Archive: Set permission to write in registry
The Glimmerman
8th August 2006 11:31 UTC
Set permission to write in registry
I found this code in a thread.
It stores the default password in HKLM\SECURITY\Policy\Secrets\DefaultPassword.
The code works.
But my problem is when using this on a clean installation of XP.
The Administrator has no permission to write to HKLM\SECURITY\Policy\Secrets\DefaultPassword.
How do I set the permission for the admin to write to this key?
(HKLM\SECURITY\Policy\Secrets\DefaultPassword)
!macro CreateLsaUnicodeString VAR STRING
StrLen ${VAR} "${STRING}"
IntOp ${VAR} ${VAR} * 2
System::Call '*(&i2 ${VAR}, &i2 ${VAR}, w `${STRING}`) i .s'
Pop ${VAR}
!macroend
# open lsa handle
System::Call '*${strLSA_OBJECT_ATTRIBUTES}(24,n,n,0,n,n).s'
Pop $R1
StrCpy $4 ${POLICY_CREATE_SECRET}
System::Call 'advapi32::LsaOpenPolicy(w n, i R1, i r4, *i .R0) i .R6'
System::Call 'advapi32::LsaNtStatusToWinError(i R6) i .R6'
!insertmacro CreateLsaUnicodeString $R2 DefaultPassword
!insertmacro CreateLsaUnicodeString $R3 $UserPassword
# create private data
System::Call 'advapi32::LsaStorePrivateData(i R0, i R2, i R3) i .R6'
System::Call 'advapi32::LsaNtStatusToWinError(i R6) i .R6'
# delete private data
System::Call 'advapi32::LsaStorePrivateData(i R0, i R2, i n) i .R6'
System::Call 'advapi32::LsaNtStatusToWinError(i R6) i .R6'
# close handle
System::Call 'advapi32::LsaClose(i R0)'
Afrow UK
8th August 2006 11:35 UTC
Can't you just use the AccessControl plugin?
-Stu
The Glimmerman
8th August 2006 11:38 UTC
I will test it out.
Thx Afrow
The Glimmerman
8th August 2006 12:01 UTC
Sorry *** SPAM ***
The Glimmerman
8th August 2006 12:13 UTC
It works great!! :D
Thx afrow
Afrow UK
8th August 2006 12:14 UTC
Like Everyone or Administrators?
-Stu
The Glimmerman
8th August 2006 12:16 UTC
Yes like that.
But my bad.
I didn't try before cry. :)
It works great.
AccessControl::GrantOnRegKey \
HKLM "Security" "Administrators" "FullAccess"
Good plugin.
CancerFace
10th August 2006 08:28 UTC
At what stage are you trying to write to that key in your installation? I am doing the same and I didn't have to give access to the user for that key. Are you sure you are storing a secret for the Administrator's account?
My guess is that you are trying to store the password of a non administrator account that you are creating. In that case, although the account running your code has admin privileges, the secret that you are trying to store belongs to the non-admin account. An easy way around this is to add the non-admin account to the admin group, store the secret, then remove the account from the admin group. No need to manually change permissions on the LSA keys (which by the way is not recommended!).
Hope this helps
CF
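Added example, not part of the thread or of any poster's code: a Python check that reads the SDDL string of a registry key's DACL and lists allow ACEs giving Administrators, Users, Authenticated Users or Everyone the right to set values or create subkeys, which is the kind of change the GrantOnRegKey call on HKLM\Security makes. The BEFORE and AFTER strings are constructed samples; that "FullAccess" shows up as KA for BA, and that Administrators otherwise hold only RC and WD on the key, are assumptions.

```python
import re

# SDDL rights tokens -> access-mask bits (registry meanings, winnt.h values).
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x001, "DC": 0x002, "LC": 0x004, "SW": 0x008, "RP": 0x010,
    "WP": 0x020, "DT": 0x040, "LO": 0x080, "CR": 0x100,
}
DATA_WRITE = 0x0002 | 0x0004  # KEY_SET_VALUE | KEY_CREATE_SUB_KEY

# Well-known SIDs written out in full, normalised to their SDDL aliases.
ALIASES = {"S-1-5-32-544": "BA", "S-1-5-32-545": "BU",
           "S-1-1-0": "WD", "S-1-5-11": "AU"}

def rights_to_mask(field):
    """Turn an ACE rights field ('KA', 'RCWD', '0xf003f') into a bit mask."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
    else:
        mask = 0
        for i in range(0, len(field), 2):
            mask |= RIGHTS[field[i:i + 2]]  # KeyError on an unknown token
    if mask & RIGHTS["GA"]:                 # generic all -> KEY_ALL_ACCESS
        mask |= RIGHTS["KA"]
    if mask & RIGHTS["GW"]:                 # generic write -> KEY_WRITE
        mask |= RIGHTS["KW"]
    return mask

def writable_by(sddl, watched=("BA", "BU", "AU", "WD")):
    """List (trustee, mask) for allow ACEs that let a watched trustee write."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    hits = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        trustee = ALIASES.get(sid, sid)
        mask = rights_to_mask(rights)
        if ace_type == "A" and trustee in watched and mask & DATA_WRITE:
            hits.append((trustee, mask))
    return hits

# Constructed samples, not captured from a real system.
BEFORE = "O:BAG:SYD:P(A;CI;KA;;;SY)(A;CI;RCWD;;;BA)"
AFTER = "O:BAG:SYD:P(A;CI;KA;;;SY)(A;CI;KA;;;BA)"

if __name__ == "__main__":
    for name, sddl in (("before", BEFORE), ("after", AFTER)):
        print(name, [(t, hex(m)) for t, m in writable_by(sddl)])
```

Deny ACEs and inherit-only flags are not evaluated, so a hit means "an allow ACE grants this", not the effective access.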
The Glimmerman
10th August 2006 12:44 UTC
That's right.
I'm logged in as administrator. The user that's created in my app is added to the Administrators group. And for that user the secret is stored.
So I'm curious how you did that.
Even the Administrators group has no rights on the secret key.
To test if my code works, I had to manually give permission to that key.
Extra Info
When my unattended install is ready, and the Admin is logging in for the first time, my app creates a user in the admin group and stores the secret.
CancerFace
10th August 2006 15:23 UTC
I am not sure where your code is failing, since I am also using the code shown in the thread that you quoted and it works fine, without having to give registry access to the user running the application. The only important thing is to add the user to the admin group before storing his/her secret. This is the part of my script that does the job (without the error-checking routines):
!macro CreateUnicodeString VAR STRING
StrLen ${VAR} "${STRING}"
IntOp ${VAR} ${VAR} * 2
System::Call /NOUNLOAD '*(&i2 ${VAR}, &i2 ${VAR}, w "${STRING}") i .s'
Pop ${VAR}
!macroend
!define POLICY_CREATE_SECRET 0x00000020
!define strLSA_OBJECT_ATTRIBUTES '(i,i,w,i,i,i)i'
System::Call /NOUNLOAD '*${strLSA_OBJECT_ATTRIBUTES}(24,0,0,0,0,0).R1'
System::Call 'advapi32::LsaOpenPolicy(,i R1,i ${POLICY_CREATE_SECRET},*i .R5)i.R6'
!insertmacro CreateUnicodeString $R3 "DefaultPassword"
!insertmacro CreateUnicodeString $R4 "$Password"
System::Call 'advapi32::LsaStorePrivateData(i R5,i R3,i R4)i.R6'
System::Call 'advapi32::LsaClose(i R5)'
System::Free $R3
System::Free $R4
CF
The Glimmerman
10th August 2006 19:00 UTC
I got this and I use no "/NOUNLOAD"
System::Call '*${strLSA_OBJECT_ATTRIBUTES}(24,n,n,0,n,n).s'
StrCpy $4 ${POLICY_CREATE_SECRET}
System::Call 'advapi32::LsaOpenPolicy(w n, i R1, i r4, *i .R0) i .R6'
Maybe that's the problem.
I will test it.
CancerFace
11th August 2006 01:02 UTC
Nope, I doubt that the /NOUNLOAD is the problem. I should have removed it anyway, it doesn't make a difference.
CF
The Glimmerman
11th August 2006 15:26 UTC
But see the difference between my code and yours.
My code:
System::Call '*${strLSA_OBJECT_ATTRIBUTES}(24,n,n,0,n,n).s'
Your code:
System::Call /NOUNLOAD '*${strLSA_OBJECT_ATTRIBUTES}(24,0,0,0,0,0).R1'
Afrow UK
11th August 2006 15:29 UTC
.s is for the stack. You need a Pop $Var afterwards. .R1 will put the data straight into $R1.
-Stu
The Glimmerman
11th August 2006 19:11 UTC
Thx I was wondering what the s stands for.
I'm beginning to understand that system call dll stuff :P
(Early stage, of course)
Thx afrow and CF for your help