Old 17th February 2021, 09:15   #1
stass
Senior Member
 
Join Date: Nov 2012
Posts: 156
How to find out - who is the owner of any registry key?

How to find out about permissions (access rights) in NSIS, who is the owner of any registry key ?
How can you use the RegGetKeySecurity function for these purposes ?

ps AccessControl plug-in - why doesn't it work ...

code:
!addplugindir .
OutFile AccessControlTest.exe
RequestExecutionLevel admin
var Owner

Section
AccessControl::GetRegKeyOwner "HKLM" "SYSTEM\ControlSet001\Control\AGP"
Pop $Owner
MessageBox MB_OK "$Owner"
SectionEnd

Old 20th February 2021, 16:11   #2
Anders
Moderator
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,356
There was a bug, I uploaded a new version.

IntOp $PostCount $PostCount + 1
Old 24th February 2021, 12:22   #3
stass
Senior Member
 
Join Date: Nov 2012
Posts: 156
Thank you Anders !

Is it possible to add another very important option: who has full control over the registry key ?

For example: AccessControl::GetRegKeyFullControl

FullControl: BUILTIN\Administrators, SYSTEM
FullControl: TrustedInstaller
Old 24th February 2021, 14:12   #4
Anders
Moderator
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,356
I don't see how that is useful. You can be pretty close to FullControl without actually having it. For the registry, somebody could have everything except the notify right, for example; this is effectively the same as FullControl. Anyone with WRITE_DAC can give themselves FullControl if they want it.

IntOp $PostCount $PostCount + 1
Old 24th February 2021, 14:29   #5
stass
Senior Member
 
Join Date: Nov 2012
Posts: 156
Knowing who has full control is important for using reg files. (This is even more important than knowing who the owner of the registry key is).
If system or TI has full control, then you have to use special utilities, such as Subinacl, etc. This is important to know in advance.
For example, in PowerShell there is a GetAcl command.
Unfortunately, NSIS does not yet have such a toolkit...
Old 24th February 2021, 15:15   #6
Anders
Moderator
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,356
That is simply not how ACLs work. System or TI are not special, they don't block access to others simply by existing in the ACL.

Newer versions of Windows try to make it harder for people to write to certain keys. This forces people to first take ownership of the key so that they can add write access for themselves.

IntOp $PostCount $PostCount + 1
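Anders's point in posts #4 and #6, as an added PowerShell example (this is not code from the thread or from the AccessControl plug-in; the function name is my own and the key path is just the AGP key stass tested): read the owner and DACL of a key with Get-Acl, then classify every ACE so that an Allow entry carrying WRITE_DAC (ChangePermissions) or WRITE_OWNER (TakeOwnership) is reported as effectively full control even when it is not literally FullControl, and list the owner separately because the owner can always rewrite the DACL regardless of what the ACL says.

```powershell
# Added example, not from the thread or the AccessControl plug-in.
# Reports who effectively has full control over a registry key:
#   - literal FullControl (or GENERIC_ALL on inherit-only entries), or
#   - any Allow ACE with ChangePermissions (WRITE_DAC) / TakeOwnership (WRITE_OWNER),
#     since either lets the holder grant itself everything else.
# The owner is reported separately: an object's owner can always take WRITE_DAC back.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows. Reading the security
# descriptor needs READ_CONTROL on the key, so Get-Acl throws if the caller lacks it.
using namespace System.Security.AccessControl

function Get-EffectiveFullControl {
    param(
        [Parameter(Mandatory)]
        [string]$KeyPath   # PowerShell registry path, e.g. 'HKLM:\SYSTEM\CurrentControlSet\Control\AGP'
    )

    $acl = Get-Acl -Path $KeyPath
    $escalating = [RegistryRights]::ChangePermissions -bor [RegistryRights]::TakeOwnership
    $genericAll = 0x10000000   # GENERIC_ALL, as seen on inherit-only ACEs before mapping

    $entries = foreach ($ace in $acl.Access) {
        $rights = $ace.RegistryRights
        $literalFull = (($rights -band [RegistryRights]::FullControl) -eq [RegistryRights]::FullControl) -or
                       (([int]$rights -band $genericAll) -ne 0)
        $canEscalate = ([int]($rights -band $escalating)) -ne 0
        [pscustomobject]@{
            Identity             = $ace.IdentityReference.Value
            Type                 = $ace.AccessControlType
            Inherited            = $ace.IsInherited
            Rights               = $rights
            LiteralFullControl   = $literalFull
            EffectiveFullControl = ($ace.AccessControlType -eq [AccessControlType]::Allow) -and
                                   ($literalFull -or $canEscalate)
        }
    }

    [pscustomobject]@{
        Key     = $KeyPath
        Owner   = $acl.Owner      # owner can always regain WRITE_DAC
        Sddl    = $acl.Sddl       # same SDDL text as ConvertSecurityDescriptorToStringSecurityDescriptor
        Entries = @($entries)
    }
}

# Sample run from an elevated prompt; the key is only a sample.
$report = Get-EffectiveFullControl -KeyPath 'HKLM:\SYSTEM\CurrentControlSet\Control\AGP'
"Owner : $($report.Owner)"
"SDDL  : $($report.Sddl)"
$report.Entries | Format-Table Identity, Type, Inherited, LiteralFullControl, EffectiveFullControl -AutoSize
```

Two caveats when reading the report: a Deny ACE earlier in the DACL overrides a later Allow for the same trustee, so EffectiveFullControl is a per-entry classification rather than a full access check, and a key such as the WinDefend or Spynet ones from later in the thread may refuse READ_CONTROL to administrators altogether, in which case Get-Acl fails before any classification happens.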
Old 24th February 2021, 15:29   #7
stass
Senior Member
 
Join Date: Nov 2012
Posts: 156
Quote:
Originally Posted by Anders
Newer versions of Windows try to make it harder for people to write to certain keys. This forces people to first take ownership of the key so that they can add write access for themselves.
Therefore, I would like to solve this problem with the help of NSIS.
It would be nice with the AccessControl plug-in...
Old 24th February 2021, 15:42   #8
Anders
Moderator
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,356
It already has SetRegKeyOwner

IntOp $PostCount $PostCount + 1
Old 25th February 2021, 07:06   #9
stass
Senior Member
 
Join Date: Nov 2012
Posts: 156
Quote:
Originally Posted by Anders
It already has SetRegKeyOwner
As it turned out, this is not enough ...
Old 25th February 2021, 12:45   #10
Anders
Moderator
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,356
Because?

IntOp $PostCount $PostCount + 1
Old 25th February 2021, 13:52   #11
stass
Senior Member
 
Join Date: Nov 2012
Posts: 156
Because, for example, in Windows 10, in my scripts I often have to run different reg files to change the system settings. And very often, these reg files must be run with elevated rights, which is not known in advance. You need to know who has full control over a given registry key.
Do not go into the registry every time to manually view the rights ...
Old 25th February 2021, 13:59   #12
Anders
Moderator
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,356
Which keys are not working?

IntOp $PostCount $PostCount + 1
Old Yesterday, 07:48   #13
stass
Senior Member
 
Join Date: Nov 2012
Posts: 156
There are many keys that are not available to the user due to the full control of TI or System.
For example, in Windows 10, it is often necessary to disable or stop WindowsDefender. (If you install a different antivirus or temporarily stop WindowsDefender services when executing scripts from your installer, because this antivirus is paranoid ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv]
"Start"=dword:00000004

Also, sometimes it is necessary to make ordinary user settings such as: disable Cloud Protection, Automatic submission of samples, etc.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet]
"SpyNetReporting"=dword:00000000
"SubmitSamplesConsent"=dword:00000000

All such registry keys cannot be listed ... And Microsoft increasingly protects the registry from the user ...
Old Yesterday, 12:21   #14
JasonFriday13
Major Dude
 
Join Date: May 2005
Location: New Zealand
Posts: 901
Quote:
Originally Posted by stass
And Microsoft increasingly protects the registry from programmers ...
It's the user's choice to change it, not the programmer's choice. I would be pretty upset if a program turned off my firewall... I might start using Linux more often.

"Only a MouseHelmet will save you from a MouseTrap" -Jason Ross (Me)
NSIS 3 POSIX Ninja
Wiki Profile
Old Yesterday, 13:42   #15
stass
Senior Member
 
Join Date: Nov 2012
Posts: 156
Quote:
Originally Posted by JasonFriday13
It's the user's choice to change it, not the programmer's choice.
It's a choice (or rather coercion) of Microsoft.
Programmers are just trying to help users overcome harmful prohibitions. Users using NSIS solve the same problem. Why not help them?
Old Yesterday, 16:14   #16
Anders
Moderator
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,356
Regedit cannot take ownership of WinDefend nor Spynet. If Regedit can't do it, we can't do it.

Just to clarify, trying to set S-1-5-32-544 (BUILTIN\Administrators) as the owner of the Spynet key with SetNamedSecurityInfoW fails even though we have enabled both SE_RESTORE_NAME and SE_TAKE_OWNERSHIP_NAME in the process token.

Which tricks are you currently using to bypass this security?

See also:
https://docs.microsoft.com/en-us/win...nership-in-c--

IntOp $PostCount $PostCount + 1
Old Today, 06:23   #17
stass
Senior Member
 
Join Date: Nov 2012
Posts: 156
Registry key values for WindowsDefender change without problems when you run reg files as TrustedInstaller. (it is better to do this using special utilities such as devxexec.exe, RunAsTI.exe, PowerRun.exe, etc.)
Keys for WindowsDefender are an exception. Probably, I gave an unsuccessful example ... There shouldn't be any problems for full control detection for the rest of the registry keys.

(I tested the key
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\AGP] )
Old Today, 18:54   #18
Anders
Moderator
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 5,356
Ideally you should probably use transacted registry when doing evil things like this but it is a start at least:

PHP Code:
RequestExecutionLevel admin
Unicode true
!include LogicLib.nsh

Section
!define REGROOTANDKEY 'HKLM "SYSTEM\CurrentControlSet\Control\AGP"'

; Save the current owner, group and DACL so they can be restored afterwards
AccessControl::GetRegKeyRawSD ${REGROOTANDKEY} "OGD"
Pop $1
${If} $1 P<> 0
    ; Take ownership as BUILTIN\Administrators (SDDL alias BA)
    AccessControl::SetRegKeyOwner ${REGROOTANDKEY} (BA)
    Pop $0
    ${If} $0 == error
        Pop $2
        DetailPrint "$0:$2"
    ${Else}
        AccessControl::DisableRegKeyInheritance ${REGROOTANDKEY}
        Pop $0
        ${IfThen} $0 == error ${|} Pop $2 ${|}

        ; Replace the DACL with a single full-access entry for Administrators
        AccessControl::ClearOnRegKey /NOINHERIT ${REGROOTANDKEY} (BA) "FullAccess"
        Pop $0
        ${If} $0 == error
            Pop $2
            DetailPrint "$0:$2"
        ${Else}
            WriteRegStr ${REGROOTANDKEY} "Test" "Hello World"
            MessageBox "" "I did it?"
            DeleteRegValue ${REGROOTANDKEY} "Test"
        ${EndIf}

        ; Put the saved security descriptor back
        AccessControl::SetRegKeyRawSD ${REGROOTANDKEY} "*" $1
        Pop $9
        DetailPrint "RestoreSD=$9"
    ${EndIf}
    AccessControl::FreeRawSD $1
${EndIf}
SectionEnd
If you want to look for your precious FullControl:

PHP Code:
AccessControl::GetRegKeyRawSD ${REGROOTANDKEY} "D"
Pop $1
${If} $1 P<> 0
    ; SDDL_REVISION_1 = 1, DACL_SECURITY_INFORMATION = 0x4
    System::Call 'ADVAPI32::ConvertSecurityDescriptorToStringSecurityDescriptor(p$1,i1,i0x4,*p.r2,p0)i.r0'
    ${If} $0 <> 0
        System::Call KERNEL32::lstrcpy(t.r0,pr2)
        System::Call KERNEL32::LocalFree(pr2)
        MessageBox "" $0 ; string format: https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format
    ${EndIf}
    AccessControl::FreeRawSD $1
${EndIf}
Attached Files
File Type: zip AccessControl.zip (8.1 KB, 0 views)

IntOp $PostCount $PostCount + 1