Re: DllRegisterServer and NT security
- From: "Someone" <nobody@xxxxxxx>
- Date: Fri, 16 Sep 2005 00:34:53 -0400
A user must be a member of Administrators in order to have write/delete
access to HKEY_LOCAL_MACHINE. Members of Power Users have limited
write/delete access. It's limited mainly to "HKEY_LOCAL_MACHINE\Software".
Power Users don't have write access to
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\FileRenameOperations", in which the API function MoveFileEx() writes
a file name to be replaced during reboot. For this reason, installations fail
if a file has to be replaced; otherwise, Power Users can install software.

Here are the registry entries that are created by ActiveX objects:

INFO: Registry Entries Made by an ActiveX Component
http://support.microsoft.com/default.aspx?scid=kb;en-us;183771

Also read this section that explains the difference between Administrators
and Power Users regarding installations. I tried to simplify it above.

http://www.jrsoftware.org/isfaq.php#ntsecur

As for other approaches to solve this, read about these API functions:

CreateProcessWithLogonW, requires Windows 2000+, easy to use.
CreateProcessAsUser, requires Windows NT3.51+

Note that these functions may be referring to HKEY_CURRENT_USER as the user's
profile. So if it's not loaded for the admin, you are going to have
problems.

It's possible, without programming, to edit shortcuts to run as a different
user. Under XP, I just go to the shortcut tab, click Advanced, and then
select "Run with different credentials". When I open the shortcut, it
prompts me for a username and a password. Windows 2000 has a similar
option. I am not sure about NT4. Also, administrators can use the RUNAS
command line to do the same thing, from a logon script for example, but I am
not sure how the password is handled.

You may want to search Google Groups for "vb -dotnet <function name>" first,
to see what code or other things you or I may have overlooked.

"Andy DF" <nospam@xxxxxxxxxx> wrote in message
news:43292706$0$8484$5fc30a8@xxxxxxxxxxxxxxxxxx
> I have an autoupdate app that I use to deploy updates of my apps to end
> users.
> The application is DllRegisterServer capable in case I need to
> deploy/update an ActiveX dll/ocx.
>
> Code found here has been used for dynamic registering/unregistering of COM
> objects:
> http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=46775&lngWId=1
>
> Just recently I've run into the security issue with Win NT and above.
> If the user updating the application doesn't have administrative rights,
> DllRegisterServer will fail, and the whole updating process will end up in
> a mess.
>
> Is there a way, thru VB code, to momentarily gain administrative rights to
> perform registration of COM objects?
>
> TIA,
> Andy
>
>
>
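
An added example, not part of either post: a VB6 pre-flight check an updater could run before it replaces any file or calls DllRegisterServer, so that a non-administrator gets a clean refusal instead of a half-applied update. ProbeKey, CheckUpdateRights and the UpdatePreflight enum are hypothetical names; it assumes COM registration writes under HKEY_LOCAL_MACHINE\Software\Classes (where machine-wide HKEY_CLASSES_ROOT entries are stored) and tests the Session Manager key named in the reply above.

```vb
Option Explicit
' Added example: probe HKLM write access before starting an update.
Private Declare Function RegOpenKeyEx Lib "advapi32.dll" Alias "RegOpenKeyExA" _
    (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, _
     ByVal samDesired As Long, phkResult As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long

Private Const HKEY_LOCAL_MACHINE As Long = &H80000002
Private Const KEY_SET_VALUE As Long = &H2
Private Const KEY_CREATE_SUB_KEY As Long = &H4
Private Const ERROR_SUCCESS As Long = 0
Private Const ERROR_ACCESS_DENIED As Long = 5

Public Enum UpdatePreflight          ' hypothetical result codes
    upOk = 0
    upNoComRegistration = 1          ' cannot write HKLM\Software\Classes
    upNoRebootReplace = 2            ' cannot write the Session Manager key
    upRegistryError = 3              ' some other registry failure
End Enum

' Opens the key with the requested rights only; nothing is written.
' The access check happens at open time, so the return code is the answer.
Private Function ProbeKey(ByVal subKey As String, ByVal access As Long) As Long
    Dim h As Long, rc As Long
    rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, subKey, 0, access, h)
    If rc = ERROR_SUCCESS Then RegCloseKey h
    ProbeKey = rc
End Function

' Call before touching any file. Pass True when a file in use will have to
' be replaced at reboot (the MoveFileEx case described in the reply).
Public Function CheckUpdateRights(ByVal needsRebootReplace As Boolean) As UpdatePreflight
    Dim rc As Long
    rc = ProbeKey("Software\Classes", KEY_SET_VALUE Or KEY_CREATE_SUB_KEY)
    If rc = ERROR_ACCESS_DENIED Then CheckUpdateRights = upNoComRegistration: Exit Function
    If rc <> ERROR_SUCCESS Then CheckUpdateRights = upRegistryError: Exit Function
    If needsRebootReplace Then
        rc = ProbeKey("SYSTEM\CurrentControlSet\Control\Session Manager", KEY_SET_VALUE)
        If rc = ERROR_ACCESS_DENIED Then CheckUpdateRights = upNoRebootReplace: Exit Function
        If rc <> ERROR_SUCCESS Then CheckUpdateRights = upRegistryError: Exit Function
    End If
    CheckUpdateRights = upOk
End Function
```

Any result other than upOk means the update should be deferred to an administrator session rather than attempted and rolled back.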