Can't read/write to Registry

Discussion in 'ASP .Net Web Services' started by Nikolay Petrov, Nov 18, 2004.

  1. Why I always get 'Requested registry access is not allowed' when I try to
    Read/Write to Windows Registry from ASP service. I use ASP NET account?
    Also granted full permissions to required Registry keys.
    What is the problem?

    TIA
     
    Nikolay Petrov, Nov 18, 2004
    #1

  2. Your code is in the CodeGroup Internet/Intranet cause it's ASP.NET - that
    blocks the access.

    --
    Daniel Fisher(lennybacon)
    MCP ASP.NET C#
    Blog: http://www.lennybacon.com/


     
    Daniel Fisher(lennybacon), Nov 18, 2004
    #2

  3. I hear about Code Groups for first time. What are they?
    Any workaround to my prob?


     
    Nikolay Petrov, Nov 18, 2004
    #3
  4. Dan Rogers Guest

    Hi,

    In general you don't want a web exposed method to read/write from the
    registry. The potential for bottlenecking around the registry access is
    high, and registry access is considered too slow for transactional updates.
    The code access group for internet facing code creates a sand box that
    protects the system from exposure to attacks thru the internet. Disabling
    this protection is not recommended.

    If you need to make periodic adjustments of this type, you may wish to
    create a COM+ component (no transactions) that updates the registry key and
    runs as a different machine account. This is the simplest way to
    circumvent the protections without turning them off. If you do decide that
    you need this functionality to be driven from a web facing request, I
    advise you to never expose this to an unprotected (firewalled, intranet)
    environment, and strongly recommend that this not be considered
    "production" quality design.

    Best regards

    Dan Rogers
    Microsoft Corporation
     
    Dan Rogers, Nov 18, 2004
    #4
  5. Frank Guest

    I'm trying to create an application log from Visual Studio and ran into the
    'Requested registry access is not allowed' error.

    I'm not sure how much of this is required, but it got things working:

    - Using the Windows User Account manager I added ASPNET to the power users
    group.

    - In the registry at
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application I
    did rt. mouse | permissions | Advanced | selected Power Users | Edit |
    selected Set Value and Create Subkey | save everything

    - In C:\Windows\Microsoft.NET\Framework\v1.1.4322\CONFIG\machine.config
    modified the identity impersonate element to <identity impersonate="true"
    userName="myAdminUser" password="myAdminPswd"/>

    Given all the various 'solutions' I've read and how many work/don't it's
    pretty clear that when MS just turned on all their security they exposed an
    utter mess. It is pretty clear that it is horribly designed and documented.
    It also seems pretty clear that as I have to disable/modify security in
    various places to get things working (including MS apps) that I'm just
    opening the holes back up. The replies from the MS people make it clear that
    they don't understand it much better. What a mess!
     
    Frank, Dec 3, 2004
    #5
  6. Dan Rogers Guest

    Hi Frank,

    Thanks for sharing your feelings on this. A great deal of thought went
    into defining the changes that were made, and in every case where an impact
    to existing behavior was made, a great deal of thought was given. In this
    particular case, there is definitely a difference of opinion as to what is
    a reasonable practice, from a secure application point of view.

    If you were to ask my advice about "should I add my ASPNET user to the
    power users group, and then change the permissions on the registry and on
    the event logging service to allow an anonymous and unsecured user to
    update my system's core control files", I think my answer would be "what
    are you crazy?". But that's just the response I'd give to a friend or
    professional colleague with whom I was comfortable enough that I know they
    wouldn't interpret my reaction as a personal attack. For the remainder of
    the people, my response would be "We cannot, in good faith, recommend that
    anyone ever consider doing this and considering it an adequate solution."

    The issues that you are opening up here are legion, but primarily
    associated with taking your application out of the sand box. Other issues
    will relate to perf in high volume scenarios. In general, using the
    registry as a data store is a bad idea - it is best suited for system
    settings that change infrequently, or for managing the local logged-in
    user's user experience.

    Other solutions for writing application log entries include using the
    managed code methods that let you write application log entries, so I'm not
    sure what prevented you from doing this.

    Sorry if I do not project confidence in the approach you have chosen. I
    respect your right to your own approach and conclusions.

    Best regards

    Dan Rogers
    Microsoft Corporation
     
    Dan Rogers, Dec 3, 2004
    #6
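
The managed-code route mentioned in reply #6, as an added example that is not part of any poster's message and not Microsoft's own code: the event source is registered once by an administrator at install time, so the web service can write entries under the unmodified ASPNET account. The source name `MyWebService` and the `/register` switch are assumptions made for this example.

```csharp
using System;
using System.Diagnostics;
using System.Security;

public static class AppLog
{
    public const string Source = "MyWebService";   // hypothetical source name
    public const string LogName = "Application";

    // Run once at install time from an administrator account. Creating a
    // source writes a subkey under
    // HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application, which is
    // the registry write that the ASPNET account is denied.
    public static void RegisterSource()
    {
        if (!EventLog.SourceExists(Source))
            EventLog.CreateEventSource(Source, LogName);
    }

    // Called from the web service under the unmodified ASPNET account.
    // Writing to an already registered source needs only read access to
    // that key. Returns false instead of throwing, so a logging failure
    // cannot abort the request being served.
    public static bool TryWrite(string message, EventLogEntryType type)
    {
        try
        {
            EventLog.WriteEntry(Source, message, type);
            return true;
        }
        catch (SecurityException)
        {
            // Source was never registered: WriteEntry tried to create it
            // and hit "Requested registry access is not allowed".
            return false;
        }
        catch (InvalidOperationException) { return false; }
    }
}

public static class Program
{
    // "/register" (hypothetical switch) is the elevated install-time step;
    // without it the program writes one test entry as the current account.
    public static int Main(string[] args)
    {
        if (args.Length == 1 && args[0] == "/register") { AppLog.RegisterSource(); return 0; }
        return AppLog.TryWrite("Service started", EventLogEntryType.Information) ? 0 : 1;
    }
}
```

With the source registered this way, ASPNET stays out of the Power Users group, the Eventlog key keeps its default permissions, and no administrator credentials are stored in machine.config.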