(IIS/Win2000Pro) Granting Registry read rights to IIS user?

Question

Okay, so I'm running a small test webserver on my private network. I've got a machine running Windows 2000 Pro, and I'm trying to run an ASP.NET app through IIS.

I wrote it so that the webpage would use the registry to store certain settings (connection strings, potentially volatile locations of other web services, paths in the local filesystem where certain information is stored etc...) Of course, it worked fine when testing with VStudio.NET 2005, because the user running the app has elevated privileges. However, running it on IIS I get a "Access to the registry key 'HKEY_LOCAL_MACHINE\Software' is denied.", which suggests the IIS user doesn't have read access to that part of the registry (I only do reads through the website itself, never writes).

I was like "okay, simple enough, I'll just go give that user rights to that part of the registry through regedit." The problem is, I don't see an option anywhere in regedit to change security settings... at all. Which got me thinking... I don't think I've ever actually had to change security settings for registry hives/keys before, and I don't think I know how to do it.

Half an hour of searching the web later, I haven't found any usable information on this subject. What I'm wondering is... how DO you change security rights to portions of the registry? I'm stumped, and it seems my ability to find the answer on Google is failing me utterly... and since I just signed up here, I figured I'd see if anyone here knew. =)

Answer 1

You can set permissions at the folder level for which you want to grant user permissions read/write access.

In your case, right click on the "Software" folder and select "Permissions".

You'll probably know the rest from there.

EDIT: If you still run into issues, you may want to modify your web.config file and use impersonation to have your web application run as a certain user account. Then you can put a tighter reign on the controls.

Answer 2

RegEdt32.exe will allow you to set permissions to registry keys.

Simply right click on a Key (Folder) and click Permissions, then you can edit the permissions as you would an file system folder.

Answer 3

I did so, assuming that a Security setting would be available. I didn't see any "Security" option when I right-clicked on the Key. =( I triple-checked just to make sure... and I just tried it on my XP machine, and it does indeed have the "Permissions" section... but the Windows 2000 machine doesn't. (how's that for wierd?)

In my searching, I found:

http://www.experts-exchange.com/Programming/Languages/.NET/ASP.NET/Q_21563044.html

Which notes that RegEdit for Windows 2000 doesn't have the Security/Permissions settings... but it proposes no solution to the problem. (Whoever asked the question was using Windows XP so he was okay... but in my case, it's 2000)

Is there any way to make it happen specifically in 2000?

EDIT: Ahhhh... if worse come to worse, I suppose I can do the impersonation as mentioned below... though if I can't set security settings for the registry in 2000, I'm left with making that user have Administrative access (I assume?) to actually get those rights, which sadly defeats the purpose. =(

Answer 4

If your having touble with RegEdit in Windows 2000 you can try the following:

• Copy the Windows XP RegEdt32.exe to the Windows 2000 Machine
• Using a Windows XP Machine, connect to the Windows 2000 registry remotely: File > Connect Network Registry

Answer 5

Oh, let me try that! I didn't realize you could remotely connect to another registry.

(EDIT: I was wrong, it did work... it just took several minutes to respond to my request to change permissions remotely)

The remote connection idea did it! You're good! Thanks so much for your help! I never realized you could remote connect with RegEdit... you learn something new every day, they say! =) Thanks again for your assistance! =)

On another note though, about copying the XP version of RegEdit to Windows 2000... is that safe? I figured they would be coded in such a way as to be incompatible... but I could be assuming too much. =)

Answer 6

Just use RegEdt32.exe instead of Regedit.exe. Go to the desired key or folder, then open the security menu and click on 'permissions'.