Permissions Mode Behavior Under Terminal Services (298372)



The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition

This article was previously published under Q298372

SUMMARY

When a user logs on to a terminal server, the link propagation protocol, Link State Algorithm (LSA), determines whether the terminal server is in Full Security or Relaxed Security mode. If the server is in Relaxed mode, LSA adds the TsUserSID attribute to the user's security token.

Because the settings of certain registry subfolders and file system folders provide near-power-user-level access to TsUserSID, any user on such a Relaxed mode server can make changes to those objects.

These permissions are necessary so that legacy programs, which a power user should be able to run successfully, also run when started by an ordinary user.

MORE INFORMATION

When a user places a terminal server in Relaxed Security mode, the following program compatibility measures are taken:
  1. LSA adds TsUserSID to the user's token when the user logs on. The TsUserSID permissions, which are set from the Defltsv.inf file during operating system installation, grant the access noted in the following list.

    Note: The following format is known as SDDL, which is documented in MSDN. Only the entries from that file that include TsUserSID (the S-1-5-13 string) are listed here.
    [Registry Keys] 
    "MACHINE\Software",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
    "MACHINE\SOFTWARE\Microsoft\Tracing",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;S-1-5-13)"
    ;The following keys need to be writable by TERMINAL_SERVER_USER for App-Compat
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
    ;---------------------------------------------------------------------------------------------
    ;ProgramFiles
    ;---------------------------------------------------------------------------------------------
    "%SceInfProgramFiles%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;S-1-5-13)"
    ;Directories with a legacy history being changed for security reasons
    "%SystemRoot%\help",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGX;;;S-1-5-13)"
  2. When a user starts a program that is not Terminal Services-aware in a user context, the user receives an "access denied" error when the program attempts to open a restricted registry key. The registry code then attempts to open the same key again with the maximum permissions that the user can have (typically read-only) and returns that handle to the program. Most legacy programs open a key with write/create privileges but only perform read actions, so legacy programs still run correctly.

    There is a global setting to enable or disable this behavior. By default, this behavior is enabled in Relaxed Security mode. This behavior is controlled through the following key:

    HKLM ,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server"
    "RegistryExtensionFlags", 0x1 [bit mask, 1st bit]

  3. When a program that is not Terminal Services-aware, running in the user context, attempts to change or write a value under HKCR or HKLM\Software\Classes, the change is redirected to the user's own HKCU\Software\Classes; when necessary, a whole sub-branch is created under HKCU\Software\Classes.

    There is a global setting to enable or disable this behavior. The default setting applies primarily to Relaxed Security mode. You can control this behavior through the following key:

    HKLM ,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server"
    "RegistryExtensionFlags", 0x2 [bit mask, 2nd bit]
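As an added example (not from this article or from Microsoft), the following Python parses Defltsv.inf entries in the SDDL form shown in step 1 and reports which rights each entry grants to S-1-5-13, flagging the objects that TsUserSID can modify. The sample lines are copied from the list above, the rights vocabulary is limited to the abbreviations that appear there, and the function and field names are the example's own.

```python
import re

# Generic-right abbreviations as defined by SDDL (MSDN); GA = GENERIC_ALL etc.
RIGHTS = {"GA": "all", "GR": "read", "GW": "write", "GX": "execute", "SD": "delete"}
TS_USER_SID = "S-1-5-13"  # TsUserSID, the Terminal Server User SID named in the article

# Constructed sample: three Defltsv.inf lines quoted in the article, plus one comment line.
SAMPLE = r'''
"MACHINE\Software",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
"MACHINE\SOFTWARE\Microsoft\Tracing",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;S-1-5-13)"
;Directories with a legacy history being changed for security reasons
"%SystemRoot%\help",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGX;;;S-1-5-13)"
'''

LINE_RE = re.compile(r'^"([^"]+)",\d+,"D:(P?)((?:\([^)]*\))+)"$')
# ACE layout: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\((\w+);([A-Z]*);([A-Z]*);[^;]*;[^;]*;([^)]+)\)")

def pairs(tokens):  # split a run of two-letter SDDL tokens: 'GRGWSD' -> ['GR', 'GW', 'SD']
    return [tokens[i:i + 2] for i in range(0, len(tokens), 2)]

def parse_inf_line(line):
    """Parse one '"path",2,"D:..."' entry into its DACL ACEs; None for blank or ';' comment lines."""
    line = line.strip()
    if not line or line.startswith(";"):
        return None
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised Defltsv.inf line: " + line)
    path, protected, ace_text = m.groups()
    aces = [{"type": t, "flags": pairs(f), "rights": pairs(r), "sid": s}
            for t, f, r, s in ACE_RE.findall(ace_text)]
    return {"path": path, "protected": protected == "P", "aces": aces}

def ts_user_access(entry):
    """Rights the allow-ACE for S-1-5-13 grants on this object, and whether they permit modification."""
    for ace in entry["aces"]:
        if ace["type"] == "A" and ace["sid"] == TS_USER_SID:
            rights = sorted(RIGHTS.get(r, r) for r in ace["rights"])
            return rights, bool(set(rights) & {"write", "delete", "all"})
    return [], False

def audit(inf_text):
    """Map each object path to (rights, writable) for the Terminal Server User SID."""
    entries = filter(None, (parse_inf_line(ln) for ln in inf_text.splitlines()))
    return {e["path"]: ts_user_access(e) for e in entries}
```

Running `audit(SAMPLE)` marks MACHINE\Software and %SystemRoot%\help as writable by TsUserSID and MACHINE\SOFTWARE\Microsoft\Tracing as read-only, which is the distinction an administrator reviewing a Relaxed Security server wants to see per object.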


Modification Type: Minor
Last Reviewed: 1/20/2006
Keywords:kbinfo KB298372