Access HKCU from an app with another set of credentials

I have looked at the documentation for 'Microsoft.Win32.Registry' and
'System.Security.Permissions.RegistryPermission' but am still stuck, hoping
someone can give me a nudge in the right direction.

I would like to be able to modify the GPO Policy keys under HKCU for the
logged-on user from an application. Because they are read only to the user, can
I prompt for an ID and PW (say a support tech) that can be used to access
the keys with read/write permissions?

Thanks Dan Rhoads
Nov 21 '05 #1
Hi,

Take a look at the registrypermission class
http://msdn.microsoft.com/library/de...classtopic.asp

Ken

Nov 21 '05 #2
Hi

In addition to Ken's suggestion, what is the exact registry key you want to
change?
What is the registry key's permission setting? You may check it by
following the steps below.
1. run regedit
2. Navigate to the registry key node
3. right click on the key and select permissions, check it to see if you
have permission.

HKCU is only valid for the currently logged-on user; if another user logs on,
HKCU will be loaded for that user.
So although we can call the LogonUser API to run the current process under
another user's credentials, this will also cause the OS to load the other
user's HKCU.

If you still have any concern, please feel free to post here.

Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

Nov 21 '05 #3
Hi Ken,

I have already been there, I will check again, maybe I missed what I was
looking for.

Dan R


Nov 21 '05 #4
Peter,

GPO keys are stored in two locations in HKCU (ignoring HKLM for now).

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_CURRENT_USER\Software\Policies

These keys, and all subkeys, are at a minimum full control to
<computername>\administrators and read only to the end user (provided the
user does not have membership in <computername>\administrators). The reason
it is read only to the end users is to prevent them from removing policy
from themselves.

Here is an example of the usage I am looking for:
The GPO applied to the end user has the "Disable registry editing tools"
policy enabled, which prevents a support tech from opening REGEDIT with the
user logged on to review the user's HKCU hive. I would like to ask the support
tech for his credentials, which are in <computername>\administrators, to use
to access the keys above (in the user's hive) to delete the policy that
disables the registry editing tools. This would temporarily allow access to
the end user's HKCU hive. A GPUPDATE (or SECEDIT) could be run to restore
any key(s) that were removed. We have a fairly locked down user
environment and allowing the support tech to temporarily remove policies
would be helpful for them.

Thanks,
Dan Rhoads

Nov 21 '05 #5
Hi Dan,

I am sorry that I have made a mistake about LogonUser.
Based on my test, we can use LogonUser and WindowsIdentity to have the
current thread impersonate another, higher-rights account, e.g. the
administrator.

    Imports System.ComponentModel
    Imports System.Runtime.InteropServices
    Imports System.Security.Permissions
    Imports System.Security.Principal
    Imports Microsoft.Win32

    ' The declarations and routines below are members of the form class that hosts Button1.

    ' Win32 functions used by Impersonate().
    Private Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal lpszUsername As String, _
        ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal dwLogonType As Integer, _
        ByVal dwLogonProvider As Integer, ByRef phToken As IntPtr) As Boolean
    Private Declare Auto Function DuplicateToken Lib "advapi32.dll" (ByVal ExistingTokenHandle As IntPtr, _
        ByVal SECURITY_IMPERSONATION_LEVEL As Integer, ByRef DuplicateTokenHandle As IntPtr) As Boolean
    Private Declare Auto Function CloseHandle Lib "kernel32.dll" (ByVal handle As IntPtr) As Boolean

    <PermissionSetAttribute(SecurityAction.Demand, Name:="FullTrust")> _
    Private Sub Impersonate()
        Const LOGON32_PROVIDER_DEFAULT As Integer = 0
        Const LOGON32_LOGON_INTERACTIVE As Integer = 2
        Const SecurityImpersonation As Integer = 2
        Dim tokenHandle As IntPtr = IntPtr.Zero
        Dim dupeTokenHandle As IntPtr = IntPtr.Zero
        Try
            ' Test account and password used in this sample.
            Dim domainName As String = Environment.MachineName
            Dim userName As String = "Test"
            Dim returnValue As Boolean = LogonUser(userName, domainName, "Password01!", _
                LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, tokenHandle)
            ' Read the error code before any other call can overwrite it.
            Dim ret As Integer = Marshal.GetLastWin32Error()
            Console.WriteLine("LogonUser called.")
            If Not returnValue Then
                Console.WriteLine("LogonUser failed with error code : {0}", ret)
                Console.WriteLine(ControlChars.Cr + "Error: [{0}] {1}" + ControlChars.Cr, _
                    ret, New Win32Exception(ret).Message)
                Return
            End If

            Dim success As String
            If returnValue Then success = "Yes" Else success = "No"
            Console.WriteLine("Did LogonUser succeed? " + success)
            Console.WriteLine("Value of Windows NT token: " + tokenHandle.ToString())

            ' Check the identity.
            Console.WriteLine("Before impersonation: " + WindowsIdentity.GetCurrent().Name)

            Dim retVal As Boolean = DuplicateToken(tokenHandle, SecurityImpersonation, dupeTokenHandle)
            If Not retVal Then
                Console.WriteLine("Exception thrown in trying to duplicate token.")
                Return
            End If

            ' The token that is passed to the following constructor must
            ' be a primary token in order to use it for impersonation.
            Dim newId As New WindowsIdentity(dupeTokenHandle)
            Dim impersonatedUser As WindowsImpersonationContext = newId.Impersonate()
            Try
                ' Check the identity.
                System.Diagnostics.Debug.WriteLine("After impersonation: " + WindowsIdentity.GetCurrent().Name)
                Test()
            Finally
                ' Stop impersonating the user, even if Test() throws.
                impersonatedUser.Undo()
            End Try

            ' Check the identity.
            System.Diagnostics.Debug.WriteLine("After Undo: " + WindowsIdentity.GetCurrent().Name)
        Catch ex As Exception
            Console.WriteLine("Exception occurred. " + ex.Message)
        Finally
            ' Free the tokens on every exit path.
            If Not tokenHandle.Equals(IntPtr.Zero) Then CloseHandle(tokenHandle)
            If Not dupeTokenHandle.Equals(IntPtr.Zero) Then CloseHandle(dupeTokenHandle)
        End Try
    End Sub

    Private Sub Test()
        Dim subkey As RegistryKey = Registry.CurrentUser.OpenSubKey( _
            "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Test", True)
        subkey.SetValue("Hello", 1)
        subkey.Close()
    End Sub

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        Try
            Test() ' This line will fail because the current user account does not have permission.
        Catch ex As Exception
            MsgBox(ex.ToString())
        End Try

        Impersonate() ' Impersonate another user to do the registry key write.
    End Sub

Also here is a detailed link about the issue, you may take a look.
How to impersonate a user in .NET (VB.NET, C#)
http://msdn.microsoft.com/library/de...us/cpref/html/frlrfSystemSecurityPrincipalWindowsIdentityClassImpersonateTopic2.asp
Best regards,

Peter Huang
Microsoft Online Partner Support


Nov 21 '05 #6
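
A tighter variant of the approach in post #6, added here as an example and not code from the thread: it takes the administrator credentials at run time instead of embedding them, addresses the logged-on user's hive by SID under HKEY_USERS, and reverts the impersonation in a Finally block. It assumes .NET Framework 2.0 or later; the module name and WritePolicyValueAs are hypothetical, and the key and value are the test ones from the post.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Security.Principal
Imports Microsoft.Win32

Module PolicyKeyWriter
    Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    ' Test key taken from the thread's Test() routine.
    Private Const PolicySubKey As String = _
        "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Test"

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Function LogonUser(ByVal user As String, ByVal domain As String, _
            ByVal password As String, ByVal logonType As Integer, _
            ByVal provider As Integer, ByRef token As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Function CloseHandle(ByVal handle As IntPtr) As Boolean
    End Function

    ' Hypothetical helper: writes the test value into the logged-on user's hive
    ' while the thread runs as the supplied administrator account.
    Public Sub WritePolicyValueAs(ByVal adminUser As String, ByVal adminDomain As String, _
                                  ByVal adminPassword As String)
        ' HKEY_CURRENT_USER is mapped once per process, so resolve the logged-on
        ' user's SID before switching identity and address the hive explicitly.
        Dim userSid As String = WindowsIdentity.GetCurrent().User.Value

        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(adminUser, adminDomain, adminPassword, _
                         LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, token) Then
            Throw New Win32Exception(Marshal.GetLastWin32Error())
        End If

        Dim context As WindowsImpersonationContext = Nothing
        Try
            context = WindowsIdentity.Impersonate(token)
            Using key As RegistryKey = Registry.Users.OpenSubKey(userSid & "\" & PolicySubKey, True)
                If key Is Nothing Then
                    Throw New InvalidOperationException("Key not found: " & PolicySubKey)
                End If
                key.SetValue("Hello", 1)
            End Using
        Finally
            ' Revert to the logged-on user and release the token on every path.
            If Not context Is Nothing Then context.Undo()
            CloseHandle(token)
        End Try
    End Sub

    Sub Main()
        Console.Write("Administrator account: ")
        Dim user As String = Console.ReadLine()
        Console.Write("Password (input is echoed in this sketch): ")
        Dim password As String = Console.ReadLine()
        WritePolicyValueAs(user, Environment.MachineName, password)
        Console.WriteLine("Now running as: " & WindowsIdentity.GetCurrent().Name)
    End Sub
End Module
```
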
Peter,

No need to apologize, I could have been clearer in my first post. More
importantly THANK YOU! This was the nudge (you gave me more than I hoped
for!) I was looking for.

Dan Rhoads


Nov 21 '05 #7
Peter,

Works perfectly, thank you!

Dan Rhoads

Nov 21 '05 #8
Hi

I am glad that my suggestion helped you.
Cheers!

Best regards,

Peter Huang
Microsoft Online Partner Support


Nov 21 '05 #9
