Link to home
Start Free TrialLog in
Avatar of LoneRhino
LoneRhino

asked on

Creating a registry key where EVERYONE has FULL CONTROL

Hi,

I looked at a solution for the exact same question from "belgianbasman". The solution provided by "ronit" referred to a website that is no longer available:

http://developers.href.com/ARTICLE:947351496:waArticle.450277

To fill you in,  I'm writing a C++ program that needs to set the permissions on a registry key so that members of the well known trustee WinWorldSid (i.e. the "Everyone" group ) have "Full Control" over this key & it's children.

The following is an excerpt from my code:

 // Get the Security Descriptor.
if (!::GetKernelObjectSecurity(reg.getKey(), DACL_SECURITY_INFORMATION, pOldSecurityDescriptor, dwSize, &dwBytesNeeded))
{
  dwLastError = ::GetLastError();
}
// Then get the DACL from the descriptor.
else if (!::GetSecurityDescriptorDacl(pOldSecurityDescriptor, &bIsDaclPresent, &pOldDacl, &bIsDaclDefaulted) || !bIsDaclPresent || NULL == pOldDacl)
{
  dwLastError = ::GetLastError();
}
else if(!CreateWellKnownSid(WinWorldSid, NULL, pWellKnownSIDForEveryone, &nSidSize))
{
  dwLastError = ::GetLastError();
}
else
{
  /*
 *  Build an EA structure with a single ACE that allows members of the
  * well known trustee group WinWorldSid full access permission to the registry key.
  */
  ::ZeroMemory(&newSecurityDescriptor, sizeof(SECURITY_DESCRIPTOR));

  ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
  ea.grfAccessPermissions = KEY_ALL_ACCESS | DELETE | GENERIC_ALL;
  ea.grfAccessMode        = SET_ACCESS;
  ea.grfInheritance       = NO_INHERITANCE;
  ea.Trustee.TrusteeForm  = TRUSTEE_IS_SID;
  ea.Trustee.TrusteeType  = TRUSTEE_IS_WELL_KNOWN_GROUP;
  ea.Trustee.ptstrName    = (LPTSTR) pWellKnownSIDForEveryone;

  /* Add/Merge the required ACE (see above) for the registry key
  * with the current existing one & produce a new DACL.
  */
  if (ERROR_SUCCESS != ::SetEntriesInAcl(1, &ea, pOldDacl, &pNewDacl))
  {
    dwLastError = ::GetLastError();
  }
  // Initialize a new security descriptor for the the key.
  else if (!::InitializeSecurityDescriptor(&newSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION))
  {
    dwLastError = ::GetLastError();
  }
  // Set the DACL in this new security descriptor.
  else if (!::SetSecurityDescriptorDacl(&newSecurityDescriptor, TRUE, pNewDacl, FALSE))
  {
    dwLastError = ::GetLastError();
  }
  // Finally, set the new security descriptor for the registry key.
  else if (!::SetKernelObjectSecurity(reg.getKey(), DACL_SECURITY_INFORMATION, &newSecurityDescriptor))
  {
    dwLastError = ::GetLastError();
  }
  else
  {
    dwLastError = ERROR_SUCCESS;
    bOK         = true;
  }
}

The line setting the permissions doesn't work (i.e. not sufficient)

 ea.grfAccessPermissions = KEY_ALL_ACCESS | DELETE | GENERIC_ALL; // Wrong!

Looking at the permissions on the key after running my code I see that the "Special Permissions" checkbox is ticked, but the "Full Control" checkbox & the "Read" checkbox remain unticked.

What is the correct value for  ea.grfAccessPermissions so as to obtain "Full Control" permissions on the key & its children (values & sub-keys) for members of the group "Everyone"?

Thanks in advance...

Avatar of jkr
jkr
Flag of Germany image

You can achieve the same by setting a NULL DACL to that key, see http://msdn.microsoft.com/en-us/library/aa379286(VS.85).aspx ("Null DACLs and Empty DACLs")
ASKER CERTIFIED SOLUTION
Avatar of jkr
jkr
Flag of Germany image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of LoneRhino
LoneRhino

ASKER

Hi jkr,

Sorry to be so tardy with my response. I've been under the gun (& still am) for a couple of weeks trying to get a release out. I haven't had time to test either solution you outlined, but both of them look like they will work so full credit to you.

Thankyou once again,

The LoneRhino
Hi jkr,

Sorry to be so tardy with my response. I've been under the gun (& still am) for a couple of weeks trying to get a release out. I haven't had time to test either solution you outlined, but both of them look like they will work so full credit to you.

Thankyou once again,

The LoneRhino
No problem, hope it's gonna work for you ;o)