Ignoring .Net crash while reading registry keys (LinkLabel SecurityException)

My application needs to impersonate a service account, which I do with my own LogonUser call. However, it seems that random components in the .NET library try to access registry keys that the account does not have access to, resulting in a SecurityException.

In particular, when I load a LinkLabel, it crashes trying to determine the default hyperlink color in IE:

  System.Security.SecurityException: Requested registry access is not allowed.
       at System.ThrowHelper.ThrowSecurityException (ExceptionResource resource)
       at Microsoft.Win32.RegistryKey.OpenSubKey (String name, Boolean writable)
       at Microsoft.Win32.RegistryKey.OpenSubKey (String name)
       at System.Windows.Forms.LinkUtilities.GetIEColor (String name)
       at System.Windows.Forms.LinkUtilities.get_IELinkColor ()
       at System.Windows.Forms.LinkLabel.get_LinkColor ()
       at System.Windows.Forms.LinkLabel.OnPaint (PaintEventArgs e)
       at System.Windows.Forms.Control.PaintWithErrorHandling (PaintEventArgs e, Int16 layer, Boolean disposeEventArgs)
       at System.Windows.Forms.Control.WmPaint (Message & m)
       at System.Windows.Forms.Control.WndProc (Message & m)
       at System.Windows.Forms.Label.WndProc (Message & m)
       at System.Windows.Forms.LinkLabel.WndProc (Message & msg)
       at System.Windows.Forms.Control.ControlNativeWindow.OnMessage (Message & m)
       at System.Windows.Forms.Control.ControlNativeWindow.WndProc (Message & m)
       at System.Windows.Forms.NativeWindow.Callback (IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
 The Zone of the assembly that failed was: MyComputer

No, the default color setting does not help.


I found this thread with the same problem, but I'm afraid I don't understand the solution:

User hives loaded with LoadUserProfile are stored under HKU; HKCU remains the hive of the interactively logged-on user (the one winlogon.exe loaded).

So, if you need to get into a freshly loaded hive, you need to:
- get a RegistryKey for Registry.Users
- open the subkey named with the SID string of the user account you are impersonating.

Does anyone know of any workarounds for this?

+4
4 answers

The problem is that you impersonate for too long, and your code (indirectly, through the .NET framework) accesses more resources than you expected while impersonating. This exception seems to be caused by the fact that your impersonation code is running on the GUI thread (STA).

You can:

  • Impersonate for a shorter period of time - only as long as you need to make the impersonated calls, and then revert as soon as you can, even if within one method you have to impersonate and revert repeatedly. This is the typical impersonation model.
  • Move the impersonating code into a worker thread (MTA) and you should avoid this particular symptom. Now you have the problem of how to communicate with the impersonated code, but that's not a big deal.
  • If you really want the whole process to run as the system account (perhaps as the least privileged one), the only supported solution I know of is to have HKEY_CURRENT_USER map to the system account's hive. This is done by calling LoadUserProfile and then CreateProcessAsUser; but that means a new architecture with a separate process for the impersonated work.
+3
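Tony Lee's first two options, together with the HKEY_USERS\<SID> approach from the thread quoted in the question, as an added C# example (this is not code from the original post or from any of the answers). It assumes .NET Framework 4.6 or later for SafeAccessTokenHandle and WindowsIdentity.RunImpersonated; the account name "svc-app", the domain "CORP" and the password parameter are placeholders the caller supplies.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.Win32;
using Microsoft.Win32.SafeHandles;

// Added example, not the original poster's code. Requires .NET Framework 4.6+
// (SafeAccessTokenHandle, WindowsIdentity.RunImpersonated).
static class ScopedImpersonation
{
    // LOGON32_LOGON_NETWORK is the cheapest logon type; it does not load the
    // account's profile, so HKEY_USERS\<SID> only exists if something else loaded it.
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    // Option 2: run 'work' on a thread-pool (MTA) thread, never on the UI thread.
    // Option 1: impersonate only for the duration of 'work'; RunImpersonated
    // reverts the thread token in its own finally block even if 'work' throws,
    // so WinForms painting (LinkLabel.OnPaint etc.) never runs impersonated.
    public static Task<T> RunAsAsync<T>(string user, string domain, string password, Func<T> work)
    {
        return Task.Run(() =>
        {
            SafeAccessTokenHandle token;
            if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                           LOGON32_PROVIDER_DEFAULT, out token))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            using (token)   // close the logon token once the work is done
            {
                return WindowsIdentity.RunImpersonated(token, work);
            }
        });
    }

    // The approach from the thread quoted in the question: while impersonating,
    // HKEY_CURRENT_USER still maps to the interactive user's hive, so read the
    // impersonated account's settings via HKEY_USERS\<SID>\... instead.
    // Returns null when the key or value does not exist (e.g. profile not loaded).
    public static object ReadImpersonatedUserValue(string subKey, string valueName)
    {
        string sid = WindowsIdentity.GetCurrent().User.Value;
        using (RegistryKey key = Registry.Users.OpenSubKey(sid + "\\" + subKey, writable: false))
        {
            return key == null ? null : key.GetValue(valueName);
        }
    }

    // Usage from a Windows Forms handler: only the file read runs as the service
    // account; after the await the UI thread continues as the original user.
    // "svc-app" / "CORP" are placeholder credentials; the password comes from the caller.
    public static async Task<string> ReadFileAsServiceAccountAsync(string path, string password)
    {
        string contents = await RunAsAsync("svc-app", "CORP", password, () =>
        {
            // Sanity check: this lambda must be running under the service account's token.
            string who = WindowsIdentity.GetCurrent().Name;
            if (!who.EndsWith("svc-app", StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException("Impersonation did not take effect: " + who);
            return File.ReadAllText(path);
        });
        return contents;
    }
}
```

The point of the structure is that the impersonated region is a single lambda on a worker thread: nothing the framework does afterwards on the UI thread (painting, reading IE colours from the registry) sees the service account's token, which is exactly the scenario in the stack trace. If the code needs the account's own hive, ReadImpersonatedUserValue shows the HKEY_USERS\<SID> lookup, but with a network logon the profile is not loaded, so a null result there is expected rather than an error.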

What are you trying to do?

Why would you impersonate a service account? That doesn't sound like a good idea. I suggest you find another way to solve whatever problem prompted you to do this.

If users need access to some resource, grant access to that user group.

Or create a COM server service to do the dirty work and configure it to run as the service account, but give your users permission to launch it.

In fact, you should not do this. You blow a hole the size of a battleship in Windows security.

0

It seems to me that the problem is that the service account does not have access to HKEY_CURRENT_USER. You can solve this by adding an ACE to your HKEY_CURRENT_USER that grants read access to the service account.

It is also terribly unsafe, by the way, if not worse. Use Tony Lee's option number 1 if you can make it work.

Try Regedit before you start writing code to do this.

0

For this particular problem, I simply created a Label (instead of a LinkLabel), made it blue and underlined, and set Cursor to Cursors.Hand. Then it behaves just like a link, except that the link color does not follow the user's theme (oh well).

I had other permission problems for saving files; see my comments on @Tony's answer above for a solution.

0

Source: https://habr.com/ru/post/1342913/
