We're providing an ADMX-file with our (32bit) application so it can be centrally configured via group policies. Do I have to explicitly provide policies for the Wow6432Node registry keys in case the app is installed on a 64bit client OS or does the policy system handle this itself?
The ADMX-file currently provides both Preferences (i.e. values under [HKLM/HKCU]\Software\Company\Product) and "fully-managed" Policies (i.e. for [HKLM/HKCU]\Software\Policies\Company\Product).
For policies the answer is no (i.e. no Wow6432 node).
For preferences the answer is - "it depends".
I will explain the difference. Some keys in registry are redirected into Wow6432 node for 32-bit applications, some others are not. The MSDN page lists shared and redirected keys. [HKLM/HKCU]\Software\Policies key (and everything underneath) is expluded from redirection, it is the same for both 64 and 32 bit processes. This means that for policies you only need to provide one key.
Unlike Software\Policies key, Software\ is redirected. The keys you need would depend on bitness of your product. If you only install 64 bit version of your app on 64 bit OS, you can configure one, if you support 32 bit app running on 64 bit OS, you need two.
Related
I have got a problem with Windows Integrity Mechanism.
I'm using a software called Overwolf
And noticed that one of it's process is running at high integrity level, but not running width admin right.
After some google, still did not get clear.
So, how to run a program with high integrity level but just as a normal user?
Well, I think I get the answer.
First, need to set link flag when build the program, set UAC Bypass UI Protection to :/uiAccess='true', and UAC excution level to: /level='asInvoker'
Second, the program must be signed width a trusted Certification.
At last, the program binary must be placed at system or program file directory.
Is installing Centos using standard installation for webserver relative safe? (without considering the CMS safety and only for Wordpress). The contents are:
- Virtualmin & Webmin:
- APC caching
- Apache, MySQL and Php
Everything is installed with default settings.
I installed Centos server at home and access it 100% from local network.
If it is not safe then what is the minimum requirement for safety?
'Safe' is too relative a term really. CentOS 6, Virtualmin and Webmin all have security bugs filed against them, some of which can even be exploited automatically by scripts and packages like Metasploit.
That said, no system will ever be perfectly secure unless you bury it underground with no net connection, so here are some good initial steps to take to improve security a little:
Turn off services and daemons that you don't need. For instance, it could be that you won't be using FTP, and will use SFTP for file transfer. If so, turn off the ones you aren't using.
Enforce a policy of unique and secure passwords of a decent length
install system updates, especially security updates.
Modify IPtables settings to disallow access to unused ports. Look into further iptables settings that can help
Consider key-based logins, 2 or 3 factor authentication etc. and weigh the pros and cons (google authenticator PAM module is very easy to install, for example).
That's a good start off, a key thing is to keep an eye on the server, try to monitor if unusual bandwidth, or logins are being used.
No box is a fortress, but you can at the very least discourage opportunists.
Specifics:
VC++ 7; Program works on XP, but crashes on Win7; developed using VS2003.NET (old I know but it's what I have to work with and it works fine thank you very much)
I've got a program that runs great on XP (32-bit). However, I've recently tested it with Win7 and all kinds of choas breaks loose. My strong suspicion is how my program deals with registry keys.
NOTE: The program does not create or destroy keys, only queries for keys and returns interesting values. ("Interesting" described below)
In the simplest form, the program reads data from a SCSI attached device, and saves the data to a file on the host PC. The program queries the registry for SCSI adapters and returns the adapter IDs which the program uses to access the device.
To me, it doesn't look like the registry structure has changed from XP to Win7 but not 100% sure. Any insight on that would be great :)
Also, I read at: http://www.techsupportalert.com/content/how-windows7-vista64-support-32bit-applications.htm that the way Win7 does things is like a reflection. Does this change how I should query for the key? If so, any information on how to structure the query would be great.
I think what I need to know is:
Is it as simple as changing the hKey (or lpValueName) in the RegQueryValueEx method?
Or does this mean I need to change some other aspect of the RegQueryValueEx method?
Or something else entirely?
Thank you in advance!
It's worth running your application through the Application Verifier on your own machine first. Of particular interest is the LuaPriv section which will highlight instances where your application is doing operations that don't play well in Vista or Win-7. This should catch any time where you might be consulting registry locations that differ from in XP.
One thing to be aware of is that if you are reading registry entries created by another application then it's possible that they might be in a different place, eg in the 32-bit or 64-bit views, or virtualised to the per-user location (this will typically happen if a process ran thinking it could write anywhere, but didn't have admin privileges, so Windows will sandbox the registry writes into the virtualised area).
Where can I create/modify/delete registry keys to share data between users in the Windows 7 registry? Both of the users are non administrators and it shouldn't require admin privileges.
The application I'm working on uses the registry to write a key from userA and then userB can read/modify/delete it. Neither user has admin privileges and it won't be possible to change this.
Is there an official MSDN guide to how to use the registry in Windows 7? Any links describing proper use of the registry would be useful.
You cannot access HKLM without elevation, so you simply cannot do what you described.
I suggest some of the following:
1. Choose other data storage, eg. database, file, etc. that all your users can access.
2. Create a windows service running as LocalSystem (that gives RW access to HKLM) and make your apps talk to the service via named pipes/COM/a socket.
The registry is for writing configuration settings, not for sharing data between users, you're really using it for the wrong purpose.
However, if you have to, the only place in the registry that would make sense even a little would be in the HKEY_LOCAL_MACHINE hive, in Software\yourapp, but I'm fairly sure that there is nowhere in there that's writeable by normal users by default.
If you are able to, you could create that key and then change the permissions for the users group so that they have full access.
This wiki article might help in seeing how the registry is best used.
On Windows 7, access to HKLM is only for apps running as admin. If you have no manifest on the app, it will virtualize, meaning write to a different per-user storage.
I think you should use a config file in a per-application location that is not per-user, like %PROGRAMDATA%, and have your setup/install (which probably does run as admin) write a single key that tells where this file is. The non admin users can then easily read and write the file while using the application.
The registry is not really the right way to do this. Can you give us some more details about what you're actually trying to do?
Are the users logged in at the same time? In this case, some kind of interprocess-communication (IPC) mechanism might work. For example: named pipes, shared memory, sockets, etc.
If not, will you have a process running at all times (i.e. a service)? This could be used as a sort of drop-box mechanism.
If you've got an installer, you could create a directory that's accessible to both users (put them in the same group, for simplicity's sake). Then you could drop message files in there.
In short: the registry is really designed for long-lived configuration settings. Short-lived communications really ought to be done some other way.
I posted this question a while ago regarding where to store non-user specific application data on Linux.
As you can see, I intended to use "/Library/Application Support” on Mac and perhaps "/var/lib" or "/usr/share" on Linux.
On an existing application (currently Windows only) we use “\ProgramData” on Vista & Windows 7 and “\Documents and Settings\All Users“ on Windows XP (both obtained using System.getenv("ALLUSERSPROFILE"), which does not work on Mac or Linux).
The problem I am finding with the Mac & Linux locations (unlike the Windows ones) is that they are not accessible by non-root/admin users, which sort of defeats the purpose of using them.
What is the best practice is this case? We could simply store the application data in the user's home directory. I wouldn't actually be dead against this, as it seems reasonable for the application to appear completely 'new' when a new user tries using it. The main problem this gives us is that each user would have to enter the serial number in order to activate the application (the activation info is part of the 'application data' we need to store). This isn't really ideal.
That said, if there is no real alternative then I suppose it will have to do.
What do you mean by non-user specific application data?
Read-only resources needed by application, such as localization strings or button icons:
on Mac they are stored in application bundle itself, in Resources subfolder
on Linux, they can be stored near application binary, in /opt/<app>/etc for instance.
Read/write properties, such as serial number:
you can consider this information as user-specific application data, so it should go somewhere in $HOME directory
you can consider this information as computer-wide application data, in which case its setting should be perfomed during software installation process, i.e., with administrative privileges.
/Users/Shared/ is writable for everyone. That said, if you need to support computer-wide licenses, the best place for serial numbers, IMHO, is indeed /Library/Application Support. You would have to use Authorization Services once to ask for an admin password and save the serial number there. If a user fails to enter the admin password, save the serial number in ~/Library/Application Support instead.