lasenzait

Accessing Remote Registry (Read only)

Hello,

I am encountering an error: "Attempted to perform an unauthorized operation." when trying to read, (well any access actually) the registry on a remote machine.  I am using impersonation with a Domain Administrator for that machine, so it should have access to the registry (I cannot log out the machine to log in the domain admin and be sure).  I know I cannot access the RegistryHive.CurrentUser remotely, so I am using RegistryHive.Users and then the SID of the user in question to get access to the path, but even that does not allow me access.

If I run the application without impersonation, I am able to access the RegistryHive.Users, but cannot go any further due to the error "Requested registry access is not allowed.".  This makes sense, since my account does not have access to the registry on that machine.

There are several remote machines that this code will eventually access (once I can get it working for one!), and they are either Windows XP Pro, or Windows 2003 server.

I've attached a snippet of the code, hopefully it helps.  The error is occurring on the line:
rkRegistry = RegistryKey.OpenRemoteBaseKey(RegistryHive.Users, strIPAddress).OpenSubKey(strSID)


Thank you

'Code to impersonate and connect to the remote registry
'Needs Imports System.Runtime.InteropServices, System.Security.Principal,
'System.ComponentModel and Microsoft.Win32
strSID = GetSIDUsingADSearch(strRemoteUser)
'The Windows NT user token (a handle, so IntPtr rather than Integer).
Dim token1 As IntPtr = IntPtr.Zero
'Logon type 3 = LOGON32_LOGON_NETWORK, provider 0 = LOGON32_PROVIDER_DEFAULT.
'LogonUser does not cache credentials for a network logon, so a token of this
'type cannot be used to authenticate outbound to another machine.
Dim loggedOn As Boolean = LogonUser(strUserName, strDomain, strPassword, 3, 0, token1)
If Not loggedOn Then
    Throw New Win32Exception(Marshal.GetLastWin32Error())
End If
'Starting impersonation here:
Dim mWI1 As WindowsIdentity = WindowsIdentity.GetCurrent()   'identity before impersonation
Dim mWI2 As WindowsIdentity = New WindowsIdentity(token1)
'Impersonate the user.
Dim mWIC As WindowsImpersonationContext = mWI2.Impersonate()
Dim rkRegistry As RegistryKey
Try
    rkRegistry = RegistryKey.OpenRemoteBaseKey(RegistryHive.Users, strIPAddress).OpenSubKey(strSID)
Finally
    'Always revert, even when OpenRemoteBaseKey/OpenSubKey throws.
    mWIC.Undo()
End Try

'LogonUser: reference advapi32.dll by name, not by an absolute path
<DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Auto)> _
Public Shared Function LogonUser(ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, ByRef phToken As IntPtr) As Boolean
End Function


Nasir Razzaq

Have you checked that the impersonation is working properly?

http://weblogs.asp.net/ralfw/archive/2003/11/24/39479.aspx
lasenzait

ASKER

I'm sorry I should have mentioned that yes, I have verified that after the .Impersonate, the WindowsIdentity.GetCurrent() does in fact return the domain admin that I want it to be impersonating.

The current user you are using is not authorized to read the registry. Use SubInACL from the resource kit to give permissions in the remote registry key to the user you're trying to use. http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23510

cd /d "%programfiles%\Windows Resource Kits\Tools"
subinacl /subkeyreg HKEY_CURRENT_USER /grant=<youruser>=f /grant=system=f /grant=administrators=f

This will add <youruser>,system,and administrators to that main key access permissions.

I checked the permissions, and the account should have access?  The "Administrators" group of the machine contains the Domain Admin, which is the account I am using for this.  I can't actually just run SubInACL for it (not allowed, I'm not the System Admin, just the programmer tasked with writing an application to verify the keys) to see if that changes anything before and after, but I don't understand why, if the Administrators Group has access to it, and the account I'm using is under the administrators group, I would get a not authorized error?

Can you think of any other reasons I would get an unauthorized?  Could it just be the wrong error message is being returned?

So you're telling me that you checked the "administrators" group to check if domain admin was added? This is not the place to check. You need to open up regedit and browse to the key you intend to change and check the security permissions for each key you want to have permission on. To explain your last question: the reason is Microsoft does not want anyone to explicitly have remote access without knowing how it works, and anything like worms will not be able to automate this task without knowing the security infrastructure. This helps stop some malware developers and is a security feature. Administrators are not allowed by default to access this remotely and that is why I suggest you change the ACL for that key. If you can do this programmatically that's fine too. You can use .net's remote registry API or the native remoteregistry.

Native example:
Enable file sharing to open port 135, Connect using IPC, then
      HKEY lHKeyhandle = NULL, lhkey = NULL;
      LONG lRetVal;
      char vValue[MAX_PATH + 8];   // PathName is assumed to fit in MAX_PATH

      lRetVal = RegConnectRegistry(ServerName, HKEY_LOCAL_MACHINE, &lHKeyhandle);
      if (lRetVal != ERROR_SUCCESS)
          return lRetVal;

      lRetVal = RegOpenKeyEx(lHKeyhandle, "SOFTWARE\\somekey", 0, KEY_ALL_ACCESS, &lhkey);
      if (lRetVal != ERROR_SUCCESS) {
          RegCloseKey(lHKeyhandle);
          return lRetVal;
      }

      // first value: the path as-is. The size passed to RegSetValueEx must be the
      // string length plus the terminating NUL, not a fixed 255.
      strcpy(vValue, PathName);
      lRetVal = RegSetValueEx(lhkey, "Setvaluehere", 0, REG_SZ, (LPBYTE)vValue, (DWORD)(strlen(vValue) + 1));

      // second value: the same path with " 1 1" appended
      strcpy(vValue, PathName);
      strcat(vValue, " 1 1");
      lRetVal = RegSetValueEx(lhkey, "Setkeyhere", 0, REG_SZ, (LPBYTE)vValue, (DWORD)(strlen(vValue) + 1));

      RegCloseKey(lhkey);
      RegCloseKey(lHKeyhandle);

Or use .net method
RegistryKey.OpenRemoteBaseKey
http://msdn.microsoft.com/en-us/library/8zha3xws(v=vs.71).aspx

Notice how the .net method requests security attributes? This is what I am trying to get you to understand mainly and yes, they did make it so you can enable access remotely. It's clearly documented on MSDN, you just need to find it to read it. Yes, actually. There are a few other possibilities. DCOM/RPC access permissions. lol, no this is the correct error message. No mistake. Nice try ;) If that was true we would all be in trouble.

Hello,

By my first line: "I checked the permissions, and the account should have access?" the permissions I was referring to are those of the key in regedit.  I did confirm that the Administrators Group has permission to access that specific Key, and not just that the domain admin was part of the group.

From the MSDN, (which I had checked prior to posting, as it's my first line of research), it also mentions "In order for a key to be opened remotely, both machines (the service, and client) must be running the remote registry service, and have remote administration enabled."  Which I also confirmed are running on the machines.

So unless I'm missing some other security attribute from the MSDN, then I'm back to square one of not knowing exactly why this issue is occurring.

Here's a checklist of things I've made sure of:
1) Impersonation is working
2) The account being impersonated is part of the administrators group on the remote machine.
3) The administrators group has full control of the registry key in question (verified in regedit)
4) The remote administration and the remote registry services are running on both my machine and the remote machine


The part of your reply I'm not sure about is when you say "Notice how the .net method requests security attributes?".  Are you referring to the SecurityPermission namespace at the bottom under .Net Security? I'm already impersonating someone who should have access, is there something I need to do specifically with the SecurityPermission to confirm this access?

Thank you for your help.
ASKER CERTIFIED SOLUTION
Russell_Venable

Sorry for the late reply, I've been working on other projects this week as this one got put on pause.  I checked the registry key and ForceGuest is enabled.  I've had to check with our Data Security team to see if I can turn this off as a test to verify that that is what is causing my authentication issues, but they haven't gotten back to me yet.  Once they confirm that I can do it on one machine to test, I will post the results back here.

Thanks for the info. I'll be waiting for your reply :)

Finally got authorization to try it on one machine and unfortunately, no change.

I guess I will have to check with Data Security to see if they block the ports in the firewall.  Would you happen to know which ports would be accessed by this, or is it on a machine by machine basis?

Thank you for all your help so far.
SOLUTION
I checked with them and there is no firewall between my machine and the remote machine, and also that port 139 is open for connections.

We did however notice that the remote machine is logging the access attempt as anonymous in the event viewer (security tab), rather than the impersonation.  This doesn't seem to change whether I run the application from within the domain, or from a different domain.  As a possible test (and not at all a possible solution), we enabled anonymous access on one of the machines, and were still greeted with the same error?

Do you have any other possible solutions?  

Thank you again

There is another one I should have included in the check earlier.

Check the registry using regedit32 and check the key

Go to the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
And see if there is a value of "RestrictAnonymous".
If so, check to make sure the value is:

Value Name: RestrictAnonymous
Data Type: REG_DWORD
Value: 0

If this key is missing you can add it and assign the key as a DWORD with a value of 0. This will allow anonymous connections.
SOLUTION
In the end, this project was abandoned by management.  

Thank you very much for your helpful suggestions, but there are just too many security restrictions to take them all off in order to make this work.

That's very understandable. Better luck next time. Happy New Year to you all.