Hello,

I am trying to find a way to decode the REG_BINARY value for "HKLM\Software\Microsoft\Ole\DefaultLaunchPermission" to see which users have permissions by default, and if possible, a method in which I can also append other users by their username.

At work we make use of DCOM and for the most part we always give the same users permission but in some cases we are forced to accommodate our clients and add custom users/groups to suit their needs. Unfortunately the custom users we need to add are random usernames so I am unable to just add all the users and copy the value from the key like I have done with the default users we use 95% of the time.

I am currently working on a command-line executable application where I have a command to set permissions for pre-defined users but I would also like to be able to add an option to append a custom user(s) to add to the default permission along with our predefined default users list.

Currently, to set the default users list with my application I would just type:

MyTool.exe Policies

But I would like to be able to make it a bit more verbose, closer to how NET command is used for windows users, something like:

MyTool.exe Policies /ADD:"MyCustomUsername"

The problem is that the data stored in the REG_BINARY value doesn't seem to be easily decoded. I was able to decode the hex portion in python but I am left with some sort of binary data which I don't have a clue what to do with as I don't even know what kind of encoding was used in the first place to know what to use to decode it. :P

I have done quite a bit of googling but I think my lack of understanding the terminology around this topic has probably caused me to overlook the answer without recognizing it for what it is.

I guess my first real question would have to be what kind of encoding is used for the above key after it has been decoded from hex?

Or better yet, is it even possible to obtain/modify the key's value programmatically so that I can obtain a list of the users that are currently set, and if necessary, append additional users/groups?

I would prefer to keep this application written strictly in Python if possible (or WMI/WMIC), but if necessary I can attempt to implement other types of code into my python application if it means getting the job finally done! I guess it would also be useful to mention that this application is primarily used on Windows XP Professional and most Windows Server versions so I am not worried if any possible solution will not be compatible with earlier Windows OS version(s).

Any assistance, code or just some simple help with getting familiar with this topic, would be GREATLY appreciated!

Thanks in advance for any help you can provide!! :D

A: 

Well REG_BINARY isn't any particular format, it's just a way to tell the registry the data is a custom binary format. So you're right about needing to find out what's in there.

Also, what do you mean by converting the data from hex? Are you unpacking it? I doubt you're interpreting it correctly until you know what has been saved in there in the first place.

Once you find out what's in that registry field, python's struct module will be your best friend.

http://docs.python.org/library/struct.html

Further reading (you've probably already seen these)

Trey Stout
Thanks for your prompt response :D Yeah, well, see, this is what happens when you over google yourself with too many random posts and not enough information regarding your topic.. ;) From some of the posts I read, it implied that the data stored within the key is some sort of binary data which has then been encoded to hex. The posts seemed to imply this to be standard for these types of binary entries. One of them also mentioned something about md5 encoding although I'm probably way off.
AWainb
You are right about your "Further reading" section, I am familiar with both links, and I use _winreg a lot although I just discovered struct today while I was researching this topic. You're probably correct to assume that I am interpreting it incorrectly as I am unsure of what kind of binary data I am dealing with and I have been unable to find anything dumbed down enough for me to understand. Any ideas as to how I can figure out "what is saved in there" so I can move on to the next step?
AWainb
It appears that an ACL goes in that value. You'll need to find the structure of registry ACLs to know how to build one in binary and shove it in there. - http://msdn.microsoft.com/en-us/magazine/cc982153.aspx - http://isg.ee.ethz.ch/tools/realmen/det/dacl.en.html I would grab ProcMon from Sysinternals. Run it on a process that you know sets that registry key properly, and watch for that event in ProcMon. You could then probably catch what another program is putting in there.
Trey Stout
A: 

We came across similar issues when installing a COM server that was hosted by our .NET service, i.e. we wanted to programmatically alter the COM ACLs in our install logic. I think you'll find that it's just a binary ACL format that you can manipulate in .NET using the class:

System.Security.AccessControl.CommonSecurityDescriptor

So sorry I can't help you in getting a Python solution, but if your back is to the wall and you can manage .NET, some sample code would look like:

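```csharp
using System.Security.AccessControl;
using System.Security.Principal;

// COM_RIGHTS is a flags enum for the COM_RIGHTS_* access bits; its definition is not shown here.
int launchMask = (int) (COM_RIGHTS.EXECUTE | COM_RIGHTS.EXECUTE_LOCAL | COM_RIGHTS.ACTIVATE_LOCAL);

// Well-known SIDs for BUILTIN\Administrators and INTERACTIVE.
SecurityIdentifier sidAdmins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
SecurityIdentifier sidInteractive = new SecurityIdentifier(WellKnownSidType.InteractiveSid, null);

// One allow ACE per SID, no inheritance.
DiscretionaryAcl launchAcl = new DiscretionaryAcl(false, false, 3);
launchAcl.AddAccess(AccessControlType.Allow, sidAdmins, launchMask, InheritanceFlags.None, PropagationFlags.None);
launchAcl.AddAccess(AccessControlType.Allow, sidInteractive, launchMask, InheritanceFlags.None, PropagationFlags.None);

// Self-relative descriptor with Administrators as owner and group, no SACL.
CommonSecurityDescriptor launchSD = new CommonSecurityDescriptor(false,
                                                                    false,
                                                                    ControlFlags.DiscretionaryAclPresent | ControlFlags.SelfRelative,
                                                                    sidAdmins,
                                                                    sidAdmins,
                                                                    null,
                                                                    launchAcl);

// Serialize the descriptor to the byte array that goes into the REG_BINARY value.
byte[] launchPermission = new byte[launchSD.BinaryLength];
launchSD.GetBinaryForm(launchPermission, 0);
```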

You then take the launch permission byte array and write it to the registry. If .NET is a non-starter you can at least have a look at how the .NET classes work and see what win32 functions they use. You can either use the reflector tool to look at the relevant assembly, or MSFT actually publish the .NET source.

donovan
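For the Python side of the question, here is an added example (not part of any of the answers above) that decodes such a value with `struct`, assuming it holds a self-relative security descriptor as the answers suggest. The sample bytes are constructed to mirror the descriptor built in the .NET code above; on a real machine they would come from reading the registry value. The function and helper names are hypothetical, and only basic allow/deny ACEs are decoded.

```python
import struct

# COM access-right bits (the COM_RIGHTS_* constants from the Windows SDK).
COM_RIGHTS = {0x01: "EXECUTE", 0x02: "EXECUTE_LOCAL", 0x04: "EXECUTE_REMOTE",
              0x08: "ACTIVATE_LOCAL", 0x10: "ACTIVATE_REMOTE"}
ACE_TYPES = {0: "ALLOW", 1: "DENY"}  # ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE

def parse_sid(buf, off):
    """Return (sid_string, byte_length) for the SID starting at buf[off]."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count

def parse_launch_permission(blob):
    """Decode a self-relative security descriptor into owner, group and DACL entries."""
    if len(blob) < 20:
        raise ValueError("too short for a security descriptor header")
    rev, _, control, off_owner, off_group, _, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1 or not control & 0x8000:  # SE_SELF_RELATIVE
        raise ValueError("not a revision-1 self-relative security descriptor")
    result = {"owner": parse_sid(blob, off_owner)[0] if off_owner else None,
              "group": parse_sid(blob, off_group)[0] if off_group else None,
              "dacl": []}
    if not (control & 0x0004) or off_dacl == 0:  # SE_DACL_PRESENT
        return result
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", blob, off_dacl)
    pos, end = off_dacl + 8, off_dacl + acl_size
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", blob, pos)
        if ace_size < 8 or pos + ace_size > end or end > len(blob):
            raise ValueError("ACE runs past the end of the ACL")
        if ace_type in ACE_TYPES:  # layout: 4-byte header, 4-byte mask, SID
            mask, = struct.unpack_from("<I", blob, pos + 4)
            rights = [name for bit, name in COM_RIGHTS.items() if mask & bit]
            result["dacl"].append((ACE_TYPES[ace_type], parse_sid(blob, pos + 8)[0], rights))
        pos += ace_size
    return result

# Constructed sample, not read from a real registry: Administrators and
# INTERACTIVE, each allowed EXECUTE | EXECUTE_LOCAL | ACTIVATE_LOCAL (0x0B).
def build_sid(authority, *subs):
    return struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
def build_ace(sid, mask):
    return struct.pack("<BBHI", 0, 0, 8 + len(sid), mask) + sid

ADMINS, INTERACTIVE = build_sid(5, 32, 544), build_sid(5, 4)
aces = build_ace(ADMINS, 0x0B) + build_ace(INTERACTIVE, 0x0B)
dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), 2, 0) + aces
SAMPLE = struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 36, 0, 52) + ADMINS + ADMINS + dacl
print(parse_launch_permission(SAMPLE))
```

The decoder returns SID strings rather than account names; mapping a SID to a username requires a lookup on the machine itself.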
A: 

Hi donovan,

I am new to ACL and ACEs and in my C# assignment, I have to add 'EveryOne' and 'Anonymous Logon' users to the existing set of users in Default Access Permission (at 'My Computer' level). Could you please help me? Thanks in advance!

Don't post questions as answers to other questions. There's the **Ask Question** button in the upper right for adding new questions.
Helen