Solved

[Q] Registry Access rights...

Posted on 2002-04-18
Last Modified: 2013-12-03
Hi..

I want to know how to change registry access rights in Windows XP...

I created some keys in HKEY_LOCAL_MACHINE while logged in with an administrator account.

Then I switch to an account that is not an administrator..

With that account I can't modify some values in HKEY_LOCAL_MACHINE,

because it doesn't have access rights in HKEY_LOCAL_MACHINE..

To get access, I have to run REGEDIT,

and then add the write access right..

However I don't want to use REGEDIT...

I want to change the access rights programmatically..

How can I do???

Question by:jaeb
 
LVL 32

Accepted Solution

by:
jhance earned 100 total points
REGEDIT has no capability to change the settings of registry security, so even if you wanted to use it to do that you could not.  REGEDT32.EXE is needed to change security.

To do it programmatically, you use the RegSetKeySecurity() function.

 

Author Comment

by:jaeb
I can change the security settings using REGEDIT in Windows XP.

What I want to know is how to do programmatically...

I already tried to test using RegSetKeySecurity().

But this doesn't work...

Below is my code.
-------------------
     // Asker's test snippet: open the key with WRITE_DAC and try to set its DACL.
     HKEY hKey;
     // Declared but never initialized and never given a DACL before it is
     // passed to RegSetKeySecurity below.
     // NOTE(review): that is the likely reason the second call fails ("Error2") - confirm.
     SECURITY_DESCRIPTOR SecurityDescriptor;

     // A failure here only shows a message box; execution continues, so the
     // two calls below still use hKey even when the open did not succeed.
     if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\DnM Technology\\SV",0,WRITE_DAC ,&hKey) != ERROR_SUCCESS)
          ::MessageBox(NULL, "Error1", "as", MB_OK);
     // Asks to replace the key's DACL with whatever SecurityDescriptor holds.
     if(RegSetKeySecurity(hKey,DACL_SECURITY_INFORMATION, &SecurityDescriptor) != ERROR_SUCCESS)
          ::MessageBox(NULL, "Error2", "as", MB_OK);
     RegCloseKey(hKey);    
-------------------------

I saw Error2 messagebox...

How can I use RegSetKeySecurity()?

 
LVL 86

Assisted Solution

by:jkr
jkr earned 100 total points
Well, use the following code:

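   #define SD_SIZE (65536 + SECURITY_DESCRIPTOR_MIN_LENGTH)

   // AddAccessRights - append an access-allowed ACE for pSID to the DACL of
   // an open registry key, keeping the ACEs that are already there.
   //
   //   hKey        Open key handle. RegGetKeySecurity needs READ_CONTROL and
   //               RegSetKeySecurity needs WRITE_DAC, so the key has to be
   //               opened with READ_CONTROL | WRITE_DAC.
   //   pSID        SID that receives the new ACE. Rejected when NULL or when
   //               IsValidSid() fails.
   //   dwAcessMask Registry access mask for the new ACE (KEY_* rights such as
   //               KEY_QUERY_VALUE | KEY_SET_VALUE). Pass the smallest mask
   //               the account needs; this is a DWORD of rights, not a pointer.
   //
   // Returns TRUE when the DACL was updated, or when the key has no DACL (in
   // which case access is not restricted and the key is left untouched).
   // Returns FALSE after printing the failing call and its error code.
   //
   // The new ACE is added with no inheritance flags, so it applies to this
   // key only and not to subkeys.
   // NOTE(review): the ACE is appended after the copied ones; if the existing
   // DACL holds inherited ACEs the result may not be in canonical order - confirm.
   BOOL AddAccessRights(HKEY hKey, PSID pSID,      DWORD dwAcessMask)
   {

      //  SD variables.

      UCHAR          ucSDbuf[SD_SIZE];
      PSECURITY_DESCRIPTOR pSD=(PSECURITY_DESCRIPTOR)ucSDbuf;
      DWORD          dwSDLengthNeeded      =      SD_SIZE;
      LONG           lStatus;

      // ACL variables.

      PACL           pACL           = NULL;
      BOOL           bDaclPresent   = FALSE;
      BOOL           bDaclDefaulted = FALSE;
      ACL_SIZE_INFORMATION AclInfo;

      // New ACL variables.

      PACL           pNewACL = NULL;
      DWORD          dwNewACLSize;

      // New SD variables.

      UCHAR                NewSD[SECURITY_DESCRIPTOR_MIN_LENGTH];
      PSECURITY_DESCRIPTOR psdNewSD=(PSECURITY_DESCRIPTOR)NewSD;

      // Temporary ACE.

      PVOID          pTempAce;
      UINT           CurrentAceIndex;

      BOOL           bResult = FALSE;

      // STEP 2: Get SID (parameter) and reject one that cannot be measured
      // safely by GetLengthSid() below.

      if(pSID == NULL || !IsValidSid(pSID))
      {
         printf("Error: invalid SID passed to AddAccessRights\n");
         return(FALSE);
      }

      // STEP 3: Get security descriptor (SD) for key.
      // The Reg* security calls return their error code directly, so report
      // that value instead of GetLastError().

      lStatus = RegGetKeySecurity(hKey,
                    (SECURITY_INFORMATION)(DACL_SECURITY_INFORMATION),
                    pSD,
                    &dwSDLengthNeeded);
      if(ERROR_SUCCESS != lStatus)
      {
         printf("Error %ld:RegGetKeySecurity\n", lStatus);
         return(FALSE);
      }

      // STEP 4: Initialize new SD.

      if(!InitializeSecurityDescriptor
         (psdNewSD,SECURITY_DESCRIPTOR_REVISION))
      {
         printf("Error %lu:InitializeSecurityDescriptor\n",GetLastError());
         return(FALSE);
      }

      // STEP 5: Get DACL from SD.

      if (!GetSecurityDescriptorDacl(pSD,
                       &bDaclPresent,
                       &pACL,
                       &bDaclDefaulted))
      {
         printf("Error %lu:GetSecurityDescriptorDacl\n",GetLastError());
         return(FALSE);
      }

      // A missing or NULL DACL means access to the key is not restricted.
      // Writing a DACL that holds only the new ACE would take access away
      // from every other account, so leave the key as it is.

      if(!bDaclPresent || pACL == NULL)
      {
         return(TRUE);
      }

      // STEP 6: Get key ACL size information.

      if(!GetAclInformation(pACL,&AclInfo,sizeof(ACL_SIZE_INFORMATION),
         AclSizeInformation))
      {
         printf("Error %lu:GetAclInformation\n",GetLastError());
         return(FALSE);
      }

      // STEP 7: Compute size needed for the new ACL.
      // ACCESS_ALLOWED_ACE already contains the first DWORD of the SID
      // (SidStart), hence the subtraction.

      dwNewACLSize = AclInfo.AclBytesInUse +
                     sizeof(ACCESS_ALLOWED_ACE) +
                     GetLengthSid(pSID) - sizeof(DWORD);

      // STEP 8: Allocate memory for new ACL.

      pNewACL = (PACL)LocalAlloc(LPTR, dwNewACLSize);
      if(pNewACL == NULL)
      {
         printf("Error %lu:LocalAlloc\n",GetLastError());
         return(FALSE);
      }

      // STEP 9: Initialize the new ACL.

      if(!InitializeAcl(pNewACL, dwNewACLSize, ACL_REVISION2))
      {
         printf("Error %lu:InitializeAcl\n",GetLastError());
         goto cleanup;
      }

      // STEPS 10-13: Copy the key's existing ACEs to the new ACL.

      for(CurrentAceIndex = 0; CurrentAceIndex < AclInfo.AceCount;
          CurrentAceIndex++)
      {
         // STEP 12: Get an ACE.

         if(!GetAce(pACL,CurrentAceIndex,&pTempAce))
         {
            printf("Error %lu: GetAce\n",GetLastError());
            goto cleanup;
         }

         // STEP 13: Add the ACE to the end of the new ACL (MAXDWORD).

         if(!AddAce(pNewACL, ACL_REVISION, MAXDWORD, pTempAce,
            ((PACE_HEADER)pTempAce)->AceSize))
         {
            printf("Error %lu:AddAce\n",GetLastError());
            goto cleanup;
         }
      }

      // STEP 14: Add the access-allowed ACE to the new DACL.

      if(!AddAccessAllowedAce(pNewACL,ACL_REVISION,dwAcessMask, pSID))
      {
         printf("Error %lu:AddAccessAllowedAce\n",GetLastError());
         goto cleanup;
      }

      // STEP 15: Set our new DACL to the new SD.

      if (!SetSecurityDescriptorDacl(psdNewSD,
                        TRUE,
                        pNewACL,
                        FALSE))
      {
         printf("Error %lu:SetSecurityDescriptorDacl\n",GetLastError());
         goto cleanup;
      }

      // STEP 16: Set the SD on the key.

      lStatus = RegSetKeySecurity(hKey, DACL_SECURITY_INFORMATION, psdNewSD);
      if (ERROR_SUCCESS != lStatus)
      {
         printf("Error %ld:RegSetKeySecurity\n", lStatus);
         goto cleanup;
      }

      bResult = TRUE;

   cleanup:

      // STEP 17: Free the memory allocated for the new ACL.

      LocalFree((HLOCAL) pNewACL);
      return(bResult);
   }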

and call it like

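    // Builds the well-known World ("Everyone") SID and grants it value
    // read/write access on hRegKey.
    //
    // hRegKey must already be open with READ_CONTROL | WRITE_DAC, and the
    // calling account must be allowed to change the key's DACL.
    //
    // Review caveat: an ACE for Everyone lets every account on the machine
    // change the values under this HKEY_LOCAL_MACHINE key. Anything that
    // later reads those values with more privilege has to treat them as
    // untrusted input. Where possible pass the SID of the specific user or
    // group that needs access instead of the World SID.
    PSID                        psidWorldSid;
    SID_IDENTIFIER_AUTHORITY    siaWorldSidAuthority    =   SECURITY_WORLD_SID_AUTHORITY;

    psidWorldSid    =   ( PSID) LocalAlloc  (   LPTR,
                                                GetSidLengthRequired    (   1)
                                            );

    if  (   psidWorldSid    !=  NULL)
    {
        if  (   InitializeSid   (   psidWorldSid,   &siaWorldSidAuthority,  1))
        {
            *(  GetSidSubAuthority  (   psidWorldSid,   0)) =   SECURITY_WORLD_RID;

            // The third argument is the access mask (a DWORD of KEY_* rights),
            // not a security descriptor. KEY_QUERY_VALUE | KEY_SET_VALUE is
            // enough to read and change values; KEY_WRITE or KEY_ALL_ACCESS
            // would also allow creating subkeys or more.
            AddAccessRights ( hRegKey, psidWorldSid, KEY_QUERY_VALUE | KEY_SET_VALUE);
        }

        // The ACE holds its own copy of the SID, so the buffer can be freed.
        LocalFree   (   (HLOCAL) psidWorldSid);
    }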
 

Author Comment

by:jaeb
jkr, Do above code work well in Windows XP????

I tested your code, but it doesn't work...

Administrator account executes the code,

and then I switch user to limited user account.

And I modified the registry value,

But a error message appears,

the message is I can't change registry value...

I'm using Windows XP professional, VC++ 6.0.
 
LVL 86

Expert Comment

by:jkr
Don't know about XP, but it should work on W2k/NT...
 
LVL 32

Expert Comment

by:jhance
In this case, Win2000 == WinXP == WinNT.  They all share the same thing w.r.t. registry security.

I think your problem is that you are missing the point that in order to CHANGE SECURITY you must be AUTHORIZED to change it, regardless of whether or not it is from REGEDT32 or from a program.

If your user account lacks rights on a registry object to change that object's security, no amount of trying or programming will change that.

Either give your user account the privilege it needs or change the security on the object (from a privileged account) to permit your user account to modify the object's security.
 

Author Comment

by:jaeb
I use 2 accounts.

One is miru.

Two is jaeb.

miru and administrator have the same privileges...

jaeb is a limited user.

I want to change registry value using two accounts..

firstly using miru, everything is OK.

However using jaeb, I can't change registry value...

so I log on miru then I execute above execute program.

and I switch user from miru to jaeb.

Now My account is jaeb.

If jaeb try to change registry, a error message appears.

If I use REGEDT32 or REGEDIT to change access permission,

miru and jaeb can change registry values..

But using my program (the executable built from the above code),

jaeb can't change...

In my opinion, miru is enough privileged account.

So miru may change access rights about registry...

 

Author Comment

by:jaeb
If I execute REGEDT32 after executing my program,

jaeb can change registry value..

But If I don't execute REGEDT32,

jaeb can't change value....

I don't want to execute REGEDT32.

How can I do that?
 
LVL 86

Expert Comment

by:jkr
I use the above snippet to adjust the registry rights on NT/W2k during an InstallShield setup, and it works for me...
 

Author Comment

by:jaeb
Can I adjust registry right in InstallShield???

How Can I??

If it is possible, every problem will be solved..

 
LVL 86

Expert Comment

by:jkr
This Q is answered