Re: HKEY_LOCAL_MACHINE Registry Access


I turned on the "Audit logon events" in "Local Security Settings" for
successes and failures. My W2K box tells me I tried to log on as "ANONYMOUS
LOGON" from my W2K3 SP1 box. I actually register as the W2K administrator
from my W2K3 noSP box. Here is the event log:
Successful Network Logon:
User Name: Administrator
Domain: SONOMA-2000S
Logon ID: (0x0,0x5070C)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: CARMEL-2003

"Willy Denoyette [MVP]" wrote:

> Mind to explain how you authenticate as a W2K 'local' administrator when
> accessing the remote registry while impersonating a W2K3 "local"
> administrator?
> Did you turn on Logon auditing on W2K and check who failed to
> authenticate and what privileges are requested during logon?
>
> Willy.
>
>
>
> "Neil Do" <NeilDo@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:69B6F413-B9A0-4DA5-A038-FC3AD5EB1365@xxxxxxxxxxxxxxxx
> > I have a similar problem with accessing the remote registry on W2K SP4 from
> > W2K3 SP1. My problem strictly exists only with W2K3 SP1. I don't get this
> > problem with no service pack or when I access WXP. I always get "Access
> > Denied" when I try to open a registry key on W2K from W2K3 SP1. I run as a
> > web service on IIS under the IWAM account. I impersonate the local
> > administrator on the W2K3 box and authenticate as the local administrator on
> > the W2K box. I connect to the remote registry with no problems. I just
> > can't open any keys as the local administrator on the W2K box. I have full
> > permissions to the registry. I'm not sure why this only happens with W2K3
> > SP1. I haven't solved my problem, yet. I found this knowledgebase pretty
> > helpful. Apparently, Exchange Server 2003 also has a similar problem with a
> > fix: http://support.microsoft.com/?id=841561. Unfortunately, the fix is
> > application specific for Exchange Server 2003. I wish I could find more
> > details on what they did to fix this problem.
> >
> >
> >
> > "Kevin Swanson" wrote:
> >
> >> I'm attempting some remote registry manipulation via C#. I've written a
> >> test app to simply grab a specified key from a specified hive on a
> >> specified machine. The call to OpenSubKey is throwing
> >> System.SecurityException.
> >>
> >> Also of note: Sitting at my local box, I can open regedit and connect to
> >> the remote registry. I see three hives: _CLASSES_ROOT, _LOCAL_MACHINE, and
> >> _USERS. I can open all but HKEY_LOCAL_MACHINE. When I try to expand that
> >> one, I get a simple error message that tells me almost nothing.
> >>
> >> So I'm fairly certain I'm running up against some kind of permissions
> >> issue. This is a dev server, but I still don't want to go mucking around
> >> too much without knowing what I'm doing. Via Terminal Services, I added
> >> LOCAL SERVICE to HKEY_LOCAL_MACHINE and a few sub keys. That didn't help.
> >> I also found two interesting entries in the Local Security Policy:
> >> Remotely accessible registry paths and Remotely accessible registry paths
> >> and sub-paths. I didn't mess around with those much, but I did notice that
> >> there's no hive on any of the entries, and it doesn't LOOK like all of the
> >> paths I can see connecting remotely via regedit are in those lists (but I
> >> could be wrong).
> >>
> >> So what's the magic formula for accessing these keys remotely? And are
> >> some of them tied down by default? I don't think anyone here specifically
> >> decided to make the local_machine hive inaccessible remotely...
> >>
> >> Here's some details:
> >> My Machine: Windows 2000 Professional
> >> Remote Machine: Windows 2003 Server
> >> I'm an admin on both machines...
> >>
> >> Just for fun, here's a code sample:
> >>
> >> public static RegistryKey GetKey(RegistryHive hive, string key, string server)
> >> {
> >>     RegistryKey parentKey;
> >>     RegistryKey returnKey = null;
> >>
> >>     if (server == null || server.Length == 0)
> >>     {
> >>         server = string.Empty;
> >>     }
> >>
> >>     parentKey = RegistryKey.OpenRemoteBaseKey(hive, server);
> >>
> >>     if (parentKey != null)
> >>     {
> >>         try
> >>         {
> >>             // THE LINE BELOW THROWS System.SecurityException
> >>             // (the second argument, true, requests write access to the key)
> >>             returnKey = parentKey.OpenSubKey(key, true);
> >>         }
> >>         catch (Exception exception)
> >>         {
> >>             // handle the exception!
> >>             returnKey = null;
> >>         }
> >>     }
> >>
> >>     return returnKey;
> >> }
> >>
>
>
>
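
An added example, not part of the original posts: the event text quoted at the top of this message can be parsed to show, per calling workstation, whether network (type 3) logons arrive with a named account or only as ANONYMOUS LOGON. The second sample event and its workstation name EXAMPLE-2003SP1 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: event 1 is quoted from the post; event 2 is made up.
SAMPLE_LOG = """\
Successful Network Logon:
User Name: Administrator
Domain: SONOMA-2000S
Logon ID: (0x0,0x5070C)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: CARMEL-2003

Successful Network Logon:
User Name: ANONYMOUS LOGON
Logon Type: 3
Authentication Package: NTLM
Workstation Name: EXAMPLE-2003SP1
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split the dump into events; a '... Logon:' header line starts a new one."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if not value and key.endswith("Logon"):
            events.append({"Event": key})
        elif events:
            events[-1][key] = value
    return events

def logons_by_workstation(events):
    """Map workstation -> account names seen on type 3 (network) logons."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("Logon Type") == "3":
            seen[ev.get("Workstation Name", "?")].add(ev.get("User Name", "?"))
    return dict(seen)

def anonymous_only(events):
    """Workstations whose network logons never carried a named account."""
    by_ws = logons_by_workstation(events)
    return sorted(ws for ws, users in by_ws.items() if users == {"ANONYMOUS LOGON"})
```

A workstation returned by `anonymous_only` is one whose callers never presented the intended credentials to the target, which is the situation the auditing in this thread was turned on to confirm.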