Archive: Get SecurityError 1?


Get SecurityError 1?
Function adminrights

UserMgr::GetCurrentUserName
Pop $1
#MessageBox MB_OK "$1" #Uncomment if debugging is necessary
UserMgr::SetRegKeyAccess "$1" "HKCU" "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASIM Bridge\DisplayIcon" "=a"
UserMgr::SetRegKeyAccess "$1" "HKCU" "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASIM Bridge\DisplayName" "=a"
UserMgr::SetRegKeyAccess "$1" "HKCU" "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASIM Bridge\DisplayVersion" "=a"
UserMgr::SetRegKeyAccess "$1" "HKCU" "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASIM Bridge\NSIS:Language" "=a"
UserMgr::SetRegKeyAccess "$1" "HKCU" "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASIM Bridge\Publisher" "=a"
UserMgr::SetRegKeyAccess "$1" "HKCU" "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASIM Bridge\UninstallString" "=a"
UserMgr::SetRegKeyAccess "$1" "HKCU" "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASIM Bridge\URLInfoAbout" "=a"
Pop $0
MessageBox MB_OK "GrantAccess Result : $0"

FunctionEnd


When I call this function, the grant access result is: Get SecurityError 1...


What does this mean exactly?


What are you trying to do exactly?


It grabs the current username, and grants rights to write to the registry for those keys only.


Current user can already write there. Besides, you can only apply ACLs to keys (folders), not values.


Interesting, in the NSIS Help I followed the same format that they had in their example.

So if it comes back as Get Security Error 0 (if this is possible) it means they can't write there?


First of all, you need a Pop $0 after each UserMgr::SetRegKeyAccess.
Second, as Anders said, you can only apply ACLs to keys.
So you only need

UserMgr::SetRegKeyAccess "$1" "HKCU" "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASIM Bridge" "=a"

Ok well this is now my total section:

!macro _UserIsAdminNT5 _a _b _t _f
Push $1
!insertmacro _LOGICLIB_TEMP
System::Call '*(&i1 1,&i1 2,&i5,&i1 5,&i4 32,&i4 544)i.r1' ;S-1-5-32-544
System::Call 'advapi32::CheckTokenMembership(i n,i r1,*i.s)i.s'
System::Free $1
Pop $1
Pop $_LOGICLIB_TEMP
IntCmpU $1 0 0 +2 +2
StrCpy $_LOGICLIB_TEMP 0
Pop $1
!insertmacro _!= $_LOGICLIB_TEMP 0 `${_t}` `${_f}`
!macroend
!define UserIsAdminNT5 `"" UserIsAdminNT5 ""`


(Courtesy of you Anders :) )

Function adminrights
${If} ${UserIsAdminNT5}
MessageBox MB_OK "User Type is Admin"
${Else}
MessageBox MB_OK "User Type is not Admin"
UserMgr::GetCurrentUserName #Gets User Account Name
Pop $1
#MessageBox MB_OK "$1" #Uncomment if debugging is necessary

UserMgr::SetRegKeyAccess "$1" "HKCU" "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASIM Bridge\" "=a"
Pop $0
MessageBox MB_OK "GrantAccess Result : $0"
${EndIf}
FunctionEnd


It's still popping that error... but is it only doing that because the user (myself right now) is an admin?


Not sure why you want to put the current user on the ACL for a registry key under HKEY_CURRENT_USER. As Anders says, the current user will already have full access, and anyway a user needs to already have ownership and write access to put themselves on an ACL (unless you enable the SE_RESTORE_NAME and SE_TAKE_OWNERSHIP_NAME privileges).

Stu


I think the error message is "ERROR GetSecurityInfo 1", right?

Error 1 means ERROR_INVALID_FUNCTION...
Not sure why this error occurs, but I found that granting a non-existing registry key causes this error.


I'm trying to make it so that if a user isn't able to write the registry keys for the uninstaller that they will be changed so that it allows them to.

It was supposed to be HKLM, I was messing around with it and forgot to change it back.

If the user can't write the uninstaller registry keys there will be a problem, no?


You should only write to HKLM if you are installing as admin. (If you require admin rights to install, you should use RequestExecutionLevel admin in your script and use the UserInfo plugin in .onInit and display a messagebox and quit if the user is not admin.)


That's exactly the point... I don't want it to be admin only. I need it to be available to all users.

I figured writing to the HKCU would get around this?


Uninstall registry needs to be under HKLM and unless you have administrator privileges you can't write there.

Stu


People seem to have a hard time grasping this:

Single user install: (don't have to be admin)
write to $localappdata and HKCU

All users install: (must be admin)
write to $programfiles and HKLM
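
The two install scopes described in this thread (single user: $localappdata and HKCU, no admin; all users: $programfiles and HKLM, admin required, with RequestExecutionLevel admin plus the UserInfo check in .onInit), as an added example that is not code from any poster in the thread. "ExampleApp", the output file names and the ALLUSERS define are placeholders chosen for illustration.

```nsis
; Added example: one script, two install scopes, selected at compile time.
; All-users build:   makensis /DALLUSERS example.nsi
; Single-user build: makensis example.nsi
; "ExampleApp" and the file names are placeholders, not from the thread.
!include LogicLib.nsh

!define APPNAME "ExampleApp"
!define UNINSTKEY "Software\Microsoft\Windows\CurrentVersion\Uninstall\${APPNAME}"

Name "${APPNAME}"

!ifdef ALLUSERS
  OutFile "ExampleApp-allusers-setup.exe"
  RequestExecutionLevel admin            ; installer asks for elevation
  InstallDir "$PROGRAMFILES\${APPNAME}"
  !define REGROOT HKLM
!else
  OutFile "ExampleApp-user-setup.exe"
  RequestExecutionLevel user             ; runs with the user's own rights
  InstallDir "$LOCALAPPDATA\${APPNAME}"
  !define REGROOT HKCU
!endif

Function .onInit
!ifdef ALLUSERS
  ; Stop here if not admin, instead of changing ACLs on the HKLM key.
  UserInfo::GetAccountType
  Pop $0                                 ; always Pop the plugin result
  ${If} $0 != "admin"
    MessageBox MB_ICONSTOP "Administrator rights are required to install for all users."
    Quit
  ${EndIf}
!endif
FunctionEnd

Section "Install"
  SetOutPath "$INSTDIR"
  WriteUninstaller "$INSTDIR\uninstall.exe"
  ; Registry root matches the install scope chosen above.
  WriteRegStr ${REGROOT} "${UNINSTKEY}" "DisplayName" "${APPNAME}"
  WriteRegStr ${REGROOT} "${UNINSTKEY}" "UninstallString" '"$INSTDIR\uninstall.exe"'
SectionEnd

Section "Uninstall"
  Delete "$INSTDIR\uninstall.exe"
  RMDir "$INSTDIR"
  DeleteRegKey ${REGROOT} "${UNINSTKEY}"
SectionEnd
```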


Right but the install has to go on the root C:\ directory (or whatever local disk is).

Would I still need to do HKLM, or could I do HKCU?


If you want your application available to all users then you don't write anything to HKCU. If your application writes anything to HKCU after install then you use EnumUsersReg to load each user hive to delete your registry keys.

Having said that there's a difference between installing as admin and installing for admins. Maybe you have that confused? Only administrator users (non limited accounts) can install applications for all users.

Your install can only be run by an administrator user anyway. Limited users can't write to the root or any folders on it and can't write to HKLM.

Stu