Hi all
OK, not really an asm question, but I don't know where else to ask. (I have researched but cannot find the answer.)
So, when I am logged in, all settings are stored in HKEY_CURRENT_USER.
My question is, what API call do I use to write to HKEY_CURRENT_USER for a user that is not logged on? i.e. if I am administrator I should be able to update another user's registry keys. My question relates to a local machine only, not a remote machine.
I cannot figure this out, but it should be possible, right?
Wongdai
You've either got to save the settings into or try to edit the user's registry using their own account
There must be a better way. The information is stored away somewhere.
How about using the undocumented API NtLoadKey? Does that work?
Wongdai
You don't need NtLoadKey, change the settings or whatever for the user under HKEY_USERS..
You'll probably need LookupAccountSid() or similar if you're going to modify under HKEY_USERS... unless somebody knows of a better/easier way to do user->sid mapping.
Thanks Fodder
I think you have put me on the right path. LookupAccountName seems to be the beastie I need, viz:
"The LookupAccountName function accepts the name of a system and an account as input. It retrieves a security identifier (SID) for the account and the name of the domain on which the account was found."
I am assuming then I can just use a regular key lookup, as the SID it returns is one of the high-level keys in HKEY_USERS, and this would then be just like opening HKEY_CURRENT_USER if that user was logged on?
Thanks all for help
Wongdai
If you're writing software for the system, i.e. absence of a user, HKLM is what you use. That is where you find all the services settings. That's LM = Local Machine.
Regards, P1 8)
No, that won't work, as it changes the registry values for all users who log on to a particular machine. I only want to change registry values for a user who has a logon on the machine, but is not currently logged on. i.e. as an administrator change their registry values.
Wongdai
Check RegLoadKey, RegSaveKey and RegUnLoadKey APIs. They should work at least on XP.
You can try this with your RegEdit.exe.
1. Open regedit
2. Left click on HKEY_LOCAL_MACHINE to activate it
3. Open File Menu and choose Load Hive...
4. Browse to the user's ntuser.dat file and click Open.
5. Now RegEdit asks for a key name ... enter something.
Now you have that user's "HKEY_CURRENT_USER" registry keys opened under the key you specified at step 5.
To unload that hive, click the name you entered at step 5 to activate it and then choose File\Unload Hive...
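The approach this thread converges on (resolve the account to a SID, write under HKEY_USERS\<SID> if the hive is already loaded, otherwise load the user's ntuser.dat and unload it afterwards), as an added PowerShell example that is not from any poster. The account name, key path and value are constructed placeholders, and the mount name OfflineHive_<SID> is an arbitrary choice.

```powershell
#Requires -RunAsAdministrator
# Added example: set one per-user value for a local account, logged on or not.
# All parameter defaults are constructed placeholders.
param(
    [string]$Account   = 'exampleuser',          # hypothetical local account
    [string]$SubKey    = 'Software\ExampleApp',  # hypothetical key in the user's hive
    [string]$ValueName = 'ExampleSetting',
    [string]$ValueData = '1'
)
$ErrorActionPreference = 'Stop'

# Account name -> SID string (the mapping the thread gets from LookupAccountName).
$sid = [System.Security.Principal.NTAccount]::new($Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$mounted = $false
$mount   = "OfflineHive_$sid"
$root    = "Registry::HKEY_USERS\$sid"

if (-not (Test-Path $root)) {
    # The hive is not loaded, so the user is not logged on. Look up the profile
    # directory for this SID; this throws if the account has no local profile yet.
    $entry = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    $hive  = Join-Path $entry.ProfileImagePath 'NTUSER.DAT'

    # Same operation as regedit's File > Load Hive (RegLoadKey underneath).
    & reg.exe load "HKU\$mount" "$hive" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hive" }
    $mounted = $true
    $root    = "Registry::HKEY_USERS\$mount"
}

try {
    $key = "$root\$SubKey"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $ValueName -Value $ValueData
}
finally {
    if ($mounted) {
        # Release any .NET handles still open on the hive, or the unload is refused.
        [gc]::Collect()
        [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$mount" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "HKU\$mount is still loaded; unload it manually" }
    }
}
```

A hive left loaded keeps ntuser.dat locked, which can interfere with that user's next logon, so the unload sits in `finally` and warns if it fails.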
Open a thread impersonating the user, then use RegOpenCurrentUser.
Regards, P1 8)