?
Solved

windows api, registry setting permissions

Posted on 2010-08-26
11
Medium Priority
?
851 Views
Last Modified: 2012-05-10
I've been hounding google for ways to set permissions in the registry (xp based systems and above), and I have come across many solutions, many that are similar to the article here at EE (http://www.experts-exchange.com/Programming/Languages/CPP/Q_20485542.html).

However, this method does not seem to work for registry keys that have had all permissions removed, and set to a random owner (an owner other than administrators).
I have created a test key + subkey in my local registry and have tried the methods (and a combination of what I figured might work) but it really only works when my user has access explicitly granted in the permissions of that key.

Of course, my account on XP is administrator, so I dont see why there is a problem, but there is.

With my current setting (removed all users from the permissions list, made Guest the owner), GrantAccess fails, and so does TakeOwnership.

And yes, I've tried the microsoft article (which I've found so many references to, which the only one i have saved) - http://web.archive.org/web/20021021215311/http://msdn.microsoft.com/library/en-us/security/security/taking_object_ownership.asp

which also seems to fail in the manner mentioned above.


Would love to have some code snipit (no error checking if you write it yourself - lots of them have std::cout << bla bla or printf's, and if fails bail from further attempting the function)


Oh, one last part of the challenge; I'm trying to code this using good ol C and WinAPI calls (just like both of the urls displayed) and am compiling with MINGW (and will compile it with MINGWx64 after I get the 32bit code working).


My ultimate goal is to take ownership of the key, give it permissions for the current (administrative) user to access all, and to give it permissions from it's containing key.
From what I have discovered, there is no easy way to inherit permissions nor a quick dirty way to pass permissions to all child objects.
0
Comment
Question by:vanillasprinkles
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
11 Comments
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 33543241
http://technet.microsoft.com/en-us/library/cc786173(WS.10).aspx says ...

"You can take ownership of a registry key if you are logged on as an administrator or if you have been specifically assigned the permission to take ownership of the registry key by the current owner.".

Can you try manually?

Who is the current owner?

Can you log in as them?


1 - Picking a key (HKLM) at random.
2 - Right click and choose Permissions.
3 - See the Security tab with all the users.
4 - Do you see Administrators as a group?
5 - If not, can you add the local administrator's group and grant full control?
6 - Press the Advanced button.
7 - Select the Owner tab.
8 - Who is the current owner?
9 - What owners can you change the owner to?

I'm not sure if changing the owner on all subcontainers and objects is a good idea. Apps MAY check the owner to see if they have been buggered around with.
0
 
LVL 40

Accepted Solution

by:
Richard Quadling earned 1000 total points
ID: 33543268
http://support.microsoft.com/default.aspx?scid=kb;en-us;111546 says ...

To take ownership of a registry key it is necessary to have a handle to the key. A handle to the key can be obtained by opening the key with a registry API (application programming interface) such as RegOpenKeyEx(). If the user does not have access to the registry key, the open operation will fail and this will in turn prevent ownership being taken (because a handle to the key is required to change the key's security).

The solution to this problem is to first enable the TakeOwnership privilege and then to open the registry key with WRITE_OWNER access as shown below:

RegOpenKeyEx(HKEY_CLASSES_ROOT,"Testkey",0,WRITE_OWNER,&hKey);

                        
This function call will provide a handle to the registry, which can be used in the following call to take ownership:

RegSetKeySecurity(hKey,OWNER_SECURITY_INFORMATION, &SecurityDescriptor);

                        
Please note that you will need to initialize the security descriptor being passed to RegSetKeySecurity() and set the owner field to the new owner SID.

Taking ownership of a registry key is not a common operation. It is typically an operation that an administrator would use as a last resort to gain access to a registry key.
0
 
LVL 3

Author Comment

by:vanillasprinkles
ID: 33547827
Thanks for the reply and help - this has been very challenging;

Yes, I can set the owner and permissions manually; i'm using my Administrator (included with the unaltered user class in Administrators)
I've literally setup a test key:  HKEY_CURRENT_USER\Test\agaon
where "agaon", a nice smashage of fingers to my keyboard, is my key that i removed all permissions, and changed the owner to Guest, giving me no read access to any part of it.
Via regedit, i'm able to gain ownership to any user/group i want, and then add in permissions.. just don't have the concept down via C yet.

I have referenced the EE link above, and copied that and made it a header file, making the functions take parameters, but was unable to make it work; and i've referenced the EE link and made the MS code work for the registry, but it still fails via removing all permissions and setting the owner to guest as I have done.


I'm currently starting a test app/project to try to make this work, trying to integrate both page's codes the best i can..
so far i have coded:
allocated an SID for 'everyone' 'administrators' and 'current user' (current user using the code from the EE page)
Set read access for Everyone, and full control for both Administrators and CurUser
"set the owner in the object's security descriptor" (from the MS page)

then just now realized both pages reference a 'TakeOwnership' function, which I am fine with, but am wondering which model i should truly follow before i call RegOpenKeyEx( .... WRITE_OWNER .. )


I will continue with what i have before I post it, in case i have anything way out of order (which is what i think is going on but not quite too sure)

i'm also quite uncertain what this SetPrivilege command does, seeing as it's not an api call - i've found somebody's code that is supposed to get the job done, but not quite certain on it as i still dont have mine working as i want.

0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 3

Author Comment

by:vanillasprinkles
ID: 33547998
ok, i'm stumped once again, is where i was last night even

current code tries to set "Everyone" as owner, [ and when setting Everyone as owner in the reg key, and removing all users from permissions list, it doesnt error on clicking the restricted key  - via regedit ]

here's my lousy attempt at this code, dunno where i'm going wrong at this
regPermission.cpp
setPriv.h
0
 
LVL 3

Author Comment

by:vanillasprinkles
ID: 33550679
just attempted another re-write from the MS page's Takeownership function.
(and found the non-cached page in one of my browser tabs: http://msdn.microsoft.com/en-us/library/aa379620(VS.85).aspx)

something must have went wrong as i see the difference between what i thought i copied in last night and what works this morning is enormous; lots of the same code in a different order...


0
 
LVL 3

Author Closing Comment

by:vanillasprinkles
ID: 33555017
code went well after finding the current MS example page on the subject and starting my code over from scratch.
0
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 33556922
Glad you got it sorted.

Could you post your code so others can learn from you?
0
 
LVL 3

Author Comment

by:vanillasprinkles
ID: 33562694
added in some header comments; the code works on both x86_32 and x86_64, although compiling in x64 i get many warnings (string operations are obsolete or some BS cuz i declare them as non-constants); windows - ruining the dynamics of programming


setPriv.h
0
 
LVL 3

Author Comment

by:vanillasprinkles
ID: 33562706
damni, i hit enter and it submitted it, take two:


setPriv.h
msTakeOwn.h
0
 
LVL 3

Author Comment

by:vanillasprinkles
ID: 33562824
found 1 typeo:
replace: ea[2].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
with: ea[2].Trustee.TrusteeType = TRUSTEE_IS_USER;

funny it worked as group.. posted corrected file



can an admin clean up these posts?
=> merge and remove unnecessary threads of the last 2 and this i just created?
[an edit button would be nice too as i practice my typo's on a regular basis]
setPriv.h
msTakeOwn.h
0
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 33565705
Thanks for that. I am sure others will find it useful.

Well done on getting the solution.
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup" or a blinking cursor with black screen. A loop for Auto repair will start but fix nothing.  You will be panic as there are no backā€¦
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
Video by: Grant
The goal of this video is to provide viewers with basic examples to understand and use while-loops in the C programming language.
The goal of this video is to provide viewers with basic examples to understand opening and reading files in the C programming language.
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question