
Install Program via HKLM RunOnce, but I get access denied to add registry key

I'm trying to push out a software package where the installer has to be ran as the user who will be using the program. I found an article on this site about installing software via scripting and have it set up the installer to run an install script on the next login. Here is the article I'm taking about: http://www.kace.com/support/resources/kb/article/how-do-i-execute-a-command

When I follow those steps I seem to have a problem with the script not having sufficient privileges to add the registry key to HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce. Even if I log in as a domain user and manually run the command in that example I get an access denied error. However, if I run a command prompt as Administrator and run the command, the key is created as expected, and the software installs on the next reboot.

So, what am I doing wrong that the script doesn't have privileges to add that registry key? I have tried it with both Online and Offline KScript, and the Run As is "Run As Local System".

Thank you all in advance!

0 Comments   [ + ] Show comments

Answers (5)

Posted by: SMal.tmcc 11 years ago
Red Belt

an offline script runs as system should have worked just fine, but an offline does not have any run as options.  And the others not being able to modify the HKLM would be true if they are not local admins they cannot change the hklm keys

Posted by: jagadeish 11 years ago
Red Belt

Write a VBScript which will run the installer in System Context using PSEXEC.EXE

Call this VBScript through RunOnce

Posted by: jaybee96 11 years ago
Red Belt

Why does the application needs to be installed as the logged-on user?

Most cases because of Userprofile / HKCU settings...

So why not use ActiveSetup if this is the case?

Posted by: MisterVertigo 11 years ago
Senior White Belt

The program is very unusual. It is an .MSI installer, but for some reason the default install path for the application is inside the current user's profile directory.

When I first tried to push it out like a normal .MSI all the files got installed in the Default user profile instead of the logged in user's profile. So, I started investigating how to make the install run as the logged in user and I found the article I linked above. However, I can't seem to get that to work because I can't add the registry key for RunOnce. On my test machine I'm logged in as a Domain Admin, and I have admin privileges on the local computer. I still get access denied.

I'm not familiar with PSEXEC.EXE or ActiveSetup, do you have any links to get me started on those? Thank you!

  • John has the best way if you need to run this as a local admin. You can create a txt file and call all the machines you need to run with that file and run as local admin using pstools "psexec"
    http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx - SMal.tmcc 11 years ago
  • Hello, best way is to push your software like the usual System Context or with admin privileges because they have the necessary permission to do the installs completely.

    Set an Active Setup inside your MSI (just do a quick search on how to do this - you can use "msiexec /fup {PRODUCTCODE} /QN" in StubPath afterwards ) You can also set a pop up message to your users to do a log off or reboot as a measure for this. Once your users have logged in, your software will repair and put all the necessary files and registries needed for them to use.

    Active Setup - http://www.itninja.com/blog/view/appdeploy-articles-activesetup

    Hope this help. - dj_xest 11 years ago
  • i'd prefer active setup in this case. - jaybee96 11 years ago
Posted by: MisterVertigo 11 years ago
Senior White Belt

OK, I played around a bit with PsExec, but I keep getting access denied. I'm not understanding at all how I'm getting access denied in the first place. I explicitly put my domain account in the local Administrators group just to test, but I'm still getting access denied with all my scripts. Is it because I have UAC on? If I run cmd as an Administrator I'm asked by UAC to allow it to run, and then the script will work. When I launch regedit.exe, I'm also asked by UAC. Is this why I'm getting access denied?

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

View more:


This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ