Solved

RegSetKeySecurity() do not work

Posted on 1997-06-16
5
770 Views
Last Modified: 2013-12-03
I have problems with using RegSetKeySecurity().
I'm doing following:

1) constructing security decriptor.
   Everyone KEY_READ
   MyGroup KEY_READ | KEY_WRITE
   MyAdmGroup KEY_ALL_ACCESS
   SYSTEM  KEY_ALL_ACCESS
2) call RegOpenKeyEx() with KEY_ALL_ACCESS. Key is
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\+
   Services\serviceName\Parameters
3) Setting only DACL with RegSetKeySecurity()
4) Closing key with RegCloseKey()

The are no errors are returned from these API calls.
But DACL of registry of key is not changed.

I can change DACL of key with regedt32 program.

The question is how to change DACL of registry
key in the way that works.

I'm using NT 4.0 SP3. MS Visual C++ 4.2.
0
Comment
Question by:const
  • 3
  • 2
5 Comments
 

Author Comment

by:const
ID: 1398398
Edited text of question
0
 
LVL 15

Expert Comment

by:NickRepin
ID: 1398399
Can you post your source code?
0
 
LVL 15

Accepted Solution

by:
NickRepin earned 150 total points
ID: 1398400
Make sure you do something like this:

#include <windows.h>
#include <iostream.h>

void main(void)
{
    // Open the key for WRITE_DAC access
    HKEY hKey;
    if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Nick",0,WRITE_DAC,&hKey)
         !=ERROR_SUCCESS) {
       cout<<"Cannot open the key"<<endl;
       return;
    }

    // Make the SIDs
    SID_IDENTIFIER_AUTHORITY sia=SECURITY_NT_AUTHORITY;
    PSID guestSid,admSid;
    if(!AllocateAndInitializeSid(&sia,2,
           SECURITY_BUILTIN_DOMAIN_RID,
           DOMAIN_ALIAS_RID_GUESTS,
           0, 0, 0, 0, 0, 0,
           &guestSid)) {
        cout<<"AllocateAndInitializeSid error"<<endl;
        return;
    }
    if(!AllocateAndInitializeSid(&sia,2,
           SECURITY_BUILTIN_DOMAIN_RID,
           DOMAIN_ALIAS_RID_ADMINS,
           0, 0, 0, 0, 0, 0,
           &admSid)) {
        cout<<"AllocateAndInitializeSid error"<<endl;
        return;
    }

    // Alloc DACL
    DWORD dwDaclSize=sizeof(ACL)+ 2*(sizeof(ACCESS_ALLOWED_ACE)-sizeof(DWORD))+
        GetLengthSid(guestSid)+GetLengthSid(admSid) ;

    PACL dacl=PACL(malloc(dwDaclSize));
    if(dacl==NULL) {
       cout<<"No memory"<<endl;
       return;
    }
    if(!InitializeAcl(dacl,dwDaclSize,ACL_REVISION)) {
        cout<<"InitializeAcl error"<<endl;
        return;
    }

    // Grant privileges
    if(!AddAccessAllowedAce(dacl,ACL_REVISION,KEY_READ,guestSid)) {
        cout<<"AddAccessAllowedAce failed"<<endl;
        return;
    }
    if(!AddAccessAllowedAce(dacl,ACL_REVISION,KEY_WRITE,admSid)) {
        cout<<"AddAccessAllowedAce failed"<<endl;
        return;
    }

    // Create security descriptor
    SECURITY_DESCRIPTOR sd;
    if(!InitializeSecurityDescriptor(&sd,SECURITY_DESCRIPTOR_REVISION)) {
        cout<<"InitializeSecurityDescriptor failed"<<endl;
        return;
    }

    if(!SetSecurityDescriptorDacl(&sd,TRUE,dacl,FALSE)) {
        cout<<"SetSecurityDescriptor failed"<<endl;
        return;
    }

    // Change key security
    if(RegSetKeySecurity(hKey,(SECURITY_INFORMATION)DACL_SECURITY_INFORMATION,&sd)
          != ERROR_SUCCESS) {
        cout<<"RegSetKeySecurity failed"<<endl;
        return;
    }

    RegCloseKey(hKey);
    RegCloseKey(HKEY_LOCAL_MACHINE);

    free(dacl);
    FreeSid(guestSid);
    FreeSid(admSid);
}


0
 

Author Comment

by:const
ID: 1398401
I found the problem. The problem was misspelling key name :-(.
And it hit key from previous experements and changed security
on it correctly :-). I've found it when comparing you sources with my, so you program helped anyway.

My program is doing exactly what do you recomend.
Except  
a) "RegCloseKey(HKEY_LOCAL_MACHINE);" was not called.
   Why do you call it?
b) I'm getting SID using LookupName().

0
 
LVL 15

Expert Comment

by:NickRepin
ID: 1398402
a) I have seen some microsoft samples, and there are RegCloseKey(<SecurityChangedKey>); RegCloseKey(HKEY_...) statements in their cleanup code.
On the other hand, SDK reference for RegSetKeySecurity says: 'If hKey is one of the predefined keys, the predefined key should be closed with RegCloseKey. That ensures that the new security information is in effect the next time the predefined key is referenced.'
So, I think, may be it's useful. May be, it's useless.
b) no matter how to get SID.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

This article shows a few slightly more advanced techniques for Windows 7 gadget programming, including how to save and restore user settings for your gadget and how to populate the "details" panel that is displayed in the Windows 7 gadget gallery.  …
This article surveys and compares options for encoding and decoding base64 data.  It includes source code in C++ as well as examples of how to use standard Windows API functions for these tasks. We'll look at the algorithms — how encoding and decodi…
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now