Accessing Remote Registry (Read only)

Hello,

I am encountering an error: "Attempted to perform an unauthorized operation." when trying to read (well, any access actually) the registry on a remote machine.  I am using impersonation with a Domain Administrator for that machine, so it should have access to the registry (I cannot log out the machine to log in the domain admin and be sure).  I know I cannot access the RegistryHive.CurrentUser remotely, so I am using RegistryHive.Users and then the SID of the user in question to get access to the path, but even that does not allow me access.

If I run the application without impersonation, I am able to access the RegistryHive.Users, but cannot go any further due to the error "Requested registry access is not allowed.".  This makes sense, since my account does not have access to the registry on that machine.

There are several remote machines that this code will eventually access (once I can get it working for one!), and they are either Windows XP Pro, or Windows 2003 server.

I've attached a snippet of the code, hopefully it helps.  The error is occurring on the line:
rkRegistry = RegistryKey.OpenRemoteBaseKey(RegistryHive.Users, strIPAddress).OpenSubKey(strSID)


Thank you
Imports System.Runtime.InteropServices
Imports System.Security.Principal
Imports Microsoft.Win32

'Code to impersonate and connect to the remote registry
strSID = GetSIDUsingADSearch(strRemoteUser)
'The Windows NT user token.
Dim token1 As IntPtr = IntPtr.Zero
'3 = LOGON32_LOGON_NETWORK, 0 = LOGON32_PROVIDER_DEFAULT
Dim loggedOn As Boolean = LogonUser(strUserName, strDomain, strPassword, 3, 0, token1)
If Not loggedOn Then
    Throw New System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error())
End If
'Starting impersonation here:
Dim mWI1 As WindowsIdentity = WindowsIdentity.GetCurrent()
Dim mWI2 As WindowsIdentity = New WindowsIdentity(token1)
'Impersonate the user.
Dim mWIC As WindowsImpersonationContext = mWI2.Impersonate()
Try
    Dim rkRegistry As RegistryKey
    rkRegistry = RegistryKey.OpenRemoteBaseKey(RegistryHive.Users, strIPAddress).OpenSubKey(strSID)
Finally
    'Always revert, even when the remote open throws.
    mWIC.Undo()
End Try

'LogonUser (the loader finds advapi32.dll by name; a hard-coded system path is not needed)
<DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Auto)> _
Public Shared Function LogonUser(ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, ByRef phToken As IntPtr) As Boolean
End Function

lasenzaitAsked:
CodeCruiserCommented:
Have you checked that the impersonation is working properly?

http://weblogs.asp.net/ralfw/archive/2003/11/24/39479.aspx
0
lasenzaitAuthor Commented:
I'm sorry I should have mentioned that yes, I have verified that after the .Impersonate, the WindowsIdentity.GetCurrent() does in fact return the domain admin that I want it to be impersonating.
0
Russell_VenableCommented:
The current user you are using is not authorized to read the registry. Use SubInACL from the resource kit to give permissions in the remote registry key to the user you're trying to use. http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23510

cd /d "%programfiles%\Windows Resource Kits\Tools"
subinacl /subkeyreg HKEY_CURRENT_USER /grant=<youruser>=f /grant=system=f /grant=administrators=f

This will add <youruser>, system, and administrators to that main key's access permissions.
0
lasenzaitAuthor Commented:
I checked the permissions, and the account should have access?  The "Administrators" group of the machine contains the Domain Admin, which is the account I am using for this.  I can't actually just run SubInACL for it (not allowed, I'm not the System Admin, just the programmer tasked with writing an application to verify the keys) to see if that changes anything before/after, but I don't understand why, if the Administrators group has access to it, and the account I'm using is under the Administrators group, I would get a not authorized error?

Can you think of any other reasons I would get an unauthorized?  Could it just be the wrong error message is being returned?
0
Russell_VenableCommented:
So you're telling me that you checked the "administrators" group to check if domain admin was added? This is not the place to check. You need to open up regedit and browse to the key you intend to change and check the security permissions for each key you want to have permission on. To explain your last question: the reason is Microsoft does not want anyone to explicitly have remote access without knowing how it works, and anything like worms will not be able to automate this task without knowing the security infrastructure. This helps stop some malware developers and is a security feature. Administrators are not allowed by default to access this remotely and that is why I suggest you change the ACL for that key. If you can do this programmatically that's fine too. You can use .NET's remote registry API or the native remote registry.

Native example:
Enable file sharing to open port 135, connect using IPC, then

      HKEY lHKeyhandle = NULL, lhkey = NULL;
      LONG lRetVal;
      char vValue[MAX_PATH];

      lRetVal = RegConnectRegistry(ServerName, HKEY_LOCAL_MACHINE, &lHKeyhandle);
      if (lRetVal != ERROR_SUCCESS) return lRetVal;

      // KEY_ALL_ACCESS is more than a value write needs; KEY_SET_VALUE would do.
      lRetVal = RegOpenKeyEx(lHKeyhandle, "SOFTWARE\\somekey", 0, KEY_ALL_ACCESS, &lhkey);
      if (lRetVal != ERROR_SUCCESS) { RegCloseKey(lHKeyhandle); return lRetVal; }

      // Build the REG_SZ data; cbData must be the string length plus the terminating NUL,
      // not a fixed 255, which would read past the end of the buffer.
      snprintf(vValue, sizeof(vValue), "%s", PathName);
      lRetVal = RegSetValueEx(lhkey, "Setvaluehere", 0, REG_SZ, (LPBYTE)vValue, (DWORD)(strlen(vValue) + 1));

      snprintf(vValue, sizeof(vValue), "%s 1 1", PathName);
      lRetVal = RegSetValueEx(lhkey, "Setkeyhere", 0, REG_SZ, (LPBYTE)vValue, (DWORD)(strlen(vValue) + 1));

      RegCloseKey(lhkey);
      RegCloseKey(lHKeyhandle);

Or use the .NET method
RegistryKey.OpenRemoteBaseKey
http://msdn.microsoft.com/en-us/library/8zha3xws(v=vs.71).aspx

Notice how the .NET method requests security attributes? This is what I am trying to get you to understand mainly, and yes, they did make it so you can enable access remotely. It's clearly documented on MSDN, you just need to find it to read it. Yes, actually, there are a few other possibilities: DCOM/RPC access permissions. lol, no this is the correct error message. No mistake. Nice try ;) If that was true we would all be in trouble.
0
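The remote read the question attempts, reworked as an added example (not the asker's code and not Russell's): it uses the same .NET RegistryKey.OpenRemoteBaseKey call pointed to above, but logs on with LOGON32_LOGON_NEW_CREDENTIALS instead of logon type 3 and opens the key with read rights only. Host, hive path, value name and credentials are placeholders supplied by the caller.

```vbnet
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports Microsoft.Win32

Public Module RemoteRegistryReader
    ' LOGON32_LOGON_NETWORK (3, as in the question) does not cache credentials, so the token
    ' cannot authenticate outbound connections as that user and the remote host sees an
    ' anonymous session. NEW_CREDENTIALS keeps the caller's local identity (GetCurrent()
    ' still returns the caller) and attaches the supplied credentials for network access only.
    Private Const LOGON32_LOGON_NEW_CREDENTIALS As Integer = 9
    Private Const LOGON32_PROVIDER_WINNT50 As Integer = 3

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Auto)> _
    Private Function LogonUser(ByVal lpszUsername As String, ByVal lpszDomain As String, _
        ByVal lpszPassword As String, ByVal dwLogonType As Integer, _
        ByVal dwLogonProvider As Integer, ByRef phToken As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

    ' Reads one value from <hive>\<subKey> on <host> under the given credentials.
    ' Returns Nothing if the key or value is absent; throws Win32Exception if LogonUser fails.
    Public Function ReadRemoteValue(ByVal host As String, ByVal hive As RegistryHive, _
        ByVal subKey As String, ByVal valueName As String, _
        ByVal user As String, ByVal domain As String, ByVal password As String) As Object
        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, _
                         LOGON32_PROVIDER_WINNT50, token) Then
            Throw New Win32Exception(Marshal.GetLastWin32Error())
        End If
        Try
            Dim identity As New WindowsIdentity(token)
            Using ctx As WindowsImpersonationContext = identity.Impersonate()
                Using baseKey As RegistryKey = RegistryKey.OpenRemoteBaseKey(hive, host)
                    ' Read rights only (KEY_READ): a verification tool needs nothing more.
                    Using key As RegistryKey = baseKey.OpenSubKey(subKey, _
                            RegistryKeyPermissionCheck.ReadSubTree, RegistryRights.ReadKey)
                        If key Is Nothing Then Return Nothing
                        Return key.GetValue(valueName)
                    End Using
                End Using
            End Using
        Finally
            CloseHandle(token) ' WindowsIdentity duplicated the handle, so ours can be closed
        End Try
    End Function
End Module
```

Calling ReadRemoteValue(host, RegistryHive.Users, sid & "\Software\SomeKey", "SomeValue", user, domain, password) performs the HKEY_USERS\<SID> read from the question; any other hive the remote registry service exposes can be read the same way.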
lasenzaitAuthor Commented:
Hello,

By my first line: "I checked the permissions, and the account should have access?" the permissions I was referring to are those of the key in regedit.  I did confirm that the Administrators Group has permission to access that specific Key, and not just that the domain admin was part of the group.

From the MSDN, (which I had checked prior to posting, as it's my first line of research), it also mentions "In order for a key to be opened remotely, both machines (the service, and client) must be running the remote registry service, and have remote administration enabled."  Which I also confirmed are running on the machines.

So unless I'm missing some other security attribute from the MSDN, then I'm back to square one of not knowing exactly why this issue is occurring.

Here's a checklist of things I've made sure of:
1) Impersonation is working
2) The account being impersonated is part of the administrators group on the remote machine.
3) The administrators group has full control of the registry key in question (verified in regedit)
4) The remote administration and the remote registry services are running on both my machine and the remote machine


The part of your reply I'm not sure about is when you say "Notice how the .net method is requests security attributes?".  Are you referring to the SecurityPermission namespace at the bottom under .Net Security? I'm already impersonating someone who should have access; is there something I need to do specifically with the SecurityPermission to confirm this access?

Thank you for your help.
0
Russell_VenableCommented:
You know, I think I missed a part about you being in a workgroup. Check this user policy setting to see if it's enabled.

Registry key:
HKLM\System\CurrentControlSet\Control\LSA

Value:
ForceGuest

If it's enabled, it will force the user to be signed in as guest. Disable it by changing the value to 0. This could be an issue. If not, you can check permissions again and check the ownership part and see if administrators are included. If that's not it, you will need to check DCOM settings and see if the port is enabled and allowed through the firewall, and check both access and launch permissions using dcomcnfg.exe.
0

lasenzaitAuthor Commented:
Sorry for the late reply, I've been working on other projects this week as this one got put on pause.  I checked the registry key and ForceGuest is enabled.  I've had to check with our Data Security team to see if I can turn this off as a test to verify that that is what is causing my authentication issues, but they haven't gotten back to me yet.  Once they confirm that I can do it on one machine to test, I will post the results back here.
0
Russell_VenableCommented:
Thanks for the info. I'll be waiting for your reply :)
0
lasenzaitAuthor Commented:
Finally got authorization to try it on one machine and unfortunately, no change.

I guess I will have to check with Data Security to see if they block the ports in the firewall.  Would you happen to know which ports would be accessed by this, or is it on a machine by machine basis?

Thank you for all your help so far.
0
Russell_VenableCommented:
TCP port 139 is remote registry.
0
lasenzaitAuthor Commented:
I checked with them and there is no firewall between my machine and the remote machine, and also that port 139 is open for connections.

We did however notice that the remote machine is logging the access attempt as anonymous in the event viewer (security tab), rather than the impersonation.  This doesn't seem to change whether I run the application from within the domain, or from a different domain.  As a possible test (and not at all a possible solution), we enabled anonymous access on one of the machines, and were still greeted with the same error?

Do you have any other possible solutions?  

Thank you again
0
Russell_VenableCommented:
There is another one I should have included in the check earlier.

Check the registry using regedit32 and go to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

And see if there is a value of "RestrictAnonymous". If so, check to make sure the value is:

Value Name: RestrictAnonymous
Data Type: REG_DWORD
Value: 0

If this key is missing you can add it and assign the key as a DWORD with a value of 0. This will allow anonymous connections. You also need to reboot to make this work.
0
lasenzaitAuthor Commented:
In the end, this project was abandoned by management.  

Thank you very much for your helpful suggestions, but there are just too many security restrictions to take them all off in order to make this work.
0
Russell_VenableCommented:
That's very understandable. Better luck next time. Happy New Year to you all.
0