Thread: Copying Reg Key With Descriptor Error

I am attempting to copy a Registry Key(including its values and subkeys). I am also trying to copy the security descriptor of the key. I am accomplishing this by using GetSecurityInfo to get the descriptor of the key I am copying. I then use RegCreateKeyEx to create the key using the security descriptor I obtained. This generally works. However I encountered a key that RegCreateKeyEx fails with ERROR_INVALID_OWNER.

I am assuming that the account I am running in(Administrator) is not an owner of the original key. However, I still want to copy this key with the exact same descriptor of the original. Is there anyway to accomplish this? (I do not want to use RegSaveKey)

Thanks for any help you can provide.

Joe

Hi, welcome to the forums!

According to usenet, you need to enable the SE_RESTORE_NAME privilege. There is code in this post to enable a privilege.

Thank you very much. At first I thought you were referring to the RegSaveKey function, but I was very suprised to find that the privilege works. Do you know why the privilege makes it work correctly?

Will the GetSecurityInfo tactic ensure that the privileges are exactly the same on the key I create? I want to make sure I am not modifying the privileges on the key in any way.

Thank you very much for the help.

Joe

Thank you very much. At first I thought you were referring to the RegSaveKey function, but I was very suprised to find that the privilege works. Do you know why the privilege makes it work correctly?

For some operations, Windows requires that the user hold a certain privilege and that privilege be enabled in the current process. There is a list of privileges here. Administrators can assign or remove privileges from different users. Certain privileges must be enabled for the process, so that dangerous options can not be performed accidentally.

Will the GetSecurityInfo tactic ensure that the privileges are exactly the same on the key I create? I want to make sure I am not modifying the privileges on the key in any way.

A registry key does not have privileges. Privileges are hold by a user and by a process (where they may be enabled or disabled). All the code does is enable (or disable) a specific privilege for the current process.

I think your code is probably copying the owner, group and DACL correctly, but I'm wondering if it is copying the SACL successfully. This may not show up as you are unlikely to have any SACL entries defined. For testing, you may wish to create some. To do this, open regedit: Right click on a key->Permissions->Advanced->Auditing tab->Create one or more entries. If everything is working correctly, these entries should be copied to the new key.

According to the documentation, you should be able to copy the SACL by opening both keys with the REG_OPTION_BACKUP_RESTORE flag and having SE_BACKUP_NAME and SE_RESTORE_NAME privileges enabled.

Could I ask why you are avoiding RegSaveKey?

I am trying to extract the registry information in a way that can later be editted. Since RegSaveKey saves in a proprietary format, it does not offer that flexibility. I basically am trying to implement something similar to the .reg way of editting the registry but am including key descriptors and such. I am also applying this technique for copying registry keys to different parts of the registry.

Oh I mean Security Descriptor on the key, not privileges. I use privileges kind of loosely in that sense(which results in some ambiguity). The SACL does work properly (as tested by the method you suggested). I used GetSecurityInfo and RegSetKeySecurity for my purposes instead of setting the security descriptor at RegCreateKeyEx. It worked fine during RegCreateKeyEx except I could not add subkeys and values to the key after setting the Security Descriptor. So I save that step until after I have successfully copied the key.

I have one more question, if you might have information on it. I have run into a key that has only SYSTEM as a member of its security descriptor. My program runs in the Administrator account on my machine. I try to open the key with RegOpenKeyEx with KEY_READ. This fails with error code 5, ERROR_ACCESS_DENIED, presumably because I do not have rights to open the key. However regedit can enumerate the key and allows me to modify the security descriptor of the key. I imagine regedit is gaining access to the SYSTEM context to accomplish this (perhaps I am wrong). How can I make my app capable of opening the key? Is there anyway to run in the SYSTEM context without being a service? I know how to write it as a service, but that goes against the GUI I would need to run my program.

Thank you for all your help.

Joe

I have one more question, if you might have information on it. I have run into a key that has only SYSTEM as a member of its security descriptor. My program runs in the Administrator account on my machine. I try to open the key with RegOpenKeyEx with KEY_READ. This fails with error code 5, ERROR_ACCESS_DENIED, presumably because I do not have rights to open the key. However regedit can enumerate the key and allows me to modify the security descriptor of the key.

I believe that if you open the key with RegCreateKeyEx and the REG_OPTION_BACKUP_RESTORE flag, you can bypass the access check. I suspect this is the method that RegEdit uses.

The other alternative is to take ownership of the key. You could return ownership once you were done manipulating. Obviously, this method is messier than above.

Do you ever get tired of being right? Seriously though, thanks a lot. I appreciate it. The REG_OPTION_BACKUP_RESTORE worked like a charm. Everything seems to be copied successfully now.

Out of curiosity, how did you know these specific details? Just experience and familiarity, or did you search for them? I ask mostly because I have a reasonable amount of experience with WinAPI, had used everything you suggested for different purposes, but missed their subtleties because I had never needed them(like the fact that REG_OPTION_BACKUP_RESTORE gives access to the Security Descriptor and Read of keys that are otherwise untouchable outside the SYSTEM context).

Thank you again. It's refreshing to get very useful information.

Joe

Glad you got it working.

Out of curiosity, how did you know these specific details? Just experience and familiarity, or did you search for them?

A little of both. I suspected a privilege was required but had to search to confirm this and find out which one. Searching on an error code or message often gives good results (Google Groups usually provides better info compared to a web search).

The REG_OPTION_BACKUP_RESTORE flag is similar to the FILE_FLAG_BACKUP_SEMANTICS flag that can be passed to CreateFile where a better explanation of its function is given:

Originally Posted by MSDN CreateFile

Indicates that the file is being opened or created for a backup or restore operation. The system ensures that the calling process overrides file security checks, provided it has the SE_BACKUP_NAME and SE_RESTORE_NAME privileges.