Old 21st November 2015, 13:29   #1
v6gfZc9p
Junior Member
 
Join Date: Nov 2015
Posts: 4
Registry writes fail quietly in Win7 x64

I'm trying to make a few adjustments to explorer on Windows 7 Ultimate x64 with the following registry writes (this removes the damn homegroup)

code:
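!include "LogicLib.nsh" ; provides ${If} / ${EndIf}
!include "x64.nsh"      ; provides ${RunningX64}
RequestExecutionLevel admin
SetRegView 64
; 64-bit view of the key
WriteRegDWORD HKCR "CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\ShellFolder" "Attributes" 0xB094010C
${If} ${RunningX64}
  ; Same value under the Wow6432Node copy of the key
  WriteRegDWORD HKCR "Wow6432Node\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\ShellFolder" "Attributes" 0xB094010C
${EndIf}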



But the writes silently fail. Using Process Monitor I can see that they fail with access denied. Shouldn't there at least be an error message?

Turns out Administrator doesn't have write access to the keys. TrustedInstaller is the only "user" that has access.

Is there something I'm doing wrong, or is there a bug in NSIS? Shouldn't the installer automatically be run under the TrustedInstaller account?
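The silent failure described in the post above can be made visible with core NSIS alone, because WriteRegDWORD sets the error flag when the value cannot be written. The script below is an added example, not code from the thread or from the NSIS project; the installer name, output file, macro name and exit code are assumptions.

```nsis
; Added example (not from the thread): report registry writes that fail.
!include "LogicLib.nsh"
!include "x64.nsh"

Name "RegWriteCheck"          ; hypothetical installer name
OutFile "RegWriteCheck.exe"   ; hypothetical output file
RequestExecutionLevel admin
ShowInstDetails show

!define SHELLFOLDER_KEY "CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\ShellFolder"
Var FailedWrites

; Hypothetical helper: write a DWORD under HKCR in the given registry view
; and count the write as failed when NSIS sets the error flag.
!macro WriteHKCRDwordChecked VIEW SUBKEY VALNAME DATA
  SetRegView ${VIEW}
  ClearErrors
  WriteRegDWORD HKCR "${SUBKEY}" "${VALNAME}" ${DATA}
  ${If} ${Errors}
    DetailPrint "FAILED (${VIEW}-bit view): HKCR\${SUBKEY} -> ${VALNAME}"
    IntOp $FailedWrites $FailedWrites + 1
  ${Else}
    DetailPrint "OK (${VIEW}-bit view): HKCR\${SUBKEY} -> ${VALNAME}"
  ${EndIf}
!macroend

Section "Apply"
  StrCpy $FailedWrites 0
  !insertmacro WriteHKCRDwordChecked 64 "${SHELLFOLDER_KEY}" "Attributes" 0xB094010C
  ${If} ${RunningX64}
    ; The 32-bit view stands in for the explicit Wow6432Node path in the post.
    !insertmacro WriteHKCRDwordChecked 32 "${SHELLFOLDER_KEY}" "Attributes" 0xB094010C
  ${EndIf}

  ; The error flag does not say why the write failed; on the keys in this
  ; thread the cause seen in Process Monitor was access denied.
  ${If} $FailedWrites > 0
    SetErrorLevel 2   ; hypothetical exit code for a failed registry write
    MessageBox MB_OK|MB_ICONSTOP "$FailedWrites registry write(s) failed. Check the key's owner and ACL." /SD IDOK
    Abort "Registry writes failed"
  ${EndIf}
SectionEnd
```

The `/SD IDOK` switch keeps silent installs from blocking on the message box, and the non-zero exit code lets a deployment script notice the failure.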
Old 21st November 2015, 17:37   #2
Anders
Moderator
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,449
No, TrustedInstaller is a Microsoft-exclusive special user account that exists to make it harder for people to change Windows system files and settings. RequestExecutionLevel admin only gets you an integrity level of high; there are two levels above this.

You need to use the AccessControl plugin to take ownership of the key and give yourself write access before you can write. Ideally you should restore the ACL and owner when you are done...

IntOp $PostCount $PostCount + 1
Old 23rd November 2015, 18:04   #3
v6gfZc9p
Junior Member
 
Join Date: Nov 2015
Posts: 4
I had a feeling it was going to be something like that :-(

So no way to trick Windows into thinking the installer was for XP or older so it would be run in some kind of compatibility mode with full registry access?

Is there a suggestions forum somewhere? Cause taking care of standard access problems for registry writes seems very much like something NSIS should be doing automatically.
Old 24th November 2015, 09:14   #4
JasonFriday13
Major Dude
 
Join Date: May 2005
Location: New Zealand
Posts: 916
Quote:
Originally Posted by v6gfZc9p View Post
Is there a suggestions forum somewhere? Cause taking care of standard access problems for registry writes seems very much like something NSIS should be doing automatically.
Alright, let's look at this from a hacker's point of view. Having a tool that can read and write ANY key and/or value would be very helpful to them. This means they can change system keys and values and Windows wouldn't be able to repair them, resulting in a messed up system that would probably need to have Windows reinstalled, which is a real pain if that system has a lot of data on it.

NSIS is always going to stay within the restrictions set out by Microsoft, I'm sorry but that's the way it is. You are free to write your own code that does the job though.

"Only a MouseHelmet will save you from a MouseTrap" -Jason Ross (Me)
NSIS 3 POSIX Ninja
Wiki Profile
Old 24th November 2015, 09:32   #5
Anders
Moderator
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,449
Quote:
Originally Posted by v6gfZc9p View Post
Cause taking care of standard access problems for registry writes seems very much like something NSIS should be doing automatically.
This is not a standard access problem, Microsoft changed the owner of these keys to stop people from changing them. You face the same issue if you try to do it with regedit. I already told you how to get around it in my first reply...

IntOp $PostCount $PostCount + 1
Old 1st December 2015, 19:41   #6
v6gfZc9p
Junior Member
 
Join Date: Nov 2015
Posts: 4
Quote:
Originally Posted by Anders View Post
This is not a standard access problem, Microsoft changed the owner of these keys to stop people from changing them. You face the same issue if you try to do it with regedit. I already told you how to get around it in my first reply...
I'd still like to bring the issue to the attention of the developers, modifying the registry is absolutely basic installer functionality, it shouldn't be necessary to go through a ton of trouble to get it done.
Old 1st December 2015, 20:09   #7
Anders
Moderator
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,449
Quote:
Originally Posted by v6gfZc9p View Post
I'd still like to bring the issue to the attention of the developers, modifying the registry is absolutely basic installer functionality, it shouldn't be necessary to go through a ton of trouble to get it done.
So you don't consider Regedit to be a registry editor then?

You are doing special things here that Microsoft don't really want you to do, some extra speed bumps should be expected.

IntOp $PostCount $PostCount + 1
Old 7th December 2015, 06:24   #8
v6gfZc9p
Junior Member
 
Join Date: Nov 2015
Posts: 4
Quote:
Originally Posted by Anders View Post
So you don't consider Regedit to be a registry editor then?
Yes, but I'm not trying to edit the registry or make a registry editor! I'm trying to create an installer and installers create and modify registry keys. And even Regedit will modify the registry without changing access rights if you just save your changes in a .reg file!

Quote:
Originally Posted by Anders View Post
You are doing special things here that Microsoft don't really want you to do, some extra speed bumps should be expected.
NO!!! Modifying the registry is a standard operation for an installer, not some "special thing". And Microsoft is trying to keep the amateurs out of the registry (not that it's any of their business what people do to their own computers), not installer writers!

But perhaps the real problem is the RequestExecutionLevel directive? Apparently TrustedInstaller rather than Administrator is the correct user account for installers on all windows versions newer than 7.
Old 7th December 2015, 09:45   #9
JasonFriday13
Major Dude
 
Join Date: May 2005
Location: New Zealand
Posts: 916
A quick Google search on this 'TrustedInstaller' shows that it's for Windows Update and System Resource Protection, nothing else. So as far as I can see, only specific tools from Microsoft can use the TrustedInstaller privilege because it modifies the system files that make the OS work. So I can see why the TrustedInstaller privilege is so restricted, they don't want hackers using it to corrupt the system and cause loss of data, I guess this includes HomeGroup as it's part of the system files.

"Only a MouseHelmet will save you from a MouseTrap" -Jason Ross (Me)
NSIS 3 POSIX Ninja
Wiki Profile