Registry Permissions

Al Kaufman

I have a simple console app that uses:

regSubKey = <some registry key>
Dim reg As RegistryKey = Registry.ClassesRoot.OpenSubKey(regSubKey)

Dim path As String

path = CStr(reg.GetValue(""))


to grab the default value of a registry key.

It works great on my machine. When I try to
access the application from another machine, it fails due to security
issues. Specifically I get an error message regarding
System.Security.Permissions.RegistryPermissions. Apparently I don't have
permission to read the registry on the remote PC.

How can this be handled?

Thanks,

Al
 
Hi,

Thanks for posting in the community.

First of all, I would like to confirm my understanding of your issue.
From your description, I understand that your app, which accesses the local
registry successfully, does not work for a remote registry.
Have I fully understood you? If there is anything I misunderstood, please
feel free to let me know.

From the MSDN,
In order for a key to be opened remotely, both machines (the service, and
client) must be running the remote registry service, and have remote
administration enabled.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfmicrosoftwin32registrykeyclassopenremotebasekeytopic.asp


As the feature is provided by the OS and not by the .NET Framework, the
regular policies apply. The user of the application needs the Administrator
privilege on the remote machine. Additionally, in order for a key to be
opened remotely, both machines (the service, and client) must be running the
remote registry service, and have remote administration enabled.

You may try to log on as a user in the Administrators group. Here is my
test code.
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    ' Open HKEY_LOCAL_MACHINE on the remote computer
    Dim regLocalMachine As RegistryKey = RegistryKey.OpenRemoteBaseKey(RegistryHive.LocalMachine, "<Computer Name>")
    ' Open the subkey read-only (writable = False)
    Dim regComputerName As RegistryKey = regLocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName", False)
    MessageBox.Show(CStr(regComputerName.GetValue("ComputerName")))
End Sub

Please apply my suggestion above and let me know if it helps resolve your
problem.


Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Peter,

Thanks for your response. I should have been more specific. Here's what
I'm trying to do:

My application will reside on a central server and be run from PCs on the
LAN. Its intent is to launch Microsoft Access applications which reside on
the central server. That means that each individual PC must launch its
local version of MSAccess.exe. My application looks in the registry for the
path to MSAccess.exe and then launches it. The problem is that I cannot
read the registry on the local PC.

If you need any more information, please let me know. Thanks for your help,

Al
 
Hi,

Thanks for your quick reply!

Here I want to reword your scenario as below.

1. A central server SRV which will share the winform application in a shared
folder.
2. E.g. PC A will access the winform application by using a UNC path, i.e.
\\SRV\Sharedfolder\winapp.exe
3. The winapp will check the MSAccess.exe path on PC A, and the winapp
will launch the application.

In this scenario, the winapp.exe run from the UNC path needs the CAS
permission on PC A.
You may set it by following the steps below.
1. Run the command line below
%systemroot%\Microsoft.NET\Framework\v1.1.4322\mscorcfg.msc
to open the .NET Configuration 1.1
(you may also open the dialog by browsing to Control Panel/Administrative
Tools/Microsoft .NET Framework 1.1 Configuration)

2. Navigate to My Computer/Runtime Security Policy/Machine/Code
Groups/All_Code/Internet_Zone
3. Right click on the Internet_Zone and select New...
4. Check "Create a new code group", input text into name (e.g.
Testcodegroup), Next
5. In the drop down box select URL; in the URL: input the UNC path; the
format is similar to below
\\SRV\Sharedfolder\*

Next
6. Check "Use existing permission set:", select Full Trust, Next
7. Finish

8. Run \\SRV\Sharedfolder\winapp.exe on PC A to see if the problem
persists.




BTW
Its intent is to launch Microsoft Access applications which reside on
the central server. That means that each individual PC must launch its
local version of MSAccess.exe.

So I am confused by your statement about where the Microsoft Access
applications reside.
Is it on the central server SRV or PC A?

Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Peter,

I don't think it makes any difference but my application is a console
application, not a windows application. For clarification purposes, my .NET
application's exe resides on PC A, but that's just a maintenance and
administration convenience. It would be a headache but it could be
installed on each PC. If it is installed on a PC, it runs just fine, i.e.,
there is no problem reading the registry. If the application is installed
on PC A and run from PC B then PC B's registry cannot be read.

Here's where I get confused. When the application is executed from PC B, I
thought it was running on the PC B regardless of the location of the exe. I
didn't think the location of the exe controlled where the application was
running. Are you saying that the application is running on PC A and is
therefore attempting to access the registry on PC B that it considers
remote?

The bottom line seems to be: Installed locally, the application can read
the registry. Installed remotely but run locally, the application cannot
read the registry.

Thanks again for your help,

Al
 
Hi,

Thanks for your quick reply!

Comments in line.

Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: "Al Kaufman" <[email protected]>
Subject: Re: Registry Permissions
Date: Fri, 20 Feb 2004 09:56:34 -0600

Peter,

I don't think it makes any difference but my application is a console
application, not a windows application. For clarification purposes, my .NET
application's exe resides on PC A, but that's just a maintenance and
administration convenience. It would be a headache but it could be
installed on each PC. If it is installed on a PC, it runs just fine, i.e.,
there is no problem reading the registry. If the application is installed
on PC A and run from PC B then PC B's registry cannot be read.

From your description, I assume that your application is similar to the code
below. That is to say, it will not need any other resource, e.g. it does not
need to open a file that is located on PC A, and it does not have some
information in the registry on PC A in particular.

Imports System
Imports Microsoft.Win32
Module Module1
    Public Sub Main()
        ' Opened against the remote machine, but not used below.
        Dim regLocalMachine As RegistryKey = RegistryKey.OpenRemoteBaseKey(RegistryHive.LocalMachine, "sha-phuang-03")
        ' This read goes to the local registry (read-only open).
        Dim regComputerName As RegistryKey = Registry.LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName", False)
        Console.WriteLine(regComputerName.GetValue("ComputerName"))
    End Sub
End Module


Here's where I get confused. When the application is executed from PC B, I
thought it was running on the PC B regardless of the location of the exe. I
didn't think the location of the exe controlled where the application was
running. Are you saying that the application is running on PC A and is
therefore attempting to access the registry on PC B that it considers
remote?

Yes. If an application is located on PC A and you share the application
via a UNC path, then when you run the application from PC B, the code will
run on PC B.

But the .NET Framework has a security model (CAS, code access security).
You can give applications from different places different security levels.
As I said in my last post, Microsoft .NET Framework 1.1 Configuration will
help you configure the permission for applications from different places.
By default, code from the local machine has high privilege, so it can do
things that need high privilege. An application from outside the local
machine is given less privilege, so when you run the application from
another PC you will get the security exception, which is thrown by the .NET
Framework.
So to run the application located on PC A from PC B, you must change the
default CAS setting on PC B as I said in my last post.

For detailed information about the .NET Framework Configuration Tool, take a
look at the link below.
.NET Framework Tools
.NET Framework Configuration Tool (Mscorcfg.msc)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpconnetframeworkadministrationtoolmscorcfgmsc.asp
 
Hello Peter,

Sorry if I don't seem to be getting the point but here's a little more
information that, hopefully, will clarify my understanding.

My code contains something like:

Dim regSubKey As String
regSubKey = "Access.Application.8\shell\Open\Command"
Dim reg As RegistryKey = Registry.ClassesRoot.OpenSubKey(regSubKey)
Console.Write(CStr(reg.GetValue("")))

I am not using OpenRemoteBaseKey, i.e., I am not trying to read the
registry on a remote PC. I am trying to read the registry on the local PC.
The exe resides on a remote PC, call it PC A, but it is executed from PC B
and the intent is to read the registry on PC B.

If after reading this, your suggested resolution is the same, i.e., the
permissions at each PC on which the application runs will need to be
changed, is there a way to do it programmatically? The intent of this little
application was to avoid having to change settings on each PC and reduce the
administrative duties.

Thanks for your patience,

Al
 
Hi,

I am sorry for the confusion, but even if we do not use OpenRemoteBaseKey,
the code access security setting is also needed to run the code below.

Dim regComputerName As RegistryKey = Registry.LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName", False)
Console.WriteLine(regComputerName.GetValue("ComputerName"))

Also, the .NET Framework provides a tool for us to modify the CAS
setting (caspol.exe).
You may find it by referring to the link below.

Adding Code Groups
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaddingcodegrouptocodegrouphierarchy.asp

More detailed information about caspol:
Code Access Security Policy Tool (Caspol.exe)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpgrfCodeAccessSecurityPolicyUtilityCaspolexe.asp

Here I have written the code for you. You may need to run the command line
on PC B, and the other machines which need to access the WinAPP.exe will
need to run the command line locally; running it just once is OK. (I assume
the Winapp.exe is on PCA.)

caspol -q -m -addgroup 1 -url \\PCA\Sharedfolder\Winapp.exe FullTrust

[Note:]
caspol is usually located in the path below
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\caspol.exe

The code above will grant \\PCA\Sharedfolder\Winapp.exe the FullTrust
permission so that it can read the local registry. You may try to save the
command line above as a bat file (e.g. setting.cmd)

so that your user can run setting.cmd just once to set the CAS
setting.

If you have any concern on this issue, please post here.

Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
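
Added example, not code from any poster in this thread: a VB.NET console program (.NET Framework, where CAS applies) that performs the registry lookup discussed above and reports a CAS denial or a missing key as a distinct exit code instead of an unhandled exception. The module and function names, the exit codes, and the sample command line in the comment are assumptions made for illustration.

```vb
Imports System
Imports System.Security
Imports System.Security.Permissions
Imports Microsoft.Win32
Module AccessPathLookup
    ' Key name from the thread; RegistryPermission takes the full name including the hive.
    Private Const SubKey As String = "Access.Application.8\shell\Open\Command"
    Private Const FullKey As String = "HKEY_CLASSES_ROOT\" & SubKey

    ' Extracts the exe path from an "open" command; constructed sample: "C:\Apps\MSACCESS.EXE" /NOSTARTUP "%1"
    Function ExePathFromCommand(ByVal command As String) As String
        If command Is Nothing Then Return Nothing
        command = command.Trim()
        If command.Length = 0 Then Return Nothing
        If command.Chars(0) = """"c Then
            Dim closing As Integer = command.IndexOf(""""c, 1)
            If closing < 0 Then Return Nothing ' unbalanced quote: refuse to guess
            Return command.Substring(1, closing - 1)
        End If
        Dim firstBlank As Integer = command.IndexOf(" "c)
        If firstBlank < 0 Then Return command
        Return command.Substring(0, firstBlank)
    End Function

    Function Main() As Integer
        Dim reg As RegistryKey = Nothing
        Try
            ' Demand exactly the permission the read needs, so a policy denial surfaces here.
            Dim perm As New RegistryPermission(RegistryPermissionAccess.Read, FullKey)
            perm.Demand()
            reg = Registry.ClassesRoot.OpenSubKey(SubKey) ' read-only open
            If reg Is Nothing Then
                Console.Error.WriteLine("Key not found: " & FullKey)
                Return 2
            End If
            Dim exePath As String = ExePathFromCommand(CStr(reg.GetValue("")))
            If exePath Is Nothing Then
                Console.Error.WriteLine("No usable default value under " & FullKey)
                Return 3
            End If
            Console.WriteLine(exePath)
            Return 0
        Catch ex As SecurityException
            Console.Error.WriteLine("CAS policy denies read of " & FullKey & ": " & ex.Message)
            Return 1
        Finally
            If Not reg Is Nothing Then reg.Close()
        End Try
    End Function
End Module
```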
 
Hi
I followed the posting and understand the security requirements for an
app to access the local machine's registry.

Is there a programmatic way of reading a local machine's registry even
when executed using UNC?

thanks!
 