Running vb.net 2005 app under windows restricted user

Steve

Hi All

I have several vb.net 2005 apps which have run fine until now

A new customer has set up windows XP with restricted users

When my application starts I get errors, when accessing the registry etc,
due to insufficient rights for the user

If I create a keyfile and set my app to full trust in project settings, many
of the 3rd party dll's (.net and com) that my apps use give the error on
compilation that they do not have a strong name

I am lost as to what to do next

Any ideas appreciated

Regards
Steve
 
Jeffrey Tan[MSFT]

Hi Steve,

Can you tell me which registry key path you write to? As the name
indicates, the restricted user has more limited permissions than Administrator,
so if your application wants to support usage by restricted users, you
should take care of Windows security. For example, you should not write to
HKLM or C:\Windows\System32 directories etc... Because these directories
and registry paths are all system maintained, any modification to them will
affect the entire system and other users. This is by the design of Windows
security.

To work around this problem, instead of writing to system-sensitive
registry paths, you may write to some other keys under HKEY_CURRENT_USER.

Actually, this type of issue is considered a Least-Privilege User bug in
security programming. You may understand the principle and workarounds in
Aaron Margosis' great article below:
"Problems of Privilege: Find and Fix LUA Bugs"
http://www.microsoft.com/technet/technetmag/issues/2006/08/LUABugs/

PS. In Vista, the virtualization feature will automatically redirect your
writes to HKLM to HKEY_CURRENT_USER.

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Phill W.

Steve said:
When my application starts I get errors, when accessing the registry etc,
due to insufficient rights for the user

And it gets even worse with Vista!

This isn't what you want to hear but ...

You're going to have to face this eventually, so it may be better to
bite the bullet now and change your application, removing its use of
these "restricted" Registry areas, etc.

What are you trying to store under there?
If it's user-specific, it should really be under HKey_Current_User, to
which every User can write without problems.

Regards,
Phill W.
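
Both replies above recommend keeping per-user data under HKEY_CURRENT_USER instead of HKLM. The following VB.NET 2005 sketch is an added example, not code from any poster in this thread: it writes only to HKCU and opens HKLM read-only for machine-wide defaults. The module name SettingsStore and the key path Software\ExampleVendor\ExampleApp are hypothetical.

```vbnet
Imports System
Imports System.Security
Imports Microsoft.Win32

' Added example: SettingsStore and the key path below are hypothetical names.
Public Module SettingsStore
    Private Const AppKey As String = "Software\ExampleVendor\ExampleApp"

    ' Read order: per-user value in HKCU, then a machine-wide default in HKLM
    ' (opened read-only), then the caller's fallback.
    Public Function ReadSetting(ByVal name As String, ByVal fallback As String) As String
        Dim value As Object = ReadFrom(Registry.CurrentUser, name)
        If value Is Nothing Then value = ReadFrom(Registry.LocalMachine, name)
        If value Is Nothing Then Return fallback
        Return value.ToString()
    End Function

    ' Writes go only to HKCU, which the logged-on user can write to by default.
    Public Sub WriteSetting(ByVal name As String, ByVal value As String)
        Using key As RegistryKey = Registry.CurrentUser.CreateSubKey(AppKey)
            key.SetValue(name, value, RegistryValueKind.String)
        End Using
    End Sub

    Private Function ReadFrom(ByVal hive As RegistryKey, ByVal name As String) As Object
        Try
            ' The second argument (writable = False) requests read access only,
            ' so the call does not need write permission on the hive.
            Using key As RegistryKey = hive.OpenSubKey(AppKey, False)
                If key Is Nothing Then Return Nothing
                Return key.GetValue(name)
            End Using
        Catch ex As SecurityException
            ' Key exists but this account may not read it: treat as "no value".
            Return Nothing
        Catch ex As UnauthorizedAccessException
            Return Nothing
        End Try
    End Function
End Module
```

An installer running as Administrator can still place defaults under the HKLM key; the application itself never needs write access there.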
 
Steve

Hi Jeffrey

Thanks for the reply, very helpful

I am writing to HKLM, which I have fixed, and the application now runs

I have one last problem

As part of my licence in the program I read the hard drive serial number,
using the System.Management classes, and pass it to the licence checking code

code.....
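' Requires: Imports System.Data and Imports System.Management
' Enumerate every Win32_DiskDrive instance through WMI
Dim searcher As New ManagementClass("Win32_DiskDrive")
Dim queryCollection As ManagementObjectCollection = searcher.GetInstances()

' One-column table that collects the signatures for the licence check
Dim dtserialNo As New DataTable()
dtserialNo.Columns.Add("Signature", GetType(System.String))

For Each wmi_HD As ManagementObject In queryCollection
    ' get the hardware serial no.
    If wmi_HD("Signature") IsNot Nothing Then
        Dim dr As DataRow = dtserialNo.NewRow()
        dr("Signature") = wmi_HD("Signature").ToString()
        dtserialNo.Rows.Add(dr)
    End If
Next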


Under Restricted user it doesn't return the serial number

Any ideas

Regards
Steve

 
Steve

Phil

Thanks for the reply

I have now changed the registry sections in my app to HKCU

Regards
Steve
 
Jeffrey Tan[MSFT]

Hi Steve,

Thanks for your feedback.

Yes, coding under the normal user account is not a trivial task; you have
to perform a lot of security tests to ensure all the code paths can succeed
in this restricted security environment, but it is also a good sandbox for
security.

Regarding your further problem of using WMI to read the serial number, I
suspect the hard drive security setting may not grant read access to the
normal user account. You may download the Process Monitor and monitor your
application for file system activities. I think there must be some "Access
Denied" records during your WMI code. Then, you may analyze which device
is responsible for this "Access Denied". You may download the Process
Monitor from the link below:
http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
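
The loop posted earlier in the thread silently yields an empty table whether WMI refused the query, returned no drives, or returned drives whose Signature is empty. The following VB.NET 2005 sketch is an added example, not code from any poster: it records which of those cases occurred so the result can be compared with the Process Monitor trace suggested above. DiskSignatureReader and SignatureResult are hypothetical names, and the example does not assume which case applies under a restricted account.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Management

' Added example: SignatureResult and DiskSignatureReader are hypothetical names.
Public Class SignatureResult
    Public Signatures As New List(Of String)
    Public DrivesSeen As Integer = 0
    Public FailureReason As String = Nothing   ' Nothing means the query itself ran
End Class

Public Module DiskSignatureReader
    Public Function ReadSignatures() As SignatureResult
        Dim result As New SignatureResult()
        Try
            Using diskClass As New ManagementClass("Win32_DiskDrive")
                For Each disk As ManagementObject In diskClass.GetInstances()
                    result.DrivesSeen += 1
                    Dim sig As Object = disk("Signature")
                    If sig IsNot Nothing Then result.Signatures.Add(sig.ToString())
                Next
            End Using
        Catch ex As ManagementException
            ' ErrorCode is a ManagementStatus value such as AccessDenied.
            result.FailureReason = "WMI error: " & ex.ErrorCode.ToString()
        Catch ex As UnauthorizedAccessException
            result.FailureReason = "Access denied while connecting to WMI"
        End Try
        Return result
    End Function

    ' Turns the result into one line suitable for a log or a support message.
    Public Function Describe(ByVal r As SignatureResult) As String
        If r.FailureReason IsNot Nothing Then Return r.FailureReason
        If r.DrivesSeen = 0 Then Return "Query succeeded but returned no drives"
        If r.Signatures.Count = 0 Then
            Return r.DrivesSeen.ToString() & " drive(s) returned, Signature empty on all"
        End If
        Return r.Signatures.Count.ToString() & " signature(s) read"
    End Function
End Module
```

Logging the Describe output once as Administrator and once as the restricted user shows whether the difference is an access failure or missing data.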
 
