Solved

Problem Enabling Privilege For Call to RegSaveKey()

Posted on 2004-10-08
6
1,124 Views
Last Modified: 2008-01-09
One of the utility programs I am writing modifies a few registry entries, and to be able to roll back, I need to back up the effected (or is that affected - always hated trying to make that distinction) keys. I have been digging through MSDN, and found a few good samples, but no matter how I tweak the code, my call to RegSaveKey () returns a 1314, which is "A required privilege is not held by the client".

I'll post the relevant code, and if anyone can spot where I went wrong, I would REALLY appreciate the help as I have another long weekend ahead.

Thanks so much,
Jeff

BOOL      SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
      TOKEN_PRIVILEGES tp;
      LUID luid;
      HANDLE hToken;

      OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
      if ( !LookupPrivilegeValue(NULL, lpszPrivilege, &luid) )    
            return FALSE;
      
      tp.PrivilegeCount = 1;
      tp.Privileges[0].Luid = luid;
      
      if (bEnablePrivilege)
            tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
      else
          tp.Privileges[0].Attributes = 0;

      AdjustTokenPrivileges(hToken,
                                    FALSE,
                                    &tp,
                                    sizeof (TOKEN_PRIVILEGES),
                                    (PTOKEN_PRIVILEGES) NULL,
                                    (PDWORD) NULL);

      return ( (GetLastError()!=ERROR_SUCCESS)?FALSE:TRUE);
}




bool      SaveRegKey (HKEY &hKey, char lpszFilename[PROFILEBUF])
{
      long            lResult;

      SetPrivilege(SE_BACKUP_NAME,TRUE);
      if (IsFileExist(lpszFilename))
      {
            if (DeleteFile(lpszFilename))
                  lResult = RegSaveKey (hKey, lpszFilename, NULL);
      }
      else
            lResult = RegSaveKey (hKey, lpszFilename, NULL);


      SetPrivilege(SE_BACKUP_NAME,FALSE);
      return ( (GetLastError()!=ERROR_SUCCESS)?FALSE:TRUE);
}
0
Comment
Question by:jpetter
  • 3
  • 3
6 Comments
 
LVL 86

Accepted Solution

by:
jkr earned 500 total points
ID: 12262121
>>"A required privilege is not held by the client".

A privilege that is not *held* cannot be *enabled*. You need to grant the SE_BACKUP_NAME privilege to the account you want to use that code with.  If you want to be able do do that by code, you need to use 'LsaAddAccountRights()'. See http://win32.mvps.org/lsa/lsa_laar.cpp for a sample. But, keep in mind that logging off and back on is needed in order for the change to take effect.
0
 
LVL 86

Expert Comment

by:jkr
ID: 12262245
Oh, BTW, SE_BACKUP_NAME is actually called 'SeBackupPrivilege' and the textual description is "Back up files and directories". You will automatically grant that privilege to any account that is added to the 'Backup Operators' group. NOTE that Administrators aren't members of that group by default.
0
 

Author Comment

by:jpetter
ID: 12262903
jkr,

Awesome! Let me check that out. I have already written a service that will launch this program using CreateProcess(), so I will already have the security context taken care of. Now if I read your comment correctly, I'll just have to read and figure out to implement granting the privilege to the account.

I'll let you know.

Thanks,
Jeff
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:jpetter
ID: 12263406
jkr,

This may be a stupid question, but it's getting late.

I've been testing and debugging these processes in an standard application executable. In the end, this will be executing in the security context of the LSA as it will be launched from a service. That brings two questions to my mind.
1). Should I test this with the service, as the LSA should have the privilege?
2). Since it would be running under the LSA, could I enable it, as I thought the LSA had complete access to anything local to the machine.

Thanks,
Jeff
0
 
LVL 86

Expert Comment

by:jkr
ID: 12264636
You need to apply the privilege to the account your service is running under. If it is LocalSystem by now, you will have to change that to an account you can safely assign this privilege to. You might havr to create a new one.
0
 

Author Comment

by:jpetter
ID: 12270080
jkr,

Thanks again,
Jeff
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Go is an acronym of golang, is a programming language developed Google in 2007. Go is a new language that is mostly in the C family, with significant input from Pascal/Modula/Oberon family. Hence Go arisen as low-level language with fast compilation…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
The goal of the tutorial is to teach the user how to use functions in C++. The video will cover how to define functions, how to call functions and how to create functions prototypes. Microsoft Visual C++ 2010 Express will be used as a text editor an…
The goal of the video will be to teach the user the difference and consequence of passing data by value vs passing data by reference in C++. An example of passing data by value as well as an example of passing data by reference will be be given. Bot…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now