|
|
//*************************************************************
// File name: profile.c
//
// Description: Fixes hard coded paths in the registry for
// special folder locations. Also fixes security
// on a few registry keys.
//
// Microsoft Confidential
// Copyright (c) Microsoft Corporation 1996
// All rights reserved
//
//*************************************************************
#include <windows.h>
#include <shlobj.h>
#include <shlwapi.h>
#include <tchar.h>
#include "shmgdefs.h"
#include "res.h"
//*************************************************************
//
// ApplySecurityToRegistryTree()
//
// Purpose: Applies the passed security descriptor to the passed
// key and all its descendants. Only the parts of
// the descriptor inddicated in the security
// info value are actually applied to each registry key.
//
// Parameters: RootKey - Registry key
// pSD - Security Descriptor
//
// Return: ERROR_SUCCESS if successful
//
// Comments:
//
// History: Date Author Comment
// 7/19/95 ericflo Created
// 6/16/96 bobday Stolen directly from USERENV
//
//*************************************************************
DWORD ApplySecurityToRegistryTree(HKEY RootKey, PSECURITY_DESCRIPTOR pSD)
{ DWORD Error; DWORD SubKeyIndex; LPTSTR SubKeyName; HKEY SubKey; DWORD cchSubKeySize = MAX_PATH + 1;
//
// First apply security
//
Error = RegSetKeySecurity(RootKey, DACL_SECURITY_INFORMATION, pSD);
if (Error != ERROR_SUCCESS) { return Error; }
//
// Open each sub-key and apply security to its sub-tree
//
SubKeyIndex = 0;
SubKeyName = GlobalAlloc (GPTR, cchSubKeySize * sizeof(TCHAR));
if (!SubKeyName) { return GetLastError(); }
while (TRUE) {
//
// Get the next sub-key name
//
Error = RegEnumKey(RootKey, SubKeyIndex, SubKeyName, cchSubKeySize);
if (Error != ERROR_SUCCESS) {
if (Error == ERROR_NO_MORE_ITEMS) {
//
// Successful end of enumeration
//
Error = ERROR_SUCCESS;
} else {
}
break; }
//
// Open the sub-key
//
Error = RegOpenKeyEx(RootKey, SubKeyName, 0, WRITE_DAC | KEY_ENUMERATE_SUB_KEYS | READ_CONTROL, &SubKey);
if (Error != ERROR_SUCCESS) { break; }
//
// Apply security to the sub-tree
//
Error = ApplySecurityToRegistryTree(SubKey, pSD);
//
// We're finished with the sub-key
//
RegCloseKey(SubKey);
//
// See if we set the security on the sub-tree successfully.
//
if (Error != ERROR_SUCCESS) { break; }
//
// Go enumerate the next sub-key
//
SubKeyIndex ++; }
GlobalFree (SubKeyName);
return Error;
}
//*************************************************************
//
// MakeKeyOrTreeSecure()
//
// Purpose: Sets the attributes on the registry key and possibly sub-keys
// such that Administrators and the OS can delete it and Everyone
// else has read permission only (OR general read/write access)
//
// Parameters: RootKey - Key to set security on
// fWrite - Allow write (or just read)
//
// Return: (BOOL) TRUE if successful
// FALSE if an error occurs
//
// Comments:
//
// History: Date Author Comment
// 11/6/95 ericflo Created
// 06/16/96 bobday Ported from MakeFileSecure in USERENV
//
//*************************************************************
BOOL MakeKeyOrTreeSecure (HKEY RootKey, BOOL fWrite){ SECURITY_DESCRIPTOR sd; SID_IDENTIFIER_AUTHORITY authNT = SECURITY_NT_AUTHORITY; SID_IDENTIFIER_AUTHORITY authWorld = SECURITY_WORLD_SID_AUTHORITY; PACL pAcl = NULL; PSID psidSystem = NULL, psidAdmin = NULL, psidEveryone = NULL; DWORD cbAcl, aceIndex; ACE_HEADER * lpAceHeader; BOOL bRetVal = FALSE; DWORD Error; DWORD dwAccess;
if (fWrite) { dwAccess = KEY_ALL_ACCESS; } else { dwAccess = KEY_READ; }
//
// Get the system sid
//
if (!AllocateAndInitializeSid(&authNT, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &psidSystem)) { goto Exit; }
//
// Get the Admin sid
//
if (!AllocateAndInitializeSid(&authNT, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &psidAdmin)) { goto Exit; }
//
// Get the World sid
//
if (!AllocateAndInitializeSid(&authWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &psidEveryone)) {
goto Exit; }
//
// Allocate space for the ACL
//
cbAcl = (3 * GetLengthSid (psidSystem)) + (3 * GetLengthSid (psidAdmin)) + sizeof(ACL) + (6 * (sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)));
pAcl = (PACL) GlobalAlloc(GMEM_FIXED, cbAcl); if (!pAcl) { goto Exit; }
if (!InitializeAcl(pAcl, cbAcl, ACL_REVISION)) { goto Exit; }
//
// Add Aces. Non-inheritable ACEs first
//
aceIndex = 0; if (!AddAccessAllowedAce(pAcl, ACL_REVISION, KEY_ALL_ACCESS, psidSystem)) { goto Exit; }
aceIndex++; if (!AddAccessAllowedAce(pAcl, ACL_REVISION, KEY_ALL_ACCESS, psidAdmin)) { goto Exit; }
aceIndex++; if (!AddAccessAllowedAce(pAcl, ACL_REVISION, dwAccess, psidEveryone)) { goto Exit; }
//
// Now the inheritable ACEs
//
if (fWrite) { dwAccess = GENERIC_ALL; } else { dwAccess = GENERIC_READ; }
aceIndex++; if (!AddAccessAllowedAce(pAcl, ACL_REVISION, GENERIC_ALL, psidSystem)) { goto Exit; }
if (!GetAce(pAcl, aceIndex, &lpAceHeader)) { goto Exit; }
lpAceHeader->AceFlags |= (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE);
aceIndex++; if (!AddAccessAllowedAce(pAcl, ACL_REVISION, GENERIC_ALL, psidAdmin)) { goto Exit; }
if (!GetAce(pAcl, aceIndex, &lpAceHeader)) { goto Exit; }
lpAceHeader->AceFlags |= (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE);
aceIndex++; if (!AddAccessAllowedAce(pAcl, ACL_REVISION, dwAccess, psidEveryone)) { goto Exit; }
if (!GetAce(pAcl, aceIndex, &lpAceHeader)) { goto Exit; }
lpAceHeader->AceFlags |= (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE);
//
// Put together the security descriptor
//
if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)) { goto Exit; }
if (!SetSecurityDescriptorDacl(&sd, TRUE, pAcl, FALSE)) { goto Exit; }
//
// Set the security
//
Error = ApplySecurityToRegistryTree(RootKey, &sd);
if (Error == ERROR_SUCCESS) { bRetVal = TRUE; }
Exit:
if (psidSystem) { FreeSid(psidSystem); }
if (psidAdmin) { FreeSid(psidAdmin); }
if (psidEveryone) { FreeSid(psidEveryone); }
if (pAcl) { GlobalFree (pAcl); }
return bRetVal;}
void FixUserProfileSecurity( void ){ HKEY hkeyPolicies; DWORD Error;
Error = RegOpenKeyEx( HKEY_CURRENT_USER, TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Policies"), 0, WRITE_DAC | KEY_ENUMERATE_SUB_KEYS | READ_CONTROL, &hkeyPolicies);
if (Error == ERROR_SUCCESS) { MakeKeyOrTreeSecure(hkeyPolicies, FALSE); RegCloseKey(hkeyPolicies); }}
void FixPoliciesSecurity( void ){ HKEY hkeyPolicies; DWORD Error, dwDisp;
Error = RegCreateKeyEx( HKEY_CURRENT_USER, TEXT("Software\\Policies"), 0, NULL, REG_OPTION_NON_VOLATILE, WRITE_DAC | KEY_ENUMERATE_SUB_KEYS | READ_CONTROL, NULL, &hkeyPolicies, &dwDisp);
if (Error == ERROR_SUCCESS) { MakeKeyOrTreeSecure(hkeyPolicies, FALSE); RegCloseKey(hkeyPolicies); }}
void SetSystemBitOnCAPIDir(void){ HRESULT hr; TCHAR szPath[MAX_PATH]; TCHAR szAppData[MAX_PATH]; DWORD FileAttributes;
if (S_OK == SHGetFolderPath(NULL, CSIDL_APPDATA, NULL, SHGFP_TYPE_CURRENT, szAppData)){
//
// It is better to use tcscpy and tcscat. This is just a temp fix and it is build with
// Unicode anyway. Not worth to include extra header file.
// We do not check error case here. This is just a best effort. If we got error, so what?
// MAX_PATH should be enough for these DIRs. Not worth to take care of \\?\ format.
//
if (SUCCEEDED(StringCchCopy(szPath, ARRAYSIZE(szPath), szAppData)) && SUCCEEDED(StringCchCat(szPath, ARRAYSIZE(szPath), TEXT("\\Microsoft\\Protect")))) { FileAttributes = GetFileAttributes(szPath); if ((FileAttributes != -1) && ((FileAttributes & FILE_ATTRIBUTE_SYSTEM) == 0)) { FileAttributes |= FILE_ATTRIBUTE_SYSTEM; SetFileAttributes(szPath, FileAttributes); } }
if (SUCCEEDED(StringCchCopy(szPath, ARRAYSIZE(szPath), szAppData)) && SUCCEEDED(StringCchCat(szPath, ARRAYSIZE(szPath), TEXT("\\Microsoft\\Crypto")))) { FileAttributes = GetFileAttributes(szPath); if ((FileAttributes != -1) && ((FileAttributes & FILE_ATTRIBUTE_SYSTEM) == 0)) { FileAttributes |= FILE_ATTRIBUTE_SYSTEM; SetFileAttributes(szPath, FileAttributes); } } }
}
void SetScreensaverOnFriendlyUI(){ if (IsOS(OS_FRIENDLYLOGONUI) && IsOS(OS_FASTUSERSWITCHING)) { HKEY hkey;
if (RegOpenKeyEx(HKEY_CURRENT_USER, TEXT("Control Panel\\Desktop"), 0, KEY_SET_VALUE, &hkey) == ERROR_SUCCESS) { TCHAR szTemp[MAX_PATH]; DWORD cbTemp = sizeof(szTemp);
RegSetValueEx(hkey, TEXT("ScreenSaveActive"), 0, REG_SZ, (BYTE*)TEXT("1"), sizeof(TEXT("1")));
if (SHRegGetValue(hkey, NULL, TEXT("SCRNSAVE.EXE"), SRRF_RT_REG_SZ | SRRF_RT_REG_EXPAND_SZ | SRRF_NOEXPAND, NULL, szTemp, &cbTemp) != ERROR_SUCCESS || szTemp[0] == TEXT('\0')) { // if the user dosen't already have a screensaver set, then choose one for them!
if (ExpandEnvironmentStrings(TEXT("%SystemRoot%\\System32\\logon.scr"), szTemp, ARRAYSIZE(szTemp))) { RegSetValueEx(hkey, TEXT("SCRNSAVE.EXE"), 0, REG_SZ, (BYTE*)szTemp, (lstrlen(szTemp) + 1) * sizeof(TCHAR)); } }
RegCloseKey(hkey); } }}
#define OTHERSIDS_EVERYONE 1
#define OTHERSIDS_POWERUSERS 2
BOOL MakeFileSecure (LPTSTR lpFile, DWORD dwOtherSids){ SECURITY_DESCRIPTOR sd; SECURITY_ATTRIBUTES sa; SID_IDENTIFIER_AUTHORITY authNT = SECURITY_NT_AUTHORITY; SID_IDENTIFIER_AUTHORITY authWORLD = SECURITY_WORLD_SID_AUTHORITY; PACL pAcl = NULL; PSID psidSystem = NULL, psidAdmin = NULL, psidUsers = NULL, psidPowerUsers = NULL; PSID psidEveryOne = NULL; DWORD cbAcl, aceIndex; ACE_HEADER * lpAceHeader; BOOL bRetVal = FALSE; BOOL bAddPowerUsersAce=TRUE; BOOL bAddEveryOneAce=FALSE; DWORD dwAccMask;
//
// Get the system sid
//
if (!AllocateAndInitializeSid(&authNT, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &psidSystem)) { goto Exit; }
//
// Get the Admin sid
//
if (!AllocateAndInitializeSid(&authNT, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &psidAdmin)) { goto Exit; }
//
// Get the users sid
//
if (!AllocateAndInitializeSid(&authNT, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &psidUsers)) {
goto Exit; }
//
// Allocate space for the ACL
//
cbAcl = (2 * GetLengthSid (psidSystem)) + (2 * GetLengthSid (psidAdmin)) + (2 * GetLengthSid (psidUsers)) + sizeof(ACL) + (6 * (sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)));
//
// Get the power users sid, if required.
// Don't fail if you don't get because it might not be available on DCs??
//
bAddPowerUsersAce = TRUE; if (!AllocateAndInitializeSid(&authNT, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_POWER_USERS, 0, 0, 0, 0, 0, 0, &psidPowerUsers)) {
bAddPowerUsersAce = FALSE; }
if (bAddPowerUsersAce) cbAcl += (2 * GetLengthSid (psidPowerUsers)) + (2 * (sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)));
//
// Get the EveryOne sid, if required.
//
if (dwOtherSids & OTHERSIDS_EVERYONE) { bAddEveryOneAce = TRUE; if (!AllocateAndInitializeSid(&authWORLD, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &psidEveryOne)) {
goto Exit; } }
if (bAddEveryOneAce) cbAcl += (2 * GetLengthSid (psidEveryOne)) + (2 * (sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)));
pAcl = (PACL) GlobalAlloc(GMEM_FIXED, cbAcl); if (!pAcl) { goto Exit; }
if (!InitializeAcl(pAcl, cbAcl, ACL_REVISION)) { goto Exit; }
//
// Add Aces. Non-inheritable ACEs first
//
aceIndex = 0; if (!AddAccessAllowedAce(pAcl, ACL_REVISION, FILE_ALL_ACCESS, psidSystem)) { goto Exit; }
aceIndex++; if (!AddAccessAllowedAce(pAcl, ACL_REVISION, FILE_ALL_ACCESS, psidAdmin)) { goto Exit; }
aceIndex++; if (!AddAccessAllowedAce(pAcl, ACL_REVISION, FILE_ALL_ACCESS, /*GENERIC_READ | GENERIC_EXECUTE,*/ psidUsers)) { goto Exit; }
if (bAddPowerUsersAce) {
//
// By default give read permissions, otherwise give modify permissions
//
dwAccMask = (dwOtherSids & OTHERSIDS_POWERUSERS) ? (FILE_ALL_ACCESS ^ (WRITE_DAC | WRITE_OWNER)): (GENERIC_READ | GENERIC_EXECUTE);
aceIndex++; if (!AddAccessAllowedAce(pAcl, ACL_REVISION, FILE_ALL_ACCESS, /*dwAccMask,*/ psidPowerUsers)) { goto Exit; } }
if (bAddEveryOneAce) { aceIndex++; if (!AddAccessAllowedAce(pAcl, ACL_REVISION, FILE_ALL_ACCESS, /*GENERIC_READ | GENERIC_EXECUTE,*/ psidEveryOne)) { goto Exit; } }
//
// Now the inheritable ACEs
//
aceIndex++; if (!AddAccessAllowedAce(pAcl, ACL_REVISION, GENERIC_ALL, psidSystem)) { goto Exit; }
if (!GetAce(pAcl, aceIndex, &lpAceHeader)) { goto Exit; }
lpAceHeader->AceFlags |= (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE);
aceIndex++; if (!AddAccessAllowedAce(pAcl, ACL_REVISION, GENERIC_ALL, psidAdmin)) { goto Exit; }
if (!GetAce(pAcl, aceIndex, &lpAceHeader)) { goto Exit; }
lpAceHeader->AceFlags |= (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE);
aceIndex++; if (!AddAccessAllowedAce(pAcl, ACL_REVISION, FILE_ALL_ACCESS, /*GENERIC_READ | GENERIC_EXECUTE,*/ psidUsers)) { goto Exit; }
if (!GetAce(pAcl, aceIndex, &lpAceHeader)) { goto Exit; }
lpAceHeader->AceFlags |= (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE);
if (bAddPowerUsersAce) { aceIndex++; dwAccMask = (dwOtherSids & OTHERSIDS_POWERUSERS) ? (FILE_ALL_ACCESS ^ (WRITE_DAC | WRITE_OWNER)): (GENERIC_READ | GENERIC_EXECUTE);
if (!AddAccessAllowedAce(pAcl, ACL_REVISION, FILE_ALL_ACCESS, /*dwAccMask,*/ psidPowerUsers)) { goto Exit; }
if (!GetAce(pAcl, aceIndex, &lpAceHeader)) { goto Exit; }
lpAceHeader->AceFlags |= (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE); }
if (bAddEveryOneAce) { aceIndex++;
if (!AddAccessAllowedAce(pAcl, ACL_REVISION, FILE_ALL_ACCESS, /*GENERIC_READ | GENERIC_EXECUTE,*/ psidEveryOne)) { goto Exit; }
if (!GetAce(pAcl, aceIndex, &lpAceHeader)) { goto Exit; }
lpAceHeader->AceFlags |= (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE); }
//
// Put together the security descriptor
//
if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)) { goto Exit; }
if (!SetSecurityDescriptorDacl(&sd, TRUE, pAcl, FALSE)) { goto Exit; }
//
// Set the security
//
if (SetFileSecurity (lpFile, DACL_SECURITY_INFORMATION, &sd)) { bRetVal = TRUE; } else { }
Exit:
if (psidSystem) { FreeSid(psidSystem); }
if (psidAdmin) { FreeSid(psidAdmin); }
if (psidUsers) { FreeSid(psidUsers); }
if ((bAddPowerUsersAce) && (psidPowerUsers)) { FreeSid(psidPowerUsers); }
if ((bAddEveryOneAce) && (psidEveryOne)) { FreeSid(psidEveryOne); }
if (pAcl) { GlobalFree (pAcl); }
return bRetVal;}
#ifdef SHMG_DBG
void SHMGLogErrMsg(char *szErrMsg, DWORD dwError){ DWORD dwBytesWritten = 0; char szMsg[256]; static HANDLE hLogFile = 0;
if (!hLogFile) { hLogFile = CreateFile(_T("shmgrate.log"), GENERIC_WRITE, FILE_SHARE_WRITE, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0 ); } StringCchPrintf(szMsg, ARRAYSIZE(szMsg), "%s : (%X)\r\n", szErrMsg, dwError); WriteFile(hLogFile, szMsg, strlen(szMsg), &dwBytesWritten, 0);}
#endif
voidFixHtmlHelp( void ){ TCHAR AppDataPath[MAX_PATH*2]; TCHAR HtmlHelpPath[MAX_PATH];
SHMGLogErrMsg("FixHtmlHelp Called",0); if (SHGetFolderPath(NULL, CSIDL_COMMON_APPDATA, NULL, SHGFP_TYPE_CURRENT, AppDataPath) == S_OK && LoadString( GetModuleHandle(NULL), IDS_HTML_HELP_DIR, HtmlHelpPath, sizeof(HtmlHelpPath)/sizeof(WCHAR) ) > 0) { if (SUCCEEDED(StringCchCat(AppDataPath, ARRAYSIZE(AppDataPath), HtmlHelpPath))) { if (CreateDirectory( AppDataPath, NULL )) { if (!MakeFileSecure(AppDataPath,OTHERSIDS_EVERYONE|OTHERSIDS_POWERUSERS)) SHMGLogErrMsg("Could not apply security attributes", 0); } else SHMGLogErrMsg("Could not create the directory", GetLastError()); } else SHMGLogErrMsg("Could not compose the path -- path too long", 0); } else SHMGLogErrMsg("Could not get APPDATA path", GetLastError());}
|
