How to find out - who is the owner of any registry key?

[stass]

How to find out about permissions (access rights) in NSIS, who is the owner of any registry key ?
How can you use the RegGetKeySecurity function for these purposes ?

ps AccessControl plug-in - why doesn't it work ...

code:
!addplugindir .

OutFile AccessControlTest.exe

RequestExecutionLevel admin

var Owner



Section

AccessControl::GetRegKeyOwner "HKLM" "SYSTEM\ControlSet001\Control\AGP"

Pop $Owner

MessageBox MB_OK "$Owner"

SectionEnd

[Anders]

There was a bug, I uploaded a new version.

[stass]

Thank you Anders !

Is it possible to add another very important option: who has full control over the registry key ?

For example: AccessControl::GetRegKeyFullControl

FullControl : builtin \ Administrators , SYSTEM
FullControl : TrustedInstaller

[Anders]

I don't see how that is useful. You can be pretty close to FullControl without actually having it. For the registry, somebody could have everything except notify right for example, this is effectively the same as FullControl. Anyone with with WRITE_DAC can give themselves FullControl if they want it.

[stass]

Knowing who has full control is important for using reg files. (This is even more important than knowing who the owner of the registry key is).
If system or TI has full control, then you have to use special utilities, such as Subinacl, etc. This is important to know in advance.
For example, in PowerShell there is a GetAcl command.
Unfortunately, NSIS does not yet have such a toolkit...

[Anders]

That is simply not how ACLs work. System or TI are not special, they don't block access to others simply by existing in the ACL.

Newer versions of Windows try to make it harder for people to write to certain keys. This forces people to first take ownership of the key so that they can add write access for themselves.

[stass]

Quote:

Originally Posted by Anders

Newer versions of Windows try to make it harder for people to write to certain keys. This forces people to first take ownership of the key so that they can add write access for themselves.

Therefore, I would like to solve this problem with the help of NSIS.
It would be nice with the AccessControl plug-in...

[Anders]

It already has SetRegKeyOwner

[stass]

Quote:

Originally Posted by Anders

It already has SetRegKeyOwner

As it turned out, this is not enough ...

[Anders]

Because?

[stass]

Because, for example, in Windows 10, in my scripts I often have to run different reg files to change the system settings. And very often, these reg files must be run with elevated rights, which is not known in advance. You need to know who has full control over a given registry key.
Do not go into the registry every time to manually view the rights ...

[Anders]

Which keys are not working?

[stass]

There are many keys that are not available to the user due to the full control of TI or System.
For example, in Windows 10, it is often necessary to disable or stop WindowsDefender. (If you install a different antivirus or temporarily stop WindowsDefender services when executing scripts from your installer, because this antivirus is paranoid ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv]
"Start"=dword:00000004

Also, sometimes it is necessary to make ordinary user settings such as: disable Cloud Protection, Automatic submission of samples, etc.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet]
"SpyNetReporting"=dword:00000000
"SubmitSamplesConsent"=dword:00000000

All such registry keys cannot be listed ... And Microsoft increasingly protects the registry from the user ...

[JasonFriday13]

Quote:

Originally Posted by stass

And Microsoft increasingly protects the registry from programmers ...

It's the users choice to change it, not the programmers choice. I would be pretty upset if a program turned off my firewall... I might start using linux more often .

[stass]

Quote:

Originally Posted by JasonFriday13

It's the users choice to change it, not the programmers choice.

It's a choice (or rather coercion) of Microsoft.
Programmers are just trying to help users overcome harmful prohibitions. Users using NSIS solve the same problem. Why not help them?

[Anders]

Regedit cannot take ownership of WinDefend nor Spynet. If Regedit can't do it, we can't do it.

Just to clarify, trying to set S-1-5-32-544 (BUILTIN\Administrators) as the owner of the Spynet key with SetNamedSecurityInfoW fails even though we have enabled both SE_RESTORE_NAME and SE_TAKE_OWNERSHIP_NAME in the process token.

Which tricks are you currently using to bypass this security?

See also:
https://docs.microsoft.com/en-us/win...nership-in-c--

[stass]

Registry key values for WindowsDefender change without problems when you run reg files as TrustedInstaller. (it is better to do this using special utilities such as devxexec.exe, RunAsTI.exe, PowerRun.exe, etc.)
Keys for WindowsDefender are an exception. Probably, I gave an unsuccessful example ... There shouldn't be any problems for full control detection for the rest of the registry keys.

(I tested the key
[HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Control \ AGP] )

[Anders]

Ideally you should probably use transacted registry when doing evil things like this but it is a start at least:

PHP Code:

requestexecutionlevel admin
unicode true
!include LogicLib.nsh

Section
!define REGROOTANDKEY 'HKLM "SYSTEM\CurrentControlSet\Control\AGP"'

AccessControl::GetRegKeyRawSD ${REGROOTANDKEY} "OGD"
Pop $1
${If} $1 P<> 0
    AccessControl::SetRegKeyOwner ${REGROOTANDKEY} (BA)
    Pop $0
    ${If} $0 == error
        Pop $2
        DetailPrint $0:$2
    ${Else}
        AccessControl::DisableRegKeyInheritance ${REGROOTANDKEY} 
        Pop $0
        ${IfThen} $0 == error ${|} Pop $0 ${|}

        AccessControl::ClearOnRegKey /NOINHERIT ${REGROOTANDKEY} (BA) "FullAccess"
        Pop $0
        ${If} $0 == error
            Pop $2
            DetailPrint $0:$2
        ${Else}
            WriteRegStr ${REGROOTANDKEY} "Test" "Hello World"
            MessageBox "" "I did it?"
            DeleteRegValue ${REGROOTANDKEY} "Test"
        ${EndIf}

        AccessControl::SetRegKeyRawSD ${REGROOTANDKEY} "*" $1
        Pop $9
        DetailPrint RestoreSD=$9
    ${EndIf}
    AccessControl::FreeRawSD $1
${EndIf}
SectionEnd 


If you want to look for your precious FullControl:

PHP Code:

AccessControl::GetRegKeyRawSD ${REGROOTANDKEY} "D"
Pop $1
${If} $1 P<> 0
    System::Call 'ADVAPI32::ConvertSecurityDescriptorToStringSecurityDescriptor(p$1,i1,i0x4,*p.r2,p0)i.r0'
    ${If} $0 <> 0
        System::Call KERNEL32::lstrcpyn(t.r0,pr2,i${NSIS_MAX_STRLEN})
        System::Call KERNEL32::LocalFree(pr2)
        MessageBox "" $0 ; https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format
    ${EndIf}
    AccessControl::FreeRawSD $1
${EndIf} 


[stass]

Great ! Anders, thanks a lot ! I will study and apply your coding magic.

[stass]

I'm sorry, but I'm back to the damn registry keys in Windows 10 ...

A seemingly simple task is to determine the existence of a key in the registry. It is easy to determine whether there is such a key or not.
The key is still the same:
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows Defender \ Spynet

And one more :
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ WindowsSelfHost \ UI \ Visibility

But the task was not solvable!
What's the matter ? How do I solve this?

code:
!addplugindir .

!include "LogicLib.nsh"

!include "Registry.nsh"

OutFile "IfKeyExist-test.exe"

RequestExecutionLevel admin

Var NameKey



Section

StrCpy $NameKey "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet"  

ClearErrors

${registry::KeyExists} "$NameKey" $R0

${If} $R0 = -1

MessageBox MB_OK "NO Key"

${ElseIf} $R0 = 0

MessageBox MB_OK "OK!"

${EndIf}



${Do}

EnumRegKey $1 HKLM "SOFTWARE\Microsoft\Windows Defender" $0  

IntOp $0 $0 + 1

StrCpy $2 $1

${If} $2 == "Spynet"

ClearErrors

sleep 30

MessageBox MB_OK "$1"

${EndIf}

${LoopUntil} $1 == ""



StrCpy $NameKey "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility"  

ClearErrors

${registry::KeyExists} "$NameKey" $R0

${If} $R0 = -1

MessageBox MB_OK "NO Key"

${ElseIf} $R0 = 0

MessageBox MB_OK "OK!"

${EndIf}



${Do}

EnumRegKey $1 HKLM "SOFTWARE\Microsoft\WindowsSelfHost\UI" $0  

IntOp $0 $0 + 1

StrCpy $2 $1

${If} $2 == "Visibility"

ClearErrors

sleep 30

MessageBox MB_OK "$1"

${EndIf}

${LoopUntil} $1 == ""

SectionEnd

[JasonFriday13]

Is = the same as == ? You used both in your ${If} statements.

[stass]

With other registry keys, this code is working normally. (Forgot to specify $ {registry :: unload})
The point is not in this code, but in the principle of determining the existence of keys that does not work ...

[irfanyasinpro]

[*]Open the Registry Editor by running regedit.exe.[*]Navigate to the branch for which you want to modify the permissions.[*]Right-click on the branch, and choose Permissions…[*]Click the Advanced button.[*]In the Adv[/LIST]anced Security Settings dialog, note down the owner.

[stass]

The owner in this case does not matter.
Here is an example with the owner of TrustedInstaller.
The key is determined without problems.

Working example:

code:


!addplugindir .

!include "LogicLib.nsh"

!include "Registry.nsh"

OutFile "IfKeyExist-test.exe"

RequestExecutionLevel admin

Var NameKey



Section

StrCpy $NameKey "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\AGP"  

ClearErrors

${registry::KeyExists} "$NameKey" $R0

${If} $R0 = -1

MessageBox MB_OK "NO Key"

${ElseIf} $R0 = 0

MessageBox MB_OK "OK!"

${EndIf}

${registry::unload}

SectionEnd

[stass]

Oops ... completely forgot about SetRegView 64.