Discussion:
SetNamedSecurityInfo: How to set security on 64-bit keys?
(too old to reply)
Jordan Russell
2005-02-10 06:49:07 UTC
Permalink
Hi,

I can't seem to figure out how to set the security on a 64-bit key from
a 32-bit application (running on WOW64).

Unless I'm missing something, the SE_OBJECT_TYPE type includes only two
object types related to the registry:

SE_REGISTRY_KEY
SE_REGISTRY_WOW64_32KEY

Both of these map to the 32-bit view of the registry in my tests.

Why is there no "SE_REGISTRY_WOW64_64KEY" object type?

Is one planned, or is there some other way to convince the function to
set a 64-bit key?

Thanks,

Jordan Russell
OShah
2005-02-13 17:21:58 UTC
Permalink
Post by Jordan Russell
Hi,
I can't seem to figure out how to set the security on a 64-bit key from
a 32-bit application (running on WOW64).
Unless I'm missing something, the SE_OBJECT_TYPE type includes only two
SE_REGISTRY_KEY
SE_REGISTRY_WOW64_32KEY
Both of these map to the 32-bit view of the registry in my tests.
Why is there no "SE_REGISTRY_WOW64_64KEY" object type?
Is one planned, or is there some other way to convince the function to
set a 64-bit key?
Thanks,
Jordan Russell
SetNamedSecurityInfo() has a bit more limited application as to what
objects it can secure compared with the rest of the security APIs. A
couple of workarounds, (but you've probably already thought of them):

-Use SetSecurityInfo (or SetKernelObjectSecurity/RegSetKeySecurity)
instead.
If you can't open up the HKEY with WRITE_DAC | WRITE_OWNER rights, then
you won't be able to set the security anyway.

All SetNamedSecurityInfo does is open the objects (using the Native
functions; more likely to bypass security), and then calls setsecurityinfo
on it.


-Get a 64 bit application to set the registry. (this will require you to
ship a separate application with your executable).


BTW, Cool piece of software, Inno Setup.
--
------------------------------------------------------------------------
oshah [shexec32]
Control Panel -> System -> Advanced -> Error Reporting -> Choose Programs
-> Do not report errors for these programs:

Acrobat.exe
waol.exe

------------------------------------------------------------------------
Jordan Russell
2005-02-13 21:18:04 UTC
Permalink
Post by OShah
-Use SetSecurityInfo
Sadly, SetSecurityInfo doesn't work either. Even when I pass
SetSecurityInfo a 64-bit key handle (obtained via RegOpenKeyEx &
KEY_WOW64_64KEY), the function sets the security on the key of the same
name in the 32-bit view.

Debugging SetSecurityInfo reveals that it opens a new handle to the key
that is passed in (RegOpenKeyEx(key, NULL, ...)), presumably to attain
the necessary access rights. Trouble is, if you open a new handle to a
64-bit key without specifying the KEY_WOW64_64KEY flag again, you get
back a handle to the 32-bit view as mentioned here:

http://blogs.msdn.com/junfeng/archive/2004/04/05/107433.aspx
Post by OShah
(or SetKernelObjectSecurity/RegSetKeySecurity)
RegSetKeySecurity would probably work, but then I'd have to reinvent the
wheel and handle inheritance propogation etc. myself.
Post by OShah
-Get a 64 bit application to set the registry. (this will require you to
ship a separate application with your executable).
Kind of seems like that's my only option. :-(
Post by OShah
BTW, Cool piece of software, Inno Setup.
Thanks. I'm actually in the process of retrofitting 64-bit key support
into Inno Setup, and this is the only obstacle I've encountered.
--
Jordan Russell
Loading...