Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1179
  • Last Modified:

Problem Enabling Privilege For Call to RegSaveKey()

One of the utility programs I am writing modifies a few registry entries, and to be able to roll back, I need to back up the effected (or is that affected - always hated trying to make that distinction) keys. I have been digging through MSDN, and found a few good samples, but no matter how I tweak the code, my call to RegSaveKey () returns a 1314, which is "A required privilege is not held by the client".

I'll post the relevant code, and if anyone can spot where I went wrong, I would REALLY appreciate the help as I have another long weekend ahead.

Thanks so much,
Jeff

BOOL      SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
      TOKEN_PRIVILEGES tp;
      LUID luid;
      HANDLE hToken;

      OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
      if ( !LookupPrivilegeValue(NULL, lpszPrivilege, &luid) )    
            return FALSE;
      
      tp.PrivilegeCount = 1;
      tp.Privileges[0].Luid = luid;
      
      if (bEnablePrivilege)
            tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
      else
          tp.Privileges[0].Attributes = 0;

      AdjustTokenPrivileges(hToken,
                                    FALSE,
                                    &tp,
                                    sizeof (TOKEN_PRIVILEGES),
                                    (PTOKEN_PRIVILEGES) NULL,
                                    (PDWORD) NULL);

      return ( (GetLastError()!=ERROR_SUCCESS)?FALSE:TRUE);
}




bool      SaveRegKey (HKEY &hKey, char lpszFilename[PROFILEBUF])
{
      long            lResult;

      SetPrivilege(SE_BACKUP_NAME,TRUE);
      if (IsFileExist(lpszFilename))
      {
            if (DeleteFile(lpszFilename))
                  lResult = RegSaveKey (hKey, lpszFilename, NULL);
      }
      else
            lResult = RegSaveKey (hKey, lpszFilename, NULL);


      SetPrivilege(SE_BACKUP_NAME,FALSE);
      return ( (GetLastError()!=ERROR_SUCCESS)?FALSE:TRUE);
}
0
jpetter
Asked:
jpetter
  • 3
  • 3
1 Solution
 
jkrCommented:
>>"A required privilege is not held by the client".

A privilege that is not *held* cannot be *enabled*. You need to grant the SE_BACKUP_NAME privilege to the account you want to use that code with.  If you want to be able do do that by code, you need to use 'LsaAddAccountRights()'. See http://win32.mvps.org/lsa/lsa_laar.cpp for a sample. But, keep in mind that logging off and back on is needed in order for the change to take effect.
0
 
jkrCommented:
Oh, BTW, SE_BACKUP_NAME is actually called 'SeBackupPrivilege' and the textual description is "Back up files and directories". You will automatically grant that privilege to any account that is added to the 'Backup Operators' group. NOTE that Administrators aren't members of that group by default.
0
 
jpetterAuthor Commented:
jkr,

Awesome! Let me check that out. I have already written a service that will launch this program using CreateProcess(), so I will already have the security context taken care of. Now if I read your comment correctly, I'll just have to read and figure out to implement granting the privilege to the account.

I'll let you know.

Thanks,
Jeff
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
jpetterAuthor Commented:
jkr,

This may be a stupid question, but it's getting late.

I've been testing and debugging these processes in an standard application executable. In the end, this will be executing in the security context of the LSA as it will be launched from a service. That brings two questions to my mind.
1). Should I test this with the service, as the LSA should have the privilege?
2). Since it would be running under the LSA, could I enable it, as I thought the LSA had complete access to anything local to the machine.

Thanks,
Jeff
0
 
jkrCommented:
You need to apply the privilege to the account your service is running under. If it is LocalSystem by now, you will have to change that to an account you can safely assign this privilege to. You might havr to create a new one.
0
 
jpetterAuthor Commented:
jkr,

Thanks again,
Jeff
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now