Re: Granting write access to HKLM

From: Roy Fine (rlfine_at_twt.obfuscate.net)
Date: 03/09/04


Date: Tue, 9 Mar 2004 01:04:48 -0500

Cathy,

If you know the user account then use RegLoadKey() to load the NTUSER.DAT
hive into a registry key under HKEY_USER, then make your modifications.
Use RegSaveKey to put the data back in the file.

regards
roy fine

"Cathy Milan" <cathymilan@excite.com> wrote in message
news:epEEHfXBEHA.1380@TK2MSFTNGP10.phx.gbl...
> Hi Roy,
>
> I have a similar question. I want to change the permissions of a registry
> key but it is under HKCU. The problem is that each user has his/her own
> HKCU. How can I make a change of this sort that will be reflected on
> everyone's HKCU?
>
> Please let me know.
>
> Cathy
>
>
> "Roy Fine" <rlfine@twt.obfuscate.net> wrote in message
> news:uBjVeV7AEHA.2804@tk2msftngp13.phx.gbl...
> > Steve --
> >
> > Here is a starter set for setting the security permissions on a key in the
> > registry.
> >
> > It is right trivial, in that we don't set the DACL to a specific set of
> > permissions for a specific principal, rather we initialize the security
> > descriptor, and then set the DACL to null - this gives Everyone full
> > control - i.e. it has a DACL, but restricts no one (that's the definition
> > for full control to everyone). For specifics, we would create the DACL -
> > an ACL (header) and an array of ACCESS_ALLOWED_ACE elements -- see the
> > docs on AddAccessAllowedAce / AddAccessDeniedAce for details.
> >
> > Note - the system docs specifically state that denied ACE entries ALWAYS
> > occur before allowed ACE entries -- that's just not true, rather it is but
> > a feature of the permissions GUI tool. Some really interesting situations
> > can be constructed when rolling your own. Specifically, place an allowed
> > ACE for user RoyFine on an object, then place a denied for NETWORK group,
> > then place an allowed for EVERYONE. RoyFine can then access the object
> > from anywhere (locally or the network), everyone else must make their way
> > to an interactive session at the desktop. The system scans the ordered
> > list head to tail, stopping on the first denied or allowed for the
> > principal in question. That's just one example.
> >
> > For details on setting specific permissions for specific security
> > principals, see the MSDN docs, starting with SetSecurityDescriptorDacl
> > (remembering that SACL is for controlling auditing on system level events
> > and DACL is for controlling access to an object) -- if you have access to
> > it, Keith Brown has an EXCELLENT book on the subject - Programming Windows
> > Security.
> >
> > regards
> > roy fine
> >
> >
> > /* ***************************************************** */
> > #include <windows.h>
> > #include <tchar.h>
> >
> > int _tmain(int argc, _TCHAR* argv[]){
> >   HKEY myKey;
> >   // scratch buffer that holds the security descriptor
> >   unsigned char *p = new unsigned char[9000];
> >   PSECURITY_DESCRIPTOR psecdesc = (PSECURITY_DESCRIPTOR)p;
> >   DWORD sts = ::RegOpenKeyEx(HKEY_LOCAL_MACHINE,
> >       _T("System\\CurrentControlSet\\Services\\MY NEWKEY\\MY SUBKEY"),
> >       0,KEY_ALL_ACCESS,&myKey);
> >   if(sts == ERROR_SUCCESS){
> >     sts = ::InitializeSecurityDescriptor(psecdesc,SECURITY_DESCRIPTOR_REVISION);
> >     // DACL present but NULL: restricts no one, i.e. Everyone gets full control
> >     sts = ::SetSecurityDescriptorDacl(psecdesc,TRUE,NULL,TRUE);
> >     // replace only the DACL portion of the key's security descriptor
> >     sts = ::RegSetKeySecurity(myKey,DACL_SECURITY_INFORMATION,psecdesc);
> >     sts = ::RegCloseKey(myKey);
> >   }
> >   if(p) delete [] p;
> >   return 0;
> > }
> >
> > "Steve Shurber" <steveshurber@canada.com> wrote in message
> > news:ea4P5SwAEHA.1604@TK2MSFTNGP11.phx.gbl...
> > > I am writing a program that is to be run in Administrator mode.
> > >
> > > Generally, users do not have write access to HKLM. I want to
> > > be able grant all users read and write access to certain keys.
> > >
> > > Any ideas of this can be done programmatically?
> > >
> > >
> > > Steve
> > >
> > >
> >
> >
>
>
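
The ordered ACE walk described in the quoted post (allow RoyFine, deny NETWORK, allow Everyone), together with the NULL-DACL case its code sets, as an added example that is not part of the original thread. It is a simplified model with hypothetical names (Ace, Token, access_check, K_READ, K_WRITE) and no Win32 calls; inheritance, owner rights and privileges are left out.

```cpp
#include <cstdint>
#include <set>
#include <string>
#include <vector>

// Simplified model of a DACL walk; names are hypothetical, not Win32 types.
enum class AceType { Allow, Deny };
struct Ace { AceType type; std::string sid; std::uint32_t mask; };
using Token = std::set<std::string>;   // SIDs carried by the caller's token

const std::uint32_t K_READ = 0x1, K_WRITE = 0x2;  // illustrative bits, not winnt.h values

// dacl == nullptr models a NULL DACL (no restrictions at all);
// an empty vector models an empty DACL (nothing is granted).
bool access_check(const std::vector<Ace>* dacl, const Token& token,
                  std::uint32_t desired) {
    if (dacl == nullptr) return true;
    std::uint32_t remaining = desired;
    for (const Ace& ace : *dacl) {                // head to tail, stored order
        if (token.count(ace.sid) == 0) continue;  // ACE names another principal
        if (ace.type == AceType::Deny) {
            if (ace.mask & remaining) return false;  // denied before granted
        } else {
            remaining &= ~ace.mask;                  // record granted bits
            if (remaining == 0) return true;         // all requested bits granted
        }
    }
    return false;  // ran off the end with bits still ungranted
}

// Order from the post: allow RoyFine, deny NETWORK, allow Everyone.
std::vector<Ace> posted_order() {
    return { {AceType::Allow, "RoyFine",  K_READ | K_WRITE},
             {AceType::Deny,  "NETWORK",  K_READ | K_WRITE},
             {AceType::Allow, "Everyone", K_READ | K_WRITE} };
}

// Same ACEs with the deny first, as the permissions GUI would store them.
std::vector<Ace> deny_first_order() {
    return { {AceType::Deny,  "NETWORK",  K_READ | K_WRITE},
             {AceType::Allow, "RoyFine",  K_READ | K_WRITE},
             {AceType::Allow, "Everyone", K_READ | K_WRITE} };
}
```

With the posted order a remote RoyFine is granted access and any other remote user is refused; with the deny first, RoyFine is refused over the network as well. The NULL DACL grants every caller, which is why an explicit DACL is the form to ship.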


