Discussion:
SE_REGISTRY_WOW64_64KEY?
Martijn Laan
2005-02-18 20:28:25 UTC
Hi,

Does someone know how on 64 bit Windows I can set the security on a 64
bit registry key from a 32 bit application? I would have expected
something like a SE_REGISTRY_WOW64_64KEY on the SetNamedSecurityInfo
function but it isn't there.

Also see the thread started by news://msnews.microsoft.com:119/***@TK2MSFTNGP14.phx.gbl
for a couple of tried options that don't work.

Oh, and please do not tell me to call an external 64 bit app :)

Greetings,
Martijn Laan
Rhett Gong [MSFT]
2005-02-21 05:21:38 UTC
Hi Martijn,
Post by Martijn Laan
Does someone know how on 64 bit Windows I can set the security on a 64
bit registry key from a 32 bit application?
As we know, WOW64 has two logical views of the Windows registry, all 32bit
app registry access calls will be redirected to the 32bit view of the
registry while 64-bit Windows application sees 64-bit view, this is a
restriction in 64-bit Windows for 32bit application.
If you don't want the external 64bit app way, so far as I know, there is no
other supported way to do this.

Thanks,
Rhett Gong [MSFT]
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties and confers no rights.
Martijn Laan
2005-02-21 08:19:07 UTC
Hi,
Post by Rhett Gong [MSFT]
As we know, WOW64 has two logical views of the Windows registry, all 32bit
app registry access calls will be redirected to the 32bit view of the
registry while 64-bit Windows application sees 64-bit view, this is a
restriction in 64-bit Windows for 32bit application.
Thanks but actually, there's no such general restriction. A key in the
64-bit view can be created/accessed from a 32 bit app just fine, using
the KEY_WOW64_64KEY flag with the RegCreateKeyEx/RegOpenKeyEx function.
However, the problem is that after creating the key, its security can't
be set because SetNamedSecurityInfo is missing a SE_REGISTRY_WOW64_64KEY
(even though it does have SE_REGISTRY_WOW64_32KEY to counterpart
KEY_WOW64_32KEY).

Maybe you could reinvestigate this?

Greetings,
Martijn Laan
Rhett Gong [MSFT]
2005-02-23 06:16:16 UTC
I've requested a 64bit machine, I will update you later after doing some
tests on it.

Thanks,
Rhett Gong [MSFT]
Martijn Laan
2005-02-23 08:17:06 UTC
Hi,
Post by Rhett Gong [MSFT]
I've requested a 64bit machine, I will update you later after doing some
tests on it.
Excellent! Thank you.

Greetings,
Martijn Laan
Rhett Gong [MSFT]
2005-02-23 12:03:50 UTC
To make a test, I create following 3 keys under HKCU:
//-------------------------------------------
LONG result1 = RegCreateKeyEx(HKEY_CURRENT_USER,
                              "MyTestKey1\\subkey",
                              0,                              // Reserved
                              NULL,
                              REG_OPTION_NON_VOLATILE,
                              KEY_ALL_ACCESS|KEY_WOW64_64KEY, // 64-bit view
                              NULL,
                              &hKey1,
                              &dispo);

LONG result2 = RegCreateKeyEx(HKEY_CURRENT_USER,
                              "MyTestKey2\\subkey",
                              0,                              // Reserved
                              NULL,
                              REG_OPTION_NON_VOLATILE,
                              KEY_ALL_ACCESS|KEY_WOW64_32KEY, // 32-bit view
                              NULL,
                              &hKey2,
                              &dispo);

LONG result3 = RegCreateKeyEx(HKEY_CURRENT_USER,
                              "MyTestKey3\\subkey",
                              0,                              // Reserved
                              NULL,
                              REG_OPTION_NON_VOLATILE,
                              KEY_ALL_ACCESS,                 // default view
                              NULL,
                              &hKey3,
                              &dispo);
//-----------------------------------------
Before subsequent actions, I change the hKey1's dacl from regedit. And then
I get hKey1's dacl by calling GetSecurityInfo.
Then I call SetNamedSecurityInfo on hKey2&hKey3 as following:
//---------------------------------------------------------------
DWORD err = SetNamedSecurityInfo("CURRENT_USER\\MyTestKey2\\subkey",
                                 SE_REGISTRY_KEY,
                                 DACL_SECURITY_INFORMATION,
                                 NULL,
                                 NULL,
                                 dacl, // hKey1's dacl
                                 NULL);

err = SetNamedSecurityInfo("CURRENT_USER\\MyTestKey3\\subkey",
                           SE_REGISTRY_KEY,
                           DACL_SECURITY_INFORMATION,
                           NULL,
                           NULL,
                           dacl, // hKey1's dacl
                           NULL);
//-------------------------------------------------
Checking regedit or printing out the SD shows the same result as for hKey1.

Since you said you can't set the security information on the key created
with KEY_WOW64_32KEY, could you let me know what error code you get?

Thanks,
Rhett Gong [MSFT]
Martijn Laan
2005-02-23 12:36:26 UTC
Hi,
Post by Rhett Gong [MSFT]
Since you said you can't set the security information on the key created
with KEY_WOW64_32KEY, could you let me know what error code you get?
Maybe I misunderstand you, but actually that's not what I said. What I
said is that I can't set the security information on the key created
with KEY_WOW64_64KEY.

In your example this looks to be the 'MyTestKey1\\subkey' key, exactly
the one you didn't call SetNamedSecurityInfo on.

If you try setting the security info on this key you should see it won't
work since you can't tell SetNamedSecurityInfo that the key you're
talking about is a key in the 64-bit view.

(And as I see it, the reason you can't tell SetNamedSecurityInfo that is
that the SE_REGISTRY_WOW64_64KEY flag is missing)

Thanks again & greetings,
Martijn Laan
Martijn Laan
2005-02-23 19:08:51 UTC
Hi,
Post by Rhett Gong [MSFT]
LONG result1 = RegCreateKeyEx(HKEY_CURRENT_USER,
Just also noticed you're using HKCU. Please note that this is a bad
place to test since there is no separate 32 and 64 bit view of HKCU. You
should test under HKCR or HKLM\Software. See
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/win64/win64/registry_redirector.asp

Below is an example. It results in an ERROR_FILE_NOT_FOUND because
SetNamedSecurityInfo is looking in the 32 bit view (i.e.
HKLM\SOFTWARE\Wow6432Node\MyTest64BitKey).

---

{
    ACL acl;
    HKEY hKey1;
    DWORD dispo;
    LONG result1;
    DWORD result2;

    // create an empty ACL
    acl.AclRevision = ACL_REVISION;
    acl.Sbz1 = 0;
    acl.AclSize = sizeof(acl);
    acl.AceCount = 0;
    acl.Sbz2 = 0;

    result1 = RegCreateKeyEx(HKEY_LOCAL_MACHINE,
                             "SOFTWARE\\MyTest64BitKey",
                             0,
                             NULL,
                             REG_OPTION_NON_VOLATILE,
                             KEY_ALL_ACCESS|KEY_WOW64_64KEY,
                             NULL,
                             &hKey1,
                             &dispo);

    result2 = SetNamedSecurityInfo(
        "MACHINE\\SOFTWARE\\MyTest64BitKey",
        SE_REGISTRY_KEY,
        DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
        NULL,
        NULL,
        &acl,
        NULL);
    // result2 == ERROR_FILE_NOT_FOUND
}

---

Greetings,
Martijn Laan
Rhett Gong [MSFT]
2005-02-24 10:19:53 UTC
I add following code to your code snippet. The code is compiled under
32bitXP without any 64bit settings. I then copy the binary to a 64bitXP,
after running it I do not get any output from the code ---- this means
SetNamedSecurityInfo is correctly performed. I also check permission from
the regedit. It does clear out the permission box.
//---------------------------------------------
if (result2 != ERROR_SUCCESS)
{
    if (result2 == ERROR_FILE_NOT_FOUND)
        cout << "ERROR_FILE_NOT_FOUND\n";
    else
        cout << "other errors.\n";
}
//------------------------------------------
My XP is running on an AMD64 platform.

Thanks,
Rhett Gong [MSFT]
Martijn Laan
2005-02-24 10:48:38 UTC
Hi,
Post by Rhett Gong [MSFT]
I add following code to your code snippet. The code is compiled under
32bitXP without any 64bit settings. I then copy the binary to a 64bitXP,
after running it I do not get any output from the code ---- this means
SetNamedSecurityInfo is correctly performed.
Hmmm, are you using some kind of special XP? (as opposed to 'Windows XP
Professional x64 Edition - RC2 (English)' from MSDN)

What if you add a:

result1_32 = RegCreateKeyEx(HKEY_LOCAL_MACHINE,
                            "SOFTWARE\\MyTest64BitKey",
                            0,
                            NULL,
                            REG_OPTION_NON_VOLATILE,
                            KEY_ALL_ACCESS,
                            NULL,
                            &hKey1_32,
                            &dispo);

to also create a 32 bit key with the same name. Does
SetNamedSecurityInfo for you then set the security on both keys?? Or
does it pick one? What if it picks the 32 bit one but I want to change
the 64 bit one?

Greetings,
Martijn Laan
Rhett Gong [MSFT]
2005-02-25 08:25:14 UTC
My version of XP is xpsp_sp2_rtm.040803-2158, build 2600.
Here is my result:
//-----------------------------------------------
test2 start...
KEY_WOW64_64KEY security info:
D:AI(A;ID;KR;;;BU)(A;CIIOID;GR;;;BU)(A;ID;CCDCLCSWRPSDRC;;;PU)(A;CIIOID;SDGWGR;;;PU)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;ID;KA;;;LA)(A;CIIOID;GA;;;CO)

KEY_WOW64_32KEY security info:
D:AI(A;ID;KR;;;BU)(A;CIIOID;GR;;;BU)(A;ID;CCDCLCSWRPSDRC;;;PU)(A;CIIOID;SDGWGR;;;PU)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;ID;KA;;;LA)(A;CIIOID;GA;;;CO)

after SetNamedSecurityInfo
KEY_WOW64_64KEY security info:
D:PAI

KEY_WOW64_32KEY security info:
D:PAI
test2 end...
//---------------------------------------------------
As you see, SetNamedSecurityInfo set the security on both keys in my side.

Thanks,
Rhett Gong [MSFT]
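Added example, not part of the original thread and not Microsoft code: a small portable C parser for the DACL-only SDDL strings printed in the test output above. It reports the P and AI flags and the ACE counts, which makes explicit that `D:PAI` is a protected DACL with zero ACEs. The names `dacl_info`, `parse_sddl_dacl` and `dacl_is_empty` are hypothetical; the two sample strings are the ones from the output with the line wraps removed.

```c
#include <stdio.h>
#include <string.h>

/* Summary of a DACL-only SDDL string such as "D:PAI" or "D:AI(A;ID;KR;;;BU)". */
struct dacl_info {
    int is_protected;    /* "P":  SE_DACL_PROTECTED, parent inheritance blocked */
    int auto_inherited;  /* "AI": SE_DACL_AUTO_INHERITED */
    int ace_count;       /* number of ACEs in the DACL */
    int inherited_aces;  /* ACEs carrying the "ID" (inherited) flag */
};

/* Returns 0 on success, -1 on input this simplified parser does not accept. */
int parse_sddl_dacl(const char *sddl, struct dacl_info *out)
{
    const char *p = sddl, *q;
    memset(out, 0, sizeof *out);
    if (strncmp(p, "D:", 2) != 0) return -1;
    for (p += 2; *p != '\0' && *p != '('; ) {    /* DACL flags: P, AI, AR */
        if (p[0] == 'P') { out->is_protected = 1; p += 1; }
        else if (p[0] == 'A' && p[1] == 'I') { out->auto_inherited = 1; p += 2; }
        else if (p[0] == 'A' && p[1] == 'R') { p += 2; }
        else return -1;
    }
    while (*p == '(') {          /* (type;flags;rights;obj_guid;inh_guid;sid) */
        const char *end = strchr(p, ')'), *flags, *flags_end;
        int semis = 0;
        if (end == NULL) return -1;
        for (q = p; q < end; q++) if (*q == ';') semis++;
        if (semis != 5) return -1;
        flags = strchr(p, ';') + 1;
        flags_end = strchr(flags, ';');
        for (q = flags; q + 1 < flags_end; q += 2)   /* two-letter flag tokens */
            if (q[0] == 'I' && q[1] == 'D') out->inherited_aces++;
        out->ace_count++;
        p = end + 1;
    }
    return *p == '\0' ? 0 : -1;
}
/* A DACL that is present but holds no ACEs grants no access at all. */
int dacl_is_empty(const struct dacl_info *d) { return d->ace_count == 0; }

/* The two strings from the test output above, line wraps removed. */
static const char BEFORE[] = "D:AI(A;ID;KR;;;BU)(A;CIIOID;GR;;;BU)"
    "(A;ID;CCDCLCSWRPSDRC;;;PU)(A;CIIOID;SDGWGR;;;PU)(A;ID;KA;;;BA)"
    "(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;ID;KA;;;LA)"
    "(A;CIIOID;GA;;;CO)";
static const char AFTER[] = "D:PAI";
int main(void)
{
    struct dacl_info b, a;
    if (parse_sddl_dacl(BEFORE, &b) || parse_sddl_dacl(AFTER, &a)) return 1;
    printf("before: P=%d ACEs=%d\n", b.is_protected, b.ace_count);
    printf("after:  P=%d empty=%d\n", a.is_protected, dacl_is_empty(&a));
    return 0;
}
```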
Martijn Laan
2005-02-25 08:58:59 UTC
Hi,
Post by Rhett Gong [MSFT]
My version of XP is xpsp_sp2_rtm.040803-2158, build 2600.
Huh? What? That's ordinary 32 bit XP SP2!

XP x64 RC2 has version "Version 5.2 (Build
3790.srv03_sp1_rc2.050203-1635 : Service Pack 1, v.1433)".

Sorry but it sounds like they put a 32 bit Windows on your AMD64 and
somehow you didn't notice... 32 bit Windows exactly behaves as you
suggested. It doesn't even have a 64 bit view and just ignores the
KEY_WOW64_64KEY flag!

Could you retest on 64 bit Windows? Or maybe someone there who's more
familiar with 64 bit Windows could? (no offense meant)

Greetings,
Martijn Laan
Rhett Gong [MSFT]
2005-02-28 03:06:16 UTC
I called our lab to prepare a 64bit machine for me to do a test, but seems
I missed reminding them of the OS version. I am really sorry for this.
I will call them again for the OS version and update you as soon as
possible.

Thanks very much for your patience,
Rhett Gong [MSFT]
Martijn Laan
2005-02-28 10:32:01 UTC
Hi,
Post by Rhett Gong [MSFT]
I called our lab to prepare a 64bit machine for me to do a test, but seems
I missed reminding them of the OS version. I am really sorry for this.
I will call them again for the OS version and update you as soon as
possible.
Ok, thanks.

Greetings,
Martijn Laan
Rhett Gong [MSFT]
2005-03-01 09:45:13 UTC
Hi Martijn,
With a XP64bit OS installed, I have reproduced this problem. And I've tried
using SetSecurityInfo() API with registry handle from RegCreateKeyEx, but
it does not help either. It seems there is more work required if we have
to change 64bit regkey from a 32bit app and it is also possible that this
can't be done. I need more time to investigate this, update you later.


Thanks and regards,
Rhett Gong [MSFT]
Martijn Laan
2005-03-01 11:25:14 UTC
Hi,
Post by Rhett Gong [MSFT]
With a XP64bit OS installed, I have reproduced this problem. And I've tried
using SetSecurityInfo() API with registry handle from RegCreateKeyEx, but
it does not help either.
The thread I mentioned in my original post mentions SetSecurityInfo too
and why it possibly doesn't work:

Internally SetSecurityInfo seems to reopen the key with RegOpenKeyEx but
apparently it doesn't include the KEY_WOW64_64KEY even though we passed
a 64 bit key to it.

That's a bug right? (if it's true)

Greetings,
Martijn Laan
Rhett Gong [MSFT]
2005-03-03 08:55:03 UTC
Hi Martijn,
It seems there is no way to do this from a 32bit application. I've contacted
our developer to confirm this problem and will update you later.

Thanks for your patience,
Rhett Gong [MSFT]
Rhett Gong [MSFT]
2005-03-04 03:04:15 UTC
Hi Martijn,
We can use RegSetKeySecurity to change the security information of a 64bit
regkey. You may add following code snippet to your code to confirm it. I've
made a test and it does the work.
//--------------------------
SECURITY_DESCRIPTOR sd;
InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(&sd,TRUE, &acl, FALSE);
result2 = RegSetKeySecurity(hKey1, DACL_SECURITY_INFORMATION, &sd );
//----------------------------

Thanks,
Rhett Gong [MSFT]
Martijn Laan
2005-03-04 08:27:32 UTC
Hi,
Post by Rhett Gong [MSFT]
We can use RegSetKeySecurity to change the security information of a 64bit
regkey. You may add following code snippet to your code to confirm it. I've
made a test and it does the work.
Thanks but RegSetKeySecurity is actually not very useful (as already
mentioned in the 'other thread' too). It doesn't apply inheritance nor
does it merge existing security settings with the ones we're applying.
So this is in no way a replacement for the missing
SE_REGISTRY_WOW64_64KEY or the badly behaved SetSecurityInfo.

Greetings,
Martijn Laan
Rhett Gong [MSFT]
2005-03-07 01:40:56 UTC
Unfortunately, I've confirmed that this is a bug in SetSecurityInfo, and
currently there is direct way to achieve this.


Thanks,
Rhett Gong [MSFT]
Martijn Laan
2005-03-07 09:57:16 UTC
Hi,
Post by Rhett Gong [MSFT]
Unfortunately, I've confirmed that this is a bug in SetSecurityInfo, and
currently there is direct way to achieve this.
Will this get fixed in the final XP x64 version?

Greetings,
Martijn Laan
Rhett Gong [MSFT]
2005-03-08 05:28:08 UTC
I've had a bug filed for this problem. However, I can't guarantee that will
be fixed in the final version.

Thanks and regards,
Rhett Gong [MSFT]
Martijn Laan
2005-03-08 18:05:58 UTC
Hi,
Post by Rhett Gong [MSFT]
I've had a bug filed for this problem. However, I can't guarantee that will
be fixed in the final version.
Ok, guess I'll just have to hope for the best then :(

Greetings,
Martijn Laan
Rhett Gong [MSFT]
2005-03-09 01:56:21 UTC
I will try my best.
But if it is not fixed in the final release and this has an impact on your
business, you can also request a hotfix on this problem by contacting us at
1-(800)936-5800 or by choosing one of the options listed at
http://support.microsoft.com/gp/csshome. It should be free of charge for a
hotfix.

Thanks,
Rhett Gong [MSFT]
Martijn Laan
2005-03-09 08:41:59 UTC
This post might be inappropriate. Click to display it.
Rhett Gong [MSFT]
2005-03-10 02:21:39 UTC
Post by Martijn Laan
I don't control the target pc's so even if there was a hotfix I can't
really depend on it being installed.
I agree with you.
Currently, it seems that the safer way is to do this in a 64bit application
externally.


Thanks for your understanding.
Rhett Gong [MSFT]
Rhett Gong [MSFT]
2005-03-23 03:02:39 UTC
If you feel there is anything more I can do, please feel free to let me
know.

Thanks,
Rhett Gong [MSFT]
Martijn Laan
2005-03-17 09:07:30 UTC
Hi,
Post by Rhett Gong [MSFT]
It seems there is no way to do this from a 32bit application. I've contacted
our developer to confirm this problem and will update you later.
FYI, there seems to be a similar problem with setting security on files
in the 64 bit system dir from a 32bit application. SetNamedSecurityInfo
fails when file system redirection is on. It seems like setting security
was kind of forgotten when all the 64 bit stuff was done :(

Greetings,
Martijn Laan
Martijn Laan
2005-03-17 09:12:16 UTC
Hi,
SetNamedSecurityInfo fails when file system redirection is on.
Sorry, meant to say *off*, not on.

Greetings,
Martijn Laan
Rhett Gong [MSFT]
2005-03-18 02:47:06 UTC
Seems the code for SetNamedSecurityInfo is not touched for a long time.
Thanks very much for your reporting, and it's this kind of feedback that
let us know what things we need to improve.

Best regards,
Rhett Gong [MSFT]
Rhett Gong [MSFT]
2005-03-21 02:13:21 UTC
And if you have more concerns or feel there is anything more I can assist
you, please feel free to let me know.

Best regards,
Rhett Gong [MSFT]