Win32 Registry permissions

runrig has asked for the wisdom of the Perl Monks concerning the following question:

I am trying to copy registry permissions from one key to another (and eventually to many others). key1 has full read/write permission for administrator and read permission for users, but key2 only has read permission for administrator (although I can change permission by manually running regedit) and no permission for users. This script doesn't seem to do anything (it prints the values, but does not change security that I can see). I also tried setting full read/write permission on key2 for the administrator group in regedit (though the other keys I want to change don't have it), but user permissions don't get added:

use strict;
use warnings;

use Win32::TieRegistry qw( Delimiter / KEY_READ KEY_WRITE );
use Win32 qw(
  DACL_SECURITY_INFORMATION
  SACL_SECURITY_INFORMATION
);


my $path = 'LMachine/Software/Classes';
my $key1 = 'opendocument.WriterDocument.1';
my $key2 = 'opendocument.WriterGlobalDocument.1';

my $r = $Registry->{"$path/$key1"};
print $r->{"/"},"\n";

my $sec;
$r->RegGetKeySecurity( DACL_SECURITY_INFORMATION, $sec, [] );

# Only have read access on this - but can manually run regedit
# and change permissions
my $r2 = $Registry->Open("$path/$key2", {Access => KEY_READ(), Delimit
+er=>"/"});
#my $r2 = $Registry->{"$path/$key2"};
print $r2->{"/"},"\n";
$r2->RegSetKeySecurity( DACL_SECURITY_INFORMATION, $sec );
[download]

Update: Just to mention where I'm trying to go with this, there's a bug when you upgrade OpenOffice which causes insufficient permissions on these keys for users (works ok for Admin accounts), so I'd like to fix all permissions for keys in this path with keys or values that start with 'openoffice.' or 'soffice.'.

Comment on Win32 Registry permissions Download Code

Replies are listed 'Best First'.
Re: Win32 Registry permissions by Anonymous Monk on Nov 14, 2006 at 12:25 UTC
A sometimes easily overlooked reason why setting permissions fail is because the effective UID of the perl script is different to the currenly logged on user, so where you might be able to edit a key via regedit, RegSetKeySecurity might be failing due to insufficient permissions. See here Have you also tried using the Win32API::Registry implementation of RegSetKeySecurity?	[reply]
Re: Win32 Registry permissions ($^E) by tye (Sage) on Nov 14, 2006 at 18:46 UTC
You don't report $^E so we are left to just guess what category the failure falls into. I think you would need WRITE_DAC access in order to write permission settings (and READ_CONTROL to read them). WRITE_DAC is included as part of KEY_ALL_ACCESS but not KEY_WRITE (READ_CONTROL is included in nearly every defined access mask). See WinNT.h (part of MS SDKs) for more about how these values relate to each other. - tye	[reply]
Re^2: Win32 Registry permissions ($^E) by runrig (Abbot) on Nov 15, 2006 at 08:09 UTC
You don't report $^E... D'oh. Sorry. It was "Access is denied" on the RegSetKeySecurity. It works now using KEY_ALL_ACCESS. And now, is there a way to automatically propagate permissions to subkeys, or do I need to individually set permissions on all of the subkeys?	[reply]
Re^3: Win32 Registry permissions (heritage) by tye (Sage) on Nov 15, 2006 at 08:34 UTC
I vaguely recall that keys (and directories) can be set to "whatever permissions my parent has" (and modified from there), but if those subkeys aren't already set that way, then you'd still have to go set them all. - tye	[reply]