Archive: In 64bit installer AccessControl fail to set registry permission
rijukk
17th January 2012 16:00 UTC
In 64bit installer AccessControl fail to set registry permission
I was using NSIS AccessControl plug-in to grant registry access permission
AccessControl::GrantOnRegKey HKLM "Software\Demo" "(S-1-5-20)" "FullAccess" ;"NETWORK SERVICE"
It was working perfectly; now I upgraded my installer to 64bit using "x64.nsh"'s ${RunningX64}
and SetRegView 64
Now
AccessControl::GrantOnRegKey HKLM "Software\Demo" "(S-1-5-20)" "FullAccess"
it fails to grant permission; however, I create a key in the redirected node (Wow6432Node) like HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Demo. It provides proper grant permission.
Any help will be greatly appreciated
Thank you,
Riju
T.Slappy
18th January 2012 06:09 UTC
Are you running 32bit application on x64 machine?
If yes then this situation is correct because 32bit applications use Wow6432Node in Registry.
Your assumption is wrong:
by I upgraded my installer to 64bit using "x64.nsh"'s ${RunningX64}
Creating 64bit installer is possible only by recompiling NSIS as 64bit application.
rijukk
18th January 2012 07:40 UTC
Hi T. Slappy,
I am upgrading the installer script with the guideline provided in this link
http://bojan-komazec.blogspot.com/20...t-windows.html
I am able to read\write registry from HKLM\Software\Demo after using "SetRegView 64".
; disable registry redirection (enable access to 64-bit portion of registry)
SetRegView 64
Only registry fails on
AccessControl::GrantOnRegKey HKLM "SOFTWARE\Demo" "(S-1-5-20)" "FullAccess"
My installer is working perfectly on a 64bit PC without any other issues.
Thank you,
Riju
MSG
18th January 2012 09:59 UTC
Could it be that the AccessControl plugin cannot handle x64 registry yet?
MSG
18th January 2012 10:01 UTC
Could it be that the AccessControl plugin doesn't support x64 registry yet?
Afrow UK
18th January 2012 19:12 UTC
AccessControl plug-in needs updating to handle SetRegView. I will do it when I have some time (maybe tomorrow).
Stu
rijukk
19th January 2012 05:59 UTC
Hi Stu,
So nice of you :)
Thank you,
Riju
rijukk
23rd January 2012 05:23 UTC
From what I read on the internet, in order to accomplish this we need to use advapi32.dll's RegSetKeySecurity in the AccessControl plugin.
Afrow UK
25th January 2012 23:48 UTC
It took a little longer than expected due to SetNamedSecurityInfo/GetNamedSecurityInfo's complete lack of support for KEY_WOW64_64KEY (as you pointed out), so a lot of the code had to be changed quite drastically. It may also mean the plug-in will no longer work on Windows 2000, but we may have to live with that.
v1.0.5.0 - 25th January 2012 ~ Afrow UK
- Removed IsUserTheAdministrator.
- Added NameToSid.
- Major code cleanup/rewrite.
- Proper Unicode build (with Unicode plugin API).
- Support for 64-bit registry (SetRegView 64).
- Functions now return "ok" on success or "error" otherwise. On "error", the next item on the stack will be the error description.
- Added version information resource.
Edit: I removed IsUserTheAdministrator because you can quite easily test for that yourself using the new NameToSid. Just check that the result of NameToSid ends with -500.
Stu
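Added example (not part of the original thread and not the plug-in's own code): an installer section that switches to the 64-bit registry view before calling GrantOnRegKey and checks the "ok"/"error" status that v1.0.5.0 pushes on the stack, so a grant that did not land on the intended key is not silently ignored. The output file name and the "Installed" value are constructed placeholders; the key and SID are the ones from the thread.

```nsis
; Added example, not from the thread or the plug-in's sources.
!include "x64.nsh"      ; provides ${RunningX64}
!include "LogicLib.nsh"

Name "AccessControl 64-bit view demo"
OutFile "demo-setup.exe"          ; constructed file name
RequestExecutionLevel admin       ; HKLM ACL changes need elevation

Section "Registry ACL"
  ; A 32-bit NSIS stub is redirected to Wow6432Node unless the view is switched.
  ${If} ${RunningX64}
    SetRegView 64
  ${EndIf}

  ; "Installed" is a placeholder value so the key exists before the ACL is set.
  WriteRegStr HKLM "Software\Demo" "Installed" "1"

  ; S-1-5-20 is NETWORK SERVICE, as in the thread.
  AccessControl::GrantOnRegKey HKLM "Software\Demo" "(S-1-5-20)" "FullAccess"
  Pop $0                          ; "ok" or "error" (v1.0.5.0 and later)
  ${If} $0 == "error"
    Pop $1                        ; error description follows on the stack
    DetailPrint "GrantOnRegKey failed: $1"
    SetRegView 32
    Abort "Could not set permissions on HKLM\Software\Demo"
  ${EndIf}
  DetailPrint "GrantOnRegKey: $0"

  SetRegView 32                   ; back to the default view of a 32-bit installer
SectionEnd
```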
Anders
26th January 2012 00:47 UTC
Originally posted by Afrow UK
It may also mean the plug-in will no longer work on Windows 2000, but we may have to live with that.
IMHO the Ansi version needs to support NT4/Win95 (I don't know what the old behavior was but it can just return ok on 9x) and the unicode build 2000+ (It is unclear at this point if NT4 will be supported as unicode)
Afrow UK
26th January 2012 11:11 UTC
When was ConvertSidToStringSid/ConvertStringSidToSid added to Windows? The plug-in has been using those for some time. Now it's using RegOpenKeyEx as well.
Stu
Anders
26th January 2012 11:59 UTC
RegOpenKeyEx was added in Win95/NT4 IIRC and I don't remember off the top of my head but I'm guessing ConvertSidToStringSid was added in 2000 (You cannot trust MSDN, you must check the dll exports)
Afrow UK
26th January 2012 12:46 UTC
How about RegSetKeySecurity? I will look into writing replacements for ConvertSidToStringSid/ConvertStringSidToSid.
Stu
Afrow UK
26th January 2012 17:56 UTC
v1.0.6.0 - 26th January 2012 - Afrow UK
- Wrote replacements for ConvertSidToStringSid/ConvertStringSidToSid for backwards compatibility with Windows NT4/ME (ANSI build only).
- Loads RegSetKeySecurity/RegGetKeySecurity functions at run-time for backwards compatibility with Windows NT4/ME (ANSI build only).
- Removed commented out legacy code.
Note that RegSetKeySecurity/RegGetKeySecurity is only used when SetRegView 64 is set.
http://nsis.sourceforge.net/AccessControl_plug-in
Stu
MSG
26th January 2012 18:52 UTC
Hate to be a nagger, but... Wasn't NT4 also unicode? Not that I feel strongly about NT4 support one way or the other, but yeah.
Afrow UK
26th January 2012 19:55 UTC
As Anders says, I don't think Unicode NSIS supports below Windows 2000 anyway, so there is no point in the Unicode plug-in doing so.
Edit: If someone needs the Unicode build for NT4 they can just rebuild with the ACCESS_CONTROL_NT4 preprocessor directive. Otherwise the Unicode build links to the native Windows 2000+ APIs to save on code size.
Stu
Anders
26th January 2012 22:07 UTC
I did not check out the code yet but I hope you are only going down the wow64 path on NT5.2+, I don't know what happens if you pass the WOW64 flag to older registry functions...
Afrow UK
27th January 2012 00:15 UTC
According to MSDN KEY_WOW64_64KEY is ignored on 32-bit Windows (and Windows 2000) so I assume that means older versions of Windows too. The registry functions are only used if SetRegView 64 is set but I suppose a test for a 64-bit OS would be good too.
Stu
rijukk
2nd February 2012 16:19 UTC
Thank you Stu... I will test it tomorrow and let you know the feedback
Riju
kalverson
8th February 2012 20:01 UTC
Originally posted by T.Slappy
Are you running 32bit application on x64 machine?
If yes then this situation is correct because 32bit applications use Wow6432Node in Registry.
Your assumption is wrong:
Creating 64bit installer is possible only by recompiling NSIS as 64bit application.
Is there a NSIS 64 bit compiled engine/install available somewhere for download?
Afrow UK
8th February 2012 20:43 UTC
No. Why do you need it?
Stu
Anders
9th February 2012 15:27 UTC
Originally posted by Afrow UK
No. Why do you need it?
Stu
Server Core :(