LoneRhino
Creating a registry key where EVERYONE has FULL CONTROL
Hi,
I looked at a solution for the exact same question from "belgianbasman". The solution provided by "ronit" referred to a website that is no longer available:
http://developers.href.com/ARTICLE:947351496:waArticle.450277
To fill you in, I'm writing a C++ program that needs to set the permissions on a registry key so that members of the well-known trustee WinWorldSid (i.e. the "Everyone" group) have "Full Control" over this key & its children.
The following is an excerpt from my code:
// Get the Security Descriptor.
if (!::GetKernelObjectSecurity(reg.getKey(), DACL_SECURITY_INFORMATION, pOldSecurityDescriptor, dwSize, &dwBytesNeeded))
{
    dwLastError = ::GetLastError();
}
// Then get the DACL from the descriptor.
else if (!::GetSecurityDescriptorDacl(pOldSecurityDescriptor, &bIsDaclPresent, &pOldDacl, &bIsDaclDefaulted) || !bIsDaclPresent || NULL == pOldDacl)
{
    dwLastError = ::GetLastError();
}
else if (!CreateWellKnownSid(WinWorldSid, NULL, pWellKnownSIDForEveryone, &nSidSize))
{
    dwLastError = ::GetLastError();
}
else
{
    /*
     * Build an EA structure with a single ACE that allows members of the
     * well known trustee group WinWorldSid full access permission to the registry key.
     */
    ::ZeroMemory(&newSecurityDescriptor, sizeof(SECURITY_DESCRIPTOR));
    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = KEY_ALL_ACCESS | DELETE | GENERIC_ALL;
    ea.grfAccessMode = SET_ACCESS;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    ea.Trustee.ptstrName = (LPTSTR) pWellKnownSIDForEveryone;
    /* Add/Merge the required ACE (see above) for the registry key
     * with the current existing one & produce a new DACL.
     * SetEntriesInAcl returns its Win32 error code directly and does not
     * set the thread's last error, so the return value is stored instead.
     */
    if (ERROR_SUCCESS != (dwLastError = ::SetEntriesInAcl(1, &ea, pOldDacl, &pNewDacl)))
    {
        // dwLastError already holds the failure code.
    }
    // Initialize a new security descriptor for the key.
    else if (!::InitializeSecurityDescriptor(&newSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION))
    {
        dwLastError = ::GetLastError();
    }
    // Set the DACL in this new security descriptor.
    else if (!::SetSecurityDescriptorDacl(&newSecurityDescriptor, TRUE, pNewDacl, FALSE))
    {
        dwLastError = ::GetLastError();
    }
    // Finally, set the new security descriptor for the registry key.
    else if (!::SetKernelObjectSecurity(reg.getKey(), DACL_SECURITY_INFORMATION, &newSecurityDescriptor))
    {
        dwLastError = ::GetLastError();
    }
    else
    {
        dwLastError = ERROR_SUCCESS;
        bOK = true;
    }
}
The line setting the permissions doesn't work (i.e. not sufficient)
ea.grfAccessPermissions = KEY_ALL_ACCESS | DELETE | GENERIC_ALL; // Wrong!
Looking at the permissions on the key after running my code I see that the "Special Permissions" checkbox is ticked, but the "Full Control" checkbox & the "Read" checkbox remain unticked.
What is the correct value for ea.grfAccessPermissions so as to obtain "Full Control" permissions on the key & its children (values & sub-keys) for members of the group "Everyone"?
Thanks in advance...
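The following is an added example, not code from this thread. It applies the registry key generic mapping (the transformation MapGenericMask performs for keys) to the mask in the question and reports the scope implied by the inheritance flags. The constants are copied from winnt.h under local names so the block builds without the Windows SDK, and mapRegistryGeneric and describeAce are hypothetical helper names.

```cpp
// Added example: constants copied from winnt.h under local names so this
// builds without the Windows SDK. Helper names are hypothetical.
#include <cstdint>
#include <iostream>
#include <string>

constexpr uint32_t kGenericRead = 0x80000000, kGenericWrite = 0x40000000,
                   kGenericExecute = 0x20000000, kGenericAll = 0x10000000;
constexpr uint32_t kDelete = 0x00010000;            // DELETE
constexpr uint32_t kKeyRead = 0x00020019;           // KEY_READ
constexpr uint32_t kKeyWrite = 0x00020006;          // KEY_WRITE
constexpr uint32_t kKeyExecute = 0x00020019;        // KEY_EXECUTE
constexpr uint32_t kKeyAllAccess = 0x000F003F;      // KEY_ALL_ACCESS
constexpr uint32_t kNoInheritance = 0x0;            // NO_INHERITANCE
constexpr uint32_t kContainerInherit = 0x2;         // CONTAINER_INHERIT_ACE
constexpr uint32_t kInheritOnly = 0x8;              // INHERIT_ONLY_ACE

// Replace generic bits with the registry key rights they stand for.
uint32_t mapRegistryGeneric(uint32_t mask) {
    if (mask & kGenericRead)    mask |= kKeyRead;
    if (mask & kGenericWrite)   mask |= kKeyWrite;
    if (mask & kGenericExecute) mask |= kKeyExecute;
    if (mask & kGenericAll)     mask |= kKeyAllAccess;
    return mask & ~(kGenericRead | kGenericWrite | kGenericExecute | kGenericAll);
}

// Summarise what an ACE grants and which keys it applies to.
std::string describeAce(uint32_t mask, uint32_t inheritFlags) {
    const uint32_t mapped = mapRegistryGeneric(mask);
    const std::string rights = mapped == kKeyAllAccess ? "full control"
                             : mapped == kKeyRead      ? "read"
                                                       : "special";
    const bool thisKey = (inheritFlags & kInheritOnly) == 0;
    const bool subkeys = (inheritFlags & kContainerInherit) != 0;
    const std::string scope = thisKey && subkeys ? "this key and subkeys"
                            : thisKey            ? "this key only"
                            : subkeys            ? "subkeys only"
                                                 : "nothing";
    return rights + " on " + scope;
}

int main() {
    // First the mask and inheritance from the question, then
    // KEY_ALL_ACCESS combined with container inheritance.
    std::cout << describeAce(kKeyAllAccess | kDelete | kGenericAll, kNoInheritance) << "\n"
              << describeAce(kKeyAllAccess, kContainerInherit) << "\n";
}
```

For the ACE in the question the mask already reduces to KEY_ALL_ACCESS, since DELETE is part of it and GENERIC_ALL maps to it; NO_INHERITANCE is what limits the entry to the key itself rather than its subkeys.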
You can achieve the same by setting a NULL DACL to that key, see http://msdn.microsoft.com/en-us/library/aa379286(VS.85).aspx ("Null DACLs and Empty DACLs")
ASKER
Hi jkr,
Sorry to be so tardy with my response. I've been under the gun (& still am) for a couple of weeks trying to get a release out. I haven't had time to test either solution you outlined, but both of them look like they will work so full credit to you.
Thank you once again,
The LoneRhino
No problem, hope it's gonna work for you ;o)