HKEY_LOCAL_MACHINE Registry Access

Guest

I'm attempting some remote registry manipulation via C#. I've written a test
app to simply grab a specified key from a specified hive on a specified
machine. The call to OpenSubKey is throwing System.SecurityException.

Also of note: Sitting at my local box, I can open regedit and connect to the
remote registry. I see three hives: _CLASSES_ROOT, _LOCAL_MACHINE, and
_USERS. I can open all but HKEY_LOCAL_MACHINE. When I try to expand that one,
I get a simple error message that tells me almost nothing.

So I'm fairly certain I'm running up against some kind of permissions issue.
This is a dev server, but I still don't want to go mucking around too much
without knowing what I'm doing. Via Terminal Services, I added LOCAL SERVICE
to HKEY_LOCAL_MACHINE and a few sub keys. That didn't help. I also found two
interesting entries in the Local Security Policy: Remotely accessible registry
paths and Remotely accessible registry paths and sub-paths. I didn't mess
around with those much, but I did notice that there's no hive on any of the
entries, and it doesn't LOOK like all of the paths I can see connecting
remotely via regedit are in those lists (but I could be wrong).

So what's the magic formula for accessing these keys remotely? And are some
of them tied down by default? I don't think anyone here specifically decided
to make the local_machine hive inaccessible remotely...

Here's some details:
My Machine: Windows 2000 Professional
Remote Machine: Windows 2003 Server
I'm an admin on both machines...

Just for fun, here's a code sample:

using System;
using Microsoft.Win32;

public static RegistryKey GetKey(RegistryHive hive, string key, string server)
{
    RegistryKey parentKey;
    RegistryKey returnKey = null;

    // An empty machine name makes OpenRemoteBaseKey open the local machine
    if (server == null || server.Length == 0)
    {
        server = string.Empty;
    }

    parentKey = RegistryKey.OpenRemoteBaseKey(hive, server);

    if (parentKey != null)
    {
        try
        {
            // THE LINE BELOW THROWS
            // System.SecurityException
            returnKey = parentKey.OpenSubKey(key, true);
        }
        catch (Exception exception)
        {
            // handle the exception!
            returnKey = null;
        }
    }

    return returnKey;
}
 
Willy Denoyette [MVP]

Kevin Swanson said:
I'm attempting some remote registry manipulation via C#. I've written a test
app to simply grab a specified key from a specified hive on a specified
machine. The call to OpenSubKey is throwing System.SecurityException.

Also of note: Sitting at my local box, I can open regedit and connect to the
remote registry. I see three hives: _CLASSES_ROOT, _LOCAL_MACHINE, and
_USERS. I can open all but HKEY_LOCAL_MACHINE. When I try to expand that one,
I get a simple error message that tells me almost nothing.

So I'm fairly certain I'm running up against some kind of permissions issue.
This is a dev server, but I still don't want to go mucking around too much
without knowing what I'm doing. Via Terminal Services, I added LOCAL SERVICE
to HKEY_LOCAL_MACHINE and a few sub keys. That didn't help. I also found two
interesting entries in the Local Security Policy: Remotely accessible registry
paths and Remotely accessible registry paths and sub-paths. I didn't mess
around with those much, but I did notice that there's no hive on any of the
entries, and it doesn't LOOK like all of the paths I can see connecting
remotely via regedit are in those lists (but I could be wrong).

So what's the magic formula for accessing these keys remotely? And are some
of them tied down by default? I don't think anyone here specifically decided
to make the local_machine hive inaccessible remotely...

Here's some details:
My Machine: Windows 2000 Professional
Remote Machine: Windows 2003 Server
I'm an admin on both machines...

Just for fun, here's a code sample:

public static RegistryKey GetKey(RegistryHive hive, string key, string server)
{
    RegistryKey parentKey;
    RegistryKey returnKey = null;

    if (server == null || server.Length == 0)
    {
        server = string.Empty;
    }

    parentKey = RegistryKey.OpenRemoteBaseKey(hive, server);

    if (parentKey != null)
    {
        try
        {
            // THE LINE BELOW THROWS
            // System.SecurityException
            returnKey = parentKey.OpenSubKey(key, true);
        }
        catch (Exception exception)
        {
            // handle the exception!
            returnKey = null;
        }
    }

    return returnKey;
}

You need to be an administrator on the remote machine for this to work.

Willy.
 
Willy Denoyette [MVP]

A local admin cannot be admin on two different machines unless it's a shadow
account, that is the credentials (account/password) are the same. Is this
the case?


Willy.
 
Guest

Okay, one of us is obviously not understanding something. Probably it's me.

Using Regedit: I'm sitting at my local machine, logged on under my network
account. I pull up regedit, click Registry/Connect Network Registry, and type
in the remote server name. At this point, I can see the HKLM hive, but I get
an error when I try to open it.

Programmatically: Running an app on my local machine, I succeed when calling
RegistryKey.OpenRemoteBaseKey, but fail when calling OpenSubKey.

So... I don't understand where the local accounts come into play (unless
you're talking about the LOCAL SERVICE account).
 
Willy Denoyette [MVP]

Kevin Swanson said:
Okay, one of us is obviously not understanding something. Probably it's me.

Using Regedit: I'm sitting at my local machine, logged on under my network
account. I pull up regedit, click Registry/Connect Network Registry, and type
in the remote server name. At this point, I can see the HKLM hive, but I get
an error when I try to open it.

Programmatically: Running an app on my local machine, I succeed when calling
RegistryKey.OpenRemoteBaseKey, but fail when calling OpenSubKey.

So... I don't understand where the local accounts come into play (unless
you're talking about the LOCAL SERVICE account).

<logged on under my network account...>, does it mean you are logged on
using a DOMAIN account (I guess not), or a local account?
You said you were an administrator on both machines, right? This can only be
true if:
- you are logged on using a DOMAIN administrators account that is a member
of the remote and the local machines administrators group, or
- you are logged on as a local administrator who has a shadow account on the
remote machine.
A shadow account is an account with the same credentials
(username/password) having the same privileges (so a member of
administrators in your case).

Hope it clears things up now,

Willy.
 
Guest

Willy,

Sorry it's taken so long for a reply. Somehow I didn't receive notice that
you had replied.

I'm signed into a domain account. The domain account is an admin on both
machines.
 
Kevin Yu [MSFT]

Hi Kevin,

If you log on to the remote machine using the same domain account, can you
access the registry key? Also, please check if the user has full control to
the registry key and wasn't denied access to it.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."
 
Guest

KY,

Yeah... I can log on to the remote machine using my domain account, and get
full access to the registry. But I can't open HKLM using regedit from my
machine (same domain account) and connecting to the remote machine. I can see
the hive, but can't open it.
 
Kevin Yu [MSFT]

Hi Kevin,

Looking at the nature of this issue, it would require intensive
troubleshooting which would be done quickly and effectively with direct
assistance from a Microsoft Support Professional through Microsoft Product
Support Services. You can contact Microsoft Product Support directly to
discuss additional support options you may have available, by contacting us
at 1-(800)936-5800 or by choosing one of the options listed at
http://support.microsoft.com/default.aspx?scid=sz;en-us;top.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."
 
Guest

I have a similar problem with accessing the remote registry on W2K SP4 from
W2K3 SP1. My problem strictly exists only with W2K3 SP1. I don't get this
problem with no service pack or when I access WXP. I always get "Access
Denied" when I try to open a registry key on W2K from W2K3 SP1. I run as a
web service on IIS under the IWAM account. I impersonate the local
administrator on the W2K3 box and authenticate as the local administrator on
the W2K box. I connect to the remote registry with no problems. I just
can't open any keys as the local administrator on the W2K box. I have full
permissions to the registry. I'm not sure why this only happens with W2K3
SP1. I haven't solved my problem, yet. I found this knowledgebase pretty
helpful. Apparently, Exchange Server 2003 also has a similar problem with a
fix: http://support.microsoft.com/?id=841561. Unfortunately, the fix is
application specific for Exchange Server 2003. I wish I could find more
details on what they did to fix this problem.
 
Willy Denoyette [MVP]

Mind explaining how you authenticate as a W2K 'local' administrator when
accessing the remote registry while impersonating a W2K3 "local"
administrator?
Did you turn on Logon auditing on W2K and check who failed to
authenticate and what privileges are requested during logon?

Willy.
 
Guest

I used the local loopback in the user name i.e. 127.0.0.1\Administrator. I
didn't turn on the logon auditing. That's a good idea. Here is the security
event from my W2K3 box:
Logon attempt using explicit credentials:
Logged on user:
User Name: Administrator
Domain: NAPA-2003
Logon ID: (0x0,0x7EFD55)
Logon GUID: -
User whose credentials were used:
Target User Name: administrator
Target Domain: 127.0.0.1
Target Logon GUID: -

Target Server Name: SONOMA-2000S
Target Server Info: SONOMA-2000S
Caller Process ID: 4
Source Network Address: -
Source Port: -

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
Guest

I turned on the "Audit logon events" in "Local Security Settings" for
successes and failures. My W2K box tells me I tried to logon as "ANONYMOUS
LOGON" from my W2K3 SP1 box. I actually register as the W2K administrator
from my W2K3 noSP box. Here is the event log:
Successful Network Logon:
User Name: Administrator
Domain: SONOMA-2000S
Logon ID: (0x0,0x5070C)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: CARMEL-2003
 
Guest

I changed every audit policy to log success and failure in "Local Security
Settings". I found "ANONYMOUS LOGON" every time I ran my test. I'm limited
to the SeChangeNotifyPrivilege. I am not sure why my identity as W2K
administrator does not carry over when I try to open a registry key. This
doesn't happen with no service pack on W2K3. I would get "Administrator" with
no problem. What are the new security restrictions to the remote registry in
SP1? Thanks!
 
Dmitriy Kolesnik

Hello all!

I have a similar problem too. But I work on one machine. My operating
system is Windows XP SP2.
I read data from the registry with the help of OpenSubKey and an exception
appears for key HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System
provider\S-1-5-21-2025815041-1961764723-2087665911-3808. I saw the permissions
on this key - permissions for SYSTEM exist only. How can I read this key
without changing permissions manually?

Help me please if anybody can!
Thank You.

Dmitriy.

P.S. I am sorry for my English but my native language is Russian.
 
Alex Hague

I have been experiencing a similar problem accessing a remote registry.

It seems that W2K3 SP1 breaks the authentication mechanism used by the
remote registry call. The following is a link to a MS article detailing
the problem. They do not mention the .NET API call, but I assume it is
reasonable for the .NET functions to be a wrapper of some other
functions.

http://support.microsoft.com/default.aspx?scid=kb;en-us;906570

Hopefully this is of some help!
 
Ricardo Santos

Try using this before the OpenRemoteBaseKey line:

RegistryPermission rpWrite = new RegistryPermission(
    RegistryPermissionAccess.AllAccess, @"HKEY_LOCAL_MACHINE\SOFTWARE\ODBC");
RegistryKey rkodbc = local.OpenSubKey("SOFTWARE", true);

This works for me, but my impersonation of the apppool is defined with an
administrator.

Hope it helps
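
Added example, not code from any poster in this thread: a diagnostic variant of the GetKey helper that reports which stage fails (the connect that succeeds in the thread, or the OpenSubKey that throws) and under which local identity, instead of swallowing the exception. The class name, server name "SERVER01" and key path are placeholders.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Principal;
using Microsoft.Win32;

static class RemoteRegistryProbe
{
    // Reports which stage fails: connecting, opening read-only, or opening writable.
    public static string Probe(RegistryHive hive, string subKey, string server)
    {
        // Local token the call runs under (the impersonated one, if impersonating).
        string who = WindowsIdentity.GetCurrent().Name;
        string stage = "connect";
        try
        {
            using (RegistryKey baseKey = RegistryKey.OpenRemoteBaseKey(hive, server ?? string.Empty))
            {
                // Ask for read access first, then write, so the report shows
                // whether only the writable open is refused.
                foreach (bool writable in new[] { false, true })
                {
                    stage = writable ? "open for write" : "open read-only";
                    using (RegistryKey key = baseKey.OpenSubKey(subKey, writable))
                    {
                        // OpenSubKey returns null for a missing key; it does not throw.
                        if (key == null)
                            return "missing: " + subKey + " does not exist on " + server;
                    }
                }
            }
            return "ok: " + who + " can open " + subKey + " read/write on " + server;
        }
        catch (Exception ex) when (ex is SecurityException
                                || ex is UnauthorizedAccessException
                                || ex is IOException)
        {
            // Keep the exception type and message instead of discarding them.
            return "failed at '" + stage + "' as " + who + ": "
                 + ex.GetType().Name + ": " + ex.Message;
        }
    }

    static void Main()
    {
        // Placeholder server and key names; replace with your own.
        Console.WriteLine(Probe(RegistryHive.LocalMachine, @"SOFTWARE\Microsoft", "SERVER01"));
    }
}
```

The identity printed here is the caller's local token only; the account the remote machine actually saw (for example ANONYMOUS LOGON, as reported above) appears in the remote machine's logon audit events.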
 
