Re: SfcIsKeyProtected (Windows Resource Protection)



Oh, that's OK. The MS doc is still in flux anyway, I guess. On
windowssdk.msdn.microsoft.com it says the third parameter is reserved and
must be NULL. On the msdn.microsoft.com it has it as you list below.
However, it also says that it is ignored on x86 systems.

On your comment on SfcGetNextProtectedFile: I think MS changed their doc on
msdn.microsoft.com after I started asking about it. It didn't mention
anything about it when I started investigating. After our TAM checked in to
it, that note appeared on the page. The wording was almost identical to mine
from an email. The windowssdk.msdn.microsoft.com page still lists it as
supported.

Thanks again for your help.

"Idan (MS)" wrote:

I misinformed you on the REGSAM parameter. The valid values for it are:
NULL, KEY_WOW64_64KEY and KEY_WOW64_32KEY.

Also, if you don't want to use RegOpenKeyEx, you can use the function
the following way:
BOOL isProtected = SfcIsKeyProtected(HKEY_LOCAL_MACHINE,
                                     L"SOFTWARE\\Microsoft\\Speech\\UX",
                                     NULL);

Idan (MS) wrote:
Also, SfcGetNextProtectedFile is no longer supported. It always returns
FALSE with error code ERROR_NO_MORE_FILES.

Idan wrote:
First let's review SfcIsKeyProtected a bit. This function returns a
boolean value which indicates whether the registry key is WRP protected
or not. (If you want more info about the WRP feature let me know.) All
base keys such as HKLM, HKCR are not WRP protected, therefore the value
0 (FALSE) is actually the right value.

The parameters of the function are:
HKEY - a handle to a registry key. This is a required parameter, and
cannot be NULL. When you passed NULL you got error 6 which is
ERROR_INVALID_HANDLE and this is also by design.
LPCWSTR - a string containing a sub key of the opened registry key.
This parameter is optional and can be NULL.
REGSAM - this parameter is used to check 32bit registry keys on 64bit
machine. I'd pass KEY_READ.

To check if a registry key is WRP, you can do the following:
1. open regedit.
2. right click on a registry key and choose 'Permissions...'
3. A key is WRP if TrustedInstaller service has full access to it and
all other users/groups have only read access. TI is the owner of the
key in most cases.
(check out HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech\UX for example)

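so if you want the API to return true you have to do the following:
HKEY key;
/* Open the WRP-protected key read-only; ulOptions must be 0. */
LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE,
                            L"SOFTWARE\\Microsoft\\Speech\\UX",
                            0,
                            KEY_READ,
                            &key);
/* Subkey is NULL because the handle already refers to the key to test. */
BOOL isProtected = SfcIsKeyProtected(key, NULL, KEY_READ);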

Let me know if you have other questions/problems.
Rubin.

Jim wrote:
Hi Rubin,

Thanks for responding - I can't find anything other than the MS doc on
SfcIsKeyProtected.

I was using Beta 2 Build 53?? and installed the most recent build the other
day. Neither of them worked and both behaved the same way. I'm away from
my office so I can't get access to see what the latest build number is.

SfcIsKeyProtected returns 0 with GetLastError returning 0 when I provide one
of the root keys (HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, HKEY_USER) and
anything for the SubKey. I tried "SOFTWARE",
"SOFTWARE\Microsoft\Windows\CurrentVersion", keys that don't exist, other
keys that do but shouldn't be protected. I tried passing NULL for the subkey
to check the root key and it returned the same codes. I tried calling
RegOpenKeyEx on a subkey and passing the returned HKEY as the root and it
still behaved the same. The only test I made that returned something
different was when I passed NULL for the root key, in which case the function
returned 0 and GetLastError returned 6.

Thanks,
Jim

"rubin.idan@xxxxxxxxx" wrote:

Hi Jim,

1. What build of Vista are you using?
2. How were you using SfcIsKeyProtected? (what were the parameters you
passed?)
3. What was the failure? (Did it return FALSE on a WRP protected key?
did it return an error message?)

Thanks,
Idan Rubin

Jim wrote:
Has anyone been able to get SfcIsKeyProtected or SfcGetNextProtectedFile to
work on Vista? I have been able to use SfcIsFileProtected but the other two
don't seem to work at all?

Are there any tricks to using them? Is the documentation wrong?

Thanks for any information.
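
Added example, not code from any poster in this thread: a small C wrapper that applies the two points the thread settles, namely that the third argument may only be 0 (NULL), KEY_WOW64_64KEY or KEY_WOW64_32KEY, and that a FALSE return has to be read together with GetLastError (0 means "not protected", 6 means the call failed). The names wrp_result, wrp_valid_sam, wrp_classify and wrp_check are hypothetical; the SfcIsKeyProtected call itself is compiled only on Windows (link with sfc.lib), and the reading of FALSE with error 0 as "not protected" follows the behaviour reported above.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <sfc.h>                 /* SfcIsKeyProtected; link with sfc.lib */
#else                            /* stand-ins so the portable logic builds elsewhere */
typedef unsigned long DWORD;
#define KEY_WOW64_64KEY 0x0100
#define KEY_WOW64_32KEY 0x0200
#define ERROR_SUCCESS   0UL
#endif

typedef enum { WRP_PROTECTED, WRP_NOT_PROTECTED,
               WRP_BAD_ARGUMENT, WRP_CALL_FAILED } wrp_result;

/* Per the correction in the thread, only these three values are valid. */
int wrp_valid_sam(DWORD sam) {
    return sam == 0 || sam == KEY_WOW64_64KEY || sam == KEY_WOW64_32KEY;
}

/* FALSE + last error 0 -> key is simply not WRP protected (e.g. HKLM root).
   FALSE + nonzero error (6 = ERROR_INVALID_HANDLE) -> the call failed. */
wrp_result wrp_classify(int api_ret, DWORD last_error) {
    if (api_ret) return WRP_PROTECTED;
    return last_error == ERROR_SUCCESS ? WRP_NOT_PROTECTED : WRP_CALL_FAILED;
}

#ifdef _WIN32
wrp_result wrp_check(HKEY root, const wchar_t *subkey, REGSAM sam) {
    if (root == NULL || !wrp_valid_sam(sam)) return WRP_BAD_ARGUMENT;
    SetLastError(ERROR_SUCCESS);          /* make a stale error code impossible */
    BOOL ret = SfcIsKeyProtected(root, subkey, sam);
    return wrp_classify(ret, GetLastError());
}
#endif

int main(void) {
    /* The two (return, GetLastError) pairs reported in the thread. */
    printf("root key, FALSE/0  -> %d\n", wrp_classify(0, 0));
    printf("NULL handle, FALSE/6 -> %d\n", wrp_classify(0, 6));
#ifdef _WIN32
    printf("Speech\\UX -> %d\n",
           wrp_check(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Speech\\UX", 0));
#endif
    return 0;
}
```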



