|
Subject:
|
Remote Registry
|
|
Posted By:
|
Kep
|
Post Date:
|
8/10/2003 9:28:03 PM
|
Hi all,
I realise this is more a Windows NT security question than a C++ specific question but perhaps some one can help.
I'm connecting to the registry on a remote computer and looking to read a value from the registry key (on the remote host) called:-
HKEY_LOCAL_MACHINE\SOFTWARE\MyApp
There is a value in this key called "MyValue". All I need is read access and the security descriptor for this key (and all it's parent keys) provide read access to the "Everyone" group.
When I try and open the key I get an access denied error message. The only way I can read the data is if I add my user account to the Adminstrators group on the remote host.
The Administrators group provides too much access (read/write/delete etc.) where as I only want standard users to be able to see the data.
I'm using windows API registry functions throughout.
Can anyone tell me what's going on?
Cheers,
Kep.
|
|
Reply By:
|
merediths
|
Reply Date:
|
8/27/2003 6:29:04 PM
|
Registries have DACLs / CACLS (discretinoary access control lists / system access control lists ) just like normal files [1]. You can add your username to the ACL of the registry key in question by following the procedure:
1.) open the remote registry with your registry editor (regedit should work on XP, but on some older versions of NT you may need to specify regedt32 to see the ACLs).
2.) Right-click on the hive / key in question and go to permissions
3.) Wala -- a familiar looking security dialog box should pop up. Add your username and specify permissions.
You should now be able to access said registry key.
[1] actually, all objects in NT managed by the ORM/Executive have ACLs.
Regards,
Meredith Shaebanyan
|
|
Reply By:
|
Kep
|
Reply Date:
|
8/27/2003 7:04:04 PM
|
Thanks Meredith, I tried what you suggested and added the username to the DACL for the registry key's they need access to. If you log on to the PC locally then they have access. If you connect to the registry remotely then it still denies access.
I'm using NT server 4.0, maybe there is something special about the Administrators group when connecting to remote registries?
Thanks for your help,
Kep.
|
|
Reply By:
|
merediths
|
Reply Date:
|
9/18/2003 5:39:51 PM
|
Kep,
you need to add the key you want to edit remotely to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths
by default only Administrators can remotely edit the registry. I had never run up against this before because I typically only programaticaly access the registry for things that require admin privlages anyway, and therefore run from an admin account.
Regards
Meredith Shaebanyan
|
