Solved

RegSetKeySecurity() do not work

Posted on 1997-06-16
5
816 Views
Last Modified: 2013-12-03
I have problems with using RegSetKeySecurity().
I'm doing following:

1) constructing security decriptor.
   Everyone KEY_READ
   MyGroup KEY_READ | KEY_WRITE
   MyAdmGroup KEY_ALL_ACCESS
   SYSTEM  KEY_ALL_ACCESS
2) call RegOpenKeyEx() with KEY_ALL_ACCESS. Key is
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\+
   Services\serviceName\Parameters
3) Setting only DACL with RegSetKeySecurity()
4) Closing key with RegCloseKey()

The are no errors are returned from these API calls.
But DACL of registry of key is not changed.

I can change DACL of key with regedt32 program.

The question is how to change DACL of registry
key in the way that works.

I'm using NT 4.0 SP3. MS Visual C++ 4.2.
0
Comment
Question by:const
  • 3
  • 2
5 Comments
 

Author Comment

by:const
ID: 1398398
Edited text of question
0
 
LVL 15

Expert Comment

by:NickRepin
ID: 1398399
Can you post your source code?
0
 
LVL 15

Accepted Solution

by:
NickRepin earned 150 total points
ID: 1398400
Make sure you do something like this:

#include <windows.h>
#include <iostream.h>

void main(void)
{
    // Open the key for WRITE_DAC access
    HKEY hKey;
    if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Nick",0,WRITE_DAC,&hKey)
         !=ERROR_SUCCESS) {
       cout<<"Cannot open the key"<<endl;
       return;
    }

    // Make the SIDs
    SID_IDENTIFIER_AUTHORITY sia=SECURITY_NT_AUTHORITY;
    PSID guestSid,admSid;
    if(!AllocateAndInitializeSid(&sia,2,
           SECURITY_BUILTIN_DOMAIN_RID,
           DOMAIN_ALIAS_RID_GUESTS,
           0, 0, 0, 0, 0, 0,
           &guestSid)) {
        cout<<"AllocateAndInitializeSid error"<<endl;
        return;
    }
    if(!AllocateAndInitializeSid(&sia,2,
           SECURITY_BUILTIN_DOMAIN_RID,
           DOMAIN_ALIAS_RID_ADMINS,
           0, 0, 0, 0, 0, 0,
           &admSid)) {
        cout<<"AllocateAndInitializeSid error"<<endl;
        return;
    }

    // Alloc DACL
    DWORD dwDaclSize=sizeof(ACL)+ 2*(sizeof(ACCESS_ALLOWED_ACE)-sizeof(DWORD))+
        GetLengthSid(guestSid)+GetLengthSid(admSid) ;

    PACL dacl=PACL(malloc(dwDaclSize));
    if(dacl==NULL) {
       cout<<"No memory"<<endl;
       return;
    }
    if(!InitializeAcl(dacl,dwDaclSize,ACL_REVISION)) {
        cout<<"InitializeAcl error"<<endl;
        return;
    }

    // Grant privileges
    if(!AddAccessAllowedAce(dacl,ACL_REVISION,KEY_READ,guestSid)) {
        cout<<"AddAccessAllowedAce failed"<<endl;
        return;
    }
    if(!AddAccessAllowedAce(dacl,ACL_REVISION,KEY_WRITE,admSid)) {
        cout<<"AddAccessAllowedAce failed"<<endl;
        return;
    }

    // Create security descriptor
    SECURITY_DESCRIPTOR sd;
    if(!InitializeSecurityDescriptor(&sd,SECURITY_DESCRIPTOR_REVISION)) {
        cout<<"InitializeSecurityDescriptor failed"<<endl;
        return;
    }

    if(!SetSecurityDescriptorDacl(&sd,TRUE,dacl,FALSE)) {
        cout<<"SetSecurityDescriptor failed"<<endl;
        return;
    }

    // Change key security
    if(RegSetKeySecurity(hKey,(SECURITY_INFORMATION)DACL_SECURITY_INFORMATION,&sd)
          != ERROR_SUCCESS) {
        cout<<"RegSetKeySecurity failed"<<endl;
        return;
    }

    RegCloseKey(hKey);
    RegCloseKey(HKEY_LOCAL_MACHINE);

    free(dacl);
    FreeSid(guestSid);
    FreeSid(admSid);
}


0
 

Author Comment

by:const
ID: 1398401
I found the problem. The problem was misspelling key name :-(.
And it hit key from previous experements and changed security
on it correctly :-). I've found it when comparing you sources with my, so you program helped anyway.

My program is doing exactly what do you recomend.
Except  
a) "RegCloseKey(HKEY_LOCAL_MACHINE);" was not called.
   Why do you call it?
b) I'm getting SID using LookupName().

0
 
LVL 15

Expert Comment

by:NickRepin
ID: 1398402
a) I have seen some microsoft samples, and there are RegCloseKey(<SecurityChangedKey>); RegCloseKey(HKEY_...) statements in their cleanup code.
On the other hand, SDK reference for RegSetKeySecurity says: 'If hKey is one of the predefined keys, the predefined key should be closed with RegCloseKey. That ensures that the new security information is in effect the next time the predefined key is referenced.'
So, I think, may be it's useful. May be, it's useless.
b) no matter how to get SID.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to make a Windows 7 gadget that extends its U/I with a flyout panel -- a window that pops out next to the gadget.  The example gadget shows several additional techniques:  How to automatically resize a gadget or flyout panel t…
In this article, I will show how to use the Ribbon IDs Tool Window to assign the built-in Office icons to a ribbon button.  This tool will help us to find the OfficeImageId that corresponds to our desired built-in Office icon. The tool is part of…
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question