writing to registry in vista from guest account

alexia

Hi,

My application fails to write to a registry key when it runs in a user/
guest account.

When I install my application as administrator, the installing process
creates a reg key in HKLM.
I compile my application using a manifest.
After the installation I create a new user/guest account and run the
application from that account.
The failure is when my application tries to write to the registry; I
get the following error:
"Requested registry access is not allowed". I use the following code:
Note that I can read with no problem. My application doesn't fail in
the administrator account.
    try
    {
        // I get "Requested registry access is not allowed" error here...
        RegistryPermission rm = new RegistryPermission(
            RegistryPermissionAccess.AllAccess, TCPRoot);
        rm.Demand();
    }
    catch (Exception e)
    {
        throw new Exception(e.Message);
    }

    RegistryKey myRegKey = Registry.LocalMachine;
    myRegKey = myRegKey.OpenSubKey("SOFTWARE\\Giant Steps\\SLIP\\TCP",
        RegistryKeyPermissionCheck.ReadWriteSubTree,
        System.Security.AccessControl.RegistryRights.FullControl);
    try
    {
        myRegKey.SetValue("Subnet", subnet);
    }
    catch (Exception e)
    {
        throw new Exception(e.Message);
    }

Is there a way to write to a HKLM key which was created in admin
account from user/guest account?

Thanks.
 
Cowboy (Gregory A. Beamer)

The option I know is to reduce security on this particular hive so a user
can alter it. I am not sure this is wise. Better to put the configuration in
a config file, even if you have to encrypt it.

Another option is releasing the app as a web site or a click once
deployment, where it does not require registry access.

--
Gregory A. Beamer
MVP; MCP: +I, Se, SD, DBA

Blog:
http://feeds.feedburner.com/GregoryBeamer

*************************************************
| Think outside the box! |
*************************************************
 
alexia

Hi Cowboy,

So what you are saying is that CE application can't modify registry
settings in HKLM
even if it has been elevated?
Can I write the settings in CURRENT_USER? Will each user have his own
entry which will be set to his account?

Thanks.
 
Cowboy (Gregory A. Beamer)

By CE, I assume you mean Windows CE? It has been awhile since I dinked with
CE programming, but I remember having to use the coredll.dll and registering
routines from it, like RegCreateKeyEx and RegSetValueEx. A google search may
yield a wrapper someone has already written.

If not CE, then correct me and we can go from there. :)

--
Gregory A. Beamer
MVP; MCP: +I, Se, SD, DBA

Blog:
http://feeds.feedburner.com/GregoryBeamer

*************************************************
| Think outside the box! |
*************************************************
 
alexia

Ignore the CE by accident I added that. :)
 
alexia

alexia wrote:

That's correct. The Standard user can have its rights elevated to admin
level by giving an admin user-id a psw, which is only at the moment of
escalation and is not maintained for the user.

By escalating rights of a user that is a Standard user does not make the
user have admin rights at the moment of privileged escalation. If the
user account is a non-admin account, then it's not going to have admin
rights as a designated user admin account, and the access is denied.

Even an admin user account, the one out of the box or subsequent new
user admin accounts created, are not user-admin accounts with UAC
enabled. They are Standard users accounts as user admin on Vista, which
has two access tokens assigned to the user-admin account.

One token is for Standard user and the other one is for full admin
rights token.  The admin user with UAC enabled must have its rights
escalated to use the full admin rights token to perform the admin tasks,
and then the user admin is returned to being a Standard user.


You need to find out how UAC is working from a programmer's view point
and how Virtualization works on Vista with UAC.

http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx
<http://www.symantec.com/community/article/2665/folder-virtualization-...>

I think you're going to have to use this account to give you the power,
which is not that user-admin account out of the box.

<http://www.howtogeek.com/howto/windows-vista/enable-the-hidden-admini...>

I do recall something about how to get settings set by user-account, but
it had to do with Virtualization and you'll have to follow that path and
look it up using Google, because you're not going to be able to do too
much with Vista and user admin concerning the registry, because Vista is
not XP or any other previous versions of the NT based O/S.

You can't even get away with certain things on Vista, even if you use
the hidden account, that has full admin rights at all times, as Vista
will protect itself from even a user using that account with UAC enabled
or disabled.

Hello Arnold,

Thanks for the reply, though I'm a little confused (English is not my
mother tongue).
I have a few questions if I may:
1. My application needs to be able to run in any user type. It should
save user settings as he selected. Should I save it in
HKEY_CURRENT_USER (will this mean that each user will save his settings
in his own HKCU?)
or in an xml file in the "Application Data" folder?
2. Even though I used a manifest when building the application, I still
get the UAC prompt and need to enter the admin password when running the
application. My assembly hasn't been digitally signed yet.
3. My C# calls C++ dlls. Do I need to build the Dlls with a manifest
also?
4. I noticed that if UAC is disabled, I can't write to HKLM registry
while if UAC is enabled I can write.

I hope the programming in Windows 7 will be much easier than
programming in VISTA. It seems that all the advantages of programming in
C# are reduced if doing it in VISTA.
Thanks for the help.
 
Cowboy (Gregory A. Beamer)

If you mean UAC in Vista, the elevation is temporary. And, by default, the
account must be an admin to escalate privileges. When you escalate, it is
temporary and only lasts for the length of the call. The next call needs
escalation again.

When you get into certain registry keys, you have a bit more latitude.
Example, the user specific keys are more open. So, you can write to user
data.

But, ask if the registry is the best place for settings, as you can set
config settings per user as well.

--
Gregory A. Beamer
MVP; MCP: +I, Se, SD, DBA

Blog:
http://feeds.feedburner.com/GregoryBeamer

*************************************************
| Think outside the box! |
*************************************************
 
alexia

Why can't I save settings per user in HKEY_CURRENT_USER?
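
A sketch of the per-user approach discussed in this thread, added here as an example (not code posted by any participant): machine-wide defaults stay in the HKLM key the installer created and are opened read-only, while each user's changes go to the same path under HKEY_CURRENT_USER, which a standard or guest account can write without elevation. The class and method names and the sample subnet value are assumptions; the key path and the "Subnet" value name come from the question.

```csharp
using System;
using System.Security;
using Microsoft.Win32;

// Added example: read defaults from HKLM, write per-user overrides to HKCU.
static class TcpSettings
{
    // Key path taken from the question; reused under both hives.
    const string SubKey = @"SOFTWARE\Giant Steps\SLIP\TCP";

    // A per-user value wins; otherwise fall back to the installer's HKLM default.
    public static string Read(string name, string fallback)
    {
        using (RegistryKey user = Registry.CurrentUser.OpenSubKey(SubKey))
        {
            object v = user == null ? null : user.GetValue(name);
            if (v != null) return v.ToString();
        }
        // Open read-only: asking for write access to HKLM is what a
        // non-admin token is refused, reading is allowed.
        using (RegistryKey machine = Registry.LocalMachine.OpenSubKey(SubKey, false))
        {
            object v = machine == null ? null : machine.GetValue(name);
            return v != null ? v.ToString() : fallback;
        }
    }

    // Writes only to the caller's own hive, so no elevation is needed and
    // one user's change never affects another account.
    public static void Write(string name, string value)
    {
        using (RegistryKey user = Registry.CurrentUser.CreateSubKey(SubKey))
        {
            user.SetValue(name, value, RegistryValueKind.String);
        }
    }

    static void Main()
    {
        try
        {
            Write("Subnet", "255.255.255.0"); // constructed sample value
            Console.WriteLine("Subnet = " + Read("Subnet", "(not set)"));
        }
        catch (UnauthorizedAccessException ex) { Console.WriteLine("Denied: " + ex.Message); }
        catch (SecurityException ex) { Console.WriteLine("Denied: " + ex.Message); }
    }
}
```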
 
