Old 17th February 2021, 08:15   #1
stass
Senior Member
 
Join Date: Nov 2012
Posts: 165
How to find out - who is the owner of any registry key?

How to find out about permissions (access rights) in NSIS: who is the owner of any registry key?
How can you use the RegGetKeySecurity function for these purposes?

P.S. AccessControl plug-in - why doesn't it work ...

code:
!addplugindir .
OutFile AccessControlTest.exe
RequestExecutionLevel admin
var Owner

Section
AccessControl::GetRegKeyOwner "HKLM" "SYSTEM\ControlSet001\Control\AGP"
Pop $Owner
MessageBox MB_OK "$Owner"
SectionEnd

Old 20th February 2021, 15:11   #2
Anders
Moderator
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,358
There was a bug, I uploaded a new version.

IntOp $PostCount $PostCount + 1
Old 24th February 2021, 11:22   #3
stass
Thank you, Anders!

Is it possible to add another very important option: who has full control over the registry key?

For example: AccessControl::GetRegKeyFullControl

FullControl : builtin\Administrators, SYSTEM
FullControl : TrustedInstaller
Old 24th February 2021, 13:12   #4
Anders
I don't see how that is useful. You can be pretty close to FullControl without actually having it. For the registry, somebody could have everything except notify right for example, this is effectively the same as FullControl. Anyone with WRITE_DAC can give themselves FullControl if they want it.

Old 24th February 2021, 13:29   #5
stass
Knowing who has full control is important for using reg files. (This is even more important than knowing who the owner of the registry key is).
If system or TI has full control, then you have to use special utilities, such as Subinacl, etc. This is important to know in advance.
For example, in PowerShell there is a GetAcl command.
Unfortunately, NSIS does not yet have such a toolkit...
Old 24th February 2021, 14:15   #6
Anders
That is simply not how ACLs work. System or TI are not special, they don't block access to others simply by existing in the ACL.

Newer versions of Windows try to make it harder for people to write to certain keys. This forces people to first take ownership of the key so that they can add write access for themselves.

Old 24th February 2021, 14:29   #7
stass
Quote:
Originally Posted by Anders View Post
Newer versions of Windows try to make it harder for people to write to certain keys. This forces people to first take ownership of the key so that they can add write access for themselves.
Therefore, I would like to solve this problem with the help of NSIS.
It would be nice with the AccessControl plug-in...
Old 24th February 2021, 14:42   #8
Anders
It already has SetRegKeyOwner

Old 25th February 2021, 06:06   #9
stass
Quote:
Originally Posted by Anders View Post
It already has SetRegKeyOwner
As it turned out, this is not enough ...
Old 25th February 2021, 11:45   #10
Anders
Because?

Old 25th February 2021, 12:52   #11
stass
Because, for example, in Windows 10, in my scripts I often have to run different reg files to change the system settings. And very often, these reg files must be run with elevated rights, which is not known in advance. You need to know who has full control over a given registry key.
Do not go into the registry every time to manually view the rights ...
Old 25th February 2021, 12:59   #12
Anders
Which keys are not working?

Old 26th February 2021, 06:48   #13
stass
There are many keys that are not available to the user due to the full control of TI or System.
For example, in Windows 10, it is often necessary to disable or stop WindowsDefender. (If you install a different antivirus or temporarily stop WindowsDefender services when executing scripts from your installer, because this antivirus is paranoid ...)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv]
"Start"=dword:00000004

Also, sometimes it is necessary to make ordinary user settings such as: disable Cloud Protection, Automatic submission of samples, etc.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet]
"SpyNetReporting"=dword:00000000
"SubmitSamplesConsent"=dword:00000000

All such registry keys cannot be listed ... And Microsoft increasingly protects the registry from the user ...
Old 26th February 2021, 11:21   #14
JasonFriday13
Major Dude
Join Date: May 2005
Location: New Zealand
Posts: 906
Quote:
Originally Posted by stass View Post
And Microsoft increasingly protects the registry from programmers ...
It's the user's choice to change it, not the programmer's choice. I would be pretty upset if a program turned off my firewall... I might start using Linux more often.

"Only a MouseHelmet will save you from a MouseTrap" -Jason Ross (Me)
NSIS 3 POSIX Ninja
Wiki Profile
Old 26th February 2021, 12:42   #15
stass
Quote:
Originally Posted by JasonFriday13 View Post
It's the user's choice to change it, not the programmer's choice.
It's a choice (or rather coercion) of Microsoft.
Programmers are just trying to help users overcome harmful prohibitions. Users using NSIS solve the same problem. Why not help them?
Old 26th February 2021, 15:14   #16
Anders
Regedit cannot take ownership of WinDefend nor Spynet. If Regedit can't do it, we can't do it.

Just to clarify, trying to set S-1-5-32-544 (BUILTIN\Administrators) as the owner of the Spynet key with SetNamedSecurityInfoW fails even though we have enabled both SE_RESTORE_NAME and SE_TAKE_OWNERSHIP_NAME in the process token.

Which tricks are you currently using to bypass this security?

See also:
https://docs.microsoft.com/en-us/win...nership-in-c--

Old 27th February 2021, 05:23   #17
stass
Registry key values for WindowsDefender change without problems when you run reg files as TrustedInstaller. (it is better to do this using special utilities such as devxexec.exe, RunAsTI.exe, PowerRun.exe, etc.)
Keys for WindowsDefender are an exception. Probably, I gave an unsuccessful example ... There shouldn't be any problems for full control detection for the rest of the registry keys.

(I tested the key
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\AGP])
Old 27th February 2021, 17:54   #18
Anders
Ideally you should probably use transacted registry when doing evil things like this but it is a start at least:

PHP Code:
requestexecutionlevel admin
unicode true
!include LogicLib.nsh

Section
!define REGROOTANDKEY 'HKLM "SYSTEM\CurrentControlSet\Control\AGP"'

; Save the original owner, group and DACL so they can be restored afterwards
AccessControl::GetRegKeyRawSD ${REGROOTANDKEY} "OGD"
Pop $1
${If} $1 P<> 0
    ; Take ownership as BUILTIN\Administrators
    AccessControl::SetRegKeyOwner ${REGROOTANDKEY} (BA)
    Pop $0
    ${If} $0 == error
        Pop $2
        DetailPrint $0:$2
    ${Else}
        AccessControl::DisableRegKeyInheritance ${REGROOTANDKEY}
        Pop $0
        ${IfThen} $0 == error ${|} Pop $0 ${|}

        ; Replace the DACL with a single FullAccess entry for Administrators
        AccessControl::ClearOnRegKey /NOINHERIT ${REGROOTANDKEY} (BA) "FullAccess"
        Pop $0
        ${If} $0 == error
            Pop $2
            DetailPrint $0:$2
        ${Else}
            WriteRegStr ${REGROOTANDKEY} "Test" "Hello World"
            MessageBox "" "I did it?"
            DeleteRegValue ${REGROOTANDKEY} "Test"
        ${EndIf}

        ; Put the saved security descriptor back
        AccessControl::SetRegKeyRawSD ${REGROOTANDKEY} "*" $1
        Pop $9
        DetailPrint RestoreSD=$9
    ${EndIf}
    AccessControl::FreeRawSD $1
${EndIf}
SectionEnd
If you want to look for your precious FullControl:

PHP Code:
; Fetch only the DACL of the key
AccessControl::GetRegKeyRawSD ${REGROOTANDKEY} "D"
Pop $1
${If} $1 P<> 0
    ; i1 = SDDL_REVISION_1, i0x4 = DACL_SECURITY_INFORMATION
    System::Call 'ADVAPI32::ConvertSecurityDescriptorToStringSecurityDescriptor(p$1,i1,i0x4,*p.r2,p0)i.r0'
    ${If} $0 <> 0
        System::Call KERNEL32::lstrcpyn(t.r0,pr2,i${NSIS_MAX_STRLEN})
        System::Call KERNEL32::LocalFree(pr2)
        MessageBox "" $0 ; https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format
    ${EndIf}
    AccessControl::FreeRawSD $1
${EndIf}
Attached Files
File Type: zip AccessControl.zip (8.1 KB, 30 views)

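Added example, not part of the thread and not code from Anders or the AccessControl plug-in: the SDDL string displayed by the second snippet above can be read mechanically to answer "who has full control", and to show why WRITE_DAC or WRITE_OWNER alone amounts to the same thing. The function names and the sample string are constructed for illustration; only allow ACEs are evaluated, deny ACEs are ignored.

```python
import re

# Registry access-mask values (winnt.h); SDDL codes map onto them.
KEY_ALL_ACCESS, KEY_READ, KEY_WRITE = 0xF003F, 0x20019, 0x20006
WRITE_DAC, WRITE_OWNER, GENERIC_ALL = 0x40000, 0x80000, 0x10000000
RIGHTS = {
    "KA": KEY_ALL_ACCESS, "KR": KEY_READ, "KW": KEY_WRITE, "KX": KEY_READ,
    "GA": KEY_ALL_ACCESS, "GR": KEY_READ, "GW": KEY_WRITE, "GX": KEY_READ,
    "SD": 0x10000, "RC": 0x20000, "WD": WRITE_DAC, "WO": WRITE_OWNER,
    "CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10, "WP": 0x20,
}
# Constructed sample DACL-only SDDL string (not read from a real key).
SAMPLE = ("D:PAI(A;CI;KA;;;SY)(A;CI;0xf002f;;;BA)(A;CI;KR;;;BU)"
          "(A;CIIO;GA;;;CO)")

def parse_rights(text):
    """Turn an SDDL rights field (hex mask or two-letter codes) into a mask."""
    if text.lower().startswith("0x"):
        mask = int(text, 16)
        return mask | (KEY_ALL_ACCESS if mask & GENERIC_ALL else 0)
    mask = 0
    for code in re.findall("..", text):
        mask |= RIGHTS[code]  # KeyError for a code this table does not list
    return mask

def who_controls(sddl):
    """Classify each trustee by the allow ACEs that apply to the key itself."""
    dacl = re.search(r"D:[A-Z_]*((?:\([^)]*\))+)", sddl)
    granted = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, _, _, trustee = ace.split(";")[:6]
        # Skip deny/audit ACEs and inherit-only (IO) ACEs, which affect subkeys.
        if ace_type != "A" or "IO" in re.findall("..", flags):
            continue
        granted[trustee] = granted.get(trustee, 0) | parse_rights(rights)
    verdict = {}
    for trustee, mask in granted.items():
        if mask & KEY_ALL_ACCESS == KEY_ALL_ACCESS:
            verdict[trustee] = "full control"
        elif mask & (WRITE_DAC | WRITE_OWNER):
            verdict[trustee] = "can grant itself full control"
        else:
            verdict[trustee] = "limited"
    return verdict

if __name__ == "__main__":
    for trustee, state in who_controls(SAMPLE).items():
        print(trustee, state)
```

In the sample, BA holds everything except the notify right (0xf002f), so it is not reported as full control, yet it carries WRITE_DAC and is flagged accordingly.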
Old 28th February 2021, 08:33   #19
stass
Great! Anders, thanks a lot! I will study and apply your coding magic.
Old 3rd March 2021, 12:07   #20
stass
I'm sorry, but I'm back to the damn registry keys in Windows 10 ...

A seemingly simple task is to determine the existence of a key in the registry. It is easy to determine whether there is such a key or not.
The key is still the same:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet

And one more:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility

But the task was not solvable!
What's the matter? How do I solve this?

code:
!addplugindir .
!include "LogicLib.nsh"
!include "Registry.nsh"
OutFile "IfKeyExist-test.exe"
RequestExecutionLevel admin
Var NameKey

Section
StrCpy $NameKey "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet"
ClearErrors
${registry::KeyExists} "$NameKey" $R0
${If} $R0 = -1
MessageBox MB_OK "NO Key"
${ElseIf} $R0 = 0
MessageBox MB_OK "OK!"
${EndIf}

StrCpy $0 0 ; start enumerating at index 0
${Do}
EnumRegKey $1 HKLM "SOFTWARE\Microsoft\Windows Defender" $0
IntOp $0 $0 + 1
StrCpy $2 $1
${If} $2 == "Spynet"
ClearErrors
sleep 30
MessageBox MB_OK "$1"
${EndIf}
${LoopUntil} $1 == ""

StrCpy $NameKey "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility"
ClearErrors
${registry::KeyExists} "$NameKey" $R0
${If} $R0 = -1
MessageBox MB_OK "NO Key"
${ElseIf} $R0 = 0
MessageBox MB_OK "OK!"
${EndIf}

StrCpy $0 0 ; reset the index left over from the previous loop
${Do}
EnumRegKey $1 HKLM "SOFTWARE\Microsoft\WindowsSelfHost\UI" $0
IntOp $0 $0 + 1
StrCpy $2 $1
${If} $2 == "Visibility"
ClearErrors
sleep 30
MessageBox MB_OK "$1"
${EndIf}
${LoopUntil} $1 == ""
SectionEnd

Old 4th March 2021, 07:19   #21
JasonFriday13
Is = the same as == ? You used both in your ${If} statements.

"Only a MouseHelmet will save you from a MouseTrap" -Jason Ross (Me)
NSIS 3 POSIX Ninja
Wiki Profile
Old 4th March 2021, 07:30   #22
stass
With other registry keys, this code is working normally. (Forgot to specify ${registry::unload})
The point is not in this code, but in the principle of determining the existence of keys that does not work ...
Old 4th March 2021, 09:28   #23
irfanyasinpro
Banned
Join Date: Feb 2021
Posts: 2
* Open the Registry Editor by running regedit.exe.
* Navigate to the branch for which you want to modify the permissions.
* Right-click on the branch, and choose Permissions…
* Click the Advanced button.
* In the Advanced Security Settings dialog, note down the owner.
Old 4th March 2021, 09:42   #24
stass
The owner in this case does not matter.
Here is an example with the owner of TrustedInstaller.
The key is determined without problems.

Working example:

code:

!addplugindir .
!include "LogicLib.nsh"
!include "Registry.nsh"
OutFile "IfKeyExist-test.exe"
RequestExecutionLevel admin
Var NameKey

Section
StrCpy $NameKey "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\AGP"
ClearErrors
${registry::KeyExists} "$NameKey" $R0
${If} $R0 = -1
MessageBox MB_OK "NO Key"
${ElseIf} $R0 = 0
MessageBox MB_OK "OK!"
${EndIf}
${registry::unload}
SectionEnd

Old 5th March 2021, 13:29   #25
stass
Oops ... completely forgot about SetRegView 64.