Solved

Creating a registry key where EVERYONE has FULL CONTROL

Posted on 2009-04-08
5
777 Views
Last Modified: 2013-12-04
Hi,

I looked at a solution for the exact same question from "belgianbasman". The solution provided by "ronit" referred to a website that is no longer available:

http://developers.href.com/ARTICLE:947351496:waArticle.450277

To fill you in,  I'm writing a C++ program that needs to set the permissions on a registry key so that members of the well known trustee WinWorldSid (i.e. the "Everyone" group ) have "Full Control" over this key & it's children.

The following is an excerpt from my code:

 // Get the Security Descriptor.
if (!::GetKernelObjectSecurity(reg.getKey(), DACL_SECURITY_INFORMATION, pOldSecurityDescriptor, dwSize, &dwBytesNeeded))
{
  dwLastError = ::GetLastError();
}
// Then get the DACL from the descriptor.
else if (!::GetSecurityDescriptorDacl(pOldSecurityDescriptor, &bIsDaclPresent, &pOldDacl, &bIsDaclDefaulted) || !bIsDaclPresent || NULL == pOldDacl)
{
  dwLastError = ::GetLastError();
}
else if(!CreateWellKnownSid(WinWorldSid, NULL, pWellKnownSIDForEveryone, &nSidSize))
{
  dwLastError = ::GetLastError();
}
else
{
  /*
 *  Build an EA structure with a single ACE that allows members of the
  * well known trustee group WinWorldSid full access permission to the registry key.
  */
  ::ZeroMemory(&newSecurityDescriptor, sizeof(SECURITY_DESCRIPTOR));

  ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
  ea.grfAccessPermissions = KEY_ALL_ACCESS | DELETE | GENERIC_ALL;
  ea.grfAccessMode        = SET_ACCESS;
  ea.grfInheritance       = NO_INHERITANCE;
  ea.Trustee.TrusteeForm  = TRUSTEE_IS_SID;
  ea.Trustee.TrusteeType  = TRUSTEE_IS_WELL_KNOWN_GROUP;
  ea.Trustee.ptstrName    = (LPTSTR) pWellKnownSIDForEveryone;

  /* Add/Merge the required ACE (see above) for the registry key
  * with the current existing one & produce a new DACL.
  */
  if (ERROR_SUCCESS != ::SetEntriesInAcl(1, &ea, pOldDacl, &pNewDacl))
  {
    dwLastError = ::GetLastError();
  }
  // Initialize a new security descriptor for the the key.
  else if (!::InitializeSecurityDescriptor(&newSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION))
  {
    dwLastError = ::GetLastError();
  }
  // Set the DACL in this new security descriptor.
  else if (!::SetSecurityDescriptorDacl(&newSecurityDescriptor, TRUE, pNewDacl, FALSE))
  {
    dwLastError = ::GetLastError();
  }
  // Finally, set the new security descriptor for the registry key.
  else if (!::SetKernelObjectSecurity(reg.getKey(), DACL_SECURITY_INFORMATION, &newSecurityDescriptor))
  {
    dwLastError = ::GetLastError();
  }
  else
  {
    dwLastError = ERROR_SUCCESS;
    bOK         = true;
  }
}

The line setting the permissions doesn't work (i.e. not sufficient)

 ea.grfAccessPermissions = KEY_ALL_ACCESS | DELETE | GENERIC_ALL; // Wrong!

Looking at the permissions on the key after running my code I see that the "Special Permissions" checkbox is ticked, but the "Full Control" checkbox & the "Read" checkbox remain unticked.

What is the correct value for  ea.grfAccessPermissions so as to obtain "Full Control" permissions on the key & its children (values & sub-keys) for members of the group "Everyone"?

Thanks in advance...

0
Comment
Question by:LoneRhino
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 24097891
You can achieve the same by setting a NULL DACL to that key, see http://msdn.microsoft.com/en-us/library/aa379286(VS.85).aspx ("Null DACLs and Empty DACLs")
0
 
LVL 86

Accepted Solution

by:
jkr earned 500 total points
ID: 24099907
Oh, an othre alternative would be to use a "world" SID, e.g.
    PSID                        psidWorldSid    =   NULL;
    SECURITY_DESCRIPTOR         sd;
    SECURITY_ATTRIBUTES         sa;
 
    SID_IDENTIFIER_AUTHORITY    siaWorldSidAuthority    =   SECURITY_WORLD_SID_AUTHORITY;
    DWORD                       dwCreate                =   0;
  
    //  Create a security descriptor that allows
    //  access for "evreyone"
 
    psidWorldSid    =   ( PSID) LocalAlloc  (   LPTR,
                                                GetSidLengthRequired    (   1)
                                            );
 
    InitializeSid   (   psidWorldSid,   &siaWorldSidAuthority,  1);
 
    *(  GetSidSubAuthority  (   psidWorldSid,   0)) =   SECURITY_WORLD_RID;
 
    InitializeSecurityDescriptor    (   &sd,    SECURITY_DESCRIPTOR_REVISION);
 
    SetSecurityDescriptorGroup      (   &sd,    psidWorldSid,   TRUE);
 
    ZeroMemory  (   &sa,    sizeof  (   SECURITY_ATTRIBUTES));
 
    sa.nLength              =   sizeof  (   SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor =   &sd;
    sa.bInheritHandle           =   FALSE;

Open in new window

0
 

Author Comment

by:LoneRhino
ID: 24181524
Hi jkr,

Sorry to be so tardy with my response. I've been under the gun (& still am) for a couple of weeks trying to get a release out. I haven't had time to test either solution you outlined, but both of them look like they will work so full credit to you.

Thankyou once again,

The LoneRhino
0
 

Author Closing Comment

by:LoneRhino
ID: 31567906
Hi jkr,

Sorry to be so tardy with my response. I've been under the gun (& still am) for a couple of weeks trying to get a release out. I haven't had time to test either solution you outlined, but both of them look like they will work so full credit to you.

Thankyou once again,

The LoneRhino
0
 
LVL 86

Expert Comment

by:jkr
ID: 24181536
No problem, hope it's gonna work for you ;o)
0

Featured Post

Enroll in May's Course of the Month

May’s Course of the Month is now available! Experts Exchange’s Premium Members and Team Accounts have access to a complimentary course each month as part of their membership—an extra way to increase training and boost professional development.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Have you tried to learn about Unicode, UTF-8, and multibyte text encoding and all the articles are just too "academic" or too technical? This article aims to make the whole topic easy for just about anyone to understand.
In this post we will learn different types of Android Layout and some basics of an Android App.
The goal of the video will be to teach the user the difference and consequence of passing data by value vs passing data by reference in C++. An example of passing data by value as well as an example of passing data by reference will be be given. Bot…
The viewer will learn how to clear a vector as well as how to detect empty vectors in C++.

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question