Re: Granting write access to HKLM
From: Steve Shurber (steveshurber_at_canada.com)
Date: 03/08/04
Date: Mon, 8 Mar 2004 11:11:31 -0500
Roy,
Thank you very much for that excellent response. You were right in assuming
that I do not have a basic understanding of programming Windows security.
The info you provided was very helpful and I have already taken your advice
and ordered the book you suggested. It looks like exactly what I need.
Thanks again.
"Roy Fine" <rlfine@twt.obfuscate.net> wrote in message
news:uBjVeV7AEHA.2804@tk2msftngp13.phx.gbl...
> Steve --
>
> Here is a starter set for setting the security permissions on a key in the
> registry.
>
> It is right trivial, in that we don't set the DACL to a specific set of
> permissions for a specific principal, rather we initialize the security
> descriptor, and then set the DACL to null - this gives Everyone full
> control - i.e. it has a DACL, but restricts no one (that's the definition
> for full control to everyone). For specifics, we would create the DACL - an
> ACL (header) and an array of ACCESS_ALLOWED_ACE elements -- see the docs on
> AddAccessAllowedAce / AddAccessDeniedAce for details.
>
> Note - the system docs specifically state that denied ACE entries ALWAYS
> occur before allowed ACE entries -- that's just not true, rather is but a
> feature of the permissions GUI tool. Some really interesting situations can
> be constructed when rolling your own. Specifically, place an allowed ACE
> for user RoyFine on an object, then place a denied for NETWORK group, then
> place an allowed for EVERYONE. RoyFine can then access the object from
> anywhere (locally or the network), everyone else must make their way to an
> interactive session at the desktop. The system scans the ordered list head
> to tail, stopping on the first denied or allowed for the principal in
> question. That's just one example.
>
> For details on setting specific permissions for specific security
> principals, see the MSDN docs, starting with SetSecurityDescriptorDacl
> (remembering that SACL is for controlling auditing on system level events
> and DACL is for controlling access to an object) -- if you have access to
> it, Keith Brown has an EXCELLENT book on the subject - Programming Windows
> Security.
>
> regards
> roy fine
>
>
> /* ***************************************************** */
> #include <windows.h>
> #include <tchar.h>
>
> int _tmain(int argc, _TCHAR* argv[]){
>     HKEY myKey;
>     // Scratch buffer used as the security descriptor.
>     unsigned char *p = new unsigned char[9000];
>     PSECURITY_DESCRIPTOR psecdesc = (PSECURITY_DESCRIPTOR)p;
>     // _T() keeps the path literal matched to the ANSI/Unicode build.
>     DWORD sts = ::RegOpenKeyEx(HKEY_LOCAL_MACHINE,
>         _T("System\\CurrentControlSet\\Services\\MY NEWKEY\\MY SUBKEY"),
>         0, KEY_ALL_ACCESS, &myKey);
>     if(sts == ERROR_SUCCESS){
>         sts = ::InitializeSecurityDescriptor(psecdesc, SECURITY_DESCRIPTOR_REVISION);
>         // DACL present but NULL: restricts no one, i.e. Everyone gets full control.
>         sts = ::SetSecurityDescriptorDacl(psecdesc, TRUE, NULL, TRUE);
>         sts = ::RegSetKeySecurity(myKey, DACL_SECURITY_INFORMATION, psecdesc);
>         sts = ::RegCloseKey(myKey);
>     }
>     if(p) delete [] p;
>     return 0;
> }
> "Steve Shurber" <steveshurber@canada.com> wrote in message
> news:ea4P5SwAEHA.1604@TK2MSFTNGP11.phx.gbl...
> > I am writing a program that is to be run in Administrator mode.
> >
> > Generally, users do not have write access to HKLM. I want to
> > be able grant all users read and write access to certain keys.
> >
> > Any ideas of this can be done programmatically?
> >
> >
> > Steve
> >
> >
>
>
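The ACE-ordering scenario from Roy Fine's message, as an added example that is not part of the original thread: a simplified, portable C++ model of the head-to-tail DACL walk, not the Windows API. Principals are plain strings, `RW_MASK` is a constructed two-bit mask, and the function names are hypothetical; it compares the message's ordering with deny-first ordering and also models the NULL DACL case.

```cpp
// Simplified model of an ordered DACL walk (added example, not Windows API code).
#include <cstdint>
#include <cstdio>
#include <set>
#include <string>
#include <vector>

enum class AceType { Allow, Deny };
struct Ace { AceType type; std::string trustee; uint32_t mask; };  // real ACEs hold a SID
using Token = std::set<std::string>;   // the caller's user name plus group names
const uint32_t RW_MASK = 0x3;          // constructed mask standing in for read|write

// dacl == nullptr models a NULL DACL (restricts no one);
// an empty vector models an empty DACL (grants nothing).
bool access_check(const std::vector<Ace>* dacl, const Token& token, uint32_t desired) {
    if (dacl == nullptr) return true;
    uint32_t remaining = desired;                 // requested bits not yet granted
    for (const Ace& ace : *dacl) {                // head to tail, in stored order
        if (!token.count(ace.trustee)) continue;  // ACE does not apply to this caller
        if (ace.type == AceType::Deny) {
            if (ace.mask & remaining) return false;   // denied before being granted
        } else {
            remaining &= ~ace.mask;
            if (remaining == 0) return true;          // everything requested is granted
        }
    }
    return remaining == 0;   // ran off the end: ungranted bits are implicitly denied
}

// Ordering from the message: allow RoyFine, deny NETWORK, allow Everyone.
std::vector<Ace> message_order() {
    return {{AceType::Allow, "RoyFine", RW_MASK},
            {AceType::Deny, "NETWORK", RW_MASK},
            {AceType::Allow, "Everyone", RW_MASK}};
}

// The same three ACEs with the deny entry first, as the permissions GUI orders them.
std::vector<Ace> canonical_order() {
    return {{AceType::Deny, "NETWORK", RW_MASK},
            {AceType::Allow, "RoyFine", RW_MASK},
            {AceType::Allow, "Everyone", RW_MASK}};
}

int main() {
    Token roy_net = {"RoyFine", "Everyone", "NETWORK"};   // RoyFine over the network
    std::vector<Ace> m = message_order(), c = canonical_order();
    std::printf("message order: %d, deny-first order: %d\n",
                access_check(&m, roy_net, RW_MASK), access_check(&c, roy_net, RW_MASK));
    return 0;
}
```

With the deny-first ordering the same three ACEs lock RoyFine out over the network, which is why ACE order has to be reviewed along with ACE content when auditing a key's DACL.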