I created a new windows user using C# and I would like to restrict list of apps to run through setting registry using C#. But the user profile and its registry is not initialized yet, since the user has never login, it will not have registry hive loaded and I cannot make changes.
I have tried Process.start() and set LoadUserProfile=true. I can see that the folder for the user is created under C:\Users\ However, if I get the user's sid and check HKEY_USERS\ , there is no such entry. I learned that when a user login, windows will load the registry hive, and unload when log out. Therefore I need to load the registry hive without user login.
Reference:
Editing registry value for newly created user
Load registry hive from C# fails
Get sid
NTAccount user = new NTAccount(username);
SecurityIdentifier s = (SecurityIdentifier)user.Translate(typeof(SecurityIdentifier));
string sidString = s.ToString();
Load Registry
public class RegistryTest
{
[StructLayout(LayoutKind.Sequential)]
private struct LUID
{
public uint LowPart;
public int HighPart;
}
[StructLayout(LayoutKind.Sequential)]
private struct LUID_AND_ATTRIBUTES
{
public LUID pLuid;
public UInt32 Attributes;
}
[StructLayout(LayoutKind.Sequential, Pack = 1)]
private struct TokPriv1Luid
{
public int Count;
public LUID Luid;
public UInt32 Attr;
}
private const Int32 ANYSIZE_ARRAY = 1;
private const UInt32 SE_PRIVILEGE_ENABLED = 0x00000002;
private const UInt32 TOKEN_ADJUST_PRIVILEGES = 0x0020;
private const UInt32 TOKEN_QUERY = 0x0008;
private const uint HKEY_USERS = 0x80000003;
private const string SE_RESTORE_NAME = "SeRestorePrivilege";
private const string SE_BACKUP_NAME = "SeBackupPrivilege";
[DllImport("kernel32.dll")]
static extern IntPtr GetCurrentProcess();
[DllImport("advapi32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
static extern bool OpenProcessToken(IntPtr ProcessHandle, UInt32 DesiredAccess, out IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
[return: MarshalAs(UnmanagedType.Bool)]
static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out LUID lpLuid);
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
static extern bool AdjustTokenPrivileges(
IntPtr htok,
bool disableAllPrivileges,
ref TokPriv1Luid newState,
int len,
IntPtr prev,
IntPtr relen);
[DllImport("advapi32.dll", SetLastError = true)]
static extern int RegLoadKey(UInt32 hKey, String lpSubKey, String lpFile);
[DllImport("advapi32.dll", SetLastError = true)]
static extern int RegUnLoadKey(UInt32 hKey, string lpSubKey);
private IntPtr _myToken;
private TokPriv1Luid _tokenPrivileges = new TokPriv1Luid();
private TokPriv1Luid _tokenPrivileges2 = new TokPriv1Luid();
private LUID _restoreLuid;
private LUID _backupLuid;
public RegistryTest(string sid)
{
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out _myToken))
Console.WriteLine("OpenProcess Error");
if (!LookupPrivilegeValue(null, SE_RESTORE_NAME, out _restoreLuid))
Console.WriteLine("LookupPrivilegeValue Error");
if (!LookupPrivilegeValue(null, SE_BACKUP_NAME, out _backupLuid))
Console.WriteLine("LookupPrivilegeValue Error");
_tokenPrivileges.Attr = SE_PRIVILEGE_ENABLED;
_tokenPrivileges.Luid = _restoreLuid;
_tokenPrivileges.Count = 1;
_tokenPrivileges2.Attr = SE_PRIVILEGE_ENABLED;
_tokenPrivileges2.Luid = _backupLuid;
_tokenPrivileges2.Count = 1;
if (!AdjustTokenPrivileges(_myToken, false, ref _tokenPrivileges, 0, IntPtr.Zero, IntPtr.Zero))
Console.WriteLine("AdjustTokenPrivileges Error: " + Marshal.GetLastWin32Error());
if (!AdjustTokenPrivileges(_myToken, false, ref _tokenPrivileges2, 0, IntPtr.Zero, IntPtr.Zero))
Console.WriteLine("AdjustTokenPrivileges Error: " + Marshal.GetLastWin32Error());
// --> RegLoadKey fails with return value 32<--
int retVal = RegLoadKey(HKEY_USERS, sid, @"C:\Users\Default\NTUSER.DAT");
if (retVal != 0)
Console.WriteLine("RegLoadKey Error:" + retVal);
}
}
The RegLoadKey API should return 0 but I got 32
I have find a way to do it, I load default registry hive in C:\Users\Default. After I change it to C:\Users\[username]\NTUSER.DAT and then the registry hive is loaded.
User contributions licensed under CC BY-SA 3.0