Solved

RegSetKeySecurity() do not work

Posted on 1997-06-16
5
782 Views
Last Modified: 2013-12-03
I have problems with using RegSetKeySecurity().
I'm doing following:

1) constructing security decriptor.
   Everyone KEY_READ
   MyGroup KEY_READ | KEY_WRITE
   MyAdmGroup KEY_ALL_ACCESS
   SYSTEM  KEY_ALL_ACCESS
2) call RegOpenKeyEx() with KEY_ALL_ACCESS. Key is
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\+
   Services\serviceName\Parameters
3) Setting only DACL with RegSetKeySecurity()
4) Closing key with RegCloseKey()

The are no errors are returned from these API calls.
But DACL of registry of key is not changed.

I can change DACL of key with regedt32 program.

The question is how to change DACL of registry
key in the way that works.

I'm using NT 4.0 SP3. MS Visual C++ 4.2.
0
Comment
Question by:const
  • 3
  • 2
5 Comments
 

Author Comment

by:const
ID: 1398398
Edited text of question
0
 
LVL 15

Expert Comment

by:NickRepin
ID: 1398399
Can you post your source code?
0
 
LVL 15

Accepted Solution

by:
NickRepin earned 150 total points
ID: 1398400
Make sure you do something like this:

#include <windows.h>
#include <iostream.h>

void main(void)
{
    // Open the key for WRITE_DAC access
    HKEY hKey;
    if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Nick",0,WRITE_DAC,&hKey)
         !=ERROR_SUCCESS) {
       cout<<"Cannot open the key"<<endl;
       return;
    }

    // Make the SIDs
    SID_IDENTIFIER_AUTHORITY sia=SECURITY_NT_AUTHORITY;
    PSID guestSid,admSid;
    if(!AllocateAndInitializeSid(&sia,2,
           SECURITY_BUILTIN_DOMAIN_RID,
           DOMAIN_ALIAS_RID_GUESTS,
           0, 0, 0, 0, 0, 0,
           &guestSid)) {
        cout<<"AllocateAndInitializeSid error"<<endl;
        return;
    }
    if(!AllocateAndInitializeSid(&sia,2,
           SECURITY_BUILTIN_DOMAIN_RID,
           DOMAIN_ALIAS_RID_ADMINS,
           0, 0, 0, 0, 0, 0,
           &admSid)) {
        cout<<"AllocateAndInitializeSid error"<<endl;
        return;
    }

    // Alloc DACL
    DWORD dwDaclSize=sizeof(ACL)+ 2*(sizeof(ACCESS_ALLOWED_ACE)-sizeof(DWORD))+
        GetLengthSid(guestSid)+GetLengthSid(admSid) ;

    PACL dacl=PACL(malloc(dwDaclSize));
    if(dacl==NULL) {
       cout<<"No memory"<<endl;
       return;
    }
    if(!InitializeAcl(dacl,dwDaclSize,ACL_REVISION)) {
        cout<<"InitializeAcl error"<<endl;
        return;
    }

    // Grant privileges
    if(!AddAccessAllowedAce(dacl,ACL_REVISION,KEY_READ,guestSid)) {
        cout<<"AddAccessAllowedAce failed"<<endl;
        return;
    }
    if(!AddAccessAllowedAce(dacl,ACL_REVISION,KEY_WRITE,admSid)) {
        cout<<"AddAccessAllowedAce failed"<<endl;
        return;
    }

    // Create security descriptor
    SECURITY_DESCRIPTOR sd;
    if(!InitializeSecurityDescriptor(&sd,SECURITY_DESCRIPTOR_REVISION)) {
        cout<<"InitializeSecurityDescriptor failed"<<endl;
        return;
    }

    if(!SetSecurityDescriptorDacl(&sd,TRUE,dacl,FALSE)) {
        cout<<"SetSecurityDescriptor failed"<<endl;
        return;
    }

    // Change key security
    if(RegSetKeySecurity(hKey,(SECURITY_INFORMATION)DACL_SECURITY_INFORMATION,&sd)
          != ERROR_SUCCESS) {
        cout<<"RegSetKeySecurity failed"<<endl;
        return;
    }

    RegCloseKey(hKey);
    RegCloseKey(HKEY_LOCAL_MACHINE);

    free(dacl);
    FreeSid(guestSid);
    FreeSid(admSid);
}


0
 

Author Comment

by:const
ID: 1398401
I found the problem. The problem was misspelling key name :-(.
And it hit key from previous experements and changed security
on it correctly :-). I've found it when comparing you sources with my, so you program helped anyway.

My program is doing exactly what do you recomend.
Except  
a) "RegCloseKey(HKEY_LOCAL_MACHINE);" was not called.
   Why do you call it?
b) I'm getting SID using LookupName().

0
 
LVL 15

Expert Comment

by:NickRepin
ID: 1398402
a) I have seen some microsoft samples, and there are RegCloseKey(<SecurityChangedKey>); RegCloseKey(HKEY_...) statements in their cleanup code.
On the other hand, SDK reference for RegSetKeySecurity says: 'If hKey is one of the predefined keys, the predefined key should be closed with RegCloseKey. That ensures that the new security information is in effect the next time the predefined key is referenced.'
So, I think, may be it's useful. May be, it's useless.
b) no matter how to get SID.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you have ever found yourself doing a repetitive action with the mouse and keyboard, and if you have even a little programming experience, there is a good chance that you can use a text editor to whip together a sort of macro to automate the proce…
In this article, I will show how to use the Ribbon IDs Tool Window to assign the built-in Office icons to a ribbon button.  This tool will help us to find the OfficeImageId that corresponds to our desired built-in Office icon. The tool is part of…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now