After manually and programmatically assigning all the rights to IIS_User, why do I get the same SDDL string but different binary data in the registry?

  • Question

  • Please note that it is dangerous to execute the code below, because it modifies the registry.

    My code:

        using Microsoft.Win32;
        using System.Security.AccessControl;
        using System.Security.Principal;
        
        // ComAccessRights.IISUSERStr is the poster's own constant (not shown) naming the IIS user account
        var localSystem = new NTAccount(ComAccessRights.IISUSERStr).Translate(typeof(SecurityIdentifier)) as SecurityIdentifier;
        
        var value = Registry.GetValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole", "DefaultLaunchPermission", null); // b2
        
        CommonSecurityDescriptor cd = new CommonSecurityDescriptor(false, false, value as byte[], 0);
        
        string debugstr = "All:" + cd.GetSddlForm(AccessControlSections.All) + " Access:" + cd.GetSddlForm(AccessControlSections.Access); //debugstr[2]
        
        // Start from the DACL already present in the descriptor
        DiscretionaryAcl acl = cd.DiscretionaryAcl;
        acl.AddAccess(AccessControlType.Allow, localSystem, 31, InheritanceFlags.None, PropagationFlags.None);
        
        cd.DiscretionaryAcl = acl;
        
        debugstr = "All:" + cd.GetSddlForm(AccessControlSections.All) + " Access:" + cd.GetSddlForm(AccessControlSections.Access); //debugstr[1]
        
        // Buffer sized to the descriptor's binary form
        byte[] binaryform = new byte[cd.BinaryLength];
        cd.GetBinaryForm(binaryform, 0);
        
        Registry.SetValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole", "test", binaryform, RegistryValueKind.Binary); //b1 (save the data in a different key, so as to protect the OS)

    First, I do nothing except look at the registry, and I also check the configuration window to make sure that I did not assign any rights to IIS_USER before. Second, I execute the code above and obtain the SDDL strings from debugstr[2]; I also write down the binary data in the registry at that time (let's call it b1).

    After that step, I assign all the rights to IIS_User manually, and then execute the code step by step only until reaching debugstr[1].

    I found that b1 is different from b2, while debugstr[1] and debugstr[2] are the same.

    To add the user and assign rights manually, I do: Win+R -> type dcomcnfg -> expand the Component Services node until you see the My Computer node -> right-click My Computer -> Properties -> COM Security tab -> Launch and Activation Permissions block -> Edit Default...

    Can anyone help me solve the problem, so that b1=b2 while debugstr[1]=debugstr[2]?

    nothing is impossible



    • Edited by ocean chow Tuesday, March 11, 2014 7:06 AM
    Friday, March 7, 2014 8:58 AM
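
An added diagnostic example, not part of the original post and written in Python rather than the post's C# so the bytes can be parsed offline: an SDDL string records the owner, group and ACEs of a security descriptor, but not how the self-relative binary form lays them out, so two blobs can render to the same SDDL and still differ byte for byte. The helper names, the sample SIDs and the two layouts `BLOB_A`/`BLOB_B` are constructed for illustration and are not the poster's registry values.

```python
import struct

def sid_bytes(s):  # "S-1-5-32-544" -> binary SID
    p = s.split("-")
    subs = [int(x) for x in p[3:]]
    return struct.pack("<BB", int(p[1]), len(subs)) + int(p[2]).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def sid_str(blob, off):  # binary SID at offset -> string (offset 0 means "absent")
    if not off:
        return None
    rev, n = struct.unpack_from("<BB", blob, off)
    subs = struct.unpack_from("<%dI" % n, blob, off + 8)
    return "S-%d-%d" % (rev, int.from_bytes(blob[off + 2:off + 8], "big")) + "".join("-%d" % x for x in subs)

def build_sd(owner, group, aces, dacl_first=False, slack=0):
    """Build a constructed self-relative descriptor; dacl_first/slack change layout only."""
    body = b"".join(struct.pack("<BBHI", 0, 0, 8 + len(sid_bytes(s)), m) + sid_bytes(s) for m, s in aces)
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(body) + slack, len(aces), 0) + body + bytes(slack)
    chunks = {"owner": sid_bytes(owner), "group": sid_bytes(group), "dacl": dacl}
    off, data = {}, b""
    for name in (["dacl", "owner", "group"] if dacl_first else ["owner", "group", "dacl"]):
        off[name] = 20 + len(data)  # the fixed header is 20 bytes
        data += chunks[name]
    # 0x8004 = SE_SELF_RELATIVE | SE_DACL_PRESENT; the SACL offset is 0 (absent)
    return struct.pack("<BBHIIII", 1, 0, 0x8004, off["owner"], off["group"], 0, off["dacl"]) + data

def parse_sd(blob):
    """Split a self-relative descriptor into (logical content, byte layout)."""
    _, _, control, o_own, o_grp, _, o_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    logical = {"control": control, "owner": sid_str(blob, o_own), "group": sid_str(blob, o_grp), "aces": []}
    layout = {"length": len(blob), "owner_off": o_own, "group_off": o_grp, "dacl_off": o_dacl}
    if o_dacl:
        _, _, acl_size, count, _ = struct.unpack_from("<BBHHH", blob, o_dacl)
        pos = o_dacl + 8
        for _ in range(count):
            a_type, a_flags, a_size, mask = struct.unpack_from("<BBHI", blob, pos)
            sid = sid_str(blob, pos + 8) if a_type in (0, 1) else None  # SID follows the mask only in basic allow/deny ACEs
            logical["aces"].append((a_type, a_flags, mask, sid))
            pos += a_size
        layout["acl_size"], layout["acl_slack"] = acl_size, o_dacl + acl_size - pos
    return logical, layout

def layout_only_diff(a, b):
    """Layout fields that differ, or None when the descriptors differ in content."""
    (la, ya), (lb, yb) = parse_sd(a), parse_sd(b)
    return sorted(k for k in ya if ya[k] != yb.get(k)) if la == lb else None

# Constructed sample: same owner, group and one allow ACE (mask 31, made-up account SID), two layouts
ACES = [(31, "S-1-5-21-1111-2222-3333-1001")]
BLOB_A = build_sd("S-1-5-32-544", "S-1-5-32-544", ACES)
BLOB_B = build_sd("S-1-5-32-544", "S-1-5-32-544", ACES, dacl_first=True, slack=8)
```

Feeding `parse_sd` the two `byte[]` values read from the registry (for example exported as hex) shows whether they differ only in offsets and ACL padding or in the ACEs themselves.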

All replies

  • Hi Ocean,

    I am trying to involve someone familiar with this issue to come into this thread. Thank you for your understanding.

    Regards,



    Monday, March 10, 2014 2:54 AM
    Moderator
  • Thanks for your words, I will be patient for the answer.

    nothing is impossible

    Tuesday, March 11, 2014 7:08 AM