Registry writes fail quietly in Win7 x64

[v6gfZc9p]

I'm trying to make a few adjustments to explorer on Windows 7 Ultimate x64 with that following registry writes (this removes the damn homegroup)

code:
RequestExecutionLevel admin

SetRegView 64

WriteRegDWORD HKCR "CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\ShellFolder" "Attributes" 0xB094010C

${If} ${RunningX64}

WriteRegDWORD HKCR "Wow6432Node\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\ShellFolder" "Attributes" 0xB094010C

${EndIf}

But the writes silently fail. Using Process Monitor i can see that they fail with access denied. Shouldn't there at least be an error message?

Turns out Administrator doesn't have write access to the keys. TrustedInstaller it is the only "user" that has access.

Is there something I'm doing wrong, or is there a bug in NSIS? Shouldn't the installer automatically be run under the TrustedInstaller account?

[Anders]

No, TrustedInstaller is Microsoft exclusive special user account that exists to make it harder for people to change Windows system files and settings. RequestExecutionLevel admin only gets you a integrity level of high, there are two levels above this.

You need to use the AccessControl plugin to take ownership of the key and give yourself write access before you can write. Ideally you should restore the ACL and owner when you are done...

[v6gfZc9p]

I had a feeling it was going to be something like that :-(

So no way to trick Windows into thinking the installer was for XP or older so it would be run in some kind of compatibility mode with full registry access?

Is there a suggestions forum somewhere? Cause taking care of standard access problems for registry writes seem very much like something NSIS should be doing automatically.

[JasonFriday13]

Quote:

Originally Posted by v6gfZc9p

Is there a suggestions forum somewhere? Cause taking care of standard access problems for registry writes seem very much like something NSIS should be doing automatically.

Alright, lets look at this from a hackers point-of-view. Having a tool that can read and write ANY key and/or value would be very helpful to them. This means they can change system keys and values and Windows wouldn't be able to repair them, resulting in a messed up system that would probably need to have Windows reinstalled, which is a real pain if that system has alot of data on it.

NSIS is always going to stay within the restrictions set out by Microsoft, I'm sorry but that's the way it is. You are free to write your own code that does the job though.

[Anders]

Quote:

Originally Posted by v6gfZc9p

Cause taking care of standard access problems for registry writes seem very much like something NSIS should be doing automatically.

This is not a standard access problem, Microsoft changed the owner of these keys to stop people from changing them. You face the same issue if you try to do it with regedit. I already told you how to get around it in my first reply...

[v6gfZc9p]

Quote:

Originally Posted by Anders

This is not a standard access problem, Microsoft changed the owner of these keys to stop people from changing them. You face the same issue if you try to do it with regedit. I already told you how to get around it in my first reply...

I'd still like to bring the issue to the attention of the developers, modifying the registry is absolutely basic installer functionality, it shouldn't be necessary to go through a ton of trouble to get it done.

[Anders]

Quote:

Originally Posted by v6gfZc9p

I'd still like to bring the issue to the attention of the developers, modifying the registry is absolutely basic installer functionality, it shouldn't be necessary to go through a ton of trouble to get it done.

So you don't consider Regedit to be a registry editor then?

You are doing special things here that Microsoft don't really want you to do, some extra speed bumps should be expected.

[v6gfZc9p]

Quote:

Originally Posted by Anders

So you don't consider Regedit to be a registry editor then?

Yes, but I'm not trying to edit the registry or make a registry editor! I'm trying to create an installer and installers create and modify registry keys. And even Regedit will modify the registry without changing access rights if you just save your changes in a .reg file!

Quote:

Originally Posted by Anders

You are doing special things here that Microsoft don't really want you to do, some extra speed bumps should be expected.

NO!!! Modifying the registry is a standard operation for an installer, not some "special thing". And Microsoft is trying to keep the amateurs out of the registry (not that it's any of their business what people do to their own computers), not installer writers!

But perhaps the real problem is the RequestExecutionLevel directive? Apparently TrustedInstaller rather than Administrator is the correct user account for installers on all windows versions newer than 7.

[JasonFriday13]

A quick google search on this 'TrustedInstaller' shows that it's for Windows Update and System Resource Protection, nothing else. So as far as I can see, only specific tools from Microsoft can use the TrustedInstaller privilege because it modifies the systems files that make the OS work. So I can see why the TrustedInstaller privilege is so restricted, they don't want hackers using it to corrupt the system and cause loss of data, I guess this includes HomeGroup as it's part of the system files.