PDA

View Full Version : How to set registry rights?



jhoelterling
01-27-2013, 07:00 AM
I have several registry entries I need to write to from my application which are not "available" to asInvoker. (Reason being, the language I am using still requires the Borland Database engine). I've found that I can change registry rights with the command line utility "REGINI", which is available on Windows 7 & 8 (not sure about Vista). More information about it here:

http://blogs.msdn.com/b/alejacma/archive/2008/03/11/how-to-change-registry-permissions-with-regini-exe-vbscript.aspx

so, in my case, I've created a script RR.TXT which I run as:
regini rr.txt
this works like a charm from a DOS prompt with admin privileges. Afterwards, my app can run asInvoker without needing elevated privileges. (P.S.: RegEdit, going to the respective key, right-click and selecting "Permissions" allows to verify that the rights have been changed).

What is the best way to do these steps from inside SetupBuilder? I first want SB to create the keys, then change the registry permissions. Would I need to include RegIni.EXE in my install? Where do I need to put the RR.TXT script file? How would I run just this portion of my install asAdmin?

Thanks for any suggestions!

Jan

linder
01-27-2013, 08:23 AM
Jan,

First of all, you should never ever change the HKEY_LOCAL_MACHINE registry key privileges on UAC-aware systems. This might result in a support nightmare for you and opens a big security whole on your user's computer (and perhaps makes some lawyers very happy).

It is not allowed to write from an non-elevated running program to protected system resources (e.g. HKEY_LOCAL_MACHINE).

Here is a very dirty trick (for old legacy programs) that is not recommended at all (it modifies the HKEY_LOCAL_MACHINE key permissions):

http://www.lindersoft.com/forums/showthread.php?t=2379

In the end, it's your decision but it's completely against the rules and very dangerous! Don't do it! :)

Friedrich

jhoelterling
01-27-2013, 09:23 AM
Hi Friedrich,

thanks for the fast reply, and on a Sunday, no less! :)

Your point is well taken, but I am in a catch-22: without changing the rights, my application needs to run as Administrator, which gives the user WAY more rights than intended. So, if I can set security on the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Borland\Database Engine\Settings\SYSTEM\INIT
HKEY_LOCAL_MACHINE\Software\Borland\Database Engine\Settings\DRIVERS
then my application runs perfectly fine "asInvoker".

So, I consider changing the security on these specific keys as the lesser of two evils...

I tried to open the script you referred me to and got one error after another when opening in this in SB7 (the files are for SB6, which I don't have installed anymore). I saw a line in the script:
Access Control:Grant Registry Key Access "Software\JoeUserSoftware"

Is that what I need to do?

Alternatively, if I could figure out how to run the REGINI program from inside SB, I could also do it that way...

Thanks for your help,

Jan

linder
01-27-2013, 09:40 AM
Hi Jan,

You can open the old ".sb6" in SB7 (or SB8) and the IDE will convert and automatically fix the errors for you. You'll see a "Do you want to convert the script?" message box (click YES) followed by an "Inconsistency problem detected" message (click YES) and three "priority item #110x fixed" messages. After that, you can compile the old script :)

Yes, the following line modifies the registry permission:

Access Control:Grant Registry Key Access "Software\JoeUserSoftware"

Quick suggestion <g>: You should definitely warn your users (and perhaps ask for their permission) before doing this :)

Friedrich

jhoelterling
01-27-2013, 02:51 PM
... and it works perfectly now!

Thank you very much for your help on a Sunday!

Jan

linder
01-28-2013, 12:38 AM
You are very welcome, Jan :)

Friedrich

CMS Software
02-02-2013, 01:56 PM
... and it works perfectly now!
Jan

Jan - which version of dBase are you running? The current version (2.80) has UAC aware settings and can create Aliases on the fly inside your EXE program without calling the BDE. UAC settings can also be used to cause dBase 2.80 to place all "modifiable" system files in "safe" places where they can be modified by "asInvoker" users.

You can also avoid a LOT of UAC headaches by creating a DEO dBase app which builds just one small EXE "startup" file which resides inside ProgramFiles and all the other parts of your application reside on a server and are not configured as EXE files, thus preserving UAC settings while getting around the UAC frustrations.

-O. D.-