Solved

Problem Enabling Privilege For Call to RegSaveKey()

Posted on 2004-10-08
Last Modified: 2008-01-09
One of the utility programs I am writing modifies a few registry entries, and to be able to roll back, I need to back up the effected (or is that affected - always hated trying to make that distinction) keys. I have been digging through MSDN, and found a few good samples, but no matter how I tweak the code, my call to RegSaveKey () returns a 1314, which is "A required privilege is not held by the client".

I'll post the relevant code, and if anyone can spot where I went wrong, I would REALLY appreciate the help as I have another long weekend ahead.

Thanks so much,
Jeff

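BOOL      SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
      TOKEN_PRIVILEGES tp;
      LUID luid;
      HANDLE hToken;
      DWORD dwError;

      // Open this process's token with the rights needed to adjust privileges
      if ( !OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken) )
            return FALSE;

      // Translate the privilege name into its LUID on the local system
      if ( !LookupPrivilegeValue(NULL, lpszPrivilege, &luid) )
      {
            CloseHandle(hToken);
            return FALSE;
      }

      tp.PrivilegeCount = 1;
      tp.Privileges[0].Luid = luid;

      if (bEnablePrivilege)
            tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
      else
            tp.Privileges[0].Attributes = 0;

      AdjustTokenPrivileges(hToken,
                                    FALSE,
                                    &tp,
                                    sizeof (TOKEN_PRIVILEGES),
                                    (PTOKEN_PRIVILEGES) NULL,
                                    (PDWORD) NULL);

      // AdjustTokenPrivileges() can succeed without changing anything;
      // GetLastError() is then ERROR_NOT_ALL_ASSIGNED. Read it before CloseHandle().
      dwError = GetLastError();
      CloseHandle(hToken);

      return ( (dwError!=ERROR_SUCCESS)?FALSE:TRUE);
}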




bool      SaveRegKey (HKEY &hKey, char lpszFilename[PROFILEBUF])
{
      long            lResult = ERROR_SUCCESS;

      SetPrivilege(SE_BACKUP_NAME,TRUE);

      // RegSaveKey() fails if the target file already exists, so remove it first
      if (IsFileExist(lpszFilename) && !DeleteFile(lpszFilename))
            lResult = GetLastError();
      else
            lResult = RegSaveKey (hKey, lpszFilename, NULL);

      SetPrivilege(SE_BACKUP_NAME,FALSE);

      // RegSaveKey() returns its status directly, so test lResult rather than GetLastError()
      return (lResult == ERROR_SUCCESS);
}
Question by:jpetter
 
LVL 86

Accepted Solution

by:
jkr earned 500 total points
ID: 12262121
>>"A required privilege is not held by the client".

A privilege that is not *held* cannot be *enabled*. You need to grant the SE_BACKUP_NAME privilege to the account you want to use that code with. If you want to be able to do that by code, you need to use 'LsaAddAccountRights()'. See http://win32.mvps.org/lsa/lsa_laar.cpp for a sample. But, keep in mind that logging off and back on is needed in order for the change to take effect.
0
 
LVL 86

Expert Comment

by:jkr
ID: 12262245
Oh, BTW, SE_BACKUP_NAME is actually called 'SeBackupPrivilege' and the textual description is "Back up files and directories". You will automatically grant that privilege to any account that is added to the 'Backup Operators' group. NOTE that Administrators aren't members of that group by default.
0
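The held-versus-enabled distinction in jkr's answer can be checked on the token itself before debugging the C code. The PowerShell below is an added example, not part of the original thread; the function name Get-PrivilegeState and the sample rows are constructed for illustration, and it assumes English-language output from whoami.

```powershell
# Added example: classify a privilege from `whoami /priv /fo csv` output.
# NotHeld      -> the token lacks the privilege; enabling it cannot work
# HeldDisabled -> present but off; AdjustTokenPrivileges() can switch it on
# HeldEnabled  -> already on
function Get-PrivilegeState {
    param(
        [Parameter(Mandatory)][string[]]$CsvLines,   # output of: whoami /priv /fo csv
        [string]$Privilege = 'SeBackupPrivilege'     # SE_BACKUP_NAME
    )
    $row = $CsvLines | ConvertFrom-Csv |
        Where-Object { $_.'Privilege Name' -eq $Privilege }
    if (-not $row)                { return 'NotHeld' }
    if ($row.State -eq 'Enabled') { return 'HeldEnabled' }
    return 'HeldDisabled'
}

# Constructed sample: token of an account that was never granted the right
$noBackup = @(
    '"Privilege Name","Description","State"',
    '"SeShutdownPrivilege","Shut down the system","Disabled"',
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"'
)
# Constructed sample: same token after the right was granted and the user logged on again
$withBackup = $noBackup + '"SeBackupPrivilege","Back up files and directories","Disabled"'

$advice = @{
    NotHeld      = 'grant the right to the account and log on again; RegSaveKey will return 1314 until then'
    HeldDisabled = 'held but disabled; enable it with AdjustTokenPrivileges before RegSaveKey'
    HeldEnabled  = 'already enabled; RegSaveKey should not fail with 1314'
}

foreach ($sample in $noBackup, $withBackup) {
    $state = Get-PrivilegeState -CsvLines $sample
    '{0}: {1}' -f $state, $advice[$state]
}

# On a live system, run under the same account as the program:
#   Get-PrivilegeState -CsvLines (whoami /priv /fo csv)
```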
 

Author Comment

by:jpetter
ID: 12262903
jkr,

Awesome! Let me check that out. I have already written a service that will launch this program using CreateProcess(), so I will already have the security context taken care of. Now if I read your comment correctly, I'll just have to read and figure out how to implement granting the privilege to the account.

I'll let you know.

Thanks,
Jeff
0

Author Comment

by:jpetter
ID: 12263406
jkr,

This may be a stupid question, but it's getting late.

I've been testing and debugging these processes in a standard application executable. In the end, this will be executing in the security context of the LSA as it will be launched from a service. That brings two questions to my mind.
1). Should I test this with the service, as the LSA should have the privilege?
2). Since it would be running under the LSA, could I enable it, as I thought the LSA had complete access to anything local to the machine.

Thanks,
Jeff
0
 
LVL 86

Expert Comment

by:jkr
ID: 12264636
You need to apply the privilege to the account your service is running under. If it is LocalSystem by now, you will have to change that to an account you can safely assign this privilege to. You might have to create a new one.
0
 

Author Comment

by:jpetter
ID: 12270080
jkr,

Thanks again,
Jeff
0

Question has a verified solution.
