7

I'm writing an application that needs to create a special user account hidden from login screens and the Control Panel users applet. By writing a DWORD value of 0 with the user name to the registry key below, I'm able to accomplish this goal:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

The problem is that under Windows 7 with UAC on, no matter what I try, I cannot programmatically write a value to the key above.

It is my understanding that writing to certain keys is not allowed on Windows 7 with UAC on, unless you are running with Administrative privileges. I've added an application manifest requestedExecutionLevel level="requireAdministrator" uiAccess="false", I accept the UAC prompt when my program is run, my account is a member of Administrators, yet I am still unable to write to the above registry key.

What more do I need to do? How is it possible, in any application configuration, to write keys and values under HKEY_LOCAL_MACHINE\SOFTWARE?

Further information ... When my program runs, no errors are thrown and it seems to write values. My guess is that Windows is virtualizing the location to which I am writing. I need to write to the actual location, not a virtual one, if I am to hide this special user account.

6
  • They probably are trying to prevent exactly what you're trying to do. A hidden account written by malware would be bad for instance. Commented Feb 9, 2011 at 21:03
  • Yet this applies to everything under HKEY_LOCAL_MACHINE\SOFTWARE, not just the specific key I mentioned. Oh, and you can still hide the account by using regedit, or see it using computer management/users. Commented Feb 9, 2011 at 21:06
  • Sorry it was just an off the cuff comment. If I had a good answer for you I'd have used the other box. I'm also very interested in what's actually going on here. Commented Feb 9, 2011 at 21:08
  • Maybe it's not the only place that needs to be changed? 'cause as stated it would be too easy for malware software. Commented Feb 9, 2011 at 21:10
  • I swear I've read something like this on Raymond Chen's blog. Commented Feb 9, 2011 at 21:20

4 Answers

18

Probably the program runs as a 32-bit program on a 64-bit operating system? In that case I recommend you search for the values which you created under the Wow6432Node subkey of HKEY_LOCAL_MACHINE\SOFTWARE.

You can read more about this kind of virtualization here. You can use the KEY_WOW64_32KEY flag in some APIs to be able to work with the full registry without virtualization.


6 Comments

Right, I already had figured out values were being written under Wow6432Node. The problem is, the user hiding code on Windows doesn't see keys under that location. See social.answers.microsoft.com/Forums/en-SG/w7security/thread/… and community.kaseya.com/xsp/f/21/p/223/646.aspx ... The first link was marked as solved through a private fix by install shield, and as such the fix isn't redistributed openly.
@sysrpl: The problem can be easily solved if you use the additional KEY_WOW64_32KEY flag in RegCreateKeyEx or RegOpenKeyEx. Then you can use the HKEY handle to access any part of the registry. I use the trick without any problem. If you need, I could post a small C example which demonstrates it.
@sysrpl: Do you need to create the registry key inside of setup?
Okay, I had to "or" KEY_WOW64_64KEY in RegCreateKeyEx and RegOpenKeyEx to get it to work. Thanks.
You can find C# code which shows how to access it here: stackoverflow.com/a/13232372/1016343
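
An added example (not code from the question or from any of the answers): a read-only C# check that lists the UserList values in both registry views, so it is visible whether an entry sits in the native key or only under Wow6432Node. It assumes .NET Framework 4 or later for RegistryKey.OpenBaseKey and RegistryView; the class name UserListAudit is hypothetical.

```csharp
using System;
using Microsoft.Win32;

static class UserListAudit   // hypothetical name, not from the page
{
    // Key path taken from the question above.
    const string UserListPath =
        @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList";

    // Open HKLM through an explicit view so the result does not depend on
    // whether this process is 32-bit or 64-bit.
    static void Dump(RegistryView view)
    {
        using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
        using (RegistryKey key = hklm.OpenSubKey(UserListPath)) // opened read-only
        {
            Console.WriteLine("[{0}] HKLM\\{1}", view, UserListPath);
            if (key == null)
            {
                Console.WriteLine("  (key not present in this view)");
                return;
            }
            foreach (string name in key.GetValueNames())
            {
                object value = key.GetValue(name);
                // Per the question, a DWORD of 0 hides the named account.
                bool hidden = key.GetValueKind(name) == RegistryValueKind.DWord
                              && (int)value == 0;
                Console.WriteLine("  {0} = {1}{2}", name, value,
                                  hidden ? "  <-- DWORD 0 (hidden account)" : "");
            }
        }
    }

    static void Main()
    {
        Console.WriteLine("Process is {0}-bit, OS is {1}-bit",
            Environment.Is64BitProcess ? 64 : 32,
            Environment.Is64BitOperatingSystem ? 64 : 32);

        // Native view: what KEY_WOW64_64KEY selects in RegOpenKeyEx.
        Dump(RegistryView.Registry64);
        // 32-bit view: backed by Wow6432Node, where a 32-bit writer lands by default.
        Dump(RegistryView.Registry32);
    }
}
```

An entry that shows up only in the Registry32 listing was written through the redirected view, which matches the behaviour described in the comments above.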
1

Write Value to Registry

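```csharp
using System;
using System.Security.AccessControl;
using Microsoft.Win32;

string user = Environment.UserDomainName + "\\" + Environment.UserName;

// Access rule for the current user that is applied to the new key
RegistrySecurity rs = new RegistrySecurity();
rs.AddAccessRule(new RegistryAccessRule(user,
    RegistryRights.WriteKey | RegistryRights.ChangePermissions,
    InheritanceFlags.None, PropagationFlags.None, AccessControlType.Deny));

RegistryKey rk = null;
try
{
    rk = Registry.CurrentUser.CreateSubKey("SOFTWARE\\TEST", RegistryKeyPermissionCheck.Default, rs);
    rk.SetValue("NAME", "IROSH");
    rk.SetValue("FROM", "SRI LANKA");
}
finally
{
    // Release the key handle even if one of the writes throws
    if (rk != null) rk.Close();
}
```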

Comments

0

This could have something to do with the redirection they added in Vista. I would be curious if you tried to read that registry value from your code, if you would get back the value you were expecting. You may also want to fire up RegMon to see if you can see where the redirection may be forcing you.

Comments

-1
```csharp
RegistryKey rk = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", true);
rk.SetValue("Name", "Value");
```

1 Comment

Write some explanation for your code, to make your answer better.
