Re: Getting registry key access rights

"Jack" <jack@xxxxxx> wrote in message
news:2ab7421t2r261cujkr2m9c002lcjl37lsq@xxxxxxxxxx
I want to be able to determine all of the access rights to a registry
key. I need to know, for example, if a key can be opened with the
KEY_QUERY_VALUE or the KEY_ENUMERATE_SUB_KEYS access right or both.

If I call RegOpenKeyEx() with both of the above flags and the key
only has one of them, will the call succeed?

If I use RegGetKeySecurity(), can I use the returned
SECURITY_DESCRIPTOR to check for access rights? How?

Thanks,
Jack

On Mon, 17 Apr 2006 11:25:11 -0400, "Skywing" <skywing_NO_SPAM_@xxxxxxxxxxxxxxxxxxx> wrote:

You could use AccessCheck() to perform the check given the security
descriptor. (Or you could manually walk the ACE list in the security
descriptor and do the access check computations yourself.)

However, the best option is to just try the operation and see if it succeeds
or not. Otherwise, you are subject to a race condition where someone could
change the security descriptor on the registry key in question between the
time where you queried it via RegGetKeySecurity() and did the access check
via AccessCheck().


I'm trying to use the AccessCheck() function but it always returns
ERROR_INVALID_SECURITY_DESCR. I'm lost when it comes to Windows
security. I don't even know what "walk the ACE" means. :-( Btw, I'm
not worried about race conditions right now.

How can I use a SECURITY_DESCRIPTOR to get access rights?

Thanks,
Jack
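
What "walking the ACE list" in the thread above amounts to, as an added example that is not part of the original posts: a simplified, portable model of DACL evaluation, not a call to the real Win32 API. The `model_*` names, the string SIDs and the sample DACL are constructed for illustration; generic mapping, inherit-only ACEs, privileges and owner rights are left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* The constants carry their real winnt.h values; everything else is a model. */
#define KEY_QUERY_VALUE         0x0001u
#define KEY_ENUMERATE_SUB_KEYS  0x0008u
enum { ACCESS_ALLOWED_ACE_TYPE = 0, ACCESS_DENIED_ACE_TYPE = 1 };
/* Hypothetical stand-in for an ACE; SIDs are strings here, not binary SIDs. */
typedef struct { int type; uint32_t mask; const char *sid; } model_ace;

/* Constructed sample DACL and tokens (user SID followed by one group SID). */
const model_ace SAMPLE_DACL[] = {
    { ACCESS_DENIED_ACE_TYPE,  KEY_ENUMERATE_SUB_KEYS, "S-1-5-21-0-0-0-1002" },
    { ACCESS_ALLOWED_ACE_TYPE, KEY_QUERY_VALUE, "S-1-5-32-545" },
    { ACCESS_ALLOWED_ACE_TYPE, KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS, "S-1-5-32-544" },
};
const char *const USER_TOKEN[]   = { "S-1-5-21-0-0-0-1001", "S-1-5-32-545" };
const char *const DENIED_TOKEN[] = { "S-1-5-21-0-0-0-1002", "S-1-5-32-544" };

static int token_has_sid(const char *const *sids, size_t n, const char *sid) {
    for (size_t i = 0; i < n; i++) if (strcmp(sids[i], sid) == 0) return 1;
    return 0;
}

/* Walk the ACEs in order; returns 1 only if every bit in `desired` is granted. */
int model_access_check(const model_ace *dacl, size_t n_aces,
                       const char *const *sids, size_t n_sids, uint32_t desired) {
    uint32_t remaining = desired;                 /* bits not yet granted */
    for (size_t i = 0; i < n_aces && remaining; i++) {
        if (!token_has_sid(sids, n_sids, dacl[i].sid)) continue;
        if (dacl[i].type == ACCESS_DENIED_ACE_TYPE && (dacl[i].mask & remaining)) return 0;
        if (dacl[i].type == ACCESS_ALLOWED_ACE_TYPE) remaining &= ~dacl[i].mask;
    }
    return remaining == 0;                        /* empty DACL grants nothing */
}

/* Test each candidate right on its own and return the mask of those granted. */
uint32_t model_granted_rights(const model_ace *dacl, size_t n_aces,
                              const char *const *sids, size_t n_sids, uint32_t candidates) {
    uint32_t granted = 0;
    for (uint32_t bit = 1; bit; bit <<= 1)
        if ((candidates & bit) && model_access_check(dacl, n_aces, sids, n_sids, bit)) granted |= bit;
    return granted;
}

int main(void) {
    uint32_t both = KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS;
    printf("user, both: %d\n", model_access_check(SAMPLE_DACL, 3, USER_TOKEN, 2, both));
    return 0;
}
```

Because a request is granted only when every requested bit is granted, asking for both rights fails when the key allows just one of them. The real AccessCheck() fails with ERROR_INVALID_SECURITY_DESCR when the security descriptor lacks owner and group SIDs, so RegGetKeySecurity() has to be asked for owner, group and DACL information together.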