RegOpenKeyEx failure

[Polaris]

Hi Experts:

I'm writing a console app which accesses and changes some values under
Windows registry: HKLM\System\CurrentControlSet\Enum and I'm the admin on
the machine (XP).

I have done the following steps but failed at step #4 with access denied
error.

1. Get the process handle with PROCESS_ALL_ACCESS; success.

2. Get the token handle with TOKEN_ALL_ACCESS; success.

3. Adjust token privilege to SE_TAKE_OWNERSHIP_NAME; success.

4. open the reg key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum" using
RegOpenKeyEx with KEY_ALL_ACCESS (tried also WRITE_ONWER); but failed with
return code 5 (Access Denied).

If I manually change the permission for "EVERYONE" with full permissions
using RegEdit.exe, it worked fine. But this is not what I want. I like the
app to be able to programmatically do that through certain steps (hopefully
similar steps to what I have tried above).

Any pointer on the possible cause is appreciated.

Thanks in Advance.

Polaris

[David Wilkinson]

HKLM is not accessible to a non-elevated process under Vista or Windows 7.

If your application had no manifest, then writing would to HKLM would be
virtualized, so I assume that your application has the standard "AsInvoker"
manifest (as it should).

Really, your application should not be writing to HKLM. If you need occasional
access to HKLM is perform some specific task, you could instruct the user to
start the application as Administrator.

--
David Wilkinson
Visual C++ MVP

[Alexander Grigoriev]

The OP is running XP, as Administrator. Enum key can only be written by
LOCAL_SYSTEM account. Even though in XP one can take ownership, that would
be a kludge. Even worse, in Vista SP2/Windows 7, Enum key ownership cannot
even be taken by an admin (it's already owned by Administrators). This key
has a special token (owner permissions), which sets maximum owner
permissions. Traditionally, in Windows an object owner could open it with
any access requested, even if ACL specified lower permissions. This new
token changed that.

"David Wilkinson" <no-r...@effisols.com> wrote in message
news:u%2352UA3a...@TK2MSFTNGP02.phx.gbl...

> Polaris wrote:
>> I'm writing a console app which accesses and changes some values under
>> Windows registry: HKLM\System\CurrentControlSet\Enum and I'm the admin on
>> the machine (XP).
>

[Joseph M. Newcomer]

I agree. I find far too many programmers think HKLM is available for writing. Assume
that it is not, and never will be, for any normal user program. It can only be written by
elevated programs, and that means you should not be running an ordinary program as
elevated; only installers and other very special code should run elevated.

I find one of the truly wonderful features of Vista is that I can run in a restricted
account; even though I'm in the "Administrator" group, my code runs without admin
privileges, as it should. This means that blunders like this would be caught early in the
design.

The enum key is one of the very critical keys; the ability of a program to write this
could render the system unbootable; to protect against malware, it is highly protected.
Manually changing the permission is granting open season on the machine by any malware
wandering by. This would be a colossal mistake.

You have failed to give any good reason you need to write this key. In the absence of a
good reason, the answer is simple: Change the design.

Note that the solution of asking the user to Run As Administrator is not a good solution;
in most real contexts (e.g., corporate sites with *real* security), most users are not
permitted to Run As Administrator even on their own machines as local administrator. This
prevents social engineering attacks that could compromise corporate security. So not only
should you not assume you can write anything in HKLM, you must assume that the user will
not have permission to Run As Administrator and therefore nothing can ever be done to
HKLM. Note also that any program that requires Run As Administrator or has a manifest
that requires administrator will not receive logo certification, and therefore any program
that does so does not represent anything remotely close to what is considered Best
Practice.

I just finished a project where the old software assumed you could write to HKLM. The
client had serious opposition to any change that would remove this feature, until I
pointed out that they would never receive logo certification for their product, something
they really want. That settled the argument. The bug had never been noticed before
because all the in-house programmers were using XP and running with admin privileges, and
nobody had read anything about what constituted Best Practice.
joe

Joseph M. Newcomer [MVP]
email: newc...@flounder.com
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm

[Pavel A.]

MS has warned ever so often, not to fool with the enum key, because it holds
PnP database.
Eventually, their patience ended.

--pa

"Polaris" <etpo...@hotmail.com> wrote in message
news:e8crIm0a...@TK2MSFTNGP02.phx.gbl...

[David Wilkinson]

Alexander Grigoriev wrote:
> The OP is running XP, as Administrator. Enum key can only be written by
> LOCAL_SYSTEM account. Even though in XP one can take ownership, that would
> be a kludge. Even worse, in Vista SP2/Windows 7, Enum key ownership cannot
> even be taken by an admin (it's already owned by Administrators). This key
> has a special token (owner permissions), which sets maximum owner
> permissions. Traditionally, in Windows an object owner could open it with
> any access requested, even if ACL specified lower permissions. This new
> token changed that.

Oops, yes. I missed the XP (and the particular reference to the Enum registry
key). In short, I did not read the question carefully...

I would still maintain, though, that an application has no business messing with
anything in HKLM. This was possible in XP because most users run as
administrator, but in Vista/Win7 it is not possible without elevation.