7

I'm writing an application that needs to create a special user account hidden from login screens and the Control Panel users applet. By writing a DWORD value of 0 with the user name to the registry key below, I'm able to accomplish this goal:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

The problem is that under Windows 7 with UAC on, no matter what I try, I cannot programmatically write a value to the key above.

It is my understanding that writing to certain keys is not allowed on Windows 7 with UAC on, unless you are running with Administrative privileges. I've added an application manifest with `requestedExecutionLevel level="requireAdministrator" uiAccess="false"`, I accept the UAC prompt when my program is run, my account is a member of Administrators, yet I am still unable to write to the above registry key.

What more do I need to do? How is it possible, in any application configuration, to write keys and values under HKEY_LOCAL_MACHINE\SOFTWARE?

Further information ... When my program runs, no errors are thrown and it seems to write values. My guess is that Windows is virtualizing the location to which I am writing. I need to write to the actual location, not a virtual one, if I am to hide this special user account.

Picrofo Software
sysrpl
  • They probably are trying to prevent exactly what you're trying to do. A hidden account written by malware would be bad, for instance. – asawyer Feb 09 '11 at 21:03
  • Yet this applies to everything under HKEY_LOCAL_MACHINE\SOFTWARE, not just the specific key I mentioned. Oh, and you can still hide the account by using regedit, or see it using computer management/users. – sysrpl Feb 09 '11 at 21:06
  • Sorry, it was just an off-the-cuff comment. If I had a good answer for you I'd have used the other box. I'm also very interested in what's actually going on here. – asawyer Feb 09 '11 at 21:08
  • Maybe it's not the only place that needs to be changed? 'cause as stated it would be too easy for malware software. – Ilya Dvorovoy Feb 09 '11 at 21:10
  • I swear I've read something like this on Raymond Chen's blog. – asawyer Feb 09 '11 at 21:20
  • You could provide a link then .) It's really interesting, but a quick search on this key leads not to "create a special user account hidden from login screens" but rather to hide/show already created accounts. I've just tried with regedit and added the value, but no users created... only a lonely value. – Ilya Dvorovoy Feb 09 '11 at 21:25

4 Answers

17

Probably the program runs as a 32-bit program on the 64-bit operating system? In that case I recommend you search for the values which you created under the Wow6432Node subkey of HKEY_LOCAL_MACHINE\SOFTWARE.

You can read more about this kind of virtualization here. You can use the `KEY_WOW64_32KEY` flag in some APIs to be able to work with the full registry without virtualization.

Oleg
  • Right, I had already figured out values were being written under Wow6432Node. The problem is, the user hiding code on Windows doesn't see keys under that location. See http://social.answers.microsoft.com/Forums/en-SG/w7security/thread/e4d1c727-a0b3-4ce8-b95e-7f113b576ee6 and http://community.kaseya.com/xsp/f/21/p/223/646.aspx ... The first link was marked as solved through a private fix by InstallShield, and as such the fix isn't redistributed openly. – sysrpl Feb 09 '11 at 22:24
  • @sysrpl: The problem can be easily solved if you use the additional `KEY_WOW64_32KEY` flag in `RegCreateKeyEx` or `RegOpenKeyEx`. Then you can use the `HKEY` handle to access any part of the registry. I use the trick without any problem. If you need, I could post a small C example which demonstrates it. – Oleg Feb 09 '11 at 22:34
  • @sysrpl: Do you need to create the registry key inside of setup? – Oleg Feb 09 '11 at 22:36
  • Okay, I had to "or" `KEY_WOW64_64KEY` in `RegCreateKeyEx` and `RegOpenKeyEx` to get it to work. Thanks. – sysrpl Feb 09 '11 at 22:40
  • You can find C# code which shows how to access it here: http://stackoverflow.com/a/13232372/1016343 – Matt Nov 28 '12 at 11:14
  • @Matt: I agree that, starting with .NET 4.0, one can use an explicit 64-bit view or 32-bit view on the registry without needing to use P/Invoke (marshaling to native). – Oleg Nov 28 '12 at 11:24
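
An added example (not code from any poster on this page): a read-only C# audit that lists the accounts marked hidden (DWORD 0) under the `SpecialAccounts\UserList` key in both registry views, using the .NET 4.0 `RegistryKey.OpenBaseKey` / `RegistryView` API mentioned in the comments above. The class and method names are illustrative; entries that show up only in the 32-bit view sit under `Wow6432Node`, which is where the question's 32-bit writes landed.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Win32;

static class HiddenAccountAudit   // illustrative name, not from the page
{
    // Key from the question: a DWORD 0 value named after an account hides it.
    const string UserListPath =
        @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList";

    // Return the account names whose value is DWORD 0 in the given registry view.
    static List<string> HiddenAccounts(RegistryView view)
    {
        var hidden = new List<string>();
        using (var hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
        using (var key = hklm.OpenSubKey(UserListPath, false)) // false = read-only
        {
            if (key == null) return hidden; // key does not exist in this view
            foreach (string name in key.GetValueNames())
            {
                if (key.GetValueKind(name) == RegistryValueKind.DWord &&
                    (int)key.GetValue(name) == 0)
                {
                    hidden.Add(name);
                }
            }
        }
        return hidden;
    }

    static void Main()
    {
        Console.WriteLine("Process is {0}-bit on a {1}-bit OS",
            Environment.Is64BitProcess ? 64 : 32,
            Environment.Is64BitOperatingSystem ? 64 : 32);

        // Explicit 64-bit view: the same result regardless of process bitness.
        foreach (string n in HiddenAccounts(RegistryView.Registry64))
            Console.WriteLine("64-bit view: {0}", n);

        // Explicit 32-bit view: Wow6432Node on 64-bit Windows.
        foreach (string n in HiddenAccounts(RegistryView.Registry32))
            Console.WriteLine("32-bit view: {0}", n);
    }
}
```

Comparing the output with the accounts shown in Computer Management reveals any account that is hidden from the logon screen, and any entry that a 32-bit program left in the redirected view.
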
1

Write Value to Registry

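```csharp
using System;
using System.Security.AccessControl;
using Microsoft.Win32;

// Deny rule (WriteKey, ChangePermissions) for the current user, applied when the key is created.
string user = Environment.UserDomainName + "\\" + Environment.UserName;

RegistrySecurity rs = new RegistrySecurity();

rs.AddAccessRule(new RegistryAccessRule(user,
    RegistryRights.WriteKey | RegistryRights.ChangePermissions,
    InheritanceFlags.None, PropagationFlags.None, AccessControlType.Deny));

RegistryKey rk = null;
try
{
  // Create (or open) HKCU\SOFTWARE\TEST and write two string values.
  rk = Registry.CurrentUser.CreateSubKey("SOFTWARE\\TEST",
                                   RegistryKeyPermissionCheck.Default, rs);
  rk.SetValue("NAME", "IROSH");
  rk.SetValue("FROM", "SRI LANKA");
}
finally
{
  // Release the key handle even if a write fails.
  if (rk != null) rk.Close();
}
```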
McDowell
0

This could have something to do with the redirection they added in Vista. I would be curious if you tried to read that registry value from your code, if you would get back the value you were expecting. You may also want to fire up RegMon to see if you can see where the redirection may be forcing you.

John Koerner
-1
```csharp
RegistryKey rk = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", true);
rk.SetValue("Name", "Value");
```