<2017 April>
SunMonTueWedThuFriSat
2627282930311
2345678
9101112131415
16171819202122
23242526272829
30123456

On this page...

Search

Links

Member of...


ASP Insiders

MVP Visual Developer ASP/ASP.NET

Enter CodeZone

Blog Categories

Microsoft

Blogroll

Deutsche Resourcen

Management

Sign In
 

#  Thursday, 11 May 2006

On Tuesday I was presenting a Windows Vista security session, which included UAC (user account control) and respective demos. One part was showing UAC data redirection, and for this blog post I will stick with the registry side of things.

Why this redirection in the first place? Well, old legacy applications do tend to assume that you are running as admin on your box. Thus, those apps simply store "stuff" in the HKLM hive of the registry, instead of HKCU. To allow such misguided apps to run on Vista smoothly, UAC automagically redirects write operations from the actual HKLM location to a VirtualStore branch of the current user's profile.

Let's look at an example of a classic no-no:

try
{
  RegistryKey MyTest = Registry.LocalMachine.OpenSubKey("Software\\Microsoft\\Microsoft SDKs\\.NETFramework\\v2.0", true);
  MyTest.SetValue("InstallationFolder", ContentsText.Text, RegistryValueKind.String);
  MyTest.Close();
  ResultsLabel.Text = "Successfully written to registry!";
}
catch (Exception ex)
{
  ResultsLabel.Text = "Unable to write to registry: " + ex.Message;
}

On XP, being non-admin, you would end up in the catch block. Not so on Vista. With Vista, this will work out ok, and the data will be stored like this:

Nice indeed. Or is it actually nice? Let's look at the code for reading the value again:

try
{
  RegistryKey MyTest = Registry.LocalMachine.OpenSubKey("Software\\Microsoft\\Microsoft SDKs\\.NETFramework\\v2.0", true);
  ContentsText.Text = MyTest.GetValue("InstallationFolder") as string;
  ResultsLabel.Text = "Successfully read from registry!";
}
catch (Exception ex)
{
  ResultsLabel.Text = "Unable to read from registry: " + ex.Message;
}

So what's your guess where the value will come from - the original HKLM location or the redirected HKCU VirtualStore location? Right, the VirtualStore is the winner.

Now, I intentionally picked an existing value in the registry to "overwrite". Imagine somebody writing a "fuzzer" to go over every single value in HKLM and write back gibberish for every value it finds. The original application will now too see this gibberish instead of the original good values.

Time will tell whether virtualizing based on user and not application will create more havoc than do good. Because thanks to UAC malware needs no extra rights to botch up your registry...

Update Yes, sure, you can turn off this virtualization. Check out the blog entry User Account Control Windows Vista Policies.

Categories: Longhorn | Security
Thursday, 11 May 2006 14:42:03 (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]

 



Comments are closed.

© Copyright 2017 Christoph Wille

newtelligence dasBlog 2.3.9074.18820
Subscribe to this weblog's RSS feed with SharpReader, Radio Userland, NewsGator or any other aggregator listening on port 5335 by clicking this button.   RSS 2.0|Atom 1.0  Send mail to the author(s)

 
Don't contact us via this (fleischfalle@alphasierrapapa.com) email address.