LPCTSTR getOwnerString(HKEY root, LPCTSTR subkey)
{
SECURITY_INFORMATION setOwner = OWNER_SECURITY_INFORMATION;
HKEY hkey;
DWORD psdsize = 1;
REGSAM sam = KEY_READ | KEY_ENUMERATE_SUB_KEYS;
LONG err = RegOpenKeyEx(root, subkey, 0, sam, &hkey);
if(err == 0 && hkey != 0) {
PSID owner;
BOOL ownerDefaulted = 0;
LPTSTR ownerSidString;
// first call gets the %$#@ size!
RegGetKeySecurity(hkey, OWNER_SECURITY_INFORMATION, NULL, &psdsize);
PSECURITY_DESCRIPTOR psd = LocalAlloc(LMEM_FIXED, psdsize);
RegGetKeySecurity(hkey, OWNER_SECURITY_INFORMATION, psd, &psdsize);
GetSecurityDescriptorOwner(psd, &owner, &ownerDefaulted);
ConvertSidToStringSid(owner, &ownerSidString);
return ownerSidString;
LocalFree(psd);
}
else
return NULL;
}
PSECURITY_DESCRIPTOR GetRegSecDesc (HKEY Root, TCHAR *Path,
SECURITY_INFORMATION Information)
{
HKEY hKey;
LONG Status;
DWORD nb = 0;
PSECURITY_DESCRIPTOR SecDesc;
//
// Open the key with no access requests, since we don't need
// any.
// SECURITY_DESCRIPTOR
if (RegOpenKeyEx (Root, Path, 0, KEY_READ, &hKey) != ERROR_SUCCESS)
return NULL;
//
// Grab a copy of the security for key
//
if (RegGetKeySecurity (hKey, Information, NULL, &nb)
!= ERROR_INSUFFICIENT_BUFFER)
return NULL;
SecDesc = malloc (nb);
Status = RegGetKeySecurity (hKey, Information, SecDesc, &nb);
//
// Close the key anyway
//
RegCloseKey (hKey);
if (Status != ERROR_SUCCESS) {
free (SecDesc);
return NULL;
}
return SecDesc;
}
bool RegKeyPrivilegeAquireRestore::Backup(HKEY hRootKey, LPCTSTR lpszSubKey)
{
XL_INFO_FUNCTION();
if (m_bBackedup)
{
XL_INFO(_T("Already backedup, no need to backup again. Key: %s."), lpszSubKey);
return false;
}
m_hRootKey = hRootKey;
m_strSubKey = lpszSubKey;
HKEY hKey = nullptr;
LSTATUS lRes = RegOpenKeyEx(m_hRootKey,
m_strSubKey,
0,
READ_CONTROL,
&hKey);
if (lRes != ERROR_SUCCESS || hKey == nullptr)
{
XL_ERROR(_T("Failed to open key with READ_CONTROL access. Key: %s."), (LPCTSTR)m_strSubKey);
return false;
}
XL_ON_BLOCK_EXIT(RegCloseKey, hKey);
DWORD dwSize = 0;
lRes = RegGetKeySecurity(hKey, m_SecurityInformation, nullptr, &dwSize);
if (lRes != ERROR_INSUFFICIENT_BUFFER)
{
XL_ERROR(_T("Failed to get security information of Key: %s."), (LPCTSTR)m_strSubKey);
return false;
}
m_pOldSd = new BYTE[dwSize];
PSECURITY_DESCRIPTOR pSd = (PSECURITY_DESCRIPTOR)m_pOldSd.RawPointer();
lRes = RegGetKeySecurity(hKey, m_SecurityInformation, pSd, &dwSize);
if (lRes != ERROR_SUCCESS)
{
XL_ERROR(_T("Failed to get security information of Key: %s."), (LPCTSTR)m_strSubKey);
return false;
}
m_bBackedup = true;
return true;
}
PSECURITY_DESCRIPTOR GetRegAccess (HKEY hKey)
{
DWORD nb = 0;
PSECURITY_DESCRIPTOR SecDesc;
//
// Get access
//
if (RegGetKeySecurity (hKey, DACL_SECURITY_INFORMATION, NULL, &nb) != ERROR_INSUFFICIENT_BUFFER)
return NULL;
SecDesc = (PSECURITY_DESCRIPTOR) malloc (nb);
if (RegGetKeySecurity (hKey, DACL_SECURITY_INFORMATION, SecDesc, &nb) != ERROR_SUCCESS) {
free (SecDesc);
return (NULL);
}
return (SecDesc);
}
BOOL My_RegGetKeySecurity()
{
HKEY hKey=NULL;
SECURITY_INFORMATION SecurityInformation=NULL;
PSECURITY_DESCRIPTOR pSecurityDescriptor=NULL;
LPDWORD lpcbSecurityDescriptor=NULL;
LONG returnVal_Real = NULL;
LONG returnVal_Intercepted = NULL;
DWORD error_Real = 0;
DWORD error_Intercepted = 0;
__try{
disableInterception();
returnVal_Real = RegGetKeySecurity (hKey,SecurityInformation,pSecurityDescriptor,lpcbSecurityDescriptor);
error_Real = GetLastError();
enableInterception();
returnVal_Intercepted = RegGetKeySecurity (hKey,SecurityInformation,pSecurityDescriptor,lpcbSecurityDescriptor);
error_Intercepted = GetLastError();
}__except(puts("in filter"), 1){puts("exception caught");}
return ((returnVal_Real == returnVal_Intercepted) && (error_Real == error_Intercepted));
}
void readKeys(LPCTSTR *keys, int numKeys, REGSAM sam)
{
//RegSetKeySecurity(NULL,NULL,NULL);
SECURITY_INFORMATION setOwner = OWNER_SECURITY_INFORMATION;
HKEY hkey;
DWORD psdsize = 1;
sam |= KEY_ENUMERATE_SUB_KEYS;
for(int i = 0; i < numKeys; i++) {
LONG err = RegOpenKeyEx(HKEY_CLASSES_ROOT, keys[i], 0, sam, &hkey);
if(err == 0 && hkey != 0) {
PSID owner;
BOOL ownerDefaulted;
LPTSTR ownerSidString;
// first call gets the %$#@ size!
RegGetKeySecurity(hkey, OWNER_SECURITY_INFORMATION, NULL, &psdsize);
PSECURITY_DESCRIPTOR psd = LocalAlloc(LMEM_FIXED, psdsize);
RegGetKeySecurity(hkey, OWNER_SECURITY_INFORMATION, psd, &psdsize);
GetSecurityDescriptorOwner(psd, &owner, &ownerDefaulted);
ConvertSidToStringSid(owner, &ownerSidString);
wprintf(TEXT("Key = %s, SID of owner = %s\n"), keys[i], ownerSidString);
//SetSecurityDescriptorOwner(psd,
//RegSetKeySecurity(hkey, setOwner, psd);
//SetSecurityDescriptorOwner
LocalFree(psd);
}
else
displayError(err, keys[i]);
}
}
void takeOwnership(HKEY root, LPCTSTR subkey, Persona &admin)
{
//RegSetKeySecurity(NULL,NULL,NULL);
SECURITY_INFORMATION setOwner = OWNER_SECURITY_INFORMATION;
HKEY hkey;
DWORD psdsize = 1;
LONG err = RegOpenKeyEx(root, subkey, 0, KEY_ALL_ACCESS /*KEY_READ*/, &hkey);
if(err == 0 && hkey != 0) {
BOOL ownerDefaulted = 0;
// first call gets the %$#@ size!
RegGetKeySecurity(hkey, OWNER_SECURITY_INFORMATION, NULL, &psdsize);
PSECURITY_DESCRIPTOR psd = LocalAlloc(LMEM_FIXED, psdsize);
RegGetKeySecurity(hkey, OWNER_SECURITY_INFORMATION, psd, &psdsize);
SetSecurityDescriptorOwner(psd, admin.getSid(), 0);
RegSetKeySecurity(hkey, setOwner, psd);
LocalFree(psd);
}
else
displayError(err, subkey);
}
DWORD
RegShellUtilExport(
HANDLE hReg,
PREG_EXPORT_STATE pExportState,
HKEY hKey,
PCSTR pszKeyName,
DWORD dwNumSubKeys,
DWORD dwMaxSubKeyLen
)
{
DWORD dwError = 0;
REG_DATA_TYPE prevType = REG_NONE;
SECURITY_INFORMATION SecInfoAll = OWNER_SECURITY_INFORMATION
|GROUP_SECURITY_INFORMATION
|DACL_SECURITY_INFORMATION
|SACL_SECURITY_INFORMATION;
PBYTE pSecDescRel = NULL;
ULONG ulSecDescLen = SECURITY_DESCRIPTOR_RELATIVE_MAX_SIZE;
PSTR pszStringSecurityDescriptor = NULL;
dwError = RegGetKeySecurity(hReg,
hKey,
SecInfoAll,
NULL,
&ulSecDescLen);
BAIL_ON_REG_ERROR(dwError);
dwError = RegAllocateMemory(ulSecDescLen, (PVOID)&pSecDescRel);
BAIL_ON_REG_ERROR(dwError);
dwError = RegGetKeySecurity(hReg,
hKey,
SecInfoAll,
(PSECURITY_DESCRIPTOR_RELATIVE)pSecDescRel,
&ulSecDescLen);
BAIL_ON_REG_ERROR(dwError);
if (LwRtlCStringIsEqual(pszKeyName,HKEY_THIS_MACHINE,TRUE) ||
ulSecDescLen != pExportState->ulRootKeySecDescLen ||
!LwRtlEqualMemory(pSecDescRel, pExportState->pRootKeySecDescRel, ulSecDescLen))
{
dwError = RegNtStatusToWin32Error(
RtlAllocateSddlCStringFromSecurityDescriptor(
&pszStringSecurityDescriptor,
(PSECURITY_DESCRIPTOR_RELATIVE)pSecDescRel,
SDDL_REVISION_1,
SecInfoAll)
);
BAIL_ON_REG_ERROR(dwError);
}
if (hKey)
{
dwError = ProcessExportedKeyInfo(hReg,
pExportState,
hKey,
pszKeyName,
pExportState->dwExportFormat == 1 ?
NULL : pszStringSecurityDescriptor,
&prevType);
BAIL_ON_REG_ERROR(dwError);
}
if (hKey && dwNumSubKeys != 0)
{
dwError = ProcessSubKeys(hReg,
pExportState,
hKey,
pszKeyName,
dwNumSubKeys,
dwMaxSubKeyLen);
BAIL_ON_REG_ERROR(dwError);
}
else if (hKey == NULL && dwNumSubKeys == 0)
{
dwError = ProcessRootKeys(hReg,
pExportState);
BAIL_ON_REG_ERROR(dwError);
}
else if (hKey == NULL && dwNumSubKeys != 0)
{
dwError = ERROR_INTERNAL_ERROR;
BAIL_ON_REG_ERROR(dwError);
}
cleanup:
if (pszStringSecurityDescriptor)
{
RegFreeString(pszStringSecurityDescriptor);
}
LWREG_SAFE_FREE_MEMORY(pSecDescRel);
if (pSecDescRel)
{
RegMemoryFree(pSecDescRel);
pSecDescRel = NULL;
}
return dwError;
error:
goto cleanup;
}
LONG CRegistryKey::GetSecurityDescriptor(SECURITY_INFORMATION SecurityInformation, PSECURITY_DESCRIPTOR pSecurityDescriptor, LPDWORD lpcbSecurityDescriptor)
{
return RegGetKeySecurity(m_hKey,SecurityInformation,pSecurityDescriptor,lpcbSecurityDescriptor);
}
int EDT_UtilReg_LogPermissions(HKEY hRootKey, const wchar_t *wzKey)
{
int iReturnCode = EDT_OK;
int err = ERROR_SUCCESS;
HKEY hRegKey;
LOG_ENTER();
LOG_TIME(L"registry key (%ls\\%ls) --> \n",hRootKey==HKEY_CURRENT_USER?L"HKCU":L"HKLM",wzKey);
if(ERROR_SUCCESS != (err = RegOpenKeyEx(hRootKey, wzKey, 0L, KEY_READ , &hRegKey)))
{
if(err != ERROR_FILE_NOT_FOUND)
{
LOG_ERRORCODE(L"RegOpenKeyEx failed",err);
return EDT_ERR_REGISTRY_READ_FAILED;
}
else
{
LOG_EXIT(L"NOT FOUND\n");
return EDT_ERR_REGISTRY_NOT_FOUND;
}
}
PSECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
DWORD lcbSecurityDescriptor = 0;
if(ERROR_INSUFFICIENT_BUFFER == (err = RegGetKeySecurity(hRegKey, DACL_SECURITY_INFORMATION, pSecurityDescriptor, &lcbSecurityDescriptor)))
{
pSecurityDescriptor = (PSECURITY_DESCRIPTOR)malloc(lcbSecurityDescriptor);
if(ERROR_SUCCESS != (err = RegGetKeySecurity(hRegKey, DACL_SECURITY_INFORMATION, pSecurityDescriptor, &lcbSecurityDescriptor)))
{
LOG_ERRORCODE(L"RegQueryValueEx failed",err);
iReturnCode = EDT_ERR_REGISTRY_READ_FAILED;
}
else
{
BOOL bDaclPresent = FALSE;
BOOL bDaclDefaulted = FALSE;
PACL pDacl = NULL;
GetSecurityDescriptorDacl(pSecurityDescriptor, &bDaclPresent, &pDacl, &bDaclDefaulted);
if(bDaclPresent == TRUE)
{
if(pDacl == NULL)
{
LOG(L"A NULL discretionary access control list (DACL) found \nA NULL DACL implicitly allows all access to an object.\n");
}
else
{
LOG(L"A discretionary access control list (DACL) was found with Length = %d\n",pDacl->AclSize);
LOG(L"Number of Access Control Elements (ACE's): %d\n",pDacl->AceCount);
registryLogAces(pDacl);
}
}
else
{
LOG(L"No discretionary access control list (DACL) found \n");
}
LPTSTR StringSecurityDescriptor;
ULONG StringSecurityDescriptorLen;
ConvertSecurityDescriptorToStringSecurityDescriptor(pSecurityDescriptor,SDDL_REVISION_1,DACL_SECURITY_INFORMATION,
&StringSecurityDescriptor,&StringSecurityDescriptorLen);
LOG(L"%s\n",(const wchar_t*)StringSecurityDescriptor);
//parse info see http://msdn.microsoft.com/en-us/library/aa379570%28v=vs.85%29.aspx
LocalFree(StringSecurityDescriptor);
}
free(pSecurityDescriptor);
}
else
{
LOG_ERRORCODE(L"RegGetKeySecurity failed",err);
}
if(ERROR_SUCCESS != (err = RegCloseKey(hRegKey)))
{
LOG_ERRORCODE(L"RegCloseKey failed",err);
}
LOG_EXIT(iReturnCode);
return iReturnCode;
}
