Can someone help me? I have developed a console app which is used to create my own registry keys inside HKLM and then modifies the access rights on this key in order to allow every user's NT account to read/write to this key.

In app.manifest I have this statement to force administrator rights to run it:

<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />

On Windows 7 64-bit everything works fine; the problem was detected on Windows 10 64-bit: the app creates the registry keys as expected, but when it tries to modify its access rules, it fails.

My code for modifying the access rules for key:

private static bool SetFullAccessForKey(string regKey)
{
    try
    {
        // Well-known "Everyone" SID (S-1-1-0), translated to its account name
        SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
        NTAccount account = sid.Translate(typeof(NTAccount)) as NTAccount;

        using (RegistryKey rk = Registry.LocalMachine.OpenSubKey(regKey, RegistryKeyPermissionCheck.ReadWriteSubTree))
        {
            RegistrySecurity rs = rk.GetAccessControl();

            RegistryAccessRule rar = new RegistryAccessRule(
                account.ToString(),
                RegistryRights.FullControl,
                InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                PropagationFlags.None,
                AccessControlType.Allow);

            // Throws InvalidOperationException when the key's existing DACL is not canonical
            rs.AddAccessRule(rar);
            rk.SetAccessControl(rs);
        }
        return true;
    }
    catch
    {
        // Any failure, including the exception above, is reported only as false
        return false;
    }
}

Can someone please help me here, what could be wrong here? As I said, on Windows 7 64 everything works as expected.

Thanks for help!

EDITED 04-01-2017: some more details about the exception that I am getting when SetFullAccessForKey(...) is executed:

System.InvalidOperationException: This access control list is not in canonical form and therefore cannot be modified.
at System.Security.AccessControl.CommonAcl.ThrowIfNotCanonical()
at System.Security.AccessControl.CommonAcl.AddQualifiedAce(SecurityIdentifier sid, AceQualifier qualifier, Int32 accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
at System.Security.AccessControl.DiscretionaryAcl.AddAccess(AccessControlType accessType, SecurityIdentifier sid, Int32 accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags)
at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified)
at System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(AccessRule rule)
at System.Security.AccessControl.RegistrySecurity.AddAccessRule(RegistryAccessRule rule)
at regconfigtest.RegistryTools.SetFullAccessForKey(String regKey)

Thanks for any help with this one!

pitersmx
  • Fails as in an exception is thrown? What exception do you get? (It'll be more helpful to do `catch (Exception ex)` instead of just `catch`) – Broots Waymb Jan 03 '17 at 17:15
  • Hi, at the moment I am not able to say exactly where and what kind of exception is thrown because I wasn't able to modify and test the code on Windows 10 myself - I just received feedback from a customer. I will do such tests tomorrow and I will post the results. – pitersmx Jan 03 '17 at 17:24
  • @DangerZone, I have edited the question - I have added the exact exception that is thrown. Thanks for any suggestions! – pitersmx Jan 04 '17 at 06:34
  • Probably this might be the solution for me: http://stackoverflow.com/questions/8126827/how-do-you-programmatically-fix-a-non-canonical-acl I will test it and give you feedback. – pitersmx Jan 04 '17 at 06:39

1 Answer

I can confirm that the solution presented here:

How do you programmatically fix a non-canonical ACL?

has fixed my issue! Now it works fine on all: Win7, Win8 and Win10.

pitersmx
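The fix the answer refers to is to put the key's DACL into canonical order before calling AddAccessRule. The following is an added example, not code from the original post or from the linked answer: it reorders a constructed non-canonical DACL and then adds a rule. The class name `AclCanonicalizer`, the sample SDDL string, and the choice to grant Everyone `ReadKey | WriteKey` by SID (the read/write the question asks for) rather than `FullControl` are assumptions of this example.

```csharp
using System;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

static class AclCanonicalizer
{
    // Canonical DACL order: explicit deny, explicit allow, then inherited ACEs.
    static int Rank(GenericAce ace)
    {
        if ((ace.AceFlags & AceFlags.Inherited) != 0) return 2;
        bool deny = ace.AceType == AceType.AccessDenied || ace.AceType == AceType.AccessDeniedObject;
        return deny ? 0 : 1;
    }

    public static void Canonicalize(ObjectSecurity security)
    {
        if (security.AreAccessRulesCanonical) return;
        var sd = new RawSecurityDescriptor(
            security.GetSecurityDescriptorSddlForm(AccessControlSections.Access));
        RawAcl old = sd.DiscretionaryAcl;
        var sorted = new RawAcl(old.Revision, old.Count);
        int i = 0;
        // OrderBy is stable: ACEs keep their relative order inside each group,
        // so inherited ACEs stay in the order they were inherited.
        foreach (GenericAce ace in old.Cast<GenericAce>().OrderBy(a => Rank(a)))
            sorted.InsertAce(i++, ace);
        sd.DiscretionaryAcl = sorted;
        security.SetSecurityDescriptorSddlForm(
            sd.GetSddlForm(AccessControlSections.Access), AccessControlSections.Access);
    }

    static void Main()
    {
        // Constructed sample: explicit allow (Administrators) placed before explicit deny (Guests).
        var rs = new RegistrySecurity();
        rs.SetSecurityDescriptorSddlForm("D:(A;;KA;;;BA)(D;;KA;;;BG)", AccessControlSections.Access);
        Console.WriteLine("Canonical before: " + rs.AreAccessRulesCanonical);
        Canonicalize(rs);
        Console.WriteLine("Canonical after:  " + rs.AreAccessRulesCanonical);
        // Assumption: read/write for Everyone, identified by SID, instead of FullControl.
        rs.AddAccessRule(new RegistryAccessRule(
            new SecurityIdentifier(WellKnownSidType.WorldSid, null),
            RegistryRights.ReadKey | RegistryRights.WriteKey,
            InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow));
        Console.WriteLine(rs.GetSecurityDescriptorSddlForm(AccessControlSections.Access));
    }
}
```

Against a real key, call `Canonicalize(rs)` on the `RegistrySecurity` returned by `rk.GetAccessControl()` before `AddAccessRule`, then persist it with `rk.SetAccessControl(rs)`.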