At the start of my application i change the shell value of the registry to a custom shell and kill the explorer.exe (It is done outside the application), i want to allow a backdoor to return to the original shell and bring back the explorer.exe. brining the process back works fine for me but when i run my code to change the registry value no exception is thrown but the value doesn't change when i check in regedit,
this is my code (saw it here on a different question) :
RegistryKey regKey = Registry.LocalMachine.OpenSubKey(#"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", true);
regKey.SetValue("Shell", "explorer.exe", RegistryValueKind.String);
regKey.Close();
Please help
In your code, you are actually set the value of
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Because some registry keys are redirected by WOW64, please check MSDN to get more details.
Try this:
RegistryKey localMachine = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, RegistryView.Registry64);
RegistryKey regKey = localMachine .OpenSubKey(#"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", true);
regKey.SetValue("Shell", "explorer.exe", RegistryValueKind.String);
regKey.Close();
Related
I am trying to overwrite the below values in registry on existing value of "Default". Written the below code but it is not updating the value. also code is not giving any error.
[HKEY_CLASSES_ROOT\ugmportalfile\Shell\Open\Command]
#="\"%TPR%\start_manager.bat\""
RegistryKey regKey=Registry.ClassesRoot.OpenSubKey("ugmportalfile\\Shell\\Open\\Command", true);
//Microsoft.Win32.RegistryKey regKey;
regKey = Microsoft.Win32.Registry.ClassesRoot;
regKey.OpenSubKey(#"ugmportalfile\Shell\Open\Command");
regKey.SetValue("Default", #"%TPR%\start_manager.bat");
regKey.Close();
OpenSubKey does return a RegistryKey object, you are trying to modify a wrong key.
RegistryKey regKey = Microsoft.Win32.Registry.ClassesRoot;
RegistryKey subkey = regKey.OpenSubKey(#"ugmportalfile\Shell\Open\Command", true); // Could be also Microsoft.Win32.Registry.ClassesRoot..OpenSubKey(#"ugmportalfile\Shell\Open\Command", true);
subkey.SetValue("Default", #"%TPR%\start_manager.bat");
subkey.Close();
You could also consider using code blocks 'cause of IDisposable interface.
Edit: https://msdn.microsoft.com/en-us/library/xthy8s8d(v=vs.110).aspx
I am trying to do some registry editing. The below code is a MCVE of my problem:
RegistryKey key;
key = Registry.LocalMachine.OpenSubKey("DRIVERS", true);
key = key.CreateSubKey("Names");
key.SetValue("Name", "nick", RegistryValueKind.String);
key.Close();
That code works fine. The following (changed DRIVERS to SOFTWARE) does not:
RegistryKey key;
key = Registry.LocalMachine.OpenSubKey("SOFTWARE", true);
key = key.CreateSubKey("Names");
key.SetValue("Name", "nick", RegistryValueKind.String);
key.Close();
To me, the difference between the two blocks of code is trivial. What is the cause of this issue, and how can I get around it? I am already running the code as an admin.
My end goal is to modify the values in the "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" folder.
I know this is possible from Powershell - it should be possible from C# as well.
You can write to the 64-bit registry from a 32-bit process, but you need to explicitly request the 64-bit registry as follows (modified from your code in the Q).
var hklm = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, RegistryView.Registry64);
RegistryKey key = hklm.OpenSubKey("SOFTWARE", true);
key = key.CreateSubKey("Names");
key.SetValue("Name", "nick", RegistryValueKind.String);
key.Close();
OK, so i'm having this issue and i really just dont understand why. although i know i can just change the whole text i would just like to better understand why this is happening. so lets say im opening a subkey
RegistryKey regkey = RegistryKey.OpenRemoteBaseKey(RegistryHive.LocalMachine, workstation, RegistryView.Registry64).OpenSubKey(#"Software\Censored\Issuance\test\", true);
that will work fine i can set/get key values and such but then lets say i need to move to another subkey why cant i just do
regkey= regkey.opensubkey(#"\Software\something\somewhere\youknow");
then start setting or getting values from that new location? any help would be appreciated!
i tried to search for a similar post but didnt appear that anyone had asked about this before sorry if it's a dupe!
RegistryKey regkey = RegistryKey.OpenRemoteBaseKey(RegistryHive.LocalMachine, workstation, RegistryView.Registry64)
.OpenSubKey(#"Software\Censored\Issuance\test\", true);
regkey = regkey.opensubkey(#"Foo");
This will open the subkey Foo at Software\Censored\Issuance\test\Foo
To read from a key that is not a subkey
RegistryKey baseKey = RegistryKey.OpenRemoteBaseKey(RegistryHive.LocalMachine, workstation, RegistryView.Registry64);
RegistryKey regkey = baseKey.OpenSubKey(#"Software\Censored\Issuance\test\", true);
...
regkey = baseKey.OpenSubKey(#"Software\something\somewhere\youknow", true);
I want to modify a data in registry path SOFTWARE\Wow6432Node\Program\SubProgram using C# code in windows 7. I am able to read the value but I can't write into Registry.
Here is the code:
RegistryKey SUBKEY;
RegistryKey TAWKAY = RegistryKey.OpenRemoteBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, "");
string subkey = "SOFTWARE\\Wow6432Node\\Program\\SubProgram ";
if (TAWKAY.OpenSubKey(subkey) != null) // Get values from Registry
{
TAWKAY = RegistryKey.OpenRemoteBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, "");
SUBKEY = TAWKAY.OpenSubKey(subkey); // subkey opens
SUBKEY = TAWKAY.OpenSubKey(subkey,true); // subkey not open shows error Requested registry access is not allowed
SUBKEY.SetValue("Some name", "1234567890");
Console.WriteLine(SUBKEY.GetValue("Some name").ToString());
}
else
{
Console.WriteLine("Cannot open registry");
}
Console.Read();
If I set OpenSubKey(subkey, true), it shows an error message Requested registry access is not allowed
Is there any permission needed to write into registry?
Please help me to solve the issue
Wow6432Node is not a real path in the registry. It is an alias for 32 bit keys in 64 bit OS.
You must use RegistryView.Registry32 in order to specify you want to work with 32 bits.
RegistryKey reg32key = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry32);
RegistryKey reg_32bit_AppKey = reg32key.OpenSubKey(#"SOFTWARE\Program\SubProgram");
if (reg_32bit_AppKey != null)
{
// Here you can work with "SOFTWARE\\Wow6432Node\\Program\\SubProgram "
}
Modifying/deleting/adding keys in HKLM requires administrator rights.
In that case you want to do that you will need to change your applications manifest requestedExecutionLevel value to requireAdministrator
It is better to use "Reg" command inorder to perform any operation on registry.
Even though if you want to access the registry of remote machine you don't nedd credentials of that machine, having the machine name is sufficient.
For more information about "REG" command refer to the following link
http://technet.microsoft.com/en-us/library/cc732643(v=ws.10).aspx
I have a issue reading a registry value programmatically using C#.
I looked into many sites and help but could not find any helpful.
I am able to access and read registry when I run VS in eleveated mode, but face issue when I run VS with out elevated mode.
Initially I started with the below code
byte[] val = (byte[])Registry.GetValue("HKEY_LOCAL_MACHINE\\Software\\MyServices\\Identity\\ASPNET_SETREG", "ValueName", 0);
This worked fine with elevated mode, but fails in non elevated mode.
Placed the attribute on top of the function
[RegistryPermissionAttribute(SecurityAction.Demand,Unrestricted=true)]
This did not help. Then Tried
[System.Security.Permissions.SecurityPermission(System.Security.Permissions.SecurityAction.LinkDemand, Flags = System.Security.Permissions.SecurityPermissionFlag.AllFlags)]
Still did not work.
Now I Tried the below code...
RegistryKey key = Registry.LocalMachine;
RegistrySecurity rs = new RegistrySecurity();
rs = key.GetAccessControl();
string user = "DomainName\\Username";
rs.AddAccessRule(new RegistryAccessRule(user,
RegistryRights.ReadKey,
InheritanceFlags.None,
PropagationFlags.None,
AccessControlType.Allow));
key.SetAccessControl(rs);//Exception: "Attempted to perform an unauthorized operation."}
//RegistryKey key2 = key.OpenSubKey("Software\\MyServices\\Identity\\ASPNET_SETREG");
//RegistryKey key2 = key.OpenSubKey("Software\\MyServices\\Identity\\ASPNET_SETREG", false);
//RegistryKey key2 = key.OpenSubKey("Software\\MyServices\\Identity\\ASPNET_SETREG", RegistryKeyPermissionCheck.ReadSubTree);
RegistryKey key2 = key.OpenSubKey("Software\\MyServices\\Identity\\ASPNET_SETREG", RegistryKeyPermissionCheck.ReadSubTree, RegistryRights.ReadPermissions);
Commenting SetAccessControl and use any of the OpenSubkey option, I get Exception: "Requested registry access is not allowed."
I am badly stuckup and unable to proceed.
private RegistryKey keyR = Registry.CurrentUser.OpenSubKey("Software\\YourKey",true);
private RegistryKey keyW = Registry.CurrentUser.CreateSubKey("Software\\YourKey");
public string version
{
get { return keyR.GetValue("VERSION", "", RegistryValueOptions.DoNotExpandEnvironmentNames).ToString(); }
set { keyW.SetValue("VERSION", value, RegistryValueKind.String); }
}
I am using windows registry in this way. No problem...
The windows registry is basically a structured file system, and has permissions for keys and values.
You do not have the permissions set correctly on ...\MyServices\ or deeper keys - you have no permission to access those from your unprivileged process.
Either:
Those keys should be readable by anybody, so you should change the permissions to make them readable by everybody. Or -
Those keys were intentionally restricted for a good reason, and so they should not be readable by everybody, in which case your program should always run elevated.