mdrasted
asked on
Can registry be protected in 95/NT?
Is it possible to prevent users programs
(for example a Delphi program)
from writing to registry in 95 and NT?
Regards,
Morten
(for example a Delphi program)
from writing to registry in 95 and NT?
Regards,
Morten
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
mdrasted
The only way I know is to block users from opening the registry using windows polices... You can not protect the registry(read only) as the registry is constantly updated by windows it's self...
I may be wrong, so I'm following on this one ;-)
Later
BoRiS
The only way I know is to block users from opening the registry using windows polices... You can not protect the registry(read only) as the registry is constantly updated by windows it's self...
I may be wrong, so I'm following on this one ;-)
Later
BoRiS
Only as Boris suggested: by using the Policy Editor that comes as part of the Win9x Resource Kit.
The Policy Editor will let you define (on a per-user basis) who can and who can't access the Registry directly.
Other than that it's impossible. If you need lots of security on the Registry for your users, you should consider using Windows NT Workstation, not Windows 9x.
Alex
The Policy Editor will let you define (on a per-user basis) who can and who can't access the Registry directly.
Other than that it's impossible. If you need lots of security on the Registry for your users, you should consider using Windows NT Workstation, not Windows 9x.
Alex
Err...Hello? I AM TOO QUIET???
If we're talking about win32 API, you can't do anything under win9x (except what PolEdit does, but that's not enough). Under winNT you can call "Set(Named)SecurityInfo(.. ., SE_REGISTRY_KEY, ...)" to set the accesses that specific users have.
If you want a more perfect solution you will have to build little drivers for both NT and win9x. Look at "www.sysinternals.com". There you can download a little utility (with sources) called "RegMon" which monitors all registry actions. With some changes you can extend the functionality to deny registry changes. But this all happens at driver level, so you can't use Delphi for that purpose.
Regards, Madshi.
If you want a more perfect solution you will have to build little drivers for both NT and win9x. Look at "www.sysinternals.com". There you can download a little utility (with sources) called "RegMon" which monitors all registry actions. With some changes you can extend the functionality to deny registry changes. But this all happens at driver level, so you can't use Delphi for that purpose.
Regards, Madshi.
ASKER
Thanks everybody for helping me,
But I think it's Jaymol who helped me the most. So Jaymol, please submit your comment as an answer.
Regards,
Morten
But I think it's Jaymol who helped me the most. So Jaymol, please submit your comment as an answer.
Regards,
Morten
Ahem - The code below will work for NT, but not for 95. Does this help?
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
StdCtrls;
type
TForm1 = class(TForm)
Button1: TButton;
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
const SECURITY_NULL_SID_AUTHORIT Y = 0;
SECURITY_WORLD_SID_AUTHORI TY = 1;
SECURITY_LOCAL_SID_AUTHORI TY = 2;
SECURITY_CREATOR_SID_AUTHO RITY = 3;
SECURITY_NT_AUTHORITY = 5;
SECURITY_INTERACTIVE_RID = $00000004;
SECURITY_BUILTIN_DOMAIN_RI D = $00000020;
DOMAIN_ALIAS_RID_ADMINS = $00000220;
ACL_REVISION = 2;
SECURITY_DESCRIPTOR_REVISI ON = 1;
type
PACE_Header = ^TACE_Header;
TACE_Header = record
AceType: BYTE;
AceFlags: BYTE;
AceSize: WORD;
end;
PAccess_Allowed_ACE = ^TAccess_Allowed_ACE;
TAccess_Allowed_ACE = record
Header: TACE_Header;
Mask: ACCESS_MASK;
SidStart: DWORD;
end;
implementation
{$R *.DFM}
function do_it: boolean;
var sia: TSIDIdentifierAuthority;
pInteractiveSid, pAdministratorsSid: PSID;
sd: Windows.TSecurityDescripto r;
pDacl: PACL;
dwAclSize: DWORD;
aHKey: HKEY;
lRetCode: longint;
bSuccess: boolean;
begin
sia.Value[0] := 0;
sia.Value[1] := 0;
sia.Value[2] := 0;
sia.Value[3] := 0;
sia.Value[4] := 0;
sia.Value[5] := SECURITY_NT_AUTHORITY;
pInteractiveSid := nil;
pAdministratorsSid := nil;
pDacl := nil;
bSuccess := false; // assume this function fails
//
// open the key for WRITE_DAC access
//
lRetCode := RegOpenKeyEx(
HKEY_CURRENT_USER,
'SOFTWARE\Test',
0,
WRITE_DAC,
aHKey
);
if(lRetCode <> ERROR_SUCCESS) then begin
ShowMessage('Error in RegOpenKeyEx');
result := false;
end;
//
// prepare a Sid representing any Interactively logged-on user
//
if( not AllocateAndInitializeSid(
sia,
1,
SECURITY_INTERACTIVE_RID,
0, 0, 0, 0, 0, 0, 0,
pInteractiveSid
)) then begin
ShowMessage('Error in: AllocateAndInitializeSid') ;
//goto cleanup;
end;
//
// prepare a Sid representing the well-known admin group
//
if(not AllocateAndInitializeSid(
sia,
2,
SECURITY_BUILTIN_DOMAIN_RI D,
DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
pAdministratorsSid
)) then begin
ShowMessage('Error in: AllocateAndInitializeSid') ;
// goto cleanup;
end;
//
// compute size of new acl
//
dwAclSize := sizeof(TACL) +
2 * ( sizeof(TAccess_Allowed_ACE ) - sizeof(DWORD) ) +
GetLengthSid(pInteractiveS id) +
GetLengthSid(pAdministrato rsSid) ;
//
// allocate storage for Acl
//
pDacl := PACL(HeapAlloc(GetProcessH eap(), 0, dwAclSize));
//if(pDacl == nil) goto cleanup;
if( not InitializeAcl(pDacl^, dwAclSize, ACL_REVISION)) then begin
ShowMessage('Error in: InitializeAcl');
//goto cleanup;
end;
//
// grant the Interactive Sid KEY_READ access to the perf key
//
if(not AddAccessAllowedAce(
pDacl^,
ACL_REVISION,
KEY_READ,
pInteractiveSid
)) then begin
ShowMessage('Error in: AddAccessAllowedAce');
//goto cleanup;
end;
//
// grant the Administrators Sid KEY_ALL_ACCESS access to the perf key
//
if(not AddAccessAllowedAce(
pDacl^,
ACL_REVISION,
KEY_ALL_ACCESS,
pAdministratorsSid
)) then begin
ShowMessage('Error in: AddAccessAllowedAce');
//goto cleanup;
end;
if(not InitializeSecurityDescript or(@sd, SECURITY_DESCRIPTOR_REVISI ON)) then begin
ShowMessage('Error in: InitializeSecurityDescript or');
//goto cleanup;
end;
if(not SetSecurityDescriptorDacl( @sd, TRUE, pDacl, FALSE)) then begin
ShowMessage('Error in: SetSecurityDescriptorDacl' );
//goto cleanup;
end;
//
// apply the security descriptor to the registry key
//
lRetCode := RegSetKeySecurity(
aHKey,
SECURITY_INFORMATION(DACL_ SECURITY_I NFORMATION ),
@sd
);
if(lRetCode <> ERROR_SUCCESS) then begin
ShowMessage('Error in: RegSetKeySecurity');
//goto cleanup;
end;
bSuccess := TRUE; // indicate success
end;
procedure TForm1.Button1Click(Sender : TObject);
begin
do_it;
end;
end.
(credit to freter)
Cheers,
Raymond.
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
StdCtrls;
type
TForm1 = class(TForm)
Button1: TButton;
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
const SECURITY_NULL_SID_AUTHORIT
SECURITY_WORLD_SID_AUTHORI
SECURITY_LOCAL_SID_AUTHORI
SECURITY_CREATOR_SID_AUTHO
SECURITY_NT_AUTHORITY = 5;
SECURITY_INTERACTIVE_RID = $00000004;
SECURITY_BUILTIN_DOMAIN_RI
DOMAIN_ALIAS_RID_ADMINS = $00000220;
ACL_REVISION = 2;
SECURITY_DESCRIPTOR_REVISI
type
PACE_Header = ^TACE_Header;
TACE_Header = record
AceType: BYTE;
AceFlags: BYTE;
AceSize: WORD;
end;
PAccess_Allowed_ACE = ^TAccess_Allowed_ACE;
TAccess_Allowed_ACE = record
Header: TACE_Header;
Mask: ACCESS_MASK;
SidStart: DWORD;
end;
implementation
{$R *.DFM}
function do_it: boolean;
var sia: TSIDIdentifierAuthority;
pInteractiveSid, pAdministratorsSid: PSID;
sd: Windows.TSecurityDescripto
pDacl: PACL;
dwAclSize: DWORD;
aHKey: HKEY;
lRetCode: longint;
bSuccess: boolean;
begin
sia.Value[0] := 0;
sia.Value[1] := 0;
sia.Value[2] := 0;
sia.Value[3] := 0;
sia.Value[4] := 0;
sia.Value[5] := SECURITY_NT_AUTHORITY;
pInteractiveSid := nil;
pAdministratorsSid := nil;
pDacl := nil;
bSuccess := false; // assume this function fails
//
// open the key for WRITE_DAC access
//
lRetCode := RegOpenKeyEx(
HKEY_CURRENT_USER,
'SOFTWARE\Test',
0,
WRITE_DAC,
aHKey
);
if(lRetCode <> ERROR_SUCCESS) then begin
ShowMessage('Error in RegOpenKeyEx');
result := false;
end;
//
// prepare a Sid representing any Interactively logged-on user
//
if( not AllocateAndInitializeSid(
sia,
1,
SECURITY_INTERACTIVE_RID,
0, 0, 0, 0, 0, 0, 0,
pInteractiveSid
)) then begin
ShowMessage('Error in: AllocateAndInitializeSid')
//goto cleanup;
end;
//
// prepare a Sid representing the well-known admin group
//
if(not AllocateAndInitializeSid(
sia,
2,
SECURITY_BUILTIN_DOMAIN_RI
DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
pAdministratorsSid
)) then begin
ShowMessage('Error in: AllocateAndInitializeSid')
// goto cleanup;
end;
//
// compute size of new acl
//
dwAclSize := sizeof(TACL) +
2 * ( sizeof(TAccess_Allowed_ACE
GetLengthSid(pInteractiveS
GetLengthSid(pAdministrato
//
// allocate storage for Acl
//
pDacl := PACL(HeapAlloc(GetProcessH
//if(pDacl == nil) goto cleanup;
if( not InitializeAcl(pDacl^, dwAclSize, ACL_REVISION)) then begin
ShowMessage('Error in: InitializeAcl');
//goto cleanup;
end;
//
// grant the Interactive Sid KEY_READ access to the perf key
//
if(not AddAccessAllowedAce(
pDacl^,
ACL_REVISION,
KEY_READ,
pInteractiveSid
)) then begin
ShowMessage('Error in: AddAccessAllowedAce');
//goto cleanup;
end;
//
// grant the Administrators Sid KEY_ALL_ACCESS access to the perf key
//
if(not AddAccessAllowedAce(
pDacl^,
ACL_REVISION,
KEY_ALL_ACCESS,
pAdministratorsSid
)) then begin
ShowMessage('Error in: AddAccessAllowedAce');
//goto cleanup;
end;
if(not InitializeSecurityDescript
ShowMessage('Error in: InitializeSecurityDescript
//goto cleanup;
end;
if(not SetSecurityDescriptorDacl(
ShowMessage('Error in: SetSecurityDescriptorDacl'
//goto cleanup;
end;
//
// apply the security descriptor to the registry key
//
lRetCode := RegSetKeySecurity(
aHKey,
SECURITY_INFORMATION(DACL_
@sd
);
if(lRetCode <> ERROR_SUCCESS) then begin
ShowMessage('Error in: RegSetKeySecurity');
//goto cleanup;
end;
bSuccess := TRUE; // indicate success
end;
procedure TForm1.Button1Click(Sender
begin
do_it;
end;
end.
(credit to freter)
Cheers,
Raymond.
listen
hi all,
one thing i'd like to add:
it is NOT TRUE (= false), that policies can prevent access to the registry. there is a policy that reads "disable registry editing tools", but this setting is only read by regedit.exe and regedt32.exe! if you write your own tool to write to the registry, you can have FULL access to the registry even if this policy is active!!!
so, the only possibility to prevent applications from writing to the registry is writing a driver, just as madshi stated, or to set the security acls using regedt32 or the code that raymond posted. both options will only work on windows nt. if you choose option #1, you can decide which applications gain write access, whereas option #2 will give you the ability to decide which users will be able to write / read the registry. i recommend using option #2 (it's easier :-) )
just my $0.02
</freter>
one thing i'd like to add:
it is NOT TRUE (= false), that policies can prevent access to the registry. there is a policy that reads "disable registry editing tools", but this setting is only read by regedit.exe and regedt32.exe! if you write your own tool to write to the registry, you can have FULL access to the registry even if this policy is active!!!
so, the only possibility to prevent applications from writing to the registry is writing a driver, just as madshi stated, or to set the security acls using regedt32 or the code that raymond posted. both options will only work on windows nt. if you choose option #1, you can decide which applications gain write access, whereas option #2 will give you the ability to decide which users will be able to write / read the registry. i recommend using option #2 (it's easier :-) )
just my $0.02
</freter>
Hi freter... :-)
You're right, except one thing: Writing a driver that takes care of the registry accesses is also possible for win9x... :-)
Regards, Madshi.
You're right, except one thing: Writing a driver that takes care of the registry accesses is also possible for win9x... :-)
Regards, Madshi.
yep. but writing drivers is no fun.
</freter>
</freter>
Yep, mainly because we can't do it in Delphi... :-) :-(
Cheers,
Raymond.