Archive: more nt/2k permissions
more nt/2k permissions
anyone have a way to grant full permissions to a win2k/nt registry key? ie I want everybody to be able to use a key in HKLM/Software.
I hate to do something like shell regini, though I'm already having to shell CACLS to grant permissions on my DLLs.
Somebody must have made this work already.
Thanks
-Carl
Implementing in Win32
What you want is easy at a C code level, just the application of a null security descriptor to the registry key. If you don't have get a satisfactory answer to this I can knock up a minature extension dll with a single function in it to do the job for you (I assume you are looking for a simpler more immediate solution than this but I thought I'd offer anyway).
---
Ximon Eighteen
Programmer @ Advent Publishing Systems
email: ximon_eighteen@3b2.com
& msn: ximon_eighteen@hotmail.com
C Implementation
Right since there was no answer given to your problem I created a small (4k) extension dll to answer your woes.
Get it here: http://www.clantpa.co.uk/nsis/x18regkeyV0.0.zip [ ~8k ]
It contains a single function callable from an NSIS script. The function is called RemoveRegKeySecurity and expects a registry key name on the stack. The zip file contains more explicit documentation about how to specify the key name and what success or error codes you can expect in return.
This was written specifically for your problem so it doesn't contain any other functionality. If you want anything else or anyone else has a request then if its related I'll add it to that file in a new version, or else I'll just make another one. This is so I can bundle related functionality together.
I hope it works. I've made sure that the link and the uploaded zip file work perfectly (I had trouble with another one earlier today as you might have seen) and I think that the code works correctly. However since you have a real use for this code you will be the best judge.
I know how to create a null security descriptor and apply it to an object (in this case a registry key) and as far as I understand it this clears all security on the key (ie makes it fully accessible to everyone). However, I haven't got a means of testing this at the mo (I'm tired, maybe there is an obvious way, prolly just create a dummy user a log off and back on ;-)) so I've got my fingers crossed.
Feel free to get back to me about suggestions/criticisms/etc and definitely get back to me either by email or in here if you have a problem with the dll.
---
Ximon Eighteen
Programmer @ Advent Publishing Systems
email: ximon_eighteen@3b2.com
& msn: ximon_eighteen@hotmail.com
Wow, thanks SJ :D
That dll works great - my win2k installs run nice and smoothly now. Very nice to be able to do this from NSIS instead of creating a separate app.
Thanks again!
-Carl
Glad I could help. Did you say you were using a separate program to grant permissions on DLLs? If you don't want to be using other programs I could do something about that too if you like. If so just drop me a line to say what you'd need it to do and I'll tell you if I can do it or not.
That would be really cool - if you could have your dll do both registry key security permissions and file security permissions, it'd be what a lot of people (like me) need to make installs that work well in nt/2k. Right now I shell cacls on each dll which pops up a little black dos box momentarily each time. kinda messy
-Carl
Do you want it with knobs on?
Sorry for the specific nature of this post, I'm just trying to find out exactly what to implement for you (and anyone else).
cacls
Well, all I'm using right now is
CACLS bob.dll /e /g Users:R
by doing
ExecShell "" "CACLS" "$0 /e /g Users:R"
All I need to do functionally is make each file readable by anyone who uses the computer. Anything else is bonus :)
-Carl
K let's get it on
Okay I'll do this soon (turns out I need it too for something else so it really will be sooner rather than later)...
Instead of me keep posting in here you can keep an eye on this project on my new forum here (there's a note about this specifically here)
> Okay I'll do this soon
This would be the feature I will love, too.
However, please note, that Windows group names are different in different languages (the "Everyone" group in my language is "Wszyscy"), so support for SIDs (or LookupAccountSid function) would be very nice feature.
Actually what I need is to remove ACE "Everyone" from file to secure it after installation.
-- Piotr.
Thanks for pointing that out. The "Well Known" sids of which Everyone is one are a special case anyway that are accessed at a code level using bit masks rather than names so the exact spelling will not be an issue. If you hadn't mentioned it though I would possibly have introduced a language dependency without meaning to, I'll try and keep this in mind now when I do it.
If you want to follow any development that occurs on this (I'm quite busy but I will need it v. soon) then keep an eye on this : http://www.clantpa.co.uk/nsis/forum/viewtopic.php?t=7
Please post in that thread the exact details of any functionality you would like and I will do it as soon as I can.