Registry key disappears after a while

0

One of my users has had a problem in the past when printing documents from Office 2012. After attempting to print, she got the message that the printer could not be found. Apparently, the cause of this was Office 2012, which would prevent printing after it detected a problem.

I found a solution in the following link: https://support.microsoft.com/en-us/help/983035/how-to-prevent-office-2010-from-disabling-printers . I added the registry key "DisablePrintFeaturesOnCrash" under HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\General and set it to 0, which seemed to solve the problems she was having.

Flash forward a couple of months, and I got a call from her telling me that the problem had resurfaced. After checking the registry, I found out that the registry key was gone. I added it again, and she could print again.

A few days later however, the registry key has disappeared again! She herself cannot remove the key (she can't access the registry), and none of my colleagues has touched that computer in weeks.

What could possibly remove that key? Is there a way to find out what process removed that key? And is it possible to prevent deletion of the key?

Thanks!

Joe

Posted 2019-04-12T07:31:19.997

Reputation: 49

Answers

0

You must enable auditing to track changes with the registry, though you must specify an object to audit. To do this in the registry, right click a key, select permissions, advanced, auditing -> then add the object in here that you'd like to audit, and the actions that the object has taken that you want to track. You will then see the specified changes to the key made by the object in event viewer under windows logs -> Security.

Because you are trying to track changes for an object you do not know (the cause of the registry key removal), it would be best to check permissions on the key just to see what has access to delete it. If there are no permissions in there that you were not expecting, then I suspect it was the application itself. The registry entries can be updated or regenerated following an application update, depending on how the application update is designed to interact with the registry (in this case I assume regenerate as your custom key is being deleted). I would not recommend amending the permissions on these keys as you could consequently then receive application errors.

Therefore, if you have noticed that the issue has arisen when the user first tries to print on a given day, a logon group policy to import your custom registry key should suffice. However, if you notice that the issue can happen suddenly, i.e. the user can print a number of times, then suddenly it stops working- then you would need to manually intervene unfortunately. I would have suggested to give the user access to import their own registry key (through a .reg file) though if the registry key IS being regenerated then her permissions will also be removed making that suggestion unreliable. These are proposed solely on the symptoms you have stated.

RhysPickett

Posted 2019-04-12T07:31:19.997

Reputation: 102

Asked: 2019-04-12T07:31:19.997

Viewed: 269 times

Active: 2019-04-12T10:55:11.367