Subject: How Take Ownership of Registry Key with .NET 2.0?

[Guest]

Apologies for the double-post.. I'm new, just getting used to this.. and
should have posted this way in the first place..

How does one go about taking ownership of a registry key using C# & .NET 2.0
*IF* one has _only_ TakeOwnership privilege?

The problem is exactly as specified in MS KB Article ID: 111546 at:
http://support.microsoft.com/kb/111546/EN-US/

...except that I would like to know how to do it in C#

Any help would be much appreciated. Thanks! (Again!)

 

[Jeffrey Tan[MSFT]]

Hi Rheal,

Thanks for your post.

In .Net 1.1, there is no build-in for Access Control support, however,
Net2.0 has finally released several access control namespace such as
System.Security.AccessControl and System.Security.Principal. The article
below showed how to use these 2 namespaces to do what you want:
"Item 46: How to take ownership of an object"
http://www.pluralsight.com/keith/book/html/howto_takeownership.html

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 

[Andrew]

Thank you for your reply:

In .Net 1.1, there is no build-in for Access Control support, however,
.Net2.0 has finally released several access control namespace such as
System.Security.AccessControl and System.Security.Principal. The article
below showed how to use these 2 namespaces to do what you want:
"Item 46: How to take ownership of an object"
http://www.pluralsight.com/keith/book/html/howto_takeownership.html

Unfortunately, the code example uses a type that VS 2005 RC does not
recognize - "LeafObjectSecurity"

A google search turns up very little, but more than a search on msdn,
microsoft.com, or the Visual Studio 2005 RC help, all of which turned up
absolutely *nothing* when I searched for simply "LeafObjectSecurity" - Of
the few results from Google, only one provided any hint - which seems to be
that LeafObjectSecurity was introduced in .NET Beta 1, but dropped in .NET
Beta 2.

http://www.aspnetdev.de/ClassReference/System.Security.AccessControl.aspx

I am aware of the other namespaces you mentioned, and am able to pretty
much do any type of security manipulation with the Registry Keys *except*
take ownership when I have no other privileges than TakeOwner.

Do you have any other thoughts on how I might be able to take ownership of
a Registry Key using C# and any of the new .NET 2.0 features? (that are
still valid in RC1, and hopefully also in Beta 2) .. and assuming still, of
course, that I have no other privileges than TakeOwner.

Thank you again for your time and assistance.

Cheers

 

[Jeffrey Tan[MSFT]]

Hi Andrew,

Thanks for your feedback.

Yes, Whidbey is in beta versions, and everything may be changed in RTM.

Currently, I suggest you p/invoke RegOpenKeyEx and RegSetKeySecurity to get
this done. With this, we do not reply on the change of Whidbey framework.
Thanks

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 

[Andrew]

Hi Andrew,

Thanks for your feedback.

Yes, Whidbey is in beta versions, and everything may be changed in RTM.

Currently, I suggest you p/invoke RegOpenKeyEx and RegSetKeySecurity to get
this done. With this, we do not reply on the change of Whidbey framework.
Thanks

Hi Jeffrey,

Thank you very much again for your reply, and for the information.

Just to clarify - Is .NET 2.0 essentially a part of Whidbey? (and thus
meaning there's essentially no documented way to do what I want in .NET 2.0
for now..?)

I only ask because I sort of had the impression the .NET 2.0 went with
Visual Studio .NET 2005, and was thus going to be "released" with VS 2005.
If that were true (and I could obviously be totally mistaken) then there
"should" be a way to use the new .NET 2.0 functionality to take ownership
of a registry key as I wanted to, shouldn't there?

Meantime -- I'll try your suggestion about p/invoke - I've just never used
that before and it sounds complicated.

Thanks again! I totally appreciate having you and the Concierge available!

Cheers

- Andrew

 

[Jeffrey Tan[MSFT]]

Hi

Thanks for your feedback.

Yes, Whidbey is the code name of .Net 2.0. I agree with you that Whidbey
should have build-in method to take the ownership of an object. But,
because Whidbey is still does not release, everything may change, and may
not available in RTM version. So using p/invoke to do this should be more
reliable currently. This is why I suggest you use legacy Win32 way(p/invoke
to Win32 API).

Anyway, in my Whidbey Beta2 version, there is a RegistrySecurity class can
be used for representing registry security. The code snippet below how to
get this done:

NTAccount account = new NTAccount(Environment.UserDomainName+
"\\"+Environment.UserName);
RegistryKey rk = Registry.ClassesRoot.CreateSubKey("mytest");
RegistrySecurity rs=rk.GetAccessControl();
rs.SetOwner(account);
rk.SetAccessControl(rs);

Note: we should first enable the TakeOwnership privilege in the process
token, however, currently, .Net still did not provide a way to enable this
privilege, we have to resort to win32 way. For a sample, please refer to
the link below:
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HowToUseAPrivilege.
html
===================================================
Thank you for your patience and cooperation. If you have any questions or
concerns, please feel free to post it in the group. I am standing by to be
of assistance.

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 

[Jeffrey Tan[MSFT]]

Hi Andrew,

Does my reply make sense to you? Is your problem resolved? Please feel free
to tell me, thanks

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 

[Andrew]

Hi Andrew,

Does my reply make sense to you? Is your problem resolved? Please feel free
to tell me, thanks

Hi Jeffrey,

Thanks for the reply! And.. well.. your reply in and of itself does
make sense to me...

However, that code you pointed me at, over on pluralsight.com seems
excessively complicated just to be _able_ to take ownership of a registry
key.. But if that's what I need to do, well, I'll try and figure it out.

I have to admit that all that token stuff is new to me... nor am I really
that sure how I'm supposed to use that code. It sounds like he's talking
about multiple privileges (privCount) - I don't even know how to begin to
call it and specify that I want the TakeOwnership privilege in the process
token. He also seems to be indicating that I should disable the privilege
afterwards.

I get the feeling that I can't just take that code, and dump it in at the
end of my source file and have it work. (even if I _did_ know how to
call it..)

Is there somewhere that sort of eases into that stuff slowly, so that I
might have some hope of understanding it, and how I might make use of it? I
feel that I'm just missing some fundamentals about dealing with this type
of coding. (The privilege stuff from C++ _and_ calling C++ from C#)

Any pointers to documentation, tips, suggestions, thoughts, ideas, or any
other type of further assistance in figuring this out would again be very
much appreciated!

Thank you (again!) for your time and assistance with this!

- Andrew

 

[Jeffrey Tan[MSFT]]

Hi Andrew,

Thanks for your feedback.

I think your current concern is how to use the unmanaged code snippet of
enabling privilege in your application, yes?

I am not sure if you are familiar with making dll in VC++. I suggest you
use VC++ with that code snippet to create a dll which exports a function to
enable privilege. Then in .Net, we can use P/invoke to call this exported
function. After doing this, we should can use .Net2.0 classes to take the
ownership of registry.

Addtionally, if you just want to set the ownership of the registry to your
login account, just enabling SeTakeOwnershipPrivilege is enough. However,
if you want to set its ownership to any other valid account SID, we have to
enable another privilege: SeRestorePrivilege(These 2 privileges are both
assigned to Administrators local group by default, however it is disabled
by default, so we should enable it in our login account). For more
information about ownership, please refer to the links below:

http://win32.mvps.org/security/ownership.html
"A .NET Developer's Guide to Windows Security: Understanding Ownership"
http://www.awprofessional.com/articles/article.asp?p=350386&rl=1

For more information about p/invoke, please refer to the msdn article
below:
http://msdn.microsoft.com/msdnmag/issues/03/07/NET/

At last, for debugging or testing purpose, I usually use PView.exe in
Platform SDK to enable certain privilege of certain process. To do this, we
can first run up the application, then use PView.exe to find our process
and view its Process token, in the popup process token dialog, we can
enable any privilege we want. After enabling the privilege, we can force
the application to run the take ownership security code.

Hope this helps

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 

[Jeffrey Tan[MSFT]]

Hi Andrew,

Does my reply make sense to you? Is your problem resolved? Please feel free
to tell me, thanks

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.