Solved

NT/95 Registry:  I can't read/write to the registry in my code when the NT/95 system is locked down or the user doesn't have admin rights

Posted on 1998-10-01
3
199 Views
Last Modified: 2010-04-01
I am making updates to the system registry but when the 95/NT system I am testing on is locked down or the user I am logged in as doesn't have adminstrative rights I get a fatal error stating that I cannot access the registry.  Does anyone know of a workaround for this?  Are there areas in the registry that cannot be read or written to if the system is locked down or the user doesn't have administrative rights?
0
Comment
Question by:afalvey
3 Comments
 

Author Comment

by:afalvey
ID: 1174152
Bye the way.  The code is written in VC++ 5.0 and we are using the following APIs for accessing the system registry:

RegOpenKey
RegEnumVal
RegCloseKey
RegQueryValueEx
RegQueryInfoKey
RegSetValueEx
RegFlushKey
0
 
LVL 32

Accepted Solution

by:
jhance earned 100 total points
ID: 1174153
Under NT, each registry key can have protections set.  When you use RegOpenKeyEx, the samDesired parameter to the function specified what type of access to the key you want.  (Under Win9X, this parameter is ignored)  If you don't have rights to this key you will get an error returned from the function.  There is no workaround, this is the way NT is designed.  You either need to relax the security on the keys in question or logon to the system with an account having the correct privileges.
0
 

Expert Comment

by:tsollas
ID: 1174154
jhance is not entirely correct.  You can get around this, but you'll have to use impersonation.  It basically looks like this:

HANDLE hToken;
LogonUser( szUser, szDomain, szPassword, LOGON32_LOGON_BATCH,                  LOGON32_PROVIDER_DEFAULT, &hToken ););
ImpersonateLoggedOnUser( hToken );

// do stuff

CloseHandle( hToken );
RevertToSelf();

What this does is a) log on as a specific user.  You'll want to log in as a user with sufficient rights and then b) tells your current thread to "impersonate" the token of the logged in user.  The user logged in needs to have the SE_TCB_NAME privilege enabled.  This means, of course, you'll have to either prompt the user for an appropriate user account, or you'll have to store that somewhere so you can use it behind the scenes.

Supposedly there's a way to impersonate explorer (if I recall, its security context is the system account), and I think it involves getting Explorer's process token and impersonating that, but I haven't tried it.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

IntroductionThis article is the second in a three part article series on the Visual Studio 2008 Debugger.  It provides tips in setting and using breakpoints. If not familiar with this debugger, you can find a basic introduction in the EE article loc…
C++ Properties One feature missing from standard C++ that you will find in many other Object Oriented Programming languages is something called a Property (http://www.experts-exchange.com/Programming/Languages/CPP/A_3912-Object-Properties-in-C.ht…
The goal of the video will be to teach the user the concept of local variables and scope. An example of a locally defined variable will be given as well as an explanation of what scope is in C++. The local variable and concept of scope will be relat…
The viewer will learn how to user default arguments when defining functions. This method of defining functions will be contrasted with the non-default-argument of defining functions.

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now