Impersonation to less powerful user and the executing app with link label leads to security excepti

Kerem Gümrükcü

Hi,

the topic of this thread implies the question.
Why does this happen? What can I do against
it? App runs in admin context, then I switch to
user standard user context and open a form
with linklabel. This leads to the following exception:


Informationen über das Aufrufen von JIT-Debuggen
anstelle dieses Dialogfelds finden Sie am Ende dieser Meldung.

************** Ausnahmetext **************
System.Security.SecurityException: Der angeforderte Registrierungszugriff ist unzulässig.
   bei System.ThrowHelper.ThrowSecurityException(ExceptionResource resource)
   bei Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
   bei Microsoft.Win32.RegistryKey.OpenSubKey(String name)
   bei System.Windows.Forms.LinkUtilities.GetIEColor(String name)
   bei System.Windows.Forms.LinkUtilities.get_IELinkColor()
   bei System.Windows.Forms.LinkLabel.get_IELinkColor()
   bei System.Windows.Forms.LinkLabel.get_LinkColor()
   bei System.Windows.Forms.LinkLabel.OnPaint(PaintEventArgs e)
   bei System.Windows.Forms.Control.PaintWithErrorHandling(PaintEventArgs e, Int16 layer, Boolean disposeEventArgs)
   bei System.Windows.Forms.Control.WmPaint(Message& m)
   bei System.Windows.Forms.Control.WndProc(Message& m)
   bei System.Windows.Forms.Label.WndProc(Message& m)
   bei System.Windows.Forms.LinkLabel.WndProc(Message& msg)
   bei System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
   bei System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   bei System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
Die Zone der Assembly, bei der ein Fehler aufgetreten ist:
MyComputer

quickly translated: The requested registry access is not allowed.
The Zone where the error was thrown: MyComputer

Any ideas how to fix this,...

TIA

Regards

Kerem


Alvin Bruney [ASP.NET MVP]

The user you are impersonating does not have access to the registry keys.
That's the easy part. The hard part is why you would go from admin to a
lesser account. It's like a right hander insisting on writing with her left
hand. The admin account can access the registry keys so you should read the
keys from the admin account instead of impersonating.

--

Regards,
Alvin Bruney [MVP ASP.NET]

[Shameless Author plug]
The O.W.C. Black Book, 2nd Edition
Exclusively on www.lulu.com/owc $19.99
 
Kerem Gümrükcü

Hi Alvin,
"The hard part is why you would go from admin to a
lesser account"

there is a simple answer to this. I was checking the
application's behavior under less powerful context
usage, just to see how it will work under these
circumstances. Without switching the context and
by just running the app under standard user or power,
even admin user it works fine. The context switch
does affect this registry stuff. I will check with regmon
or procmon what the stuff is that my app can't read/write
to,...

The "real" reason for the context switch is the intention,
that you work with less powerful account all time, but
you will need more power, e.g. control some system stuff,
you will have the chance to do a quick context switch,...

Thanks for your reply,...

Regards

Kerem

--
-----------------------
Beste Grüsse / Best regards / Votre bien devoue
Kerem Gümrükcü
Microsoft Live Space: http://kerem-g.spaces.live.com/
Latest Open-Source Projects: http://entwicklung.junetz.de
-----------------------
"This reply is provided as is, without warranty express or implied."


Alvin Bruney [ASP.NET MVP]

Right, so that's why you should run with least privilege and then
impersonate a stronger account when you need to read to, remembering to
revert back when you are done.

--

Regards,
Alvin Bruney [MVP ASP.NET]

[Shameless Author plug]
The O.W.C. Black Book, 2nd Edition
Exclusively on www.lulu.com/owc $19.99

Kerem Gümrükcü

Hi Alvin,
"revert back when you are done"

RevertToSelf();

or the managed version from ImpersonationContext,...

Thanks for remembering, but my application handles
all the "freeing" stuff (Revert, Free Memory, Free Handles, etc.)
fully automatically,...it has its own resource management
extending the .NET FW GC Classes, because it heavily uses
PInvoke unmanaged Heap Memory and Marshal-Class stuff.
So this must be handled and cleaned up very efficiently,...

Have a nice day,...

Regards

Kerem

--
-----------------------
Beste Grüsse / Best regards / Votre bien devoue
Kerem Gümrükcü
Microsoft Live Space: http://kerem-g.spaces.live.com/
Latest Open-Source Projects: http://entwicklung.junetz.de
-----------------------
"This reply is provided as is, without warranty express or implied."