?
Solved

Creating a registry key where EVERYONE has FULL CONTROL

Posted on 2009-04-08
5
Medium Priority
?
808 Views
Last Modified: 2013-12-04
Hi,

I looked at a solution for the exact same question from "belgianbasman". The solution provided by "ronit" referred to a website that is no longer available:

http://developers.href.com/ARTICLE:947351496:waArticle.450277

To fill you in,  I'm writing a C++ program that needs to set the permissions on a registry key so that members of the well known trustee WinWorldSid (i.e. the "Everyone" group ) have "Full Control" over this key & it's children.

The following is an excerpt from my code:

 // Get the Security Descriptor.
if (!::GetKernelObjectSecurity(reg.getKey(), DACL_SECURITY_INFORMATION, pOldSecurityDescriptor, dwSize, &dwBytesNeeded))
{
  dwLastError = ::GetLastError();
}
// Then get the DACL from the descriptor.
else if (!::GetSecurityDescriptorDacl(pOldSecurityDescriptor, &bIsDaclPresent, &pOldDacl, &bIsDaclDefaulted) || !bIsDaclPresent || NULL == pOldDacl)
{
  dwLastError = ::GetLastError();
}
else if(!CreateWellKnownSid(WinWorldSid, NULL, pWellKnownSIDForEveryone, &nSidSize))
{
  dwLastError = ::GetLastError();
}
else
{
  /*
 *  Build an EA structure with a single ACE that allows members of the
  * well known trustee group WinWorldSid full access permission to the registry key.
  */
  ::ZeroMemory(&newSecurityDescriptor, sizeof(SECURITY_DESCRIPTOR));

  ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
  ea.grfAccessPermissions = KEY_ALL_ACCESS | DELETE | GENERIC_ALL;
  ea.grfAccessMode        = SET_ACCESS;
  ea.grfInheritance       = NO_INHERITANCE;
  ea.Trustee.TrusteeForm  = TRUSTEE_IS_SID;
  ea.Trustee.TrusteeType  = TRUSTEE_IS_WELL_KNOWN_GROUP;
  ea.Trustee.ptstrName    = (LPTSTR) pWellKnownSIDForEveryone;

  /* Add/Merge the required ACE (see above) for the registry key
  * with the current existing one & produce a new DACL.
  */
  if (ERROR_SUCCESS != ::SetEntriesInAcl(1, &ea, pOldDacl, &pNewDacl))
  {
    dwLastError = ::GetLastError();
  }
  // Initialize a new security descriptor for the the key.
  else if (!::InitializeSecurityDescriptor(&newSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION))
  {
    dwLastError = ::GetLastError();
  }
  // Set the DACL in this new security descriptor.
  else if (!::SetSecurityDescriptorDacl(&newSecurityDescriptor, TRUE, pNewDacl, FALSE))
  {
    dwLastError = ::GetLastError();
  }
  // Finally, set the new security descriptor for the registry key.
  else if (!::SetKernelObjectSecurity(reg.getKey(), DACL_SECURITY_INFORMATION, &newSecurityDescriptor))
  {
    dwLastError = ::GetLastError();
  }
  else
  {
    dwLastError = ERROR_SUCCESS;
    bOK         = true;
  }
}

The line setting the permissions doesn't work (i.e. not sufficient)

 ea.grfAccessPermissions = KEY_ALL_ACCESS | DELETE | GENERIC_ALL; // Wrong!

Looking at the permissions on the key after running my code I see that the "Special Permissions" checkbox is ticked, but the "Full Control" checkbox & the "Read" checkbox remain unticked.

What is the correct value for  ea.grfAccessPermissions so as to obtain "Full Control" permissions on the key & its children (values & sub-keys) for members of the group "Everyone"?

Thanks in advance...

0
Comment
Question by:LoneRhino
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 24097891
You can achieve the same by setting a NULL DACL to that key, see http://msdn.microsoft.com/en-us/library/aa379286(VS.85).aspx ("Null DACLs and Empty DACLs")
0
 
LVL 86

Accepted Solution

by:
jkr earned 2000 total points
ID: 24099907
Oh, an othre alternative would be to use a "world" SID, e.g.
    PSID                        psidWorldSid    =   NULL;
    SECURITY_DESCRIPTOR         sd;
    SECURITY_ATTRIBUTES         sa;
 
    SID_IDENTIFIER_AUTHORITY    siaWorldSidAuthority    =   SECURITY_WORLD_SID_AUTHORITY;
    DWORD                       dwCreate                =   0;
  
    //  Create a security descriptor that allows
    //  access for "evreyone"
 
    psidWorldSid    =   ( PSID) LocalAlloc  (   LPTR,
                                                GetSidLengthRequired    (   1)
                                            );
 
    InitializeSid   (   psidWorldSid,   &siaWorldSidAuthority,  1);
 
    *(  GetSidSubAuthority  (   psidWorldSid,   0)) =   SECURITY_WORLD_RID;
 
    InitializeSecurityDescriptor    (   &sd,    SECURITY_DESCRIPTOR_REVISION);
 
    SetSecurityDescriptorGroup      (   &sd,    psidWorldSid,   TRUE);
 
    ZeroMemory  (   &sa,    sizeof  (   SECURITY_ATTRIBUTES));
 
    sa.nLength              =   sizeof  (   SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor =   &sd;
    sa.bInheritHandle           =   FALSE;

Open in new window

0
 

Author Comment

by:LoneRhino
ID: 24181524
Hi jkr,

Sorry to be so tardy with my response. I've been under the gun (& still am) for a couple of weeks trying to get a release out. I haven't had time to test either solution you outlined, but both of them look like they will work so full credit to you.

Thankyou once again,

The LoneRhino
0
 

Author Closing Comment

by:LoneRhino
ID: 31567906
Hi jkr,

Sorry to be so tardy with my response. I've been under the gun (& still am) for a couple of weeks trying to get a release out. I haven't had time to test either solution you outlined, but both of them look like they will work so full credit to you.

Thankyou once again,

The LoneRhino
0
 
LVL 86

Expert Comment

by:jkr
ID: 24181536
No problem, hope it's gonna work for you ;o)
0

Featured Post

Ransomware Attacks Keeping You Up at Night?

Will your organization be ransomware's next victim?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with our Ransomware Prevention Kit!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Go is an acronym of golang, is a programming language developed Google in 2007. Go is a new language that is mostly in the C family, with significant input from Pascal/Modula/Oberon family. Hence Go arisen as low-level language with fast compilation…
In this post we will learn different types of Android Layout and some basics of an Android App.
The viewer will learn how to user default arguments when defining functions. This method of defining functions will be contrasted with the non-default-argument of defining functions.
The viewer will be introduced to the member functions push_back and pop_back of the vector class. The video will teach the difference between the two as well as how to use each one along with its functionality.
Suggested Courses
Course of the Month8 days, 22 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question