Re: howto check for Registry write permission without UAE dialogue?

Tech-Archive recommends: Fix windows errors by optimizing your registry

---

• From: Ray Trent <rat@xxxxxxxxxxxxx>
• Date: Fri, 25 Jul 2008 17:52:14 -0700

---

You can do this, but you will either have to split your functionality into 2 apps, or re-run your app dynamically when you decide you need them with CreateProcess, specifying that it needs admin rights.

Basically, the answer to your question is "non-elevated apps can't write to HKLM in Vista", no matter what privileges the user has. So to write it, you'll need to run elevated. Which necessarily involves a separate process execution.

If you *really* were writing "least privilege" code, BTW, you'd already be dealing with this stuff. The headaches UAC added are entirely due to all user's apps running without admin rights by default, even administrators. It's roughly equivilent to the "sudo" paradigm in Unix/Linux, except that even admins have to use sudo to do privileged stuff.

Mai Kee Reiss wrote:

Hi Ray,

In Vista, the correct way to do this is to *always* use HKCU, even if you have the privileges to write HKLM. The only exception is install programs.

This part, I have understand now. Not really accepted, but understand...

And even if the user is an administrator, you're still going to fail unless the app currently actually has an admin token... so, again, you'll want to manifest your app to require admin privs if you want to write to HKLM.

Sorry, this is only the half answer on my question :-(
May be, I should have asked: "How to see if my app has the privs to write to HKLM?"

I only want to branch inside my app between "only reading HKLM templates + writing back to HKCU is allowed"
and (rare)
"Special functionality of creating HKLM templates is also enabled"

Because this app owns it own setup/config module in the same .exe file. There is no CAB install or setup.exe, since this app is compareable to a setup.exe. It mostly _is_ a config.exe for other programms.

Of course, you can always just go ahead and write to HKLM, and Vista will (generally) virtualize your registry writes to go into HKCU without your app noticing. Doesn't have the same semantics, of course.

Yeah, this - is for shure - _not_ what I want. When beeing in admin mode (and this will be only very rare times, if called by "rise my rights / execute as admin") and seeing the appropriate cmd line params, my programm shall write really into HKLM. In all other cases - and this will be 99% of the calls, it shall read from HKLM and write to HKCU.

Can this be achieved in any way?
Or have I to change the whole design?
Need to split into "NormalUsage.exe" and "MasterConfig.exe"?

And if I have to change, how do I achieve the HKLM writing with my "MasterConfig.exe"? How do I see "MasterConfig.exe" is started under less privileges, resulting in no real access to HKLM?

Finally, I need to detect this case programmatically, because I have to inform the user about his need to raise the rights for MasterConfig.exe (or for asking his Administrator to do it).

Thus, just saying "you may not write such code" is only the half answer for me. Sorry for beeing unappreciative ;-)

Mai Kee Reiss wrote:

Hi again,

before I write some values to HKLM/SOFTWARE, i want to check, if the current user has the appropriate right to do that. (Otherwise, I will only read the values there and use them as a template for HKCU/SOFTWARE and continue writing there)

In the past, I tried to write, got an error and GetLastError() told me, the current user has insufficient permissions. This is - of couse - the quick and dirty way. And now, with VISTA, this is a completely /wrong/ way. So I want to complete my routines with a "ceck permission BEFORE accessing".

I wonder if there is a BCP (best current practice) for doing so.

Any hints?

--
Ray
.

---

• References:
  • howto check for Registry write permission without UAE dialogue?
    • From: Mai Kee Reiss
  • Re: howto check for Registry write permission without UAE dialogue?
    • From: Ray Trent
  • Re: howto check for Registry write permission without UAE dialogue?
    • From: Mai Kee Reiss

• Prev by Date: Re: Howto evaluate if current user is of administrators group?
• Next by Date: Re: INF / HKCU Question
• Previous by thread: Re: howto check for Registry write permission without UAE dialogue?
• Next by thread: Re: KeServiceDescriptorTable issue
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Registry Permission Attributes ... current user is an admin, you don't have all the admin SIDs and privileges ... using the actual privileges of the admin account harder. ... In order for the app to actually run with the administrator privileges, ... Has something changed in WinVista that would be expected to cause this ... (microsoft.public.dotnet.security) Re: Give an app admin privaledges - How? ... Since this app is not certified for Windows (meaning it needs admin ... you will need to identify what registry hives and ... different special domain user account that has local admin privileges. ... (microsoft.public.win2000.group_policy) Re: howto check for Registry write permission without UAE dialogue? ... you have the privileges to write HKLM. ... The only exception is install ... unless the app currently actually has an admin token... ... How do I see "MasterConfig.exe" is started under less privileges, ... (microsoft.public.development.device.drivers) Re: Startup takes forever ... Or, an app being loaded ... by HKLM that is not functioning correctly. ... MSCONFIG will be able to ... > windows updates. ... (microsoft.public.windowsxp.general) Re: XP & W2K server User rights need help ... before did not install the apps as admin. ... >behaved app. ... >> server non of the users had accounts only the computers ... (microsoft.public.windowsxp.security_admin)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Development  > microsoft.public.development.device.drivers  > 2008-07