"Requested registry access is not allowed." and performance counte

Hi Peter,

Thank you for posting here.

From your description, you're dynamically creating
PerformanceCounter/Category in your ASP.NET webservice's code, however,
you're euncountering smoe security exception against the registry accessing
at runtime, correct?

Based on my experience, there does exists some issues regarding on the
ASP.NET idenitity doesn't have sufficient permission for accessing certain
registry entry. For your scenario, your ASP.NET application is running on
XP box, by default the ASP.NET process idenitity is the machine\ASPNET
account, however, I'm wondering whether you've used any other security
related setting in IIS or ASP.NET such as impersonation which could change
the default process idenitity of ASP.NET. You can verify this in your web
application, and here is a kb article introduce the ASP.NET process
identity:

#Process and request identity in ASP.NET
http://support.microsoft.com/?id=317012

Also, since the security exception is still complaining about the registry,
I suggest you use the regmon tool to trace the registry accessing failure,
this tool is very good at capturing reigstry access problem:

http://www.sysinternals.com/utilities/regmon.html

BTW, to help make the troubleshooting simplifed, I suggest you keep your
ASP.NET application running as "Fulltrust" mode(this is the default mode if
you haven't explicitly change the Trust level in your machine.config or
web.config).

Hope this helps.

Regards,

Steven Cheng
Microsoft MSDN Online Support Lead
==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Hi Steven. Thanks for the reply. Had a server-down situation, so it took me
a couple of days to get back to this...

After some inspection with RegMon it would appear that the ASPNET account
also needs full control over HKLM\System\CurrentControlSet\Services. I tried
several advanced permissions options, like "this key only" and "Set Value"
and "Create Subkey"; but could only get it to work if I can the ASPNET
account full control over HKLM\System\CurrentControlSet\Services--which
doesn't give me a warm-and-fuzzy.

Doing that gets rid of the "Requested registry access is not allowed"
exception text. The process gets further, by creating the
Performance-counter--related sub-keys in
HKLM\System\CurrentControlSet\Services; but,
PerformanceCounterCategory.Create now raises a Win32Exception with Message
property equal to "The handle is invalid" or ErrorCode == 0x80004005.

--
http://www.peterRitchie.com/
"Steven Cheng[MSFT]" wrote:

Hi Peter,

Thank you for posting here.

From your description, you're dynamically creating
PerformanceCounter/Category in your ASP.NET webservice's code, however,
you're euncountering smoe security exception against the registry accessing
at runtime, correct?

Based on my experience, there does exists some issues regarding on the
ASP.NET idenitity doesn't have sufficient permission for accessing certain
registry entry. For your scenario, your ASP.NET application is running on
XP box, by default the ASP.NET process idenitity is the machine\ASPNET
account, however, I'm wondering whether you've used any other security
related setting in IIS or ASP.NET such as impersonation which could change
the default process idenitity of ASP.NET. You can verify this in your web
application, and here is a kb article introduce the ASP.NET process
identity:

#Process and request identity in ASP.NET
http://support.microsoft.com/?id=317012

Also, since the security exception is still complaining about the registry,
I suggest you use the regmon tool to trace the registry accessing failure,
this tool is very good at capturing reigstry access problem:

http://www.sysinternals.com/utilities/regmon.html

BTW, to help make the troubleshooting simplifed, I suggest you keep your
ASP.NET application running as "Fulltrust" mode(this is the default mode if
you haven't explicitly change the Trust level in your machine.config or
web.config).

Hope this helps.

Regards,

Steven Cheng
Microsoft MSDN Online Support Lead
==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights

Hello,

When get the exception "The handle is invalid", are there any Access Denied
in the regmon log? You may also monitor it with another utility named
"Filemon" ( same from www.systeminternal.com), which can monitor access on
files I/O.

Also, to confirm it is a security issue, you may try run your applicaiton
in full trust and under a local administrator account; if this can make it
work, than change them back and monitor it with filemon&regmon. They may
help us find something.

Reagrds,

Luke Zhang
Microsoft Online Community Lead

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)

I believe there was no access denied entries in the Regmon log; I'll
double-check and repost if there were some.

I'll try with an admin account (an application performing the same action
running in the admin account works fine); but, my guess is it will work fine.
I'll spark up filemon with regmon and run some tests and let you know.

Thanks,
--
http://www.peterRitchie.com/
"Luke Zhang [MSFT]" wrote:

Hello,

When get the exception "The handle is invalid", are there any Access Denied
in the regmon log? You may also monitor it with another utility named
"Filemon" ( same from www.systeminternal.com), which can monitor access on
files I/O.

Also, to confirm it is a security issue, you may try run your applicaiton
in full trust and under a local administrator account; if this can make it
work, than change them back and monitor it with filemon®mon. They may
help us find something.

Reagrds,

Luke Zhang
Microsoft Online Community Lead

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights

Thank you for the reply. I will be here and wait for your update.

Regards,

Luke Zhang
Microsoft Online Community Lead

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Hi Luke.

I switched the aspnet_wp.exe user from ASPNET to administrator and re-tried
the code. There were no exceptions (i.e. no Win32Exception with message ==
"invalid handle").

There were also no ACCESS DENIED reported by regmon or filemon with the
aspnet_wp.exe user being ASPNET or administrator.

There are a few BUFFER OVERFLOW results from some of the performance counter
registry entries though, with either user.
--
http://www.peterRitchie.com/
"Peter Ritchie" wrote:

Hi Steven. Thanks for the reply. Had a server-down situation, so it took me
a couple of days to get back to this...

After some inspection with RegMon it would appear that the ASPNET account
also needs full control over HKLM\System\CurrentControlSet\Services. I tried
several advanced permissions options, like "this key only" and "Set Value"
and "Create Subkey"; but could only get it to work if I can the ASPNET
account full control over HKLM\System\CurrentControlSet\Services--which
doesn't give me a warm-and-fuzzy.

Doing that gets rid of the "Requested registry access is not allowed"
exception text. The process gets further, by creating the
Performance-counter--related sub-keys in
HKLM\System\CurrentControlSet\Services; but,
PerformanceCounterCategory.Create now raises a Win32Exception with Message
property equal to "The handle is invalid" or ErrorCode == 0x80004005.

--
http://www.peterRitchie.com/
"Steven Cheng[MSFT]" wrote:

Hi Peter,

Thank you for posting here.

From your description, you're dynamically creating
PerformanceCounter/Category in your ASP.NET webservice's code, however,
you're euncountering smoe security exception against the registry accessing
at runtime, correct?

Based on my experience, there does exists some issues regarding on the
ASP.NET idenitity doesn't have sufficient permission for accessing certain
registry entry. For your scenario, your ASP.NET application is running on
XP box, by default the ASP.NET process idenitity is the machine\ASPNET
account, however, I'm wondering whether you've used any other security
related setting in IIS or ASP.NET such as impersonation which could change
the default process idenitity of ASP.NET. You can verify this in your web
application, and here is a kb article introduce the ASP.NET process
identity:

#Process and request identity in ASP.NET
http://support.microsoft.com/?id=317012

Also, since the security exception is still complaining about the registry,
I suggest you use the regmon tool to trace the registry accessing failure,
this tool is very good at capturing reigstry access problem:

http://www.sysinternals.com/utilities/regmon.html

BTW, to help make the troubleshooting simplifed, I suggest you keep your
ASP.NET application running as "Fulltrust" mode(this is the default mode if
you haven't explicitly change the Trust level in your machine.config or
web.config).

Hope this helps.

Regards,

Steven Cheng
Microsoft MSDN Online Support Lead
==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights

Hi Peter,

Thank you for the information. So, it is still a permission issue since the
error disppeared after you change the identity. If you change it back and
moniter with regmon & Filemon, can you get some Access denied error in the
log file?

Additionally, ccan you explain more abou the error "BUFFER OVERFLOW"? how
did you find it?

Regards,

Luke Zhang
Microsoft Online Community Lead

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)