Re: writing to registry in vista from guest account



On Jan 27, 8:33 pm, "Mr. Arnold" <Arn...@xxxxxxxxxx> wrote:
alexia wrote:
On Jan 27, 6:28 pm, "Cowboy \(Gregory A. Beamer\)"
<NoSpamMgbwo...@xxxxxxxxxxxxxxxxxx> wrote:
The option I know is to reduce security on this particular hive so a user
can alter it. I am not sure this is wise. Better to put the configuration in
a config file, even if you have to encrypt it.

Another option is releasing the app as a web site or a click once
deployment, where it does not require registry access.

--
Gregory A. Beamer
MVP; MCP: +I, Se, SD, DBA

Blog:http://feeds.feedburner.com/GregoryBeamer

*************************************************
|  Think outside the box!                          |
*************************************************

"alexia" <alexia....@xxxxxxxxx> wrote in message

news:e5b4c34b-2a9b-4b97-9baa-8c9cf3b2bb4b@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Hi,
My application fails to write into registry key. When it runs in user/
guest account.
When I install my application in administrator, the installing process
creates reg key in HKLM.
I compile my application using manifest.
After the installation I create new user/guest account and runs the
application from that account.
The failure is when my application tries to write to the registry I
get the following error:
"Requested registry access is not allowed". I use the following code:
Note that I can read with no problem. My application doesn't fail in
administrator account.
try
{
   // I get "Requested registry access is not allowed" error here....
   RegistryPermission rm = new RegistryPermission(
      RegistryPermissionAccess.AllAccess, TCPRoot);
   rm.Demand();
}
catch (Exception e)
{
   throw new Exception(e.Message);
}
RegistryKey myRegKey = Registry.LocalMachine;
myRegKey = myRegKey.OpenSubKey("SOFTWARE\\Giant Steps\\SLIP\\TCP",
   RegistryKeyPermissionCheck.ReadWriteSubTree,
   System.Security.AccessControl.RegistryRights.FullControl);
try
{
   myRegKey.SetValue("Subnet", subnet);
}
catch (Exception e)
{
   throw new Exception(e.Message);
}
Is there a way to write to a HKLM key which was created in admin
account from user/guest account?
Thanks.

Hi Cowboy,

So what you are saying is that CE application can't modify registry
settings in HKLM
even if it has been elevated?

That's correct. The Standard user can have its rights elevated to admin
level by giving an admin user-id a psw, which is only at the moment of
escalation and is not maintained for the user.

By escalating rights of a user that is a Standard user does not make the
user have admin rights at the moment of privileged escalation. If the
user account is a non-admin account, then it's not going to have admin
rights as a designated user admin account, and the access is denied.

Even an admin user account, the one out of the box or subsequent new
user admin accounts created, are not user-admin accounts with UAC
enabled. They are Standard users accounts as user admin on Vista, which
has two access tokens assigned to the user-admin account.

One token is for Standard user and the other one is for full admin
rights token.  The admin user with UAC enabled must have its rights
escalated to use the full admin rights token to perform the admin tasks,
and then the user admin is returned to being a Standard user.

Can I write the settings in CURRENT_USER? Will each user have his own
entry which will be set to his account?

You need to find out how UAC is working from a programmer's view point
and how Virtualization works on Vista with UAC.

http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx
<http://www.symantec.com/community/article/2665/folder-virtualization-...>

I think you're going to have to use this account to give you the power,
which is not that user-admin account out of the box.

<http://www.howtogeek.com/howto/windows-vista/enable-the-hidden-admini...>

I do recall something about how to get settings set by user-account, but
it had to do with Virtualization and you'll have to follow that path and
look it up using Google, because you're not going to be able to do too
much with Vista and user admin concerning the registry, because Vista is
not XP or any other previous versions of the NT based O/S.

You can't even get away with certain things on Vista, even if you use
the hidden account, that has full admin rights at all times, as Vista
will protect itself from even a user using that account with UAC enabled
or disabled.

Hello Arnold,

Thanks for the reply, though I'm a little confused (English is not my
mother's tongue).
I have a few questions if I may:
1. My application needs to be able to run in any user type. It should
save user settings as he selected. Should I save it in
HKEY_CURRENT_USER (will this mean that each user will save its settings
in his own HKCU?)
or in xml file at "Application Data" folder?
2. Even though I used manifest when building the application, I still
get the UAC prompt and need to enter admin password when running the
application. My assembly hasn't been digitally signed yet.
3. My C# calls C++ dlls. Do I need to build the Dlls with manifest
also?
4. I noticed that if UAC is disabled, I can't write to HKLM registry
while if UAC is enabled I can write.

I hope the programming in Windows 7 will be much easier than
programming in VISTA. It seems that all the advantages of programming in
C# are reduced if doing it in VISTA.
Thanks for the help.
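
One way to handle question 1 above, as an added example that is not code from the thread: leave the installer-written HKLM value as a read-only machine default and store each user's choice under the same path in HKCU, which the logged-on user can write without elevation. The class and method names are assumptions; the key path and value name are the ones from the post.

```csharp
using System;
using Microsoft.Win32;

// Hypothetical helper (names are illustrative, not from the thread).
static class TcpSettings
{
    // Key path and value name as used in the post above.
    const string SubKey = @"SOFTWARE\Giant Steps\SLIP\TCP";
    const string ValueName = "Subnet";

    // Per-user write: goes to this user's own hive, so no admin token is needed.
    public static void SaveSubnet(string subnet)
    {
        using (RegistryKey key = Registry.CurrentUser.CreateSubKey(SubKey))
        {
            if (key == null)
                throw new InvalidOperationException("Could not create HKCU\\" + SubKey);
            key.SetValue(ValueName, subnet, RegistryValueKind.String);
        }
    }

    // Read the user's own value first, then the machine default in HKLM.
    // Both keys are opened read-only (writable: false), which a standard user may do.
    public static string LoadSubnet(string fallback)
    {
        foreach (RegistryKey hive in new[] { Registry.CurrentUser, Registry.LocalMachine })
        {
            using (RegistryKey key = hive.OpenSubKey(SubKey, false))
            {
                object value = key == null ? null : key.GetValue(ValueName);
                if (value != null)
                    return value.ToString();
            }
        }
        return fallback;
    }

    static void Main()
    {
        SaveSubnet("255.255.255.0");              // constructed sample value
        Console.WriteLine(LoadSubnet("0.0.0.0")); // prints the per-user value just saved
    }
}
```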