Process User Rights

Edward E. Hopkins 04-06-2004, 08:17 PM
Does anyone know how to run a process as the SYSTEM user account?
I am doing some registry modifications that are being blocked when the code
is run as Administrator.
Ed

Bill Peele [MS] 04-06-2004, 09:57 PM
--------------------
From: "Edward E. Hopkins" <ed@signalquest.com>
Newsgroups: microsoft.public.win2000.registry
Subject: Process User Rights
Date: Tue, 06 Apr 2004 19:17:13 GMT
Does anyone know how to run a process as the SYSTEM user account?
I am doing some registry modifications that are being blocked when the code
is run as Administrator.
Ed
----
Ed,
Use the AT command to schedule CMD.EXE to run interactively. This will run under the System account. Once it is up run
Regedit.exe from this CMD window and it will also run under the System account. You can use the Processes tab on Task
Manager to confirm this.
Bill Peele
Microsoft Enterprise Support
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the
terms specified at http://www.microsoft.com/info/cpyright.htm
Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread
from which they originated.

Mark V 04-06-2004, 09:59 PM
In microsoft.public.win2000.registry Edward E. Hopkins wrote:
> Does anyone know how to run a process as the SYSTEM user account?
>
> I am doing some registry modifications that are being blocked when
> the code is run as Administrator.
You could Schedule it to run as a job under the SYSTEM account.
I am slightly concerned (not knowing otherwise) about registry changes
that cannot be done under Administrator, simply because that is one of
the safety mechanisms in place to prevent horrible mistakes. <G>
You could also use Task Scheduler to just start an Interactive
CMD.EXE /K session.

Edward E. Hopkins 04-06-2004, 10:24 PM
> Does anyone know how to run a process as the SYSTEM user account?
>
> I am doing some registry modifications that are being blocked when the code
> is run as Administrator.
>
> Ed
> ----
>
> Ed,
>
> Use the AT command to schedule CMD.EXE to run interactively. This will run under the System account. Once it is up run
> Regedit.exe from this CMD window and it will also run under the System account. You can use the Processes tab on Task
> Manager to confirm this.
>
> Bill Peele
> Microsoft Enterprise Support
That would be fine ... only that I am calling a DLL from InstallShield that
modified registry keys for some hardware device install/uninstalls. There
is no explicit uninstall INF or hardware drivers that I can find in the
various Microsoft MSDN SDK's and API's ... I find that if I manually remove
the driver keys that are created by the hardware device installation then
the device no longer appears in the hardware enum. However, these registry
keys, although owned by Administrator, have access rights for SYSTEM
(obviously to prevent accidental deletion).
Since we would like to be able to uninstall our device and we need to be
able to do this from within running C++ code what I am digging for is a
programmatic way to do this rather than a command-line way to do this.
Ed

Edward E. Hopkins 04-06-2004, 10:26 PM
> I am slightly concerned (not knowing otherwise) about registry changes
> that cannot be done under Administrator, simply because that is one of
> the safety mechanisms in place to prevent horrible mistakes. <G>
I've repeated the installation / uninstallation procedure and have
identified exactly which keys are created. I have tried removing them
manually and it has not damaged any other devices. If there were a more
standard API call to do this I would use it, but there does not appear to be
such an animal.
Ed

Mark V 04-06-2004, 10:52 PM
In microsoft.public.win2000.registry Edward E. Hopkins wrote:
>> Does anyone know how to run a process as the SYSTEM user account?
>>
>> I am doing some registry modifications that are being blocked
>> when the code is run as Administrator.
>>
>> Ed
>> ----
>>
>> Ed,
>>
>> Use the AT command to schedule CMD.EXE to run interactively.
>> This will run under the System account. Once it is up run
>> Regedit.exe from this CMD window and it will also run under the
>> System account. You can use the Processes tab on Task
>> Manager to confirm this.
>>
>> Bill Peele
>> Microsoft Enterprise Support
>
> That would be fine ... only that I am calling a DLL from
> InstallShield that modified registry keys for some hardware device
> install/uninstalls. There is no explicit uninstall INF or
> hardware drivers that I can find in the various Microsoft MSDN
> SDK's and API's ... I find that if I manually remove the driver
> keys that are created by the hardware device installation then the
> device no longer appears in the hardware enum. However, these
> registry keys, although owned by Administrator, have access rights
> for SYSTEM (obviously to prevent accidental deletion).
>
> Since we would like to be able to uninstall our device and we need
> to be able to do this from within running C++ code what I am
> digging for is a programmatic way to do this rather than a
> command-line way to do this.
I do have "command-line" ideas (regini.exe for one), but
unfortunately none using the APIs. Can we assume you've been to
various developers groups (or MSDN) for assistance?
I am guessing, but it seems you know exactly what you need to do and
where (change and propagate registry ACLs in order to enable deletion
of a key), but not how (programmatic) to do it. And it does not
appear to me to be a "key locked by a process" issue but one of
default permissions. Good luck.

Edward E. Hopkins 04-07-2004, 01:04 AM
> > That would be fine ... only that I am calling a DLL from
> > InstallShield that modified registry keys for some hardware device
> > install/uninstalls. There is no explicit uninstall INF or
> > hardware drivers that I can find in the various Microsoft MSDN
> > SDK's and API's ... I find that if I manually remove the driver
> > keys that are created by the hardware device installation then the
> > device no longer appears in the hardware enum. However, these
> > registry keys, although owned by Administrator, have access rights
> > for SYSTEM (obviously to prevent accidental deletion).
> >
> > Since we would like to be able to uninstall our device and we need
> > to be able to do this from within running C++ code what I am
> > digging for is a programmatic way to do this rather than a
> > command-line way to do this.
>
> I do have "command-line" ideas (regini.exe for one), but
> unfortunately none using the APIs. Can we assume you've been to
> various developers groups (or MSDN) for assistance?
I have searched the MSDN library relatively thoroughly (for a software
developer with 8+ yrs exp)
>
> I am guessing, but it seems you know exactly what you need to do and
> where (change and propagate registry ACLs in order to enable deletion
> of a key), but not how (programmatic) to do it. And it does not
> appear to me to be a "key locked by a process" issue but one of
> default permissions. Good luck.
Yes that is correct ... however you cannot open the key with Administrator
in order to add Admin to the ACL user rights for that key object ... a
chicken and egg thing ... whereas if you were able to run the DLL or call
the DLL from a process that had SYSTEM rights then it would work ... hmmm
can you use the command line to call an EXE that is just a dummy to call the
DLL? The problem is that the uninstaller DLL is called directly from within
the InstallShield uninstaller routine (I used to do a lot of install work).
Ed

Mark V 04-07-2004, 02:12 AM
In microsoft.public.win2000.registry Edward E. Hopkins wrote:
>> > That would be fine ... only that I am calling a DLL from
>> > InstallShield that modified registry keys for some hardware
>> > device install/uninstalls. There is no explicit uninstall INF
>> > or hardware drivers that I can find in the various Microsoft
>> > MSDN SDK's and API's ... I find that if I manually remove the
>> > driver keys that are created by the hardware device
>> > installation then the device no longer appears in the hardware
>> > enum. However, these registry keys, although owned by
>> > Administrator, have access rights for SYSTEM (obviously to
>> > prevent accidental deletion).
>> >
>> > Since we would like to be able to uninstall our device and we
>> > need to be able to do this from within running C++ code what I
>> > am digging for is a programmatic way to do this rather than a
>> > command-line way to do this.
>>
>> I do have "command-line" ideas (regini.exe for one), but
>> unfortunately none using the APIs. Can we assume you've been to
>> various developers groups (or MSDN) for assistance?
>
> I have searched the MSDN library relatively thoroughly (for a
> software developer with 8+ yrs exp)
>
>>
>> I am guessing, but it seems you know exactly what you need to do
>> and where (change and propagate registry ACLs in order to enable
>> deletion of a key), but not how (programmatic) to do it. And it
>> does not appear to me to be a "key locked by a process" issue but
>> one of default permissions. Good luck.
>
>
> Yes that is correct ... however you cannot open the key with
> Administrator in order to add Admin to the ACL user rights for
> that key object ... a chicken and egg thing ... whereas if you
> were able to run the DLL or call the DLL from a process that had
> SYSTEM rights then it would work ... hmmm can you use the command
> line to call an EXE that is just a dummy to call the DLL? The
> problem is that the uninstaller DLL is called directly from within
> the InstallShield uninstaller routine (I used to do a lot of
> install work).
I doubt I can be helpful, but on the off chance...
Point. rundll32.exe your.dll ???
I believe you might be able to spawn a process via "impersonation",
but uncertain about how to do that using SYSTEM.
Point. There must be a programmatic way to Take Ownership of the key
in question (as Admin) in order to subsequently apply a new ACE, in
order to ...
I am completely out of my depth, but occasionally the spontaneous
musings of the uninitiated trigger a new thought in someone else to
their benefit. <G>
One other thought. There is a SETACL.EXE open source project that
has a "setowner" function. Whether that in fact applies for registry
keys as well as file system I do not recall. Source is available.
You get the idea.
http://setacl.sourceforge.net/
http://sourceforge.net/projects/setacl/
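
The "act as owner, then apply a new ACE" route raised in the post above, as an added example that is not part of the thread: Windows implicitly grants a key's owner READ_CONTROL and WRITE_DAC (absent an OWNER RIGHTS ACE), so a key owned by Administrators can be opened for exactly those two rights even when its DACL names only SYSTEM. Assumptions: an elevated Windows PowerShell 5.1 session; the scratch key `SOFTWARE\AclDemo_Constructed` and both helper names are constructed for the demo and stand in for no real device key.

```powershell
# Added example, not from the thread. Run elevated in Windows PowerShell 5.1.
$ErrorActionPreference = 'Stop'
$hklm   = [Microsoft.Win32.Registry]::LocalMachine
$rwTree = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
$system = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18')      # LocalSystem
$admins = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-544')  # BUILTIN\Administrators

function New-FullControlRule($Sid) {                      # hypothetical helper
    [System.Security.AccessControl.RegistryAccessRule]::new(
        $Sid, 'FullControl', 'ContainerInherit', 'None', 'Allow')
}

function Add-AdminAceAsOwner([string]$SubKey) {           # hypothetical helper
    # Ask only for READ_CONTROL + WRITE_DAC, the rights an owner holds implicitly.
    # Requesting anything the DACL must grant (e.g. Delete) would be refused here.
    $rights = [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions'
    $key = $hklm.OpenSubKey($SubKey, $rwTree, $rights)
    if ($null -eq $key) { throw "Key not found: $SubKey" }
    try {
        $sd = $key.GetAccessControl(
            [System.Security.AccessControl.AccessControlSections]'Owner, Access')
        $owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier])
        if ($owner.Value -ne $admins.Value) {
            throw "Owner is $owner; changing the owner first needs SeTakeOwnershipPrivilege."
        }
        $sd.AddAccessRule((New-FullControlRule $admins))
        $key.SetAccessControl($sd)                        # only the DACL was modified
    } finally { $key.Close() }
}

# Constructed scratch key reproducing the state described in the thread:
# owner = Administrators, protected DACL that grants SYSTEM only.
$sub    = 'SOFTWARE\AclDemo_Constructed'
$locked = [System.Security.AccessControl.RegistrySecurity]::new()
$locked.SetOwner($admins)
$locked.SetAccessRuleProtection($true, $false)            # no inherited ACEs
$locked.AddAccessRule((New-FullControlRule $system))
$hklm.CreateSubKey($sub, $rwTree, $locked).Close()

# Deleting needs rights from the DACL, so the first attempt is expected to fail.
try { $hklm.DeleteSubKeyTree($sub); $before = 'deleted' } catch { $before = 'denied' }

Add-AdminAceAsOwner $sub
$hklm.DeleteSubKeyTree($sub)                              # throws if still denied
"Delete before ACL change: $before; after ACL change: deleted"
```

When the owner check throws, the caller is not the owner and the ownership change Mark V mentions has to happen first; the script deliberately stops there rather than attempting it.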

Edward E. Hopkins 04-07-2004, 03:38 PM
Mark:
I appreciate your comments, yes you are correct sometimes just the
newsgroupian collaboration can effect solution triggers even if not in
actual function parameter lists ... now if someone could get rid of all my
SPAM mail I would be a happy man!
Ed
P.S. If I am getting tons of Microsoft security bulletins are they really
Microsoft bulletins or spoofing SPAM?
> I am completely out of my depth, but occasionally the spontaneous
> musings of the uninitiated trigger a new thought in someone else to
> their benefit. <G>
>
> One other thought. There is a SETACL.EXE open source project that
> has a "setowner" function. Whether that in fact applies for registry
> keys as well as file system I do not recall. Source is available.
> You get the idea.
>
> http://setacl.sourceforge.net/
> http://sourceforge.net/projects/setacl/