C# & Windows 10 changing registry access rules for key in HKLM


Can someone help me? I have developed a console app which is used to create my own registry keys inside HKLM and then modifies the access rights to this key in order to allow every user's NT account to read/write to this key.

In app.manifest I have this statement to force administrator rights to run it:

<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />

On Windows 7 64 bit everything works fine; the problem was detected on Windows 10 64 bit - the app creates the registry keys as expected, but when it tries to modify its access rules, it fails.

My code for modifying the access rules for key:

using Microsoft.Win32;
using System.Security.AccessControl;
using System.Security.Principal;

private static bool SetFullAccessForKey(string regKey)
{
    try
    {
        // WorldSid is the well-known "Everyone" group.
        SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
        NTAccount account = sid.Translate(typeof(NTAccount)) as NTAccount;

        using (RegistryKey rk = Registry.LocalMachine.OpenSubKey(regKey, RegistryKeyPermissionCheck.ReadWriteSubTree))
        {
            RegistrySecurity rs = rk.GetAccessControl();

            RegistryAccessRule rar = new RegistryAccessRule(
                account.ToString(),
                RegistryRights.FullControl,
                InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                PropagationFlags.None,
                AccessControlType.Allow);

            // Throws InvalidOperationException when the key's existing ACL
            // is not in canonical form (see the stack trace below).
            rs.AddAccessRule(rar);
            rk.SetAccessControl(rs);
        }
        return true;
    }
    catch
    {
        // Any failure, including the exception above, is reported as false.
        return false;
    }
}

Can someone please help me here, what could be wrong here? As I said, on Windows 7 64 everything works as expected.

Thanks for help!

EDITED 04-01-2017: some more details about the exception that I am getting when SetFullAccessForKey(...) is executed:

System.InvalidOperationException: This access control list is not in canonical form and therefore cannot be modified.
at System.Security.AccessControl.CommonAcl.ThrowIfNotCanonical()
at System.Security.AccessControl.CommonAcl.AddQualifiedAce(SecurityIdentifier sid, AceQualifier qualifier, Int32 accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
at System.Security.AccessControl.DiscretionaryAcl.AddAccess(AccessControlType accessType, SecurityIdentifier sid, Int32 accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags)
at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified)
at System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(AccessRule rule)
at System.Security.AccessControl.RegistrySecurity.AddAccessRule(RegistryAccessRule rule)
at regconfigtest.RegistryTools.SetFullAccessForKey(String regKey)

Thanks for any help with this one!


Solution

  • I can confirm that the solution presented here:

    How do you programmatically fix a non-canonical ACL?

    has fixed my issue! Now it works fine on all: Win7, Win8 and Win10.
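
The exception in the question is raised because AddAccessRule refuses to edit a DACL whose ACEs are not ordered as explicit deny, explicit allow, then inherited. The following is an added example, not code from this page or from the linked answer, showing one way to rewrite the DACL in that order before adding a rule; the names RegistryAclRepair, CanonicalizeDacl and AddRule are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.AccessControl;
using Microsoft.Win32;

static class RegistryAclRepair   // hypothetical helper class
{
    // Rewrites the DACL as: explicit deny, explicit allow, then inherited ACEs.
    // Each group keeps its original relative order.
    public static void CanonicalizeDacl(NativeObjectSecurity security)
    {
        if (security.AreAccessRulesCanonical) return;   // nothing to repair

        var sd = new RawSecurityDescriptor(
            security.GetSecurityDescriptorSddlForm(AccessControlSections.Access));
        RawAcl oldAcl = sd.DiscretionaryAcl;
        var deny = new List<GenericAce>();
        var allow = new List<GenericAce>();
        var inherited = new List<GenericAce>();

        foreach (GenericAce ace in oldAcl)
        {
            var q = ace as QualifiedAce;
            if (ace.IsInherited) inherited.Add(ace);
            else if (q != null && q.AceQualifier == AceQualifier.AccessDenied) deny.Add(ace);
            else if (q != null && q.AceQualifier == AceQualifier.AccessAllowed) allow.Add(ace);
            else throw new NotSupportedException("Unexpected ACE type: " + ace.AceType);
        }

        var newAcl = new RawAcl(oldAcl.Revision, oldAcl.Count);
        int index = 0;
        foreach (List<GenericAce> group in new[] { deny, allow, inherited })
            foreach (GenericAce ace in group)
                newAcl.InsertAce(index++, ace);

        sd.DiscretionaryAcl = newAcl;
        security.SetSecurityDescriptorSddlForm(
            sd.GetSddlForm(AccessControlSections.Access), AccessControlSections.Access);
    }

    // Hypothetical caller: repairs the key's DACL, then adds the caller's rule.
    public static void AddRule(string subKey, RegistryAccessRule rule)
    {
        using (RegistryKey rk = Registry.LocalMachine.OpenSubKey(
                   subKey, RegistryKeyPermissionCheck.ReadWriteSubTree))
        {
            if (rk == null) throw new ArgumentException("Key not found: " + subKey);
            RegistrySecurity rs = rk.GetAccessControl();
            CanonicalizeDacl(rs);       // must run before AddAccessRule
            rs.AddAccessRule(rule);
            rk.SetAccessControl(rs);
        }
    }
}
```

Reordering can change effective access, because explicit deny ACEs that previously sat after an allow ACE now take precedence, so review the resulting ACL on the key after the repair.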