Access HKCU from an app with another set of credentials

Hi,

Take a look at the registrypermiss ion class
http://msdn.microsoft.com/library/de...classtopic.asp

Ken
-----------------
"MSDN Account" <ni********@nos pam.nospam> wrote in message
news:uh******** ******@TK2MSFTN GP12.phx.gbl...
I have looked at the documentation for 'Microsoft.Win3 2.Registry' and
'System.Securit y.Permissions.R egistryPermissi on' but am still stuck, hoping
some can give me a nudge in the right direction.

I would like to be able to modify the GPO Policy keys under HKCU for the
logged user from an application. Because they are read only to the user can
I prompt for an ID and PW (say a support tech) that can be used to access
the keys with read/write permissions?

Thanks Dan Rhoads

Hi

In addition to Ken's suggestion, what is the exact registry key you want to
change?
What is the registry key's permission setting? You may check it by
following the steps below.
1. run regedit
2. Navigate to the registry key node
3. right click on the key and select permissions, check it to see if you
have permission.

The HKCU is only valid for the current logon user, if another user logon,
the HKCU will be loaded for that user.
So also through we can call the logonuser API to run the currect process in
another user's credential, but this will also cause the OS to load another
user's HKCU.

If you still have any concern, please feel free to post here.

Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

Hi Ken,

I have already been there, I will check again, maybe I missed what I was
lookoing for.

Dan R

"Ken Tucker [MVP]" <vb***@bellsout h.net> wrote in message
news:eP******** ******@tk2msftn gp13.phx.gbl...

Hi,

Take a look at the registrypermiss ion class
http://msdn.microsoft.com/library/de...classtopic.asp
Ken
-----------------
"MSDN Account" <ni********@nos pam.nospam> wrote in message
news:uh******** ******@TK2MSFTN GP12.phx.gbl...
I have looked at the documentation for 'Microsoft.Win3 2.Registry' and
'System.Securit y.Permissions.R egistryPermissi on' but am still stuck, hoping some can give me a nudge in the right direction.

I would like to be able to modify the GPO Policy keys under HKCU for the
logged user from an application. Because they are read only to the user can I prompt for an ID and PW (say a support tech) that can be used to access
the keys with read/write permissions?

Thanks Dan Rhoads

Peter,

GPO keys are stored in to two locations in HCKU (ignoring HKLM for now).

HKEY_CURRENT_US ER\Software\Mic rosoft\Windows\ CurrentVersion\ Policies
HKEY_CURRENT_US ER\Software\Pol icies

These keys, and all sub keys are at a minimum full control to
<computername>\ administrators and read only to the end user (provided the
user does not have membership in <computername>\ administrators. The reason
it is read only to the end users is to prevent them from removing policy
from themselves.

Here is an example of usage am I looking for:
The GPO applied to the end user has the "Disable registry editing tools"
policy enable which prevents a support tech from opening REGEDIT with the
user logged to review the user's HKCU hive. I would like to ask the support
tech for his credentials, which are in <computername>\ administrators, to use
to access the keys above (in the users hive) to delete the policy that
disables the registry editing tools. This would temporarily allow access to
the end users HKCU hive. A GPUPDATE (or SECEDIT) could be run to restore
any key(s) there were removed. We have a fairly locked down user
environment and allowing the support tech to temporally remove policies
would be helpful for them.

Thanks,
Dan Rhoads
""Peter Huang" [MSFT]" <v-******@online.m icrosoft.com> wrote in message
news:G2******** ******@TK2MSFTN GXA02.phx.gbl.. .

Hi

In addition to Ken's suggestion, what is the exact registry key you want to change?
What is the registry key's permission setting? You may check it by
following the steps below.
1. run regedit
2. Navigate to the registry key node
3. right click on the key and select permissions, check it to see if you
have permission.

The HKCU is only valid for the current logon user, if another user logon,
the HKCU will be loaded for that user.
So also through we can call the logonuser API to run the currect process in another user's credential, but this will also cause the OS to load another
user's HKCU.

If you still have any concern, please feel free to post here.

Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

Hi Dan,

I am sorry that I ahve made a mistake about the LogonUser.
Based on my test, we can use the LogonUser and WindowsIdentity to
impersonate the current thread running at another high rights account .e.g
the administrator.
<PermissionSetA ttribute(Securi tyAction.Demand , Name:="FullTrus t")> _
Private Sub Impersonate()
Dim tokenHandle As New IntPtr(0)
Dim dupeTokenHandle As New IntPtr(0)
Try
Dim userName, domainName As String
domainName = Environment.Mac hineName
userName = "Test"
Const LOGON32_PROVIDE R_DEFAULT As Integer = 0
Const LOGON32_LOGON_I NTERACTIVE As Integer = 2
Const SecurityImperso nation As Integer = 2
tokenHandle = IntPtr.Zero
dupeTokenHandle = IntPtr.Zero
Dim returnValue As Boolean = LogonUser(userN ame, domainName,
"Password01 !", LOGON32_LOGON_I NTERACTIVE, LOGON32_PROVIDE R_DEFAULT,
tokenHandle)
Console.WriteLi ne("LogonUser called.")
If False = returnValue Then
Dim ret As Integer = Marshal.GetLast Win32Error()
Console.WriteLi ne("LogonUser failed with error code : {0}",
ret)
Console.WriteLi ne(ControlChars .Cr + "Error: [{0}] {1}" +
ControlChars.Cr , ret, GetErrorMessage (ret))
Return
End If

Dim success As String
If returnValue Then success = "Yes" Else success = "No"
Console.WriteLi ne(("Did LogonUser succeed? " + success))
Console.WriteLi ne(("Value of Windows NT token: " +
tokenHandle.ToS tring()))

' Check the identity.
Console.WriteLi ne(("Before impersonation: " +
WindowsIdentity .GetCurrent().N ame))

Dim retVal As Boolean = DuplicateToken( tokenHandle,
SecurityImperso nation, dupeTokenHandle )
If False = retVal Then
CloseHandle(tok enHandle)
Console.WriteLi ne("Exception thrown in trying to duplicate
token.")
Return
End If

' TThe token that is passed to the following constructor must
' be a primary token in order to use it for impersonation.
Dim newId As New WindowsIdentity (dupeTokenHandl e)
Dim impersonatedUse r As WindowsImperson ationContext =
newId.Impersona te()

' Check the identity.
System.Diagnost ics.Debug.Write Line(("After impersonation: " +
WindowsIdentity .GetCurrent().N ame))
Test()
' Stop impersonating the user.
impersonatedUse r.Undo()

' Check the identity.
System.Diagnost ics.Debug.Write Line(("After Undo: " +
WindowsIdentity .GetCurrent().N ame))
' Free the tokens.
If Not System.IntPtr.o p_Equality(toke nHandle, IntPtr.Zero) Then
CloseHandle(tok enHandle)
End If
If Not System.IntPtr.o p_Equality(dupe TokenHandle, IntPtr.Zero)
Then
CloseHandle(dup eTokenHandle)
End If
Catch ex As Exception
Console.WriteLi ne(("Exception occurred. " + ex.Message))
End Try
End Sub

Private Sub Test()
Dim subkey As RegistryKey =
Registry.Curren tUser.OpenSubKe y("Software\Mic rosoft\Windows\ CurrentVersion\ P
olicies\Explore r\Test", True)
subkey.SetValue ("Hello", 1)
End Sub

Private Sub Button1_Click(B yVal sender As System.Object, ByVal e As
System.EventArg s) Handles Button1.Click
Try
Test() 'The line will fail, because the current user account
has not permission.
Catch ex As Exception
MsgBox(ex.ToStr ing())
End Try

Impersonate() 'Impersonate to another user to do the registry key
write..
End Sub

Also here is a detailed link about the issue, you may take at look.
How to impersonate a user in .NET (VB.NET, C#)
http://msdn.microsoft.com/library/de...us/cpref/html/
frlrfSystemSecu rityPrincipalWi ndowsIdentityCl assImpersonateT opic2.asp
Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

Peter,

No need to apologize, I could have been clearer in my first post. More
importantly THANK YOU! This was the nudge (you gave me more than I hoped
for!) I was looking for.

Dan Rhoads

""Peter Huang" [MSFT]" <v-******@online.m icrosoft.com> wrote in message
news:Uq******** ******@TK2MSFTN GXA01.phx.gbl.. .

Hi Dan,

I am sorry that I ahve made a mistake about the LogonUser.
Based on my test, we can use the LogonUser and WindowsIdentity to
impersonate the current thread running at another high rights account .e.g
the administrator.
<PermissionSetA ttribute(Securi tyAction.Demand , Name:="FullTrus t")> _
Private Sub Impersonate()
Dim tokenHandle As New IntPtr(0)
Dim dupeTokenHandle As New IntPtr(0)
Try
Dim userName, domainName As String
domainName = Environment.Mac hineName
userName = "Test"
Const LOGON32_PROVIDE R_DEFAULT As Integer = 0
Const LOGON32_LOGON_I NTERACTIVE As Integer = 2
Const SecurityImperso nation As Integer = 2
tokenHandle = IntPtr.Zero
dupeTokenHandle = IntPtr.Zero
Dim returnValue As Boolean = LogonUser(userN ame, domainName,
"Password01 !", LOGON32_LOGON_I NTERACTIVE, LOGON32_PROVIDE R_DEFAULT,
tokenHandle)
Console.WriteLi ne("LogonUser called.")
If False = returnValue Then
Dim ret As Integer = Marshal.GetLast Win32Error()
Console.WriteLi ne("LogonUser failed with error code : {0}", ret)
Console.WriteLi ne(ControlChars .Cr + "Error: [{0}] {1}" +
ControlChars.Cr , ret, GetErrorMessage (ret))
Return
End If

Dim success As String
If returnValue Then success = "Yes" Else success = "No"
Console.WriteLi ne(("Did LogonUser succeed? " + success))
Console.WriteLi ne(("Value of Windows NT token: " +
tokenHandle.ToS tring()))

' Check the identity.
Console.WriteLi ne(("Before impersonation: " +
WindowsIdentity .GetCurrent().N ame))

Dim retVal As Boolean = DuplicateToken( tokenHandle,
SecurityImperso nation, dupeTokenHandle )
If False = retVal Then
CloseHandle(tok enHandle)
Console.WriteLi ne("Exception thrown in trying to duplicate
token.")
Return
End If

' TThe token that is passed to the following constructor must
' be a primary token in order to use it for impersonation.
Dim newId As New WindowsIdentity (dupeTokenHandl e)
Dim impersonatedUse r As WindowsImperson ationContext =
newId.Impersona te()

' Check the identity.
System.Diagnost ics.Debug.Write Line(("After impersonation: " +
WindowsIdentity .GetCurrent().N ame))
Test()
' Stop impersonating the user.
impersonatedUse r.Undo()

' Check the identity.
System.Diagnost ics.Debug.Write Line(("After Undo: " +
WindowsIdentity .GetCurrent().N ame))
' Free the tokens.
If Not System.IntPtr.o p_Equality(toke nHandle, IntPtr.Zero) Then CloseHandle(tok enHandle)
End If
If Not System.IntPtr.o p_Equality(dupe TokenHandle, IntPtr.Zero)
Then
CloseHandle(dup eTokenHandle)
End If
Catch ex As Exception
Console.WriteLi ne(("Exception occurred. " + ex.Message))
End Try
End Sub

Private Sub Test()
Dim subkey As RegistryKey =
Registry.Curren tUser.OpenSubKe y("Software\Mic rosoft\Windows\ CurrentVersion\ P olicies\Explore r\Test", True)
subkey.SetValue ("Hello", 1)
End Sub

Private Sub Button1_Click(B yVal sender As System.Object, ByVal e As
System.EventArg s) Handles Button1.Click
Try
Test() 'The line will fail, because the current user account
has not permission.
Catch ex As Exception
MsgBox(ex.ToStr ing())
End Try

Impersonate() 'Impersonate to another user to do the registry key
write..
End Sub

Also here is a detailed link about the issue, you may take at look.
How to impersonate a user in .NET (VB.NET, C#)
http://msdn.microsoft.com/library/de...us/cpref/html/ frlrfSystemSecu rityPrincipalWi ndowsIdentityCl assImpersonateT opic2.asp
Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

Peter,

Works perfect, thanks you!

Dan Rhoads
""Peter Huang" [MSFT]" <v-******@online.m icrosoft.com> wrote in message
news:Uq******** ******@TK2MSFTN GXA01.phx.gbl.. .

Hi Dan,

I am sorry that I ahve made a mistake about the LogonUser.
Based on my test, we can use the LogonUser and WindowsIdentity to
impersonate the current thread running at another high rights account .e.g
the administrator.
<PermissionSetA ttribute(Securi tyAction.Demand , Name:="FullTrus t")> _
Private Sub Impersonate()
Dim tokenHandle As New IntPtr(0)
Dim dupeTokenHandle As New IntPtr(0)
Try
Dim userName, domainName As String
domainName = Environment.Mac hineName
userName = "Test"
Const LOGON32_PROVIDE R_DEFAULT As Integer = 0
Const LOGON32_LOGON_I NTERACTIVE As Integer = 2
Const SecurityImperso nation As Integer = 2
tokenHandle = IntPtr.Zero
dupeTokenHandle = IntPtr.Zero
Dim returnValue As Boolean = LogonUser(userN ame, domainName,
"Password01 !", LOGON32_LOGON_I NTERACTIVE, LOGON32_PROVIDE R_DEFAULT,
tokenHandle)
Console.WriteLi ne("LogonUser called.")
If False = returnValue Then
Dim ret As Integer = Marshal.GetLast Win32Error()
Console.WriteLi ne("LogonUser failed with error code : {0}", ret)
Console.WriteLi ne(ControlChars .Cr + "Error: [{0}] {1}" +
ControlChars.Cr , ret, GetErrorMessage (ret))
Return
End If

Dim success As String
If returnValue Then success = "Yes" Else success = "No"
Console.WriteLi ne(("Did LogonUser succeed? " + success))
Console.WriteLi ne(("Value of Windows NT token: " +
tokenHandle.ToS tring()))

' Check the identity.
Console.WriteLi ne(("Before impersonation: " +
WindowsIdentity .GetCurrent().N ame))

Dim retVal As Boolean = DuplicateToken( tokenHandle,
SecurityImperso nation, dupeTokenHandle )
If False = retVal Then
CloseHandle(tok enHandle)
Console.WriteLi ne("Exception thrown in trying to duplicate
token.")
Return
End If

' TThe token that is passed to the following constructor must
' be a primary token in order to use it for impersonation.
Dim newId As New WindowsIdentity (dupeTokenHandl e)
Dim impersonatedUse r As WindowsImperson ationContext =
newId.Impersona te()

' Check the identity.
System.Diagnost ics.Debug.Write Line(("After impersonation: " +
WindowsIdentity .GetCurrent().N ame))
Test()
' Stop impersonating the user.
impersonatedUse r.Undo()

' Check the identity.
System.Diagnost ics.Debug.Write Line(("After Undo: " +
WindowsIdentity .GetCurrent().N ame))
' Free the tokens.
If Not System.IntPtr.o p_Equality(toke nHandle, IntPtr.Zero) Then CloseHandle(tok enHandle)
End If
If Not System.IntPtr.o p_Equality(dupe TokenHandle, IntPtr.Zero)
Then
CloseHandle(dup eTokenHandle)
End If
Catch ex As Exception
Console.WriteLi ne(("Exception occurred. " + ex.Message))
End Try
End Sub

Private Sub Test()
Dim subkey As RegistryKey =
Registry.Curren tUser.OpenSubKe y("Software\Mic rosoft\Windows\ CurrentVersion\ P olicies\Explore r\Test", True)
subkey.SetValue ("Hello", 1)
End Sub

Private Sub Button1_Click(B yVal sender As System.Object, ByVal e As
System.EventArg s) Handles Button1.Click
Try
Test() 'The line will fail, because the current user account
has not permission.
Catch ex As Exception
MsgBox(ex.ToStr ing())
End Try

Impersonate() 'Impersonate to another user to do the registry key
write..
End Sub

Also here is a detailed link about the issue, you may take at look.
How to impersonate a user in .NET (VB.NET, C#)
http://msdn.microsoft.com/library/de...us/cpref/html/ frlrfSystemSecu rityPrincipalWi ndowsIdentityCl assImpersonateT opic2.asp
Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

Hi

I am glad that my suggestion helped you.
Cheers!

Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.