RegistryPermissionAttribues

  • Thread starter Thread starter John Bowman
  • Start date Start date
J

John Bowman

Hi All,

I've got an app I need to modifiy that's written in C# VS2005/.NET 2.0 which
is dsigned to ONLY run when the logged in user has administrator privileges.
At one point it needs to delete a HKLM\Software\... registry value if it
has, in fact, created it. So there is a method that deletes this registry
key. The method has the following RegistryPermission attributes....

[RegistryPermissionAttribute(SecurityAction.PermitOnly,
Read=@"HKEY_LOCAL_MACHINE\Software\My Company Name"]

[RegistryPermissionAttribute(SecurityAction.PermitOnly,
Write=@"HKEY_LOCAL_MACHINE\Software\My Company Name"]

This all works just fine on WinXP, but throws an exception under WinVista
Build: 5384:

"Request for the permission of type
'System.Security.Permissions.UIPermission, mscorlib, Version=2.0.0.0,
Culture=neutral, PublicKey Token=b77a5c561934e089' failed."

I'm fairly new to security stuff under .NET. Has something changed in
WinVista as compared to WinXPSP2 that would be expected to cause this or is
this a known issue WinVista? What can I do to work around it? I'm NOT
allowed to move the setting to HKCU\Software\My Company Name" since other
programs rely upon it being there while this app is running and they will
NOT necessarily be changing to run under
WinVista.

TIA,
 
Hello,

If you need to delete a registry key in HKLM, your program will have to be
running elevated. Remember, in Windows Vista, programs are only given normal
user access to the system unless your program asks the user to elevate it.

The solution is to create a vista-compatible manifest for your program that
tells Windows Vista that your program requires administrator permissions.
This will cause your program to prompt the user for permission every time it
is started.

However, this should only be done if your entire program always needs admin
power. If possible, your program should be designed to run as a standard
user. If there are just a few chunks of your program that need admin
permission, you should seperate those chunks out of your main program into
secondary programs that have the special manifest, and call these programs
from your main program when you need to do those admin tasks. This way, your
program will only prompt the user for admin permission when it is doing
those certain tasks that requires admin powers. This will make your program
more secure. This is similar to the way Windows Explorer works when it needs
to perform privileged operations on files/folders that require administrator
permission.
 
Jimmy,

Thanks for the additional info. Unfortunately this program happens to be a
program whose purpose in life is to manage and launch numerous other program
installers (all MSI based). There are times when the called MSI packages
that are not changing for quite a while) will need to read special settings
in the reg - which unfortunately they expect it in HKLM for historical
backward compatibility reasons - placed there by this calling program. When
all is complete this program needs to clean up after itself. So it needs
full admin while it's running.

That said, how do I create a "vista-compatible manifest"? Can you point me
to some doc's that describe how to go about this?

Thanks!

John
 
Hello Mr. Brush,

I have a similar situation, but in "native" windows...

You say:

"If there are just a few chunks of your program that need admin
permission, you should seperate those chunks out of your main program into
secondary programs that have the special manifest, and call these programs
from your main program when you need to do those admin tasks. "

In C++, that implies a COM component, how does one make such a component?
Available to perform secure tasks otherwise requiring higher permissions.

I know how to do this for IE7 (protected mode), but how to do it for another
application?

Is the component registered in a special way?

Is there a special registry location for such components?

Is there a .net manifest equivalent for C++ dev?

Other?


--
Thanks so much,

george

_________________________
George S. Lockwood
Lead Client Developer
peoplePC, an EarthLink company
 
Back
Top