Copying Reg Key With Descriptor Error

This is a discussion on Copying Reg Key With Descriptor Error within the Windows Programming forums, part of the Platform Specific Boards category; I am attempting to copy a Registry Key(including its values and subkeys). I am also trying to copy the security ...

  1. #1
    Registered User
    Join Date
    Nov 2005
    Posts
    88

    Copying Reg Key With Descriptor Error

    I am attempting to copy a Registry Key(including its values and subkeys). I am also trying to copy the security descriptor of the key. I am accomplishing this by using GetSecurityInfo to get the descriptor of the key I am copying. I then use RegCreateKeyEx to create the key using the security descriptor I obtained. This generally works. However I encountered a key that RegCreateKeyEx fails with ERROR_INVALID_OWNER.

    I am assuming that the account I am running in(Administrator) is not an owner of the original key. However, I still want to copy this key with the exact same descriptor of the original. Is there anyway to accomplish this? (I do not want to use RegSaveKey)

    Thanks for any help you can provide.

    Joe

  2. #2
    Yes, my avatar is stolen anonytmouse's Avatar
    Join Date
    Dec 2002
    Posts
    2,544
    Hi, welcome to the forums!

    According to usenet, you need to enable the SE_RESTORE_NAME privilege. There is code in this post to enable a privilege.

  3. #3
    Registered User
    Join Date
    Nov 2005
    Posts
    88
    Thank you very much. At first I thought you were referring to the RegSaveKey function, but I was very suprised to find that the privilege works. Do you know why the privilege makes it work correctly?

    Will the GetSecurityInfo tactic ensure that the privileges are exactly the same on the key I create? I want to make sure I am not modifying the privileges on the key in any way.

    Thank you very much for the help.

    Joe

  4. #4
    Yes, my avatar is stolen anonytmouse's Avatar
    Join Date
    Dec 2002
    Posts
    2,544
    Thank you very much. At first I thought you were referring to the RegSaveKey function, but I was very suprised to find that the privilege works. Do you know why the privilege makes it work correctly?
    For some operations, Windows requires that the user hold a certain privilege and that privilege be enabled in the current process. There is a list of privileges here. Administrators can assign or remove privileges from different users. Certain privileges must be enabled for the process, so that dangerous options can not be performed accidentally.
    Will the GetSecurityInfo tactic ensure that the privileges are exactly the same on the key I create? I want to make sure I am not modifying the privileges on the key in any way.
    A registry key does not have privileges. Privileges are hold by a user and by a process (where they may be enabled or disabled). All the code does is enable (or disable) a specific privilege for the current process.

    I think your code is probably copying the owner, group and DACL correctly, but I'm wondering if it is copying the SACL successfully. This may not show up as you are unlikely to have any SACL entries defined. For testing, you may wish to create some. To do this, open regedit: Right click on a key->Permissions->Advanced->Auditing tab->Create one or more entries. If everything is working correctly, these entries should be copied to the new key.

    According to the documentation, you should be able to copy the SACL by opening both keys with the REG_OPTION_BACKUP_RESTORE flag and having SE_BACKUP_NAME and SE_RESTORE_NAME privileges enabled.

    Could I ask why you are avoiding RegSaveKey?

  5. #5
    Registered User
    Join Date
    Nov 2005
    Posts
    88
    I am trying to extract the registry information in a way that can later be editted. Since RegSaveKey saves in a proprietary format, it does not offer that flexibility. I basically am trying to implement something similar to the .reg way of editting the registry but am including key descriptors and such. I am also applying this technique for copying registry keys to different parts of the registry.

    Oh I mean Security Descriptor on the key, not privileges. I use privileges kind of loosely in that sense(which results in some ambiguity). The SACL does work properly (as tested by the method you suggested). I used GetSecurityInfo and RegSetKeySecurity for my purposes instead of setting the security descriptor at RegCreateKeyEx. It worked fine during RegCreateKeyEx except I could not add subkeys and values to the key after setting the Security Descriptor. So I save that step until after I have successfully copied the key.

    I have one more question, if you might have information on it. I have run into a key that has only SYSTEM as a member of its security descriptor. My program runs in the Administrator account on my machine. I try to open the key with RegOpenKeyEx with KEY_READ. This fails with error code 5, ERROR_ACCESS_DENIED, presumably because I do not have rights to open the key. However regedit can enumerate the key and allows me to modify the security descriptor of the key. I imagine regedit is gaining access to the SYSTEM context to accomplish this (perhaps I am wrong). How can I make my app capable of opening the key? Is there anyway to run in the SYSTEM context without being a service? I know how to write it as a service, but that goes against the GUI I would need to run my program.

    Thank you for all your help.

    Joe

  6. #6
    Yes, my avatar is stolen anonytmouse's Avatar
    Join Date
    Dec 2002
    Posts
    2,544
    I have one more question, if you might have information on it. I have run into a key that has only SYSTEM as a member of its security descriptor. My program runs in the Administrator account on my machine. I try to open the key with RegOpenKeyEx with KEY_READ. This fails with error code 5, ERROR_ACCESS_DENIED, presumably because I do not have rights to open the key. However regedit can enumerate the key and allows me to modify the security descriptor of the key.
    I believe that if you open the key with RegCreateKeyEx and the REG_OPTION_BACKUP_RESTORE flag, you can bypass the access check. I suspect this is the method that RegEdit uses.

    The other alternative is to take ownership of the key. You could return ownership once you were done manipulating. Obviously, this method is messier than above.

  7. #7
    Registered User
    Join Date
    Nov 2005
    Posts
    88
    Do you ever get tired of being right? Seriously though, thanks a lot. I appreciate it. The REG_OPTION_BACKUP_RESTORE worked like a charm. Everything seems to be copied successfully now.

    Out of curiosity, how did you know these specific details? Just experience and familiarity, or did you search for them? I ask mostly because I have a reasonable amount of experience with WinAPI, had used everything you suggested for different purposes, but missed their subtleties because I had never needed them(like the fact that REG_OPTION_BACKUP_RESTORE gives access to the Security Descriptor and Read of keys that are otherwise untouchable outside the SYSTEM context).

    Thank you again. It's refreshing to get very useful information.

    Joe

  8. #8
    Registered User
    Join Date
    Nov 2005
    Posts
    88
    My method below was flawed because I was copying it to a different key, so it was inheriting a slightly different parent security descriptor. That seems to have fixed it.

    PROBLEM THAT WAS RESOLVED:
    Actually it does not seem to be perfectly working. The method I am using seems to be missing something. While everything appeared as though it was right at first glance, I tested it by using RegSaveKey to save the key I was copying. Then I used RegSaveKey of the copy. The two files are different in size. Some aspect of the descriptor must not be contained in what is returned by GetSecurityInfo with the flags (DACL_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION).

    Do you have any idea what could be missing? Is there something I am neglecting. Thank you very much.
    Last edited by mercury529; 11-11-2005 at 03:21 PM.

  9. #9
    Yes, my avatar is stolen anonytmouse's Avatar
    Join Date
    Dec 2002
    Posts
    2,544
    Glad you got it working.
    Out of curiosity, how did you know these specific details? Just experience and familiarity, or did you search for them?
    A little of both. I suspected a privilege was required but had to search to confirm this and find out which one. Searching on an error code or message often gives good results (Google Groups usually provides better info compared to a web search).

    The REG_OPTION_BACKUP_RESTORE flag is similar to the FILE_FLAG_BACKUP_SEMANTICS flag that can be passed to CreateFile where a better explanation of its function is given:
    Quote Originally Posted by MSDN CreateFile
    Indicates that the file is being opened or created for a backup or restore operation. The system ensures that the calling process overrides file security checks, provided it has the SE_BACKUP_NAME and SE_RESTORE_NAME privileges.

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Replies: 16
    Last Post: 11-23-2007, 01:48 PM
  2. Virtual keys
    By Arkanos in forum Windows Programming
    Replies: 4
    Last Post: 12-12-2005, 10:00 AM
  3. Directional Keys - Useing in Console
    By RoD in forum C++ Programming
    Replies: 38
    Last Post: 10-06-2002, 05:42 PM
  4. FAQ: Directional Keys - Useing in Console
    By RoD in forum FAQ Board
    Replies: 38
    Last Post: 10-06-2002, 05:42 PM

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21