Discussion:
RegistryPermission class fails to set permissions in XP
Jan M
2010-02-24 15:50:06 UTC
Hi,

In a setup app, I need to set registry permissions for HKLM\SOFTWARE\MyApp so limited users may write
(it's accessed by a driver so HKCU isn't an option).

Using MSDN example of System::Security::Permissions::RegistryPermission as basis to set AllAccess fails (as do the
MSDN examples themselves). Setting permissions with regedit allows limited users to write.

What am I missing here?

XP SP3. Test code follows.

Thanks,

Jan


// Requires /clr:oldSyntax.

#include <windows.h>

using namespace System::Security::Permissions;

int main() // Run as administrator
{
    HKEY hKey = 0;
    DWORD dwDisposition = 0;

    if(RegCreateKeyEx(HKEY_LOCAL_MACHINE,
                      L"SOFTWARE\\MyApp",
                      0,
                      0,
                      REG_OPTION_NON_VOLATILE,
                      KEY_ALL_ACCESS,
                      NULL,
                      &hKey,
                      &dwDisposition))
    {
        return 1;
    }

    DWORD dwVal = 1;
    long lRet = RegSetValueEx(hKey, L"MyKey", 0, REG_DWORD, (BYTE*) &dwVal, sizeof(DWORD));

    RegCloseKey(hKey);

    // Set permission to AllAccess as per MSDN example:
    // http://msdn.microsoft.com/en-us/library/system.security.permissions.registrypermission(VS.71).aspx
    //
    // Also tried Prm->Demand() as suggested elsewhere. No joy. Regedit.exe shows no change
    // for normal (limited) user and TestPermission() fails when called as limited user.

    RegistryPermission* Prm = new RegistryPermission(RegistryPermissionAccess::AllAccess,
                                                     L"HKEY_LOCAL_MACHINE\\SOFTWARE\\MyApp");

    // THIS DOESNT SET AllAccess FOR LIMITED USER AS IMPLIED BY MSDN EXAMPLE.
    Prm->AddPathList(RegistryPermissionAccess::AllAccess,
                     L"HKEY_LOCAL_MACHINE\\SOFTWARE\\MyApp");
    return 0;
}

void TestPermission() // Call as limited user
{
    HKEY hKey = 0;

    if(!RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"SOFTWARE\\MyApp", 0, KEY_ALL_ACCESS, &hKey))
    {
        DWORD dwVal = 5;
        DWORD dwType = REG_DWORD;
        DWORD dwSize = sizeof(DWORD);

        long lRet = RegSetValueEx(hKey, L"MyKey", 0, REG_DWORD, (BYTE*) &dwVal, sizeof(DWORD));

        RegCloseKey(hKey);
    }
}

Alexander Grigoriev
2010-02-25 03:29:33 UTC
As I understand, this class implements code-based access restrictions for
managed code, in this process context only. It doesn't modify actual
security descriptors. It doesn't add permissions if existing security
descriptors don't give it.
Jan M
2010-02-25 06:12:47 UTC
Hi Alexander,

Thanks for your reply.

In which case, how do I programmatically change the registry permissions permanently to allow a limited user to write to
HKLM\SOFTWARE\MyApp?

Regards,

Jan
Alexander Grigoriev
2010-02-25 15:05:45 UTC
Pass SECURITY_ATTRIBUTES with an appropriate descriptor to RegCreateKeyEx.

But if you want the apps to write to the registry just to communicate with
the driver, this is the wrong approach. The apps should use IOCTL or WMI for
that.
Jan M
2010-02-25 17:36:22 UTC
Hi Alexander,

I sorted it using Get/Set DACL.

Thanks for your help.

Jan
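
The fix the thread arrives at (read the key's DACL, add an entry, write it back), shown here as an added example that is not code from any poster. It uses the .NET Framework 2.0+ RegistrySecurity class, which edits the real security descriptor, unlike the code-access RegistryPermission class. Granting BUILTIN\Users only query/set-value on this one key is an assumption about what the application needs.

```csharp
// Added example, not code from the thread. Requires .NET Framework 2.0 or later.
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

static class GrantMyAppKeyAccess
{
    const string SubKey = @"SOFTWARE\MyApp";   // key named in the thread

    // Assumption: limited users only need to read and write values, not AllAccess.
    const RegistryRights Granted = RegistryRights.QueryValues | RegistryRights.SetValue;

    static int Main()   // run as administrator, e.g. from the setup app
    {
        // Make sure the key exists; this handle lacks WRITE_DAC, so close it.
        Registry.LocalMachine.CreateSubKey(SubKey).Close();

        // Reopen, asking explicitly for the right to read and change the DACL.
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(
                   SubKey,
                   RegistryKeyPermissionCheck.ReadWriteSubTree,
                   RegistryRights.ReadPermissions | RegistryRights.ChangePermissions))
        {
            if (key == null) return 1;

            SecurityIdentifier users =
                new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);

            // Get the current DACL, add one allow ACE, write it back to the key.
            RegistrySecurity sec = key.GetAccessControl(AccessControlSections.Access);
            sec.AddAccessRule(new RegistryAccessRule(
                users, Granted,
                InheritanceFlags.None,      // this key only, not its subkeys
                PropagationFlags.None,
                AccessControlType.Allow));
            key.SetAccessControl(sec);

            // Read the DACL back so the installer log records what is now in force.
            foreach (RegistryAccessRule r in key.GetAccessControl(AccessControlSections.Access)
                         .GetAccessRules(true, true, typeof(SecurityIdentifier)))
            {
                Console.WriteLine("{0} {1} {2} inherited={3}",
                    r.AccessControlType, r.IdentityReference, r.RegistryRights, r.IsInherited);
            }
        }
        return 0;
    }
}
```

With this narrower grant, the limited-user side has to open the key with KEY_QUERY_VALUE | KEY_SET_VALUE; the KEY_ALL_ACCESS request in TestPermission() from the first post would still be denied.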
