How do I control access to the registry?

I have a C# service running as LocalSystem (called Serv.exe) and I need this service to monitor registry access.

In particular, whenever a call to HKEY_CURRENT_USER\Software\*.* is made by any of the processes it starts, I need to catch this call (either a change or just an access) so that I can redirect it accordingly. I know about the CHANGE event, but what about registry access that reads a value?

Rationale (if anyone has better suggestions, they would be most welcome): the service runs as LocalSystem, which has its own HKEY_CURRENT_USER, but this service is used to install software in the background for a logged-in user. When that software is installed, it might try to modify the HKEY_CURRENT_USER of the user (which is good), so I need to make sure those changes end up in the user's hive and not in the LocalSystem account's.

Any advice, help or suggestions would be greatly appreciated. Thanks,

+2




2 answers


Use Sysinternals Process Monitor if you just want to see what's going on.

The redirection is complex; you would need to hook the API with a library like Detours, but the license to use it in production is costly. Process Monitor is still useful for making sure your hooks are working correctly, though.

Should the processes started by your service continue to run as LocalSystem? If not, try CreateProcessAsUser to get the process created under the appropriate account.

If your needs are simpler, for example to have a sloppily written application run without write access to HKLM, the Application Compatibility Toolkit might be the ticket.



Unfortunately, installation is the worst case of all. You might have to resort to a clumsy hack where your service adds the user to the Administrators group, runs the installer with CreateProcessAsUser, and then removes the user from the Administrators group again once the process has started, similar to Aaron Margosis's MakeMeAdmin script.

If the installer is that bad, you might get lucky by collecting the required HKCU registry settings (use Process Monitor, or `reg export HKCU` before and after installation and diff the two) into a .reg file, and deploying some kind of startup script that imports the registry entries at login (and leaves a marker so it doesn't run again for the same user and overwrite their settings). I've used this approach for special applications that insist on keeping everything in HKCU.

If you don't mind digging into the undocumented depths, your service running LocalSystem might

+5




You can use WMI queries. Here is an example.



+2








