
Thread: Apply Registry changes immediately (c++ question)

  1. #11
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Just a small note: I don't think that setting registry keys during a logon script is a good idea.

    Setting keys when the logon script runs means the user in question has the appropriate rights to change them (remember the logon script runs with the user's credentials). Since anyone can read the logon scripts, anyone could also find out which keys get changed. Once they know that they could undo/modify any changes you made.

    Use the (group)policy editor to create a policy that dictates these changes. These cannot be modified by the user.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  2. #12
    SirDice - I would agree with you in principle, but my understanding of Shkuey's original question was that the registry changes were being performed from a C++ program. So reading the script would not give any indication of the keys being changed, as this would be in the executable.

  3. #13
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    If an application is not written to look for registry changes while running, the changes will not take effect until the program is restarted. This also applies to changes that only occur when the system is rebooted, or when a user logs on/off. There is no way to force this to happen.

    For instance, there are several keys in the reg that most people are familiar with, such as CurrentControlSet. If you look, there are also keys called ControlSet, ControlSet1, etc...

    The way that these keys work is that for the most part the data that is contained in these keys is only looked at when the system is loaded (for the most part, there are many exceptions). This allows Windows to do the last known good boot option. Instead of loading from currentcontrolset, it loads from controlset, or controlset1. So if you knew that your system worked fine when you loaded the system three times ago, you could rename controlset02 to currentcontrolset, boot the system. And you are good. This is in theory of course.

    For OS level changes most of this has to do with the kernel architecture of Windows. In that you cannot dynamically reload or change settings in kernel mode settings. You have to reboot. Many people see this as a bug or a problem, but it is actually good security. It is the thing that keeps people from writing root kits for Windows. Linux and most Unix variants allow for the kernel to be recompiled, or portions of it, on the fly. Which allows for things such as root kits to be loaded without the system being rebooted.

    The bottom line though, is that if the application you are trying to alter via the registry does not have logic built into it to constantly check the registry for changes, there is very little you can do to force the change other than reboot/restart or logon/off. There might be specific commands for different apps to reload on the fly, but it will vary by application as to whether the ability is there or not.

    And to answer the question about changing reg keys at login. We do it all of the time with very good results. For instance, we recently found a problem with McAfee VirusScan 7.0. By default the NAI virusscan add-in for Outlook is enabled. There is a bug in this add-in which eats up resources on your Exchange server. The easiest way for us to fix the issue on 70k+ clients was to write a batch file that looks for the proper version of VS, and if it finds it, delete the reg keys that enable this plug-in. Very easy solution for a large change.

  4. #14
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by Schrodinger
    SirDice - I would agree with you in principle, but my understanding of Shkuey's original question was that the registry changes were being performed from a C++ program. So reading the script would not give any indication of the keys being changed, as this would be in the executable.
    You are correct. It's still easy however to do a simple strings on this executable. You would need to do some obfuscation to hide the keys in the executable. Or I could just copy the executable and disassemble it in the comfort of my own home. It may take a bit more time but it's still doable.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #15
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Originally posted here by SirDice


    You are correct. It's still easy however to do a simple strings on this executable. You would need to do some obfuscation to hide the keys in the executable. Or I could just copy the executable and disassemble it in the comfort of my own home. It may take a bit more time but it's still doable.
    But does it really matter if a user can see what registry keys you are setting? I don't think it does. The registry by default has the Everyone group set to read only. In most cases, you cannot lock out sections of the registry to not allow read access as the programs that run in that user's name may not work properly if they cannot read their corresponding reg keys. However, the user cannot change the values, so what difference does it make if they know how you are doing it? I don't think it does.

    The job isn't to be sneaky and make the user wonder how you are accomplishing something, just that the security works as intended and cannot be circumvented.

  6. #16
    SirDice - I accept that you are right, but I suspect shkuey is dealing with normal users. Providing security from users who have the technical knowledge and desire to take their startup script executables home and decompile them is a very different ball game.

  7. #17
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by mohaughn
    However, the user cannot change the values, so what difference does it make if they know how you are doing it? I don't think it does.
    The user IS able to change these keys. If you use a logon script to set these keys the user MUST be able to change them. The logon script runs with the user's credentials. So it DOES matter.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
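
The disagreement above comes down to whether the logged-on user holds write access to the keys in question, and that can be checked directly. The following is an added example, not code from any poster in this thread; the subkey paths are hypothetical placeholders, and the function name `Test-UserCanWriteKey` is made up for illustration. Run it in a session of the user being checked.

```powershell
# Added example. The subkey paths are hypothetical placeholders; replace them
# with the keys your logon script or policy actually sets.
$subKeys = @(
    'Software\ExampleCorp\Lockdown',           # hypothetical: set by a logon script
    'Software\Policies\ExampleCorp\Lockdown'   # hypothetical: set through policy
)

function Test-UserCanWriteKey {
    param([Parameter(Mandatory)][string]$SubKey)

    $key = $null
    try {
        # Opening with writable = $true requests write access but changes nothing.
        $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return 'Missing' }
        return 'Writable'
    }
    catch {
        # .NET reports an access-denied open as a SecurityException.
        if ($_.Exception.GetBaseException() -is [System.Security.SecurityException]) {
            return 'Denied'
        }
        throw
    }
    finally {
        if ($null -ne $key) { $key.Close() }
    }
}

# One row per key: who was tested and what access the open attempt got.
foreach ($subKey in $subKeys) {
    [pscustomobject]@{
        Key    = "HKCU:\$subKey"
        User   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Access = Test-UserCanWriteKey -SubKey $subKey
    }
}
```

A key reported as `Writable` can be changed back by that user after the logon script has run; a key reported as `Denied` cannot be set by a script running with that user's credentials in the first place.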

  8. #18
    Instead of modifying the registry directly, there are certain win32 API functions that will allow you to edit certain keys and apply them instantly. I'm not sure but I believe the function is "setreg()"? or "setkey()"?

    scat
    If the scatman can do it so can you.

  9. #19
    Senior Member
    Join Date
    Nov 2001
    Posts
    257
    Originally posted here by SirDice


    The user IS able to change these keys. If you use a logon script to set these keys the user MUST be able to change them. The logon script runs with the user's credentials. So it DOES matter.
    The logon script calls an executable that sends a message to a service running under the system account that makes changes. The user does not necessarily have rights to all the affected keys. Not only that, but there is no way the logon script or the executable it calls can be decompiled to reveal what changes were made.

    Not that it particularly matters, because the user can change everything right back each time they log in for all I care, I just have very specific rules for how it must be when a user first accesses the system.

    And thanks Scat, I had found the API calls (the specific one I needed was SystemParametersInfo()). So, problem was solved.
    -Shkuey
    Living life one line of error free code at a time.
