Solved

[Q] Registry Access rights...

Posted on 2002-04-18
14
325 Views
Last Modified: 2013-12-03
Hi..

I want to know how to change registry access rights in Windows XP...

I create some keys in HKEY_LOCAL_MACHINES, my account is administrator.

I Change my account which is not administrator..

So I can't modify some values in HKEY_LOCAL_MACHINES,

because I don't have access rights in HKEY_LOCAL_MACHINES..

If I want to access, I have to run REGEDIT,

and then I append writing access right..

However I don't want to use REGEDIT...

I change access right programmably..

How can I do???

0
Comment
Question by:jaeb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 2
14 Comments
 
LVL 32

Accepted Solution

by:
jhance earned 100 total points
ID: 6950126
REGEDIT has no capability to change the settings of registry security, so even if you wanted to use to do that you could not.  REGEDT32.EXE is needed to change security.

To do it programmatically, you use the RegSetKeySecurity() function.

0
 

Author Comment

by:jaeb
ID: 6950202
I can change security change using REGEDIT in windows XP.

What I want to know is how to do programmatically...

I already tried to test using RegSetKeySecurity().

But This don't work...

A below is my code.
-------------------
     HKEY hKey;
     SECURITY_DESCRIPTOR SecurityDescriptor;

     if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\DnM Technology\\SV",0,WRITE_DAC ,&hKey) != ERROR_SUCCESS)
          ::MessageBox(NULL, "Error1", "as", MB_OK);
     if(RegSetKeySecurity(hKey,DACL_SECURITY_INFORMATION, &SecurityDescriptor) != ERROR_SUCCESS)
          ::MessageBox(NULL, "Error2", "as", MB_OK);
     RegCloseKey(hKey);    
-------------------------

I saw Error2 messagebox...

How can I use RegSetKeySecurity()?

0
 
LVL 86

Assisted Solution

by:jkr
jkr earned 100 total points
ID: 6950341
Well, use the following code:

   #define SD_SIZE (65536 + SECURITY_DESCRIPTOR_MIN_LENGTH)

   BOOL AddAccessRights(HKEY hKey, PSID pSID,      DWORD dwAcessMask)
   {

      //  SD variables.

      UCHAR          ucSDbuf[SD_SIZE];
      PSECURITY_DESCRIPTOR pSD=(PSECURITY_DESCRIPTOR)ucSDbuf;
      DWORD          dwSDLengthNeeded      =      SD_SIZE;

      // ACL variables.

      PACL           pACL;
      BOOL           bDaclPresent;
      BOOL           bDaclDefaulted;
      ACL_SIZE_INFORMATION AclInfo;

      // New ACL variables.

      PACL           pNewACL;
      DWORD          dwNewACLSize;

      // New SD variables.

      UCHAR                NewSD[SECURITY_DESCRIPTOR_MIN_LENGTH];
      PSECURITY_DESCRIPTOR psdNewSD=(PSECURITY_DESCRIPTOR)NewSD;

      // Temporary ACE.

      PVOID          pTempAce;
      UINT           CurrentAceIndex;

      // STEP 2: Get SID (parameter).

      // STEP 3: Get security descriptor (SD) for key.

      if(ERROR_SUCCESS!=RegGetKeySecurity(hKey,
                    (SECURITY_INFORMATION)(DACL_SECURITY_INFORMATION),
                    pSD,
                    &dwSDLengthNeeded))
      {
         printf("Error %d:RegGetKeySecurity\n",GetLastError());
         return(FALSE);
      }

      // STEP 4: Initialize new SD.

      if(!InitializeSecurityDescriptor
         (psdNewSD,SECURITY_DESCRIPTOR_REVISION))
      {
         printf("Error %d:InitializeSecurityDescriptor\n",GetLastError());
         return(FALSE);
      }

      // STEP 5: Get DACL from SD.

      if (!GetSecurityDescriptorDacl(pSD,
                       &bDaclPresent,
                       &pACL,
                       &bDaclDefaulted))
      {
         printf("Error %d:GetSecurityDescriptorDacl\n",GetLastError());
         return(FALSE);
      }

      // STEP 6: Get key ACL size information.

      if(!GetAclInformation(pACL,&AclInfo,sizeof(ACL_SIZE_INFORMATION),
         AclSizeInformation))
      {
         printf("Error %d:GetAclInformation\n",GetLastError());
         return(FALSE);
      }

      // STEP 7: Compute size needed for the new ACL.

      dwNewACLSize = AclInfo.AclBytesInUse +
                     sizeof(ACCESS_ALLOWED_ACE) +
                     GetLengthSid(pSID) - sizeof(DWORD);

      // STEP 8: Allocate memory for new ACL.

      pNewACL = (PACL)LocalAlloc(LPTR, dwNewACLSize);

      // STEP 9: Initialize the new ACL.

      if(!InitializeAcl(pNewACL, dwNewACLSize, ACL_REVISION2))
      {
         printf("Error %d:InitializeAcl\n",GetLastError());
         LocalFree((HLOCAL) pNewACL);
         return(FALSE);
      }

      // STEP 10: If DACL is present, copy it to a new DACL.

      if(bDaclPresent)  // Only copy if DACL was present.
      {
         // STEP 11: Copy the file's ACEs to our new ACL.

         if(AclInfo.AceCount)
         {

                  for(CurrentAceIndex = 0; CurrentAceIndex < AclInfo.AceCount;
               CurrentAceIndex++)
            {
               // STEP 12: Get an ACE.

               if(!GetAce(pACL,CurrentAceIndex,&pTempAce))
               {
                 printf("Error %d: GetAce\n",GetLastError());
                 LocalFree((HLOCAL) pNewACL);
                 return(FALSE);
               }

                // STEP 13: Add the ACE to the new ACL.

               if(!AddAce(pNewACL, ACL_REVISION, MAXDWORD, pTempAce,
                  ((PACE_HEADER)pTempAce)->AceSize))
               {
                  printf("Error %d:AddAce\n",GetLastError());
                  LocalFree((HLOCAL) pNewACL);
                  return(FALSE);
               }

             }
         }
      }

      // STEP 14: Add the access-allowed ACE to the new DACL.

//      if(!AddAccessAllowedAce(pNewACL,ACL_REVISION2,dwAcessMask, pSID))
      if(!AddAccessAllowedAce(pNewACL,ACL_REVISION,dwAcessMask, pSID))
      {
         printf("Error %d:AddAccessAllowedAce",GetLastError());
         LocalFree((HLOCAL) pNewACL);
         return(FALSE);
      }

      // STEP 15: Set our new DACL to the file SD.

      if (!SetSecurityDescriptorDacl(psdNewSD,
                        TRUE,
                        pNewACL,
                        FALSE))
      {
         printf("Error %d:SetSecurityDescriptorDacl",GetLastError());
         LocalFree((HLOCAL) pNewACL);
         return(FALSE);
      }

      // STEP 16: Set the SD to the File.

      if (ERROR_SUCCESS!=RegSetKeySecurity(hKey, DACL_SECURITY_INFORMATION,psdNewSD))
      {
         printf("Error %d:RegSetKeySecurity\n",GetLastError());
         LocalFree((HLOCAL) pNewACL);
         return(FALSE);
      }

      // STEP 17: Free the memory allocated for the new ACL.

      LocalFree((HLOCAL) pNewACL);
      return(TRUE);
   }

and call it like

    SECURITY_DESCRIPTOR         sd;
    PSID                        psidWorldSid;
    SID_IDENTIFIER_AUTHORITY    siaWorldSidAuthority    =   SECURITY_WORLD_SID_AUTHORITY;

    psidWorldSid    =   ( PSID) LocalAlloc  (   LPTR,
                                                GetSidLengthRequired    (   1)
                                            );

    InitializeSid   (   psidWorldSid,   &siaWorldSidAuthority,  1);

    *(  GetSidSubAuthority  (   psidWorldSid,   0)) =   SECURITY_WORLD_RID;

    AddAccessRights ( hRegKey, psidWorldSid, &sd);
0
Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

 

Author Comment

by:jaeb
ID: 6952289
jkr, Do above code work well in Windows XP????

I tested your code, but it doesn't work...

Administrator account executes the code,

and then I switch user to limited user account.

And I modified the registry value,

But a error message appears,

the message is I can't change registry value...

I'm using Windows XP professional, VC++ 6.0.
0
 
LVL 86

Expert Comment

by:jkr
ID: 6952294
Don't know about XP, but it should work on W2k/NT...
0
 
LVL 32

Expert Comment

by:jhance
ID: 6953174
In this case, Win2000 == WinXP == WinNT.  They all share the same thing w.r.t. registry security.

I think your problem is that you are missing the point that in order to CHANGE SECURITY you must be AUTHORIZED to change it, regardless of whether or not it is from REGEDT32 or from a program.

If your user account lacks rights on a registry object to change that object's security, no amount of trying or programming will change that.

Either give your user account the privilege it needs or change the security on the object (from a privileged account) to permit your user account to modify the object's security.
0
 

Author Comment

by:jaeb
ID: 6955802
I use 2 accounts.

One is miru.

Two is jaeb.

miru and administrator have same privilege...

jae is limited user.

I want to change registry value using two accounts..

firstly using miru, everything is OK.

However using jaeb, I can't change registry value...

so I log on miru then I execute above execute program.

and I switch user from miru to jaeb.

Now My account is jaeb.

If jaeb try to change registry, a error message appears.

If I use REGEDT32 or REGEDIT to change access permission,

miru and jaeb can change registry values..

But using my program(it is execute file of aboce code),

jaeb can't change...

In my opinion, miru is enough privileged account.

So miru may change access rights about registry...

0
 

Author Comment

by:jaeb
ID: 6958636
If I execute REGEDT32 after executin my program,

jaeb can change registry value..

But If I don't execute REGEDT32,

jaeb can't change value....

I don't want to execute REGEDT32.

How can I do that?
0
 
LVL 86

Expert Comment

by:jkr
ID: 6958640
I use the above snippet to adjust the registry rights on NT/W2k during an InstallShield setup, and it works for me...
0
 

Author Comment

by:jaeb
ID: 6958684
Can I adjust registry right in InstallShield???

How Can I??

If it is possible, every problem will solve..

0
 
LVL 86

Expert Comment

by:jkr
ID: 10668372
This Q is answered
0

Featured Post

Enroll in May's Course of the Month

May’s Course of the Month is now available! Experts Exchange’s Premium Members and Team Accounts have access to a complimentary course each month as part of their membership—an extra way to increase training and boost professional development.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes how to add a user-defined command button to the Windows 7 Explorer toolbar.  In the previous article (http://www.experts-exchange.com/A_2172.html), we saw how to put the Delete button back there where it belongs.  "Delete" is …
Whether you've completed a degree in computer sciences or you're a self-taught programmer, writing your first lines of code in the real world is always a challenge. Here are some of the most common pitfalls for new programmers.
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question