9 Replies - 1507 Views - Last Post: 16 May 2012 - 11:35 AM

#1 chipicau

Set registry owner

Posted 15 May 2012 - 10:50 AM

Hello, I have been a dreamincode.net follower for some weeks and I truly like it here, but I only took the time to register today, because I didn't find the answer anywhere.
I've read the rules, and I realize that I have to post some code so I can be returned with a "good version" of it concerning my problems. I truly agree with this rule.

I am developing a VB.NET application that is supposed to block the computer until the subject enters the correct password. It's not any malware or any kind of mean application, at least in my view, and it's only for me and a friend of mine whose youngest brother keeps changing things in his PC when he is not home.

My application works well; it is fullscreen, keeps the property TopMost true and blocks mouse input. But then there's a problem, where the subject could bring up the Windows Security Screen by pressing CTRL+ALT+DEL, open Task Manager and kill the process, so it would defeat the whole purpose of the application. So my application changes some registry keys that disable the various options you can select in the Windows Security Screen.
Apart from that, everything works well, except that when I tested it in the virtual machine that I use to test my applications, it gave me an error saying that I couldn't change registry key permissions. So I double-checked, only to find out I was not the owner of the registry key, so I had to make myself the owner manually and then it worked. The problem is that I need a way to do it programmatically, because applications cannot change the registry values if they don't have permission and they can't change the permissions if their owner is not the current user. I have researched for hours and haven't found anything about changing a registry key's owner, so I registered here to see if I could get some help.

Here's the code I am using:


    Private Declare Sub AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As System.IntPtr, ByVal DisableAllPrivileges As Boolean, ByRef NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Integer, ByVal PreviousState As System.IntPtr, ByVal ReturnLength As System.IntPtr)
    Private Declare Sub LookupAccountNameA Lib "advapi32.dll" (ByVal lpSystemName As String, ByVal lpAccountName As String, ByVal Sid As System.IntPtr, ByRef cbSid As Integer, ByVal lpReferencedDomainName As String, ByRef cchReferencedDomainName As Integer, ByRef peUse As Integer)
    Private Declare Sub SetNamedSecurityInfoA Lib "advapi32.dll" (ByVal pObjectName As String, ByVal ObjectType As Integer, ByVal SecurityInfo As Integer, ByVal psidOwner As System.IntPtr, ByVal psidGroup As System.IntPtr, ByVal pDacl As System.IntPtr, ByVal pSacl As System.IntPtr)

    <System.Runtime.InteropServices.StructLayout(System.Runtime.InteropServices.LayoutKind.Sequential, Pack:=4)>
    Private Structure LUID_AND_ATTRIBUTES
        Dim luid As Integer
        Dim attributes As Integer
    End Structure

    <System.Runtime.InteropServices.StructLayout(System.Runtime.InteropServices.LayoutKind.Sequential, Pack:=4)>
    Private Structure TOKEN_PRIVILEGES
        Dim privilegeCount As Integer
        Dim privilege1 As LUID_AND_ATTRIBUTES
        Dim privilege2 As LUID_AND_ATTRIBUTES
    End Structure

    Dim pNewOwner As System.IntPtr = System.Runtime.InteropServices.Marshal.AllocHGlobal(32)

    Private Sub Apply_Registry_Fixes()

        Dim tp As New TOKEN_PRIVILEGES
        tp.privilegeCount = 2
        tp.privilege1.luid = 9 'SE_RESTORE_PRIVILEGE
        tp.privilege1.attributes = 2
        tp.privilege2.luid = 18 'SE_TAKEOWNERSHIP_PRIVILEGE
        tp.privilege2.attributes = 2
        Dim hToken As System.IntPtr = System.Security.Principal.WindowsIdentity.GetCurrent(System.Security.Principal.TokenAccessLevels.AdjustPrivileges Or System.Security.Principal.TokenAccessLevels.Query).Token
        AdjustTokenPrivileges(hToken, Nothing, tp, Nothing, Nothing, Nothing)
        LookupAccountNameA(Nothing, My.User.Name, pNewOwner, 32, Space(64), 64, Nothing)

        SetNamedSecurityInfoA(Microsoft.Win32.Registry.CurrentUser.Name & "\Software\Microsoft\Windows\CurrentVersion\Policies\System", 1, 1, pNewOwner, Nothing, Nothing, Nothing) 'this works for files but not for registry keys :(
        Dim proc As New System.Diagnostics.Process
        proc.StartInfo.FileName = System.Environment.SystemDirectory & "\regini.exe"
        proc.StartInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden
        Dim temp_file As New System.IO.FileInfo(System.Environment.SystemDirectory.Substring(0, 3) & "test.tmp")
        System.IO.File.WriteAllText(temp_file.FullName, Microsoft.Win32.Registry.CurrentUser.Name & "\Software\Microsoft\Windows\CurrentVersion\Policies\System [1]")
        proc.StartInfo.Arguments = temp_file.FullName
        proc.Start()
        Do Until proc.HasExited
        Loop
        temp_file.Delete()
        Dim reg_key As Microsoft.Win32.RegistryKey = Microsoft.Win32.Registry.CurrentUser.CreateSubKey("Software\Microsoft\Windows\CurrentVersion\Policies\System")
        reg_key.SetValue("DisableLockWorkstation", 1)
        reg_key.SetValue("DisableChangePassword", 1)
        reg_key.SetValue("DisableTaskMgr", 1)
           
    End Sub



Thanks in advance.

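The key and the three Disable* values named in the post can be inspected without changing anything. The following read-only audit is an added example, not code from the thread; it reports the values, the key's owner and the accounts whose ACEs grant SetValue, and the function name Get-LockdownPolicyReport is hypothetical.

```powershell
# Added example: read-only audit of the policy key and values named in the post above.
# Get-LockdownPolicyReport is a hypothetical helper name; nothing here writes to the registry.
function Get-LockdownPolicyReport {
    param(
        [string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        [string[]]$Names = @('DisableLockWorkstation', 'DisableChangePassword', 'DisableTaskMgr')
    )

    if (-not (Test-Path -Path $Path)) {
        # No key means none of these restrictions are configured for this user.
        return [pscustomobject]@{ Path = $Path; Exists = $false; Owner = $null; Values = @(); Writers = @() }
    }

    $key = Get-Item -Path $Path   # Microsoft.Win32.RegistryKey
    $acl = Get-Acl -Path $Path    # RegistrySecurity: owner plus DACL

    # A value counts as restricting only when it is present and set to 1.
    $values = foreach ($name in $Names) {
        $data = $key.GetValue($name, $null)
        [pscustomobject]@{ Name = $name; Data = $data; Restricting = ($data -eq 1) }
    }

    # Accounts whose allow ACEs explicitly include SetValue can add or flip these values.
    # ACEs expressed only as generic rights are not expanded here.
    $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
    $writers = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $setValue) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        Path    = $Path
        Exists  = $true
        Owner   = $acl.Owner
        Values  = @($values)
        Writers = @($writers)
    }
}

$report = Get-LockdownPolicyReport
$report | Format-List Path, Exists, Owner
$report.Values | Format-Table Name, Data, Restricting
"Accounts with SetValue on the key: $($report.Writers -join ', ')"
```

Run it in the session of the account being checked, since HKCU resolves to the hive of whoever runs the script.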

Replies To: Set registry owner

#2 modi123_1

Posted 15 May 2012 - 10:59 AM

Quote

and it's only for me and a friend of mine whose youngest brother keeps changing things in his pc when he is not home.

As a side statement - this might be a good chance to learn how active management of a machine works! User accounts, specialized and restricted privileges, and the like are easily set up and maintained. Certainly the programming aspect is fun, but it might be well to know how to run management of a box as well.

Example:

https://www.pcworld...._windows_7.html

#3 chipicau

Posted 15 May 2012 - 11:02 AM

Thank you for the quick reply, but the problem is that the computer's owner is my friend, and his brother shouldn't be in it at any time, but he does manage to if my friend leaves the computer on downloading a game or something. :/
Besides, I'd really like to understand more about registry key ownership, because I already understand file permissions and security.

#4 modi123_1

Posted 15 May 2012 - 11:11 AM

Quote

Thank you for the quick reply, but the problem is that the computer's owner is my friend, and his brother shouldn't be in it at any time, but he does manage to if my friend leaves the computer on downloading a game or something. :/

Heh.. see right here's a great opportunity to learn some box management.. you do know if you throw a password requirement and you get up to walk away while something is downloading - locking the box (windows_key + L) doesn't stop the download AND it prevents unauthorized access? Shazzam!



Quote

Besides, I'd really like to understand more about registry key ownership, because I already understand file permissions and security.

Quite.. wandering in and out of the registry settings on a loose and regular basis is a bad idea.

Not to mention circumventing the UAC like that is not wise..

#5 chipicau

Posted 15 May 2012 - 11:16 AM

Honestly, I never remembered that, but now that I have pressed those keys I remembered that he doesn't use a password and it would be quite inconvenient for him to set up a password and give it to his mum/dad whenever they needed to use the computer.

As you said, programming is fun, and I certainly enjoy challenges, and normally I am able to either do it for myself or research around the web and find out answers but I haven't been able to do the same now.

#6 BobRodes

Posted 15 May 2012 - 11:38 AM

Well, it's a question of whether it's more convenient to give the password to his parents, or more convenient to let his little brother have the run of the machine. Perhaps another way to go about it is to give each person their own account, and let them do what they want with them. That's the more normal way to go about things. Little brother can play all he wants to (except he is denied admin privileges) under his own username. Same with mum and dad. Friend is the administrator.

#7 modi123_1

Posted 15 May 2012 - 11:42 AM

Quote

Honestly, I never remembered that, but now that I have pressed those keys I remembered that he doesn't use a password and it would be quite inconvenient for him to set up a password and give it to his mum/dad whenever they needed to use the computer.

Oh joy - the education train continues to roll on!

I figured he didn't have a password - which is a crazy bad practice, let alone your assumption about how he would share *HIS* password with other people. Rule number two of box management - use accounts! Everyone gets an account, their crap is limited to their areas, and hopefully if they muck up anything it is contained to their corner! Depending on the OS environment and version you might be able to set up said user accounts with no passwords.. so they just click and continue in.. but they have all their docs, links, music, history, etc. in their space.

#8 chipicau

Posted 15 May 2012 - 01:15 PM

Thank you very much for your help. So I have talked to him and convinced him to create multiple user accounts for his family, but he was kind of unhappy that I couldn't achieve it programmatically, but thanks nonetheless.

#9 BobRodes

Posted 16 May 2012 - 06:46 AM

Well, it's his own lack of experience that makes him unhappy about that. A caveman might be quite unhappy if you show him how to use a stove instead of helping him to build a fire in the middle of the living room floor to cook with as he wants you to do.

In other words, you COULD achieve it programmatically, but as everyone here says it's a dumb idea. If he persists in being unhappy, show him this thread, and we'll be glad to help him understand better why it's a dumb idea. Then he might start getting happy that someone is out there watching his back.


#10 torind_2000

Posted 16 May 2012 - 11:35 AM

chipicau, on 15 May 2012 - 10:50 AM, said:

I am developing a VB.NET application that is supposed to block the computer until the subject enters the correct password.

Windows does this inherently.

Quote

Honestly, I never remembered that, but now that I have pressed those keys I remembered that he doesn't use a password and it would be quite inconvenient for him to set up a password and give it to his mum/dad whenever they needed to use the computer.

Wait, what? Isn't your "friend" asking you to create a password program?

Quote

Thank you very much for your help. So I have talked to him and convinced him to create multiple user accounts for his family, but he was kind of unhappy that I couldn't achieve it programmatically, but thanks nonetheless.

/facepalm. He's mad he had to do something that Windows already does and not use a cool "app for that"? lawl.