add the functionality may be able to cobble together a Registry script instead of running this install package. At some point, I'll try to test that.
I still have to do an InCtrl5 compare of the Registry between "normal" mode and Safe Mode, but that's where I am right now.
Hope that helps somebody,
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org | |
Kramer
Premium,Mod
join:2000-08-03
Richmond, VA
clubs:
 ·Verizon FIOS
 ·GoDaddy Hosting
Host:
Microsoft Help
Wireless Security
| Nice work Philip! I just hope everyone understands that this GUI will allow one to set permissions for local access, but because XP Home authenticates all network users as guests, things could get very confusing for network access.
For instance lets say I give Bill, Mary and Spot full control to folder x and all it's subfolders. That's fine as long as they are working on that computer, but regardless of what the share permissions are set for, those people are not going to access those files unless the guest account or everyone is also included in the permissions (Share permissions too!). With XP Home, all network users either have access to a file or don't have access to a file, there is no in-between. You can't be selective among users. Now, I'm ready for Dave to pounce upon me with a silver hammer. | |
psloss
Premium
join:2002-02-24
Alpharetta, GA
| said by Kramer :
Now, I'm ready for Dave to pounce upon me with a silver hammer.
Me, too. Hopefully he can straighten us out. 
Actually, I'm still looking at this and it's looking like I've got something wrong and am about to come full circle on this.
More in a bit,
Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org | |
|
