Re: writing to registry in vista from guest account




alexia wrote:
On Jan 27, 6:28 pm, "Cowboy \(Gregory A. Beamer\)"
<NoSpamMgbwo...@xxxxxxxxxxxxxxxxxx> wrote:
The option I know is to reduce security on this particular hive so a user
can alter it. I am not sure this is wise. Better to put the configuration in
a config file, even if you have to encrypt it.

Another option is releasing the app as a web site or a click once
deployment, where it does not require registry access.

--
Gregory A. Beamer
MVP; MCP: +I, Se, SD, DBA

Blog:http://feeds.feedburner.com/GregoryBeamer

*************************************************
| Think outside the box! |
*************************************************

"alexia" <alexia....@xxxxxxxxx> wrote in message
news:e5b4c34b-2a9b-4b97-9baa-8c9cf3b2bb4b@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



Hi,
My application fails to write into a registry key when it runs in a
user/guest account.
When I install my application as administrator, the installing process
creates a reg key in HKLM.
I compile my application using a manifest.
After the installation I create a new user/guest account and run the
application from that account.
The failure is when my application tries to write to the registry I
get the following error:
"Requested registry access is not allowed". I use the following code:
Note that I can read with no problem. My application doesn't fail in
administrator account.
try
{
    // I get "Requested registry access is not allowed" error here...
    RegistryPermission rm = new RegistryPermission(
        RegistryPermissionAccess.AllAccess, TCPRoot);
    rm.Demand();
}
catch (Exception e)
{
    throw new Exception(e.Message);
}
RegistryKey myRegKey = Registry.LocalMachine;
myRegKey = myRegKey.OpenSubKey("SOFTWARE\\Giant Steps\\SLIP\\TCP",
    RegistryKeyPermissionCheck.ReadWriteSubTree,
    System.Security.AccessControl.RegistryRights.FullControl);
try
{
    myRegKey.SetValue("Subnet", subnet);
}
catch (Exception e)
{
    throw new Exception(e.Message);
}
Is there a way to write to a HKLM key which was created in admin
account from user/guest account?
Thanks.

Hi Cowboy,

So what you are saying is that CE application can't modify registry
settings in HKLM
even if it has been elevated?

That's correct. The Standard user can have its rights elevated to admin level by giving an admin user-id a psw, which is only at the moment of escalation and is not maintained for the user.

Escalating the rights of a user that is a Standard user does not make the user have admin rights at the moment of privileged escalation. If the user account is a non-admin account, then it's not going to have admin rights as a designated user admin account, and the access is denied.

Even an admin user account, the one out of the box or subsequent new user admin accounts created, are not user-admin accounts with UAC enabled. They are Standard user accounts as user admin on Vista, which has two access tokens assigned to the user-admin account.

One token is for Standard user and the other one is for full admin rights token. The admin user with UAC enabled must have its rights escalated to use the full admin rights token to perform the admin tasks, and then the user admin is returned to being a Standard user.


Can I write the settings in CURRENT_USER? Will each user have his own
entry which will be set to his account?

You need to find out how UAC is working from a programmer's view point and how Virtualization works on Vista with UAC.

http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx
<http://www.symantec.com/community/article/2665/folder-virtualization-concepts-windows-vista>


I think you're going to have to use this account to give you the power, which is not that user-admin account out of the box.

<http://www.howtogeek.com/howto/windows-vista/enable-the-hidden-administrator-account-on-windows-vista/>

I do recall something about how to get settings set by user-account, but it had to do with Virtualization and you'll have to follow that path and look it up using Google, because you're not going to be able to do too much with Vista and user admin concerning the registry, because Vista is not XP or any other previous versions of the NT based O/S.

You can't even get away with certain things on Vista, even if you use the hidden account, that has full admin rights at all times, as Vista will protect itself from even a user using that account with UAC enabled or disabled.
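
The per-user approach asked about in this thread, as an added example that is not part of the original posts: the installer-created HKLM key is opened read-only as the machine-wide default, and writes go to the same relative path under HKEY_CURRENT_USER, which a standard user can write to without elevation. The class name, the reuse of the key path under HKCU, and the sample subnet value are assumptions.

```csharp
using System;
using Microsoft.Win32;

static class SubnetSettings
{
    // Key path and value name come from the code in the question; reusing the
    // same relative path under HKCU is an assumption made for this example.
    const string KeyPath = @"SOFTWARE\Giant Steps\SLIP\TCP";
    const string ValueName = "Subnet";

    // A per-user value wins; otherwise fall back to the machine-wide default
    // that the installer wrote to HKLM while running as administrator.
    public static string ReadSubnet()
    {
        using (RegistryKey user = Registry.CurrentUser.OpenSubKey(KeyPath, false))
        {
            string value = user == null ? null : user.GetValue(ValueName) as string;
            if (value != null) return value;
        }
        // Opened with writable = false: no write or FullControl rights are
        // requested, so this matches the read that already works in the post.
        using (RegistryKey machine = Registry.LocalMachine.OpenSubKey(KeyPath, false))
        {
            return machine == null ? null : machine.GetValue(ValueName) as string;
        }
    }

    // Writes land in the caller's own hive, so each account keeps its own
    // setting and the ACL on the HKLM key does not have to be loosened.
    public static void WriteSubnet(string subnet)
    {
        using (RegistryKey user = Registry.CurrentUser.CreateSubKey(KeyPath))
        {
            user.SetValue(ValueName, subnet, RegistryValueKind.String);
        }
    }

    static void Main()
    {
        WriteSubnet("255.255.255.0"); // constructed sample value
        Console.WriteLine("Subnet = " + ReadSubnet());
    }
}
```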