RegSetKeySecurity() does not work

const asked
Last Modified: 2013-12-03
I have problems with using RegSetKeySecurity().
I'm doing the following:

1) Constructing a security descriptor.
   Everyone KEY_READ
   MyGroup KEY_READ | KEY_WRITE
   MyAdmGroup KEY_ALL_ACCESS
   SYSTEM  KEY_ALL_ACCESS
2) Calling RegOpenKeyEx() with KEY_ALL_ACCESS. The key is
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\serviceName\Parameters
3) Setting only the DACL with RegSetKeySecurity()
4) Closing the key with RegCloseKey()

No errors are returned from these API calls.
But the DACL of the registry key is not changed.

I can change the DACL of the key with the regedt32 program.

The question is how to change the DACL of a registry
key in a way that works.

I'm using NT 4.0 SP3. MS Visual C++ 4.2.

Author

Commented:
Edited text of question
Can you post your source code?
Make sure you do something like this:

#include <windows.h>
#include <stdlib.h>
#include <iostream>
using namespace std;

int main()
{
    int rc = 1;                       // exit code; set to 0 only on success
    HKEY hKey = NULL;
    PSID guestSid = NULL, admSid = NULL;
    PACL dacl = NULL;
    DWORD dwDaclSize = 0;
    SECURITY_DESCRIPTOR sd;
    SID_IDENTIFIER_AUTHORITY sia = SECURITY_NT_AUTHORITY;

    // Open the key for WRITE_DAC access (the only right needed to set a DACL)
    if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,TEXT("SOFTWARE\\Nick"),0,WRITE_DAC,&hKey)
         !=ERROR_SUCCESS) {
        cout<<"Cannot open the key"<<endl;
        goto cleanup;
    }

    // Make the SIDs (BUILTIN\Guests and BUILTIN\Administrators)
    if(!AllocateAndInitializeSid(&sia,2,
           SECURITY_BUILTIN_DOMAIN_RID,
           DOMAIN_ALIAS_RID_GUESTS,
           0, 0, 0, 0, 0, 0,
           &guestSid)) {
        cout<<"AllocateAndInitializeSid error"<<endl;
        goto cleanup;
    }
    if(!AllocateAndInitializeSid(&sia,2,
           SECURITY_BUILTIN_DOMAIN_RID,
           DOMAIN_ALIAS_RID_ADMINS,
           0, 0, 0, 0, 0, 0,
           &admSid)) {
        cout<<"AllocateAndInitializeSid error"<<endl;
        goto cleanup;
    }

    // Alloc DACL: ACL header plus, for each ACE, the ACE structure without
    // its SidStart placeholder DWORD plus the real length of the SID
    dwDaclSize=sizeof(ACL)+ 2*(sizeof(ACCESS_ALLOWED_ACE)-sizeof(DWORD))+
        GetLengthSid(guestSid)+GetLengthSid(admSid);

    dacl=PACL(malloc(dwDaclSize));
    if(dacl==NULL) {
        cout<<"No memory"<<endl;
        goto cleanup;
    }
    if(!InitializeAcl(dacl,dwDaclSize,ACL_REVISION)) {
        cout<<"InitializeAcl error"<<endl;
        goto cleanup;
    }

    // Grant privileges
    if(!AddAccessAllowedAce(dacl,ACL_REVISION,KEY_READ,guestSid)) {
        cout<<"AddAccessAllowedAce failed"<<endl;
        goto cleanup;
    }
    if(!AddAccessAllowedAce(dacl,ACL_REVISION,KEY_WRITE,admSid)) {
        cout<<"AddAccessAllowedAce failed"<<endl;
        goto cleanup;
    }

    // Create security descriptor
    if(!InitializeSecurityDescriptor(&sd,SECURITY_DESCRIPTOR_REVISION)) {
        cout<<"InitializeSecurityDescriptor failed"<<endl;
        goto cleanup;
    }

    // Attach the DACL (present, not defaulted)
    if(!SetSecurityDescriptorDacl(&sd,TRUE,dacl,FALSE)) {
        cout<<"SetSecurityDescriptor failed"<<endl;
        goto cleanup;
    }

    // Change key security: only the DACL part of the descriptor is applied
    if(RegSetKeySecurity(hKey,(SECURITY_INFORMATION)DACL_SECURITY_INFORMATION,&sd)
          != ERROR_SUCCESS) {
        cout<<"RegSetKeySecurity failed"<<endl;
        goto cleanup;
    }
    rc = 0;

cleanup:
    // Release whatever was acquired, on success and on every error path
    if(hKey!=NULL) RegCloseKey(hKey);
    RegCloseKey(HKEY_LOCAL_MACHINE);   // close the predefined key as well

    free(dacl);
    if(guestSid!=NULL) FreeSid(guestSid);
    if(admSid!=NULL) FreeSid(admSid);
    return rc;
}


Author

Commented:
I found the problem. The problem was a misspelled key name :-(.
And it hit a key from previous experiments and changed security
on it correctly :-). I found it when comparing your sources with mine, so your program helped anyway.

My program is doing exactly what you recommend.
Except
a) "RegCloseKey(HKEY_LOCAL_MACHINE);" was not called.
   Why do you call it?
b) I'm getting the SID using LookupName().

a) I have seen some Microsoft samples, and there are RegCloseKey(<SecurityChangedKey>); RegCloseKey(HKEY_...) statements in their cleanup code.
On the other hand, the SDK reference for RegSetKeySecurity says: 'If hKey is one of the predefined keys, the predefined key should be closed with RegCloseKey. That ensures that the new security information is in effect the next time the predefined key is referenced.'
So, I think, maybe it's useful. Maybe it's useless.
b) It doesn't matter how you get the SID.
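
Added example, not part of the thread and not code from any participant: every API call in the thread returned success while the DACL landed on a different key, so this PowerShell check reads the DACL back from the intended key and compares it with what was supposed to be set. The function name Test-RegistryDacl, the parameter names, and the English account names are assumptions; it targets a current Windows system with PowerShell 3 or later and the SOFTWARE\Nick key and ACEs from the answer above.

```powershell
# Hypothetical helper (added example): read back a registry key's explicit
# allow ACEs and report any difference from the DACL that was meant to be set.
function Test-RegistryDacl {
    param(
        [Parameter(Mandatory)] [string]    $Path,     # e.g. 'HKLM:\SOFTWARE\Nick'
        [Parameter(Mandatory)] [hashtable] $Expected  # account -> RegistryRights name
    )

    # A misspelled path must fail loudly instead of checking some other key.
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Registry key not found: $Path"
    }

    # Collect explicit (non-inherited) allow ACEs, merging rights per account.
    $actual = @{}
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        $name = $ace.IdentityReference.Value
        $actual[$name] = ([int]$actual[$name]) -bor ([int]$ace.RegistryRights)
    }

    $problems = @()
    foreach ($name in $Expected.Keys) {
        $want = [int][System.Security.AccessControl.RegistryRights]$Expected[$name]
        if (-not $actual.ContainsKey($name)) {
            $problems += "missing ACE for $name"
        } elseif ($actual[$name] -ne $want) {
            $have = [System.Security.AccessControl.RegistryRights]$actual[$name]
            $problems += "$name has '$have', expected '$($Expected[$name])'"
        }
    }
    foreach ($name in $actual.Keys) {
        if (-not $Expected.ContainsKey($name)) {
            $problems += "unexpected ACE for $name"
        }
    }
    $problems   # empty when the key carries exactly the expected DACL
}

# The DACL the answer's program sets: KEY_READ for Guests, KEY_WRITE for Administrators.
$issues = Test-RegistryDacl -Path 'HKLM:\SOFTWARE\Nick' -Expected @{
    'BUILTIN\Guests'         = 'ReadKey'
    'BUILTIN\Administrators' = 'WriteKey'
}
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'DACL matches' }
```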