Reading keys from HKEY_CURRENT_USER from an impersonated Web Service


Simon Hart

Hi,

I am using Impersonation and turned off anon access for my web service. I am
using the administrator to authenticate the request using ICredentials. I am
simply trying to read a key in HKEY_CURRENT_USER from my Web Service method
call which I am unable to. When I try and open it it returns null. Even
iterating all keys under HKEY_CURRENT_USER only returns a handful of keys.

I can happily read any key under HKEY_LOCAL_MACHINE. I have checked the
identity of the user and it is definitely running under the local
administrator.

Any ideas what to check would be great.
Regards
Simon Hart.
 
Simon,

What account is your web service running under?

I have come across this issue before and the way I resolved it was to change
the app pool of the web service to a user who had permission to the actual
registry values you are attempting to read.

I must admit I have not come across the issue where iterating through the
keys only returns a handful, because if the user is logged on as an
administrator, they should have full access to the registry, especially
their own area of the registry, i.e. HKEY_CURRENT_USER.

Hope this helps.
Regards
Scott Blood
C# Developer
 
Hi,

IIRC CURRENT_USER refers to the user currently logged in to the computer; your
service does not have this info associated.
 
Hi,

I thought this *might* be the case. When I check the user identity using
WindowsIdentity class, the user is the local Administrator account. The key
was installed via an install set which was installed under the local
Administrator account.

How do I do a real impersonate then, is it not possible to read a
*non-windows* key in HKEY_CURRENT_USER via a Web service?

I know this works if running under a Serviced Component. What I might have
to do as a work around, is hand off control to the Serviced Component to do
the work, reading registry etc.

Florida - what a fine place btw - I learned to skydive there in 2004 at
DeLand.

Cheers
Simon.
 
Hi Scott,

The local administrator. I checked and verified this by using
WindowsIdentity class.

Cheers
Simon.
 
Hi,

| How do I do a real impersonate then, is it not possible to read a
| *non-windows* key in HKEY_CURRENT_USER via a Web service?

I don't even think that is possible. You should check which component, or
at what moment, the CURRENT_USER branch is generated; IMO it's at logon time
by either the shell or the login component.
If any of these is the case then I don't think you can get around it.

Why do you store your data under current_user? Why not use local_machine
instead?
 
Hi,

Thanks for your input.

This is going to be a problem then. I would have put it under LOCAL_MACHINE
myself but I am integrating to a third party system from a Pocket PC
application. The PPC app connects to the Web Service using NTLM
authentication which does a sync with SQL Mobile on the device against the
MS Access database on the desktop. I need to read a key under
HKEY_CURRENT_USER in order to get the install path for a INI file which I
read.

Cheers
Simon.
 
Ignacio is right, web services or web applications do load a profile, the
HKCU is pointing to the default profile of the IIS user ('localsystem' for
IIS5.x or 'network user' for IIS6). That means that HKCU is mapped to
HKU\.default on XP/W2K or HKU\S-1-5-19 on W2K3.

Willy.


 
Hi Willy,

Is this true even though impersonation is used? and the user is
authenticated correctly?

Regards
Simon.
 
Yes, impersonating does not load the profile of the impersonated user. Only
"accounts" that are logged in interactively (called an interactive session)
have their profiles loaded by the Winlogon process. If you need to load a
profile for a specific user, you'll have to load it yourself by calling the
LoadUserProfile Win32 API via PInvoke, but this can become extremely
expensive (in terms of speed and space) in Web services where you need to
impersonate different users, and it's extremely unsafe to load a user's
profile in the context of a web service; user profiles can hold private
secured info of a user that is supposed to run in an interactive session
only!
Really, services (all kinds) should not rely on the presence of specific
user profiles.


Willy.
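
A diagnostic for the behaviour described above, as an added example that is not part of the original thread: it reports who the impersonated caller is, whether the key is visible through HKCU, and whether that caller's own hive is loaded under HKEY_USERS. The class name `HkcuDiagnostics` and the key path are hypothetical placeholders.

```csharp
using System;
using System.Security.Principal;
using Microsoft.Win32;

public static class HkcuDiagnostics
{
    // Hypothetical key path, for illustration only.
    const string SubKey = @"Software\ExampleVendor\ExampleApp";

    // Call from inside the impersonated web method and log the result.
    public static string Describe()
    {
        // While the thread is impersonating, GetCurrent() returns the
        // impersonated identity, which is why the account "looks right".
        using (WindowsIdentity caller = WindowsIdentity.GetCurrent())
        {
            string sid = caller.User.Value; // SID string of the caller
            string report = "Caller: " + caller.Name + " (" + sid + ")\n";

            // The lookup the original poster describes as returning null.
            using (RegistryKey viaHkcu = Registry.CurrentUser.OpenSubKey(SubKey))
                report += "HKCU\\" + SubKey + ": "
                        + (viaHkcu == null ? "not found" : "found") + "\n";

            // Only hives that are actually loaded show up under HKEY_USERS.
            report += "Loaded hives: "
                    + string.Join(", ", Registry.Users.GetSubKeyNames()) + "\n";

            // A per-user hive is mounted under its SID only once the
            // profile has been loaded; impersonation alone does not do that.
            using (RegistryKey hive = Registry.Users.OpenSubKey(sid))
            {
                if (hive == null)
                    return report + "HKU\\" + sid
                         + " is not loaded: no profile for this caller.";

                using (RegistryKey key = hive.OpenSubKey(SubKey))
                    return report + "HKU\\" + sid + "\\" + SubKey + ": "
                         + (key == null ? "not found" : "found");
            }
        }
    }
}
```

If the caller's SID is missing from the loaded hives, the identity check and the registry view disagree in exactly the way the thread describes, and the setting belongs somewhere that does not depend on a user profile.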




 
Thank you for your very valued input Willy.

I think what I will probably do is call an out-of-process COM object that
will return me the path of a key that I need to read.
Then of course terminate the COM object.

Regards
Simon.
 
This would never work as it would need to be called from a Web Service so
the process would run under ASPNET user account regardless of if
impersonation is used.

Furthermore C# does not support out-of-process COM object so it would have
to have been developed in native code.

I have got the developer to change where the registry settings will be
stored. They will now be stored in HKEY_LOCAL_MACHINE.

Regards and thanks for all your help.
Simon.
 
| This would never work as it would need to be called from a Web Service so
| the process would run under ASPNET user account regardless of if
| impersonation is used.
|
| Furthermore C# does not support out-of-process COM object so it would have
| to have been developed in native code.
|

COM+ is made for this: drop your class, derived from ComponentServices, in a
server type COM+ application and run this one as a local user.

Willy.
 
