Applying TCP/IP Settings for Non-Administrator Users in Windows® XP Embedded

Introduction
A non-administrator user who logs in to a system built with the Windows XP Embedded runtime will not be able to successfully change the TCP/IP settings (such as IP address, subnet mask, etc.), even if that user belongs to the ‘Network Configuration Operators’ group.  The system will require a reboot after the TCP/IP settings are changed; however, the new settings will be discarded after the reboot.  This problem does not occur in the Windows XP Pro environment.

This document provides some guidance to resolve the particular issue above.

Steps to resolve the issue
The issue is caused primarily by permission settings in the access control list (ACL), which are handled differently on the Windows XP Embedded platform than on Windows XP Pro.  As a workaround, we propose running a script that uses a security editor tool (SubInAcl.exe).  SubInAcl.exe is available to the public and can be downloaded from the Microsoft Download Center.  Below are suggested steps to create a script file and then execute it to resolve the issue.

 1. Creating a script file to assign proper permission in ACL

Create a script containing the commands below to assign the proper permissions in the ACL.

subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ /grant="Network Configuration Operators"=QCEYA

subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage\ /grant="Network Configuration Operators"=QSCEYA

subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ /grant="Network Configuration Operators"=QSCEYA

subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ /grant="Network Configuration Operators"=QSCEYA

subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\ /grant="Network Configuration Operators"=QSCEYA

subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ /grant="Network Configuration Operators"=QSCEYA

subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes\ /grant="Network Configuration Operators"=QSCEYA

subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Winsock\ /grant="Network Configuration Operators"=QCEYA

subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Performance\ /grant="Network Configuration Operators"=QCEYA

subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider\ /grant="Network Configuration Operators"=QCEYA

subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Enum\ /grant="Network Configuration Operators"=QCEYA

subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Security\ /grant="Network Configuration Operators"=QCEYA

subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP\Configurations\ /grant="Network Configuration Operators"=QSCEYAD

subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP\Parameters\ /grant="Network Configuration Operators"=QEYA

subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{GUID_OF_NIC}\Parameters\Tcpip\ /grant="Network Configuration Operators"=QSCEYAD

subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\ /grant="Network Configuration Operators"=QCEYA

subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\ /grant="Network Configuration Operators"=QSCEYA 

Please note that you need to replace {GUID_OF_NIC} in one of the commands above with the actual GUID of the network adapter in your device.  You can find this GUID under the TCP/IP service registry key.

For example: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{AEA17CDF-5551-4DF7-90EE-73E0E595BC31}
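To review what the script grants before running it on a device, the commands can be parsed and their access letters decoded. The following is an added example, not part of the original post: the names `audit`, `PERMS`, `WRITE` and `SAMPLE` are assumptions, the letter meanings follow SubInAcl's help text for registry keys, and the sample input is a constructed subset of the commands in step 1.

```python
import re

# Access letters as listed in SubInAcl's help text for registry keys.
PERMS = {"Q": "Query Value", "S": "Set Value", "C": "Create SubKey",
         "E": "Enumerate Subkeys", "Y": "Notify", "A": "Read Control",
         "D": "Delete"}
WRITE = set("SCD")  # letters that let the grantee change or remove data

LINE = re.compile(
    r'^\s*subinacl\s+/(keyreg|subkeyreg)\s+(\S+)\s+/grant="([^"]+)"=([A-Za-z]+)\s*$',
    re.IGNORECASE)

def audit(script):
    """Return one finding per subinacl grant line in a batch script."""
    findings = []
    for number, raw in enumerate(script.splitlines(), 1):
        match = LINE.match(raw)
        if not match:
            continue
        mode, key, group, letters = match.groups()
        letters = letters.upper()
        findings.append({
            "line": number,
            "key": key.rstrip("\\"),
            "group": group,
            "recursive": mode.lower() == "subkeyreg",  # key plus all subkeys
            "rights": [PERMS[c] for c in letters if c in PERMS],
            "unknown": sorted(set(letters) - set(PERMS)),
            "writable": bool(WRITE & set(letters)),
            "can_delete": "D" in letters,
            "placeholder": "{GUID_OF_NIC}" in key,  # must be replaced first
        })
    return findings

# Constructed sample: four of the commands from step 1.
SAMPLE = r'''
subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ /grant="Network Configuration Operators"=QCEYA
subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ /grant="Network Configuration Operators"=QSCEYA
subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{GUID_OF_NIC}\Parameters\Tcpip\ /grant="Network Configuration Operators"=QSCEYAD
subinacl /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP\Parameters\ /grant="Network Configuration Operators"=QEYA
'''

if __name__ == "__main__":
    for f in audit(SAMPLE):
        flags = [n for n in ("recursive", "writable", "can_delete", "placeholder") if f[n]]
        print(f["line"], f["key"], "+".join(f["rights"]), flags)
```

A finding with `placeholder` set means the command still contains the literal {GUID_OF_NIC} and will not target the adapter's key until the real GUID is substituted.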

2. Executing the script file to assign proper permission in ACL

 You can copy the commands in step 1 above and store them in a batch file (i.e. a text file with the extension .bat) on your development machine.  In addition, you need to download the SubInAcl.exe tool from the Microsoft Download Center to your development machine.  The downloaded file is an MSI package.  After you install the MSI package, the SubInAcl.exe tool will be located in the installation path that you specify during the installation (the default path is C:\Program Files\Windows Resource Kits\Tools).
After logging in to your Windows XP Embedded runtime system as an administrator, copy the batch file and SubInAcl.exe into a temporary folder.  Open a command prompt, navigate to the temporary folder, and run the batch file.  After the batch file has executed successfully, a non-administrator user may log in to the same runtime and change any TCP/IP settings as long as he/she belongs to the ‘Network Configuration Operators’ group.

- Thomas 

* Updated 8/2/07 to include more generic info on NIC settings in script command.

Posted: Tuesday, July 31, 2007 9:00 AM by Embedded

Comments

Masakazu Watari said:

Thank you for the nice information.

I am very glad to know this because I was looking for a solution like this.

Immediately, I applied this method to my XPe system.

However, the following script commands failed.

>> subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Security\ /grant="Network Configuration Operators"=QCEYA

>> subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{AEA17CDF-5551-4DF7-90EE-73E0E595BC31}\Parameters\Tcpip\ /grant="Network Configuration Operators"=QSCEYAD

May I disregard this failure?

Or, what components should I add to mine to solve them?

Please give me your advice!!

# July 31, 2007 8:48 PM

Thomas said:

Are you able to successfully change the TCP/IP settings after running the batch file?  If so, you may ignore the failure.  If not, we can investigate.

# August 1, 2007 2:59 AM

Andi Hemetsberger said:

Thank you very much for this solution, you posted it at a perfect moment :)

It works nearly perfectly for me; only one thing is the same as before - after changing between DHCP and static IP address, the system asks me for a reboot " ... before the new settings will take effect".

Is it possible to fix this problem ?

# August 1, 2007 8:32 AM

Masakazu Watari said:

Hello Thomas,

Thank you for your comment.

There is no problem for me after applying this solution.

Therefore, I will ignore the failure.

Thank you very much!!

Masakazu Watari

# August 1, 2007 8:40 AM

Thomas said:

Regarding the rebooting issue, perhaps it is due to NIC GUID that may be different from the sample scripts provided above.  Please try the following:

Replace the line:

subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{AEA17CDF-5551-4DF7-90EE-73E0E595BC31}\Parameters\Tcpip\ /grant="Network Configuration Operators"=QSCEYAD

with:

subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GUID_OF_NIC\Parameters\Tcpip\ /grant="Network Configuration Operators"=QSCEYAD

where GUID_OF_NIC is the actual GUID for the NIC card on their system, which you'll see listed in many places in the registry. For example, you'll see it under

HKLM\System\currentcontrolset\services\tcpip\parameters\adapters\GUID_OF_NIC

# August 1, 2007 5:47 PM

Andi Hemetsberger said:

That's it, works perfectly now ..

Thank you very much.

Best regards, Andi

# August 2, 2007 1:30 AM

Armando said:

Is it possible to configure ACLs including service ACLs in the target designer?

We would like to avoid as many manual steps as possible.

Thanks

# August 17, 2007 2:23 PM