Sebastiana, posted February 28

Good morning everyone, I have a problem with my ISAPI on the new Windows Server 2022. Why doesn't it allow me to access the registry files to read a specific key? From this key I read paths to read certain files. What do you recommend? Thank you

PeterBelow, posted February 28

What root key do you use? HKEY_CURRENT_USER depends on the user running the process in question (IIS probably) and that may not be what you expect. And which access rights do you specify when you try to open the key in question?

Sebastiana, posted February 29

Hi, I implemented this code and call the function with

```pascal
Dir2 := ReadRegEntry('SOFTWARE\DBTFICIO\ProvaIsapi', 'Directory');

function ReadRegEntry(strSubKey, strValueName: string): string;
var
  Key: HKey;
  Buffer: array[0..1023] of Char;
  Size: Cardinal;
begin
  Result := 'ERROR';
  Size := SizeOf(Buffer); // buffer size in bytes, as the API expects
  if RegOpenKeyEx(HKEY_LOCAL_MACHINE, PChar(strSubKey),0,KEY_READ,Key) = ERROR_SUCCESS then
  begin
    if RegQueryValueEx(Key,PChar(strValueName),nil,nil, @Buffer,@Size) = ERROR_SUCCESS then
      Result := Buffer;
    // Close the handle only when the open succeeded; Key is undefined otherwise.
    RegCloseKey(Key);
  end;
end;
```

The user is both IIS_Iusrs and Iusr. Help me😓 Thank you

DelphiUdIT, posted February 29

> 4 minutes ago, Sebastiana said:
> RegOpenKeyEx(HKEY_LOCAL_MACHINE, PChar(strSubKey),0,KEY_READ,Key) = ERROR_SUCCESS
> RegQueryValueEx(Key,PChar(strValueName),nil,nil, @Buffer,@Size) = ERROR_SUCCESS

What kind of ERROR do these functions report? Maybe that information can help you.

Sebastiana, posted February 29

As a message it gives me only Error or nothing.

Sebastiana, posted February 29

This call is not successful, only the first one works, this:

RegOpenKeyEx(HKEY_LOCAL_MACHINE, PChar(strSubKey),0,KEY_READ,Key) = ERROR_SUCCESS

Kas Ob., posted February 29

@Sebastiana from https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regopenkeyexa

> If your service or application impersonates different users, do not use this function with HKEY_CURRENT_USER. Instead, call the RegOpenCurrentUser function.

And your ISAPI is running under a different user, most likely the limited IIS_IUSRS; you need to use RegOpenCurrentUser.

https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regopencurrentuser
https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights

Sebastiana, posted February 29

Thanks for the tip but I don't understand how to use the new feature. I've also never had this problem. I am forced to read the regedit because we cannot recompile some software developed with very old versions of Delphi. Thank you, I accept all possible suggestions

DelphiUdIT, posted February 29 (edited February 29)

> 23 minutes ago, Sebastiana said:
> this call is not successful, only the first one works, this :
> RegOpenKeyEx(HKEY_LOCAL_MACHINE, PChar(strSubKey),0,KEY_READ,Key) = ERROR_SUCCESS

```pascal
Value := RegQueryValueEx(Key,PChar(strValueName),nil,nil, @Buffer,@Size);
```

This function returns a value. Log this value; it can show you EXACTLY what the problem is. From line 11867 in WinApi.Windows.pas (Delphi Athens 12 patch 1) you'll find what that code means.

Probably it is like @Kas Ob. says: you cannot read the HKLM registry from ISAPI. If that is the problem, you must transfer all the keys you need from HKLM to HKCU (or the right root key).

P.S.: another solution is to give full access rights to the registry key that you are interested in reading. Use "regedit" for this, and with a right mouse click on the key choose "Autorizzazioni" (I think you are Italian 😉).

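Added example (not part of any post in this thread, and not any participant's code): a diagnostic variant of the ReadRegEntry function from the question that keeps the status code of each registry call, so the log shows whether the failure is "not found" or "access denied". It assumes a Delphi version with scoped unit names (XE2 or later); ReadRegEntryDiag and its parameters are hypothetical names.

```pascal
// Added example, not code from the thread. ReadRegEntryDiag is a hypothetical name.
uses
  Winapi.Windows, System.SysUtils;

function ReadRegEntryDiag(const SubKey, ValueName: string;
  out Value, Diag: string): Boolean;
var
  Key: HKEY;
  Status: Longint;
  ValueType, Size: DWORD;
  Buffer: TBytes;
begin
  Result := False;
  Value := '';
  Diag := '';
  // KEY_QUERY_VALUE is the narrowest right that still allows reading a value.
  Status := RegOpenKeyEx(HKEY_LOCAL_MACHINE, PChar(SubKey), 0,
    KEY_QUERY_VALUE, Key);
  if Status <> ERROR_SUCCESS then
  begin
    Diag := Format('RegOpenKeyEx: %d %s',
      [Status, SysErrorMessage(Cardinal(Status))]);
    Exit;
  end;
  try
    // Pass 1: nil data pointer, so the API only reports type and byte size.
    Size := 0;
    ValueType := REG_NONE;
    Status := RegQueryValueEx(Key, PChar(ValueName), nil, @ValueType, nil, @Size);
    if (Status = ERROR_SUCCESS) and (Size > 0) then
    begin
      // Extra zeroed Char: stored strings are not guaranteed to be terminated.
      SetLength(Buffer, Size + SizeOf(Char));
      Status := RegQueryValueEx(Key, PChar(ValueName), nil, @ValueType,
        @Buffer[0], @Size);
    end;
    // 2 = ERROR_FILE_NOT_FOUND (value missing), 5 = ERROR_ACCESS_DENIED (ACL).
    if Status <> ERROR_SUCCESS then
      Diag := Format('RegQueryValueEx: %d %s',
        [Status, SysErrorMessage(Cardinal(Status))])
    else if (ValueType <> REG_SZ) and (ValueType <> REG_EXPAND_SZ) then
      Diag := Format('Unexpected value type %d', [ValueType])
    else
    begin
      if Length(Buffer) > 0 then
        Value := PChar(@Buffer[0]);
      Result := True;
    end;
  finally
    RegCloseKey(Key); // only reached when the open succeeded
  end;
end;
```

Inside an ISAPI there is no console, so write Diag to a log file or to the debug output rather than showing it to the client.
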
Angus Robertson, posted February 29

This is a simple function I wrote 20 years ago, should work to read strings from HLM keys with any login or none, only writing HLM is protected.

```pascal
// Requires the Windows and Registry units in the uses clause.
function MagGetRegHlmStr (const RegKey, RegValue: string): string ;
var
    IniFile: TRegistry ;
begin
    result := '' ;
    IniFile := TRegistry.Create ;
    try
        with IniFile do
        begin
            try
                RootKey := HKEY_LOCAL_MACHINE;
                Access := KEY_QUERY_VALUE ;   // read-only access to values
                if OpenKey (RegKey, false) then   // false: do not create the key
                begin
                    if ValueExists (RegValue) then
                    begin
                        if GetDataType (RegValue) = rdString then
                            result := ReadString (RegValue) ;
                    end;
                end ;
                CloseKey ;
            except
                // any registry error is swallowed; the result stays ''
            end ;
        end ;
    finally
        if Assigned (IniFile) then IniFile.Free;
    end;
end ;
```

Angus

Kas Ob., posted February 29

> 4 minutes ago, DelphiUdIT said:
> Probably it is like @Kas Ob. says: you cannot read the HKLM registry from ISAPI.

He can, and that is the problem: he can and there is a result, but it is for a different user, as IIS (the host of the ISAPI) runs as its own user, so most likely the error is that the path doesn't exist or something.

IIS starts and runs with its own separate user privileges, hence the completely different registry local user. It also deliberately has limited file access to prevent an ISAPI from doing nasty stuff, or, when things get broken and hacked, so that the ISAPI can't compromise the system as a whole.

Also there is the IIS isolation mode https://learn.microsoft.com/en-us/iis/manage/configuring-security/ensure-security-isolation-for-web-sites which spawns a different hosting process with yet another security context.

@Sebastiana the best way to solve this right is to ditch the registry and switch to either a file (in a guaranteed access directory for this ISAPI), or run a separate Windows service to serve the registry to the ISAPI using some IPC. If there is legacy code that is running on the same machine, then it is possible to make it serve these data to the ISAPI. Away from that it will be just ugly workarounds, which most likely will break later due to some changes in IIS or, as always, some hardening tools that change policies for IIS and running ISAPIs.

DelphiUdIT, posted February 29

> 3 minutes ago, Kas Ob. said:
> He can, and that is the problem: he can and there is a result, but it is for a different user, as IIS (the host of the ISAPI) runs as its own user, so most likely the error is that the path doesn't exist or something.

She is trying to read the HKLM; this key is always present and is the same for all processes (of course not in a virtual machine).

Kas Ob., posted February 29

> 41 minutes ago, DelphiUdIT said:
> She is trying to read the HKLM,

She, and I am sorry I missed that, but HKLM does exist for all users, only if they have access to it, here from my registry

Everyone can read from the root of HKLM. Other users' registries are in HK_USERS and the needed registry is there in one of them. The only problem is: unless the user for IIS is listed in one of the allowed groups, no ISAPI can read these users.

Also a fun fact: HKEY_CURRENT_USER is just a virtual copy (shadow) of one (and one only) of those listed in HKEY_USERS.

DelphiUdIT, posted February 29

> 26 minutes ago, Kas Ob. said:
> She, and I am sorry I missed that, but HKLM does exist for all users, only if they have access to it, here from my registry
> Everyone can read from the root of HKLM. Other users' registries are in HK_USERS and the needed registry is there in one of them. The only problem is: unless the user for IIS is listed in one of the allowed groups, no ISAPI can read these users.
> Also a fun fact: HKEY_CURRENT_USER is just a virtual copy (shadow) of one (and one only) of those listed in HKEY_USERS.

> 1 hour ago, DelphiUdIT said:
> P.S.: another solution is to give full access rights to the registry key that you are interested in reading. Use "regedit" for this, and with a right mouse click on the key choose "Autorizzazioni" (I think you are Italian ).

Like I said in my previous post ("Autorizzazioni" is like "Permissions" in Italian).

But HKLM is accessible (the OPEN in READ mode seems to be OK for her); for this she must see the ERROR code in the query function ... is it about "key not found"? Or "access right"? Or ????

This is surely a new security countermeasure in the new Windows Server (or in IIS), and it would be interesting to know how the rights are on site.

Sebastiana, posted March 5

Thanks for the answers. I will do the necessary tests and checks and give you an answer. In any case, I gave the right reading rights to the Regedit key for the IIS user and it doesn't work; this is the first time I've been forced to do this.

Sebastiana, posted March 5

Ok, now I can say that if I don't change the rights in IIS or don't change where to read the registry keys, nothing will work. I will look for a strategy for all those ISAPIs that I can no longer compile 😞 Thank you 😞