"Requested registry access is not allowed" when current user is in local 'Users Group'

  • Question

  • Code written in C#; Windows Application, developed in VS 2008, Targeting .Net Framework 3.5
    Symptom is observed in Windows 2003 & Windows Vista.

     

    RegistryKey keySoftware = Registry.LocalMachine.OpenSubKey("SOFTWARE", true);
    RegistryKey keyAppRoot = keySoftware.OpenSubKey(@"MySubKeyL1\subkeyL2", ckROpenWrite.Checked);
    // presume subkey already exists

    Exception:

    System.Security.SecurityException was unhandled

      Message="Requested registry access is not allowed."

      Source="mscorlib"

      StackTrace:

           at System.ThrowHelper.ThrowSecurityException(ExceptionResource resource)

           at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)

    The code segment works when the current user is in the (Windows) Local Administrators Group, but fails when user is in the Local Users Group (removed from admin group).

    Problem persists even after:
    The 'Users Group' has been granted full privilege to the SubKey (set and verified in regedit).
    The (strong named) assembly/executable is assigned fulltrust (enterprise, machine, user) via caspol.exe.

    What am I missing?

    Tuesday, August 18, 2009 5:49 PM

Answers

  • One possibility:

    If the user has full privilege to the subkey, but NOT read access to HKLM\Software, the first line you posted will throw with a security exception.


    Reed Copsey, Jr. - http://reedcopsey.com
    • Marked as answer by Intel IT IPES Tuesday, August 18, 2009 10:23 PM
    Tuesday, August 18, 2009 6:35 PM
    Moderator

All replies

  • What's the state of ckROpenWrite?  You can read but can't write to HKLM from restricted user accounts.  They should only ever write to HKCU.  The error you get is a Windows error, not a .NET security error.

    Hans Passant.
    Tuesday, August 18, 2009 7:38 PM
    Moderator
  • Thanks for the quick reply. ckROpenWrite is a checkbox control on the (test program) app to easily test both cases. Same exception is thrown for both cases (true or false). I also validated that the keys can be read by the user in 'Users Group' while in regedit. Is that a reliable indication of permissions honored by the CLR?
    Tuesday, August 18, 2009 8:31 PM
  • Which line (in the stack trace) is causing the exception?  Try stepping through it in the debugger (if you can duplicate this in your dev box), since that will narrow down the specific access issue.

    However, in general, you're trying to do something that's not supposed to work.  Normal, restricted users should not be allowed to write to HKLM.  This is bound to be problematic.  Why are you not writing to HKEY_CURRENT_USER instead?

    Reed Copsey, Jr. - http://reedcopsey.com
    Tuesday, August 18, 2009 10:19 PM
    Moderator
  • Sorry. You both answered my question the first time. I was so focused on the second call to OpenSubKey the first one escaped my notice. Consider it closed. Thanks.
    Tuesday, August 18, 2009 10:23 PM
  • You'd better close it yourself, no idea which answer helped you unwedge.

    Hans Passant.
    Tuesday, August 18, 2009 11:52 PM
    Moderator
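
The resolution the thread arrives at, as an added example that is not part of the original posts: the first call in the question opens HKLM\SOFTWARE itself with writable = true, which a member of the local Users group is not allowed to do, so the sketch below never opens the parent for writing and requests write access on the leaf key only, then keeps per-user data under HKCU as the replies advise. The class name, the value name "Setting" and the HKCU path are assumptions made for illustration.

```csharp
using System;
using System.Security;
using Microsoft.Win32;

static class RegistryOpenExample
{
    // Subkey path from the question, addressed from the hive root in a single call.
    const string AppKeyPath = @"SOFTWARE\MySubKeyL1\subkeyL2";

    // Opens the application key under HKLM. The requested access applies to the
    // leaf key only; HKLM\SOFTWARE is never opened for writing.
    // Returns null when the key does not exist or the requested access is denied.
    static RegistryKey OpenAppKey(bool writable)
    {
        try
        {
            return Registry.LocalMachine.OpenSubKey(AppKeyPath, writable);
        }
        catch (SecurityException)
        {
            // "Requested registry access is not allowed."
            return null;
        }
    }

    static void Main()
    {
        // Ask for write access first, then fall back to read-only.
        RegistryKey key = OpenAppKey(true);
        bool canWrite = key != null;
        if (key == null)
            key = OpenAppKey(false);

        if (key == null)
            Console.WriteLine("Key is missing or not readable by this user.");
        else
            using (key)
                Console.WriteLine("Opened {0} (writable: {1})", key.Name, canWrite);

        // Per-user settings go under HKCU, which a standard user can write.
        // Path and value name are placeholders (assumptions, not from the thread).
        using (RegistryKey userKey =
            Registry.CurrentUser.CreateSubKey(@"Software\MySubKeyL1\subkeyL2"))
        {
            userKey.SetValue("Setting", "value");
        }
    }
}
```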