  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 332
  • Last Modified:

[Q] Registry Access rights...

Hi,

I want to know how to change registry access rights in Windows XP.

I created some keys in HKEY_LOCAL_MACHINE while my account was an administrator.

Then I changed to an account which is not an administrator.

So I can't modify some values in HKEY_LOCAL_MACHINE,

because I don't have access rights in HKEY_LOCAL_MACHINE.

If I want access, I have to run REGEDIT,

and then I add the write access right.

However, I don't want to use REGEDIT.

I want to change the access rights programmatically.

How can I do that?

0
Asked by: jaeb
2 Solutions
 
jhance Commented:
REGEDIT has no capability to change the settings of registry security, so even if you wanted to use it to do that you could not.  REGEDT32.EXE is needed to change security.

To do it programmatically, you use the RegSetKeySecurity() function.

0
 
jaeb (Author) Commented:
I can change security using REGEDIT in Windows XP.

What I want to know is how to do it programmatically...

I already tried to test using RegSetKeySecurity().

But this doesn't work...

Below is my code.
-------------------
     HKEY hKey;
     SECURITY_DESCRIPTOR SecurityDescriptor;

     if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\DnM Technology\\SV",0,WRITE_DAC ,&hKey) != ERROR_SUCCESS)
          ::MessageBox(NULL, "Error1", "as", MB_OK);
     if(RegSetKeySecurity(hKey,DACL_SECURITY_INFORMATION, &SecurityDescriptor) != ERROR_SUCCESS)
          ::MessageBox(NULL, "Error2", "as", MB_OK);
     RegCloseKey(hKey);    
-------------------------

I saw Error2 messagebox...

How can I use RegSetKeySecurity()?

0
 
jkr Commented:
Well, use the following code:

   #include <windows.h>
   #include <stdio.h>

   #define SD_SIZE (65536 + SECURITY_DESCRIPTOR_MIN_LENGTH)

   BOOL AddAccessRights(HKEY hKey, PSID pSID,      DWORD dwAcessMask)
   {

      //  SD variables.

      UCHAR          ucSDbuf[SD_SIZE];
      PSECURITY_DESCRIPTOR pSD=(PSECURITY_DESCRIPTOR)ucSDbuf;
      DWORD          dwSDLengthNeeded      =      SD_SIZE;

      // ACL variables.

      PACL           pACL;
      BOOL           bDaclPresent;
      BOOL           bDaclDefaulted;
      ACL_SIZE_INFORMATION AclInfo;

      // New ACL variables.

      PACL           pNewACL;
      DWORD          dwNewACLSize;

      // New SD variables.

      UCHAR                NewSD[SECURITY_DESCRIPTOR_MIN_LENGTH];
      PSECURITY_DESCRIPTOR psdNewSD=(PSECURITY_DESCRIPTOR)NewSD;

      // Temporary ACE.

      PVOID          pTempAce;
      UINT           CurrentAceIndex;

      // STEP 2: Get SID (parameter).

      // STEP 3: Get security descriptor (SD) for key.

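      // RegGetKeySecurity returns the error code itself; it does not set GetLastError().
      // hKey must have been opened with READ_CONTROL access for this call to succeed.

      LONG lGetRet = RegGetKeySecurity(hKey,
                    (SECURITY_INFORMATION)(DACL_SECURITY_INFORMATION),
                    pSD,
                    &dwSDLengthNeeded);

      if(ERROR_SUCCESS!=lGetRet)
      {
         printf("Error %ld:RegGetKeySecurity\n",lGetRet);
         return(FALSE);
      }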

      // STEP 4: Initialize new SD.

      if(!InitializeSecurityDescriptor
         (psdNewSD,SECURITY_DESCRIPTOR_REVISION))
      {
         printf("Error %d:InitializeSecurityDescriptor\n",GetLastError());
         return(FALSE);
      }

      // STEP 5: Get DACL from SD.

      if (!GetSecurityDescriptorDacl(pSD,
                       &bDaclPresent,
                       &pACL,
                       &bDaclDefaulted))
      {
         printf("Error %d:GetSecurityDescriptorDacl\n",GetLastError());
         return(FALSE);
      }

      // STEP 6: Get key ACL size information.

      if(!GetAclInformation(pACL,&AclInfo,sizeof(ACL_SIZE_INFORMATION),
         AclSizeInformation))
      {
         printf("Error %d:GetAclInformation\n",GetLastError());
         return(FALSE);
      }

      // STEP 7: Compute size needed for the new ACL.

      dwNewACLSize = AclInfo.AclBytesInUse +
                     sizeof(ACCESS_ALLOWED_ACE) +
                     GetLengthSid(pSID) - sizeof(DWORD);

      // STEP 8: Allocate memory for new ACL.

      pNewACL = (PACL)LocalAlloc(LPTR, dwNewACLSize);

      if(pNewACL == NULL)
      {
         printf("Error %d:LocalAlloc\n",GetLastError());
         return(FALSE);
      }

      // STEP 9: Initialize the new ACL.

      if(!InitializeAcl(pNewACL, dwNewACLSize, ACL_REVISION2))
      {
         printf("Error %d:InitializeAcl\n",GetLastError());
         LocalFree((HLOCAL) pNewACL);
         return(FALSE);
      }

      // STEP 10: If DACL is present, copy it to a new DACL.

      if(bDaclPresent)  // Only copy if DACL was present.
      {
         // STEP 11: Copy the file's ACEs to our new ACL.

         if(AclInfo.AceCount)
         {

                  for(CurrentAceIndex = 0; CurrentAceIndex < AclInfo.AceCount;
               CurrentAceIndex++)
            {
               // STEP 12: Get an ACE.

               if(!GetAce(pACL,CurrentAceIndex,&pTempAce))
               {
                 printf("Error %d: GetAce\n",GetLastError());
                 LocalFree((HLOCAL) pNewACL);
                 return(FALSE);
               }

                // STEP 13: Add the ACE to the new ACL.

               if(!AddAce(pNewACL, ACL_REVISION, MAXDWORD, pTempAce,
                  ((PACE_HEADER)pTempAce)->AceSize))
               {
                  printf("Error %d:AddAce\n",GetLastError());
                  LocalFree((HLOCAL) pNewACL);
                  return(FALSE);
               }

             }
         }
      }

      // STEP 14: Add the access-allowed ACE to the new DACL.

//      if(!AddAccessAllowedAce(pNewACL,ACL_REVISION2,dwAcessMask, pSID))
      if(!AddAccessAllowedAce(pNewACL,ACL_REVISION,dwAcessMask, pSID))
      {
         printf("Error %d:AddAccessAllowedAce",GetLastError());
         LocalFree((HLOCAL) pNewACL);
         return(FALSE);
      }

      // STEP 15: Set our new DACL to the file SD.

      if (!SetSecurityDescriptorDacl(psdNewSD,
                        TRUE,
                        pNewACL,
                        FALSE))
      {
         printf("Error %d:SetSecurityDescriptorDacl",GetLastError());
         LocalFree((HLOCAL) pNewACL);
         return(FALSE);
      }

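      // STEP 16: Set the SD on the key (hKey must have been opened with WRITE_DAC).
      // RegSetKeySecurity returns the error code itself; it does not set GetLastError().

      {
         LONG lSetRet = RegSetKeySecurity(hKey, DACL_SECURITY_INFORMATION,psdNewSD);

         if (ERROR_SUCCESS!=lSetRet)
         {
            printf("Error %ld:RegSetKeySecurity\n",lSetRet);
            LocalFree((HLOCAL) pNewACL);
            return(FALSE);
         }
      }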

      // STEP 17: Free the memory allocated for the new ACL.

      LocalFree((HLOCAL) pNewACL);
      return(TRUE);
   }

and call it like

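    PSID                        psidWorldSid;
    SID_IDENTIFIER_AUTHORITY    siaWorldSidAuthority    =   SECURITY_WORLD_SID_AUTHORITY;

    // Build the well-known "Everyone" (World) SID.
    psidWorldSid    =   ( PSID) LocalAlloc  (   LPTR,
                                                GetSidLengthRequired    (   1)
                                            );

    InitializeSid   (   psidWorldSid,   &siaWorldSidAuthority,  1);

    *(  GetSidSubAuthority  (   psidWorldSid,   0)) =   SECURITY_WORLD_RID;

    // hRegKey must have been opened with READ_CONTROL | WRITE_DAC.
    // The third parameter is an access mask (DWORD), not a pointer to a
    // security descriptor. KEY_READ | KEY_SET_VALUE is an assumed mask that
    // lets the SID read the key and write values; adjust it to what is needed.
    AddAccessRights ( hRegKey, psidWorldSid, KEY_READ | KEY_SET_VALUE);

    LocalFree   (   (HLOCAL) psidWorldSid);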
0
 
jaeb (Author) Commented:
jkr, does the above code work well in Windows XP?

I tested your code, but it doesn't work...

An administrator account executes the code,

and then I switch user to a limited user account.

Then I modified the registry value,

but an error message appears;

the message says I can't change the registry value...

I'm using Windows XP Professional, VC++ 6.0.
0
 
jkr Commented:
Don't know about XP, but it should work on W2k/NT...
0
 
jhance Commented:
In this case, Win2000 == WinXP == WinNT.  They all share the same thing w.r.t. registry security.

I think your problem is that you are missing the point that in order to CHANGE SECURITY you must be AUTHORIZED to change it, regardless of whether or not it is from REGEDT32 or from a program.

If your user account lacks rights on a registry object to change that object's security, no amount of trying or programming will change that.

Either give your user account the privilege it needs or change the security on the object (from a privileged account) to permit your user account to modify the object's security.
0
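
Added example, not part of the original thread and not any participant's code: on current Windows versions the change described above (a privileged account editing the key's DACL so a limited account can write values) can be made from an elevated PowerShell session with Get-Acl/Set-Acl, granting one named account only the rights it needs on one key. The key path is the one from the question's code; the local account name `jaeb` and the chosen rights are assumptions.

```powershell
# Run from an elevated (administrator) session: writing a DACL requires
# WRITE_DAC on the key, which a limited account does not have.
$keyPath = 'HKLM:\SOFTWARE\DnM Technology\SV'   # key from the question's code
$account = "$env:COMPUTERNAME\jaeb"             # assumed: local limited account from the thread

# Least privilege: read the key and set values only.
# No Delete, ChangePermissions or TakeOwnership, and no ACE for Everyone.
$rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue'

$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $account,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # subkeys inherit the ACE
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Read the current security descriptor, add the ACE, write it back.
$acl = Get-Acl -Path $keyPath
$acl.AddAccessRule($rule)      # keeps the existing ACEs and merges the new rule
Set-Acl -Path $keyPath -AclObject $acl

# Verify what the account now holds on the key, and whether it is explicit or inherited.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -eq $account } |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited
```

Running the same script from the limited account fails at `Set-Acl` with an access-denied error, which is the authorization requirement jhance describes.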
 
jaeb (Author) Commented:
I use 2 accounts.

One is miru.

The other is jaeb.

miru and administrator have the same privileges...

jaeb is a limited user.

I want to change registry values using the two accounts.

First, using miru, everything is OK.

However, using jaeb, I can't change registry values...

So I log on as miru, then I execute the above program.

Then I switch user from miru to jaeb.

Now my account is jaeb.

If jaeb tries to change the registry, an error message appears.

If I use REGEDT32 or REGEDIT to change access permissions,

miru and jaeb can change registry values.

But using my program (it is the executable of the above code),

jaeb can't change them...

In my opinion, miru is a sufficiently privileged account.

So miru may change access rights on the registry...

0
 
jaeb (Author) Commented:
If I execute REGEDT32 after executing my program,

jaeb can change the registry value.

But if I don't execute REGEDT32,

jaeb can't change the value...

I don't want to execute REGEDT32.

How can I do that?
0
 
jkr Commented:
I use the above snippet to adjust the registry rights on NT/W2k during an InstallShield setup, and it works for me...
0
 
jaeb (Author) Commented:
Can I adjust registry rights in InstallShield?

How can I?

If it is possible, every problem will be solved.

0
 
jkr Commented:
This Q is answered
0
