2. NSIS Discussion
  3. AccessControl SetRegKeyOwner failing

Archive: AccessControl SetRegKeyOwner failing


arrow15
12th July 2007 20:28 UTC

AccessControl SetRegKeyOwner failing
Hi.

So basically, I'm trying to use AccessControl to gain control of several registry keys before changing their permissions to FullAccess for Everyone, then deleting them. Windows Vista forces every user, including administrators to first take control of a registry key before they can make any modifications to it, if they do not already have explicit write control.

I've been successful with GrantOnRegKey:

AccessControl::GrantOnRegKey HKLM $KeyPath "Everyone" "FullAccess"
This works perfectly.

I haven't had the same success with SetRegKeyOwner.
AccessControl::SetRegKeyOwner HKLM $KeyPath "user"
When I pop the errors off the stack for a few of these SetRegKeyOwner, GrantOnRegKey owner sequences, there are no errors for GrantOnRegKey, but for SetRegKeyOwner calls I get the following for the first:
Cannot apply new ownership.
Error code: 0
Then for the rest:
Cannot apply new ownership.
Error code: 997
Error code 997 is ERROR_IO_PENDING, which doesn't really make sense to me, as permissions changes work, and then the first error code reads as 0 (even though it shouldn't error on 0). The user name is correct, because if I put in a bad one, it gives me a bad trustee error.

Any ideas?...

arrow15
12th July 2007 22:59 UTC

Follow up:

So I tried manually changing the registry key's permissions to full control to everyone, and the change of ownership worked. So basically as I see it here's how things stand on Vista:

-To edit permissions of the registry key (no write owner control), I have to first have the user take control of the key from the administrators group

-To take control of the key from the administrators group, I must first take write owner control permissions.

:igor: :igor: :igor:

kichik
13th July 2007 09:57 UTC

I don't know why it fails, but you get the wrong error codes because of a bug in AccessControl. It uses GetLastError() to get the last error of SetNamedSecurityInfo, but SetNamedSecurityInfo uses the return value for specifying the error.

I've attached a fixed version. Let me know if it works before I upload it to the Wiki.

arrow15
13th July 2007 19:47 UTC

Yes, thank you, the new version's error codes are accurate. (That's what I suspected might be happening when I looked at the source code) I now get error code 5 (Access denied), which is far more believable, and seems to be what is going wrong. As for finding a solution, I'm still looking, and I'll post it if I find something. From what I've read though, many people consider this registry permissions / ownership business a bug with Vista, because it seems to basically trap you.

Thanks again.

Lyra78
27th December 2007 16:34 UTC

Hi everybody.
I tried kichik's version of the plug-in and the most recent (November 2007).
I realized that "GrantOnRegKey" doesn't work properly in the last version. Kichik's version works fine.

Does anyone know why kichik's changes seem to be lost in the last official version?

Thanks!

Afrow UK
27th December 2007 17:30 UTC

In what way does it not work correctly?

Stu

Lyra78
28th December 2007 07:48 UTC

Setting full access on a registry key in local machine doesn't work. It just sets this permission for administrators and power users, not for users. The previous version I mentioned works correctly.

Afrow UK
28th December 2007 13:04 UTC

Something else is wrong. The code to change a file or registry ACL has not changed between those two version with the exception of /noinherit.

Stu

Lyra78
28th December 2007 14:23 UTC

I'd like to try the intermediate version of AccessControl.dll (August 2007), but I'm not able to find it. Can you help me?

Anyway, that's what happens: in my installation I create a registry key in local machine, then I set full access for all users by "GrantOnRegKey" function. If I compile the script with the latest version of AccessControl.dll (in ProgramFiles\NSIS\Plugins), and execute the file, then in my registry I get just "reading permissions" for Users.
But if I compile with kichik's version installed, then I get the right permissions for all users of that registry key.
I executed both the compiled files on Windows XP and Vista, and found the same curious behaviour.

This is my code:
WriteRegStr HKLM "Software\${COMPANY}\$REG_KEY" "$REG_VALUE" "$REG_DATA"
AccessControl::GrantOnRegKey \
HKLM "Software\${COMPANY}\$REG_KEY" "(S-1-5-32-545)" "FullAccess"

Thanks for help.

Afrow UK
31st December 2007 11:15 UTC

Any error messages on the stack?

Stu

Afrow UK
7th January 2008 19:59 UTC

There was a bug.
http://nsis.sourceforge.net/File:AccessControl.zip

Stu

Lyra78
8th January 2008 09:58 UTC

That's why there weren't any errors on the stack! :-)

Thanks for the correction: now it works fine!

Fork me on GitHub