AccessControl SetRegKeyOwner failing

arrow15 · 12th July 2007, 19:28

Hi.

So basically, I'm trying to use AccessControl to gain control of several registry keys before changing their permissions to FullAccess for Everyone, then deleting them. Windows Vista forces every user, including administrators to first take control of a registry key before they can make any modifications to it, if they do not already have explicit write control.

I've been successful with GrantOnRegKey:

Quote:

AccessControl::GrantOnRegKey HKLM $KeyPath "Everyone" "FullAccess"

This works perfectly.

I haven't had the same success with SetRegKeyOwner.

Quote:

AccessControl::SetRegKeyOwner HKLM $KeyPath "user"

When I pop the errors off the stack for a few of these SetRegKeyOwner, GrantOnRegKey owner sequences, there are no errors for GrantOnRegKey, but for SetRegKeyOwner calls I get the following for the first:

Quote:

Cannot apply new ownership.
Error code: 0

Then for the rest:

Quote:

Cannot apply new ownership.
Error code: 997

Error code 997 is ERROR_IO_PENDING, which doesn't really make sense to me, as permissions changes work, and then the first error code reads as 0 (even though it shouldn't error on 0). The user name is correct, because if I put in a bad one, it gives me a bad trustee error.

Any ideas?...

arrow15 · 12th July 2007, 21:59

Follow up:

So I tried manually changing the registry key's permissions to full control to everyone, and the change of ownership worked. So basically as I see it here's how things stand on Vista:

-To edit permissions of the registry key (no write owner control), I have to first have the user take control of the key from the administrators group

-To take control of the key from the administrators group, I must first take write owner control permissions.

kichik · 13th July 2007, 08:57

I don't know why it fails, but you get the wrong error codes because of a bug in AccessControl. It uses GetLastError() to get the last error of SetNamedSecurityInfo, but SetNamedSecurityInfo uses the return value for specifying the error.

I've attached a fixed version. Let me know if it works before I upload it to the Wiki.

arrow15 · 13th July 2007, 18:47

Yes, thank you, the new version's error codes are accurate. (That's what I suspected might be happening when I looked at the source code) I now get error code 5 (Access denied), which is far more believable, and seems to be what is going wrong. As for finding a solution, I'm still looking, and I'll post it if I find something. From what I've read though, many people consider this registry permissions / ownership business a bug with Vista, because it seems to basically trap you.

Thanks again.

Lyra78 · 27th December 2007, 15:34

Hi everybody.
I tried kichik's version of the plug-in and the most recent (November 2007).
I realized that "GrantOnRegKey" doesn't work properly in the last version. Kichik's version works fine.

Does anyone know why kichik's changes seem to be lost in the last official version?

Thanks!

Afrow UK · 27th December 2007, 16:30

In what way does it not work correctly?

Stu

Lyra78 · 28th December 2007, 06:48

Setting full access on a registry key in local machine doesn't work. It just sets this permission for administrators and power users, not for users. The previous version I mentioned works correctly.

Afrow UK · 28th December 2007, 12:04

Something else is wrong. The code to change a file or registry ACL has not changed between those two version with the exception of /noinherit.

Stu

Lyra78 · 28th December 2007, 13:23

I'd like to try the intermediate version of AccessControl.dll (August 2007), but I'm not able to find it. Can you help me?

Anyway, that's what happens: in my installation I create a registry key in local machine, then I set full access for all users by "GrantOnRegKey" function. If I compile the script with the latest version of AccessControl.dll (in ProgramFiles\NSIS\Plugins), and execute the file, then in my registry I get just "reading permissions" for Users.
But if I compile with kichik's version installed, then I get the right permissions for all users of that registry key.
I executed both the compiled files on Windows XP and Vista, and found the same curious behaviour.

This is my code:
WriteRegStr HKLM "Software\${COMPANY}\$REG_KEY" "$REG_VALUE" "$REG_DATA"
AccessControl::GrantOnRegKey \
HKLM "Software\${COMPANY}\$REG_KEY" "(S-1-5-32-545)" "FullAccess"

Thanks for help.

Afrow UK · 31st December 2007, 10:15

Any error messages on the stack?

Stu

Afrow UK · 7th January 2008, 18:59

There was a bug.
http://nsis.sourceforge.net/File:AccessControl.zip

Stu

Lyra78 · 8th January 2008, 08:58

That's why there weren't any errors on the stack! :-)

Thanks for the correction: now it works fine!

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

12th July 2007, 21:59	#2
arrow15 Junior Member Join Date: Jun 2007 Posts: 4	Follow up: So I tried manually changing the registry key's permissions to full control to everyone, and the change of ownership worked. So basically as I see it here's how things stand on Vista: -To edit permissions of the registry key (no write owner control), I have to first have the user take control of the key from the administrators group -To take control of the key from the administrators group, I must first take write owner control permissions.

13th July 2007, 18:47	#4
arrow15 Junior Member Join Date: Jun 2007 Posts: 4	Yes, thank you, the new version's error codes are accurate. (That's what I suspected might be happening when I looked at the source code) I now get error code 5 (Access denied), which is far more believable, and seems to be what is going wrong. As for finding a solution, I'm still looking, and I'll post it if I find something. From what I've read though, many people consider this registry permissions / ownership business a bug with Vista, because it seems to basically trap you. Thanks again.

27th December 2007, 15:34	#5
Lyra78 Junior Member Join Date: Dec 2007 Location: Italy Posts: 5	Hi everybody. I tried kichik's version of the plug-in and the most recent (November 2007). I realized that "GrantOnRegKey" doesn't work properly in the last version. Kichik's version works fine. Does anyone know why kichik's changes seem to be lost in the last official version? Thanks!

27th December 2007, 16:30	#6
Afrow UK Moderator Join Date: Nov 2002 Location: Surrey, England Posts: 8,434	In what way does it not work correctly? Stu

28th December 2007, 06:48	#7
Lyra78 Junior Member Join Date: Dec 2007 Location: Italy Posts: 5	Setting full access on a registry key in local machine doesn't work. It just sets this permission for administrators and power users, not for users. The previous version I mentioned works correctly.

28th December 2007, 12:04	#8
Afrow UK Moderator Join Date: Nov 2002 Location: Surrey, England Posts: 8,434	Something else is wrong. The code to change a file or registry ACL has not changed between those two version with the exception of /noinherit. Stu

28th December 2007, 13:23	#9
Lyra78 Junior Member Join Date: Dec 2007 Location: Italy Posts: 5	I'd like to try the intermediate version of AccessControl.dll (August 2007), but I'm not able to find it. Can you help me? Anyway, that's what happens: in my installation I create a registry key in local machine, then I set full access for all users by "GrantOnRegKey" function. If I compile the script with the latest version of AccessControl.dll (in ProgramFiles\NSIS\Plugins), and execute the file, then in my registry I get just "reading permissions" for Users. But if I compile with kichik's version installed, then I get the right permissions for all users of that registry key. I executed both the compiled files on Windows XP and Vista, and found the same curious behaviour. This is my code: WriteRegStr HKLM "Software\${COMPANY}\$REG_KEY" "$REG_VALUE" "$REG_DATA" AccessControl::GrantOnRegKey \ HKLM "Software\${COMPANY}\$REG_KEY" "(S-1-5-32-545)" "FullAccess" Thanks for help.

31st December 2007, 10:15	#10
Afrow UK Moderator Join Date: Nov 2002 Location: Surrey, England Posts: 8,434	Any error messages on the stack? Stu

7th January 2008, 18:59	#11
Afrow UK Moderator Join Date: Nov 2002 Location: Surrey, England Posts: 8,434	There was a bug. http://nsis.sourceforge.net/File:AccessControl.zip Stu

8th January 2008, 08:58	#12
Lyra78 Junior Member Join Date: Dec 2007 Location: Italy Posts: 5	That's why there weren't any errors on the stack! :-) Thanks for the correction: now it works fine!