Registering a COM dll without administrator privileges 
Author Message
 Registering a COM dll without administrator privileges

A question for my fellow MVP gurus:

A potential client is very suspicous about the automatic registration of COM
objects that are downloaded and registered through the browser.
Specifically, unless the use has local administrator privileges, the
registration step fails because he lacks access rights to the registry.

Specifically,
http://www.*-*-*.com/ %3ben-us%3b190686 seems to
describe the issue.

What are the minimum registry access rights required?

The article describes that ATL7 seems to correct the problem, however, I've
tested a control built under Dev Studio.NET and the registration fails for a
regular local user.

I seem to recall reading somewhere that there is an alternate registry
location under HKEY_CURRENT_USER that can be used. Is this so?



Tue, 09 Aug 2005 06:23:29 GMT  
 Registering a COM dll without administrator privileges

Quote:
> I seem to recall reading somewhere that there is an alternate registry
> location under HKEY_CURRENT_USER that can be used. Is this so?

'Tis so in Win2K and above. See

http://msdn.microsoft.com/library/en-us/sysinfo/base/hkey_classes_roo...
http://msdn.microsoft.com/library/en-us/sysinfo/base/merged_view_of_h...

--
With best wishes,
    Igor Tandetnik

"For every complex problem, there is a solution that is simple, neat,
and wrong." H.L. Mencken



Tue, 09 Aug 2005 06:59:07 GMT  
 Registering a COM dll without administrator privileges
Much obliged, Igor. Just what I was after. Many thanks.


Tue, 09 Aug 2005 09:40:59 GMT  
 Registering a COM dll without administrator privileges
The saga continues....

I've modified the <Myclass>.rgs file from

HKCR
{
    <etc.>

Quote:
}

to

HKCU
{
    'Software'
    {
        'Classes'
        {
            <etc.>
        }
    }

Quote:
}

This part appears to register correctly by a user without local
administrator rights. However, later in the code the call to
AtlModuleRegisterTypeLib fails. It appears to fail at
::RegisterTypeLib(pTypeLib, bstrPath, szDir), which still needs
administrator rights.

Has anyone gone down this path before? Documentation seems very scanty.

Any suggestions regarding a fix?


Quote:
> Much obliged, Igor. Just what I was after. Many thanks.



Tue, 09 Aug 2005 16:00:23 GMT  
 Registering a COM dll without administrator privileges
I'm afraid there is no better way than to figure out exactly what
registry changes RegisterTypeLib makes for your type library, and move
them by hand into the .RGS script with appropriate modifications.
--
With best wishes,
    Igor Tandetnik

"For every complex problem, there is a solution that is simple, neat,
and wrong." H.L. Mencken


Quote:
> This part appears to register correctly by a user without local
> administrator rights. However, later in the code the call to
> AtlModuleRegisterTypeLib fails. It appears to fail at
> ::RegisterTypeLib(pTypeLib, bstrPath, szDir), which still needs
> administrator rights.



Tue, 09 Aug 2005 23:50:15 GMT  
 Registering a COM dll without administrator privileges
I have come to the same conclusion.

I'm getting the impression from my Google searches that NOBODY has really
seriously tackled this issue. I'll post to microsoft.private.mvp.visualc to
see if Microsoft takes an interest. This is clearly a problem when one has
15 COM objects to modify.

Thanks again, Igor.



Wed, 10 Aug 2005 01:25:52 GMT  
 Registering a COM dll without administrator privileges
For what it's worth now (and I apologise for replying to an old post,
but I thought it was relevant):

You can get around this problem on Windows 2000 and later by
overriding the DllRegisterServer and DllUnregisterServer methods
generated by ATL and using the new function RegOverridePredefKey, made
for this very purpose.

[module(type=dll, etc.) ]
class CPerUserRegisterDllMain
{
public:
        BOOL DllRegisterServer()
        {
                HKEY hKeyCurrentUser;

                RegOpenKeyEx(HKEY_CURRENT_USER, _T("Software\\Classes"), 0,
KEY_ALL_ACCESS, &hKeyCurrentUser);
                RegOverridePredefKey(HKEY_CLASSES_ROOT, hKeyCurrentUser);
                RegCloseKey(hKeyCurrentUser);

                return __super::DllRegisterServer();
        }

        BOOL DllUnregisterServer()
        {
                HKEY hKeyCurrentUser;

                RegOpenKeyEx(HKEY_CURRENT_USER, _T("Software\\Classes"), 0,
KEY_ALL_ACCESS, &hKeyCurrentUser);
                RegOverridePredefKey(HKEY_CLASSES_ROOT, hKeyCurrentUser);
                RegCloseKey(hKeyCurrentUser);

                return __super::DllUnregisterServer();
        }

Quote:
};

--
David McCabe
Quote:

> The saga continues....

> I've modified the <Myclass>.rgs file from

> HKCR
> {
>     <etc.>
> }

> to

> HKCU
> {
>     'Software'
>     {
>         'Classes'
>         {
>             <etc.>
>         }
>     }
> }

> This part appears to register correctly by a user without local
> administrator rights. However, later in the code the call to
> AtlModuleRegisterTypeLib fails. It appears to fail at
> ::RegisterTypeLib(pTypeLib, bstrPath, szDir), which still needs
> administrator rights.

> Has anyone gone down this path before? Documentation seems very scanty.

> Any suggestions regarding a fix?



> > Much obliged, Igor. Just what I was after. Many thanks.



Wed, 07 Sep 2005 07:54:59 GMT  
 Registering a COM dll without administrator privileges

--------------------

Quote:

>Subject: Re: Registering a COM dll without administrator privileges
>Date: Fri, 21 Feb 2003 09:25:52 -0800
>Lines: 10

>I have come to the same conclusion.

>I'm getting the impression from my Google searches that NOBODY has really
>seriously tackled this issue. I'll post to microsoft.private.mvp.visualc to
>see if Microsoft takes an interest. This is clearly a problem when one has
>15 COM objects to modify.

>Thanks again, Igor.

We're looking into ways to solve this problem at development time. However,
we have not been able to get traction on this as a real issue for
production applications. Do people feel strongly about this?

--
Pranish Kumar

Microsoft Visual C++ Team
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm



Sat, 17 Sep 2005 03:56:15 GMT  
 Registering a COM dll without administrator privileges
I have found this to be a definite problem, Pranish.

Our company actually lost the bid on a contract on this issue alone. We
stipulated that our downloadable COM objects could only be installed if the
end user had local administrator privileges. This tilted the decision in
favour of a Unix-J2EE solution, even though we had a ready product vs. a
longer development cycle for the winning proposal.

Our company targets the corporate financial sector, many of whom favour
Unix-based platforms and J2EE solutions. We often have to fight preconceived
notions about Microsoft technology. I would have liked to have made our COM
objects a bit more friendly for such environments. (We probably will one
day, but the coding effort for 15 or 30 controls is not insignificant given
our current resources.)

Cheers,

Brian Muth (MVP)



Sat, 17 Sep 2005 05:21:11 GMT  
 Registering a COM dll without administrator privileges
This is really surprising that there are no posts.

Does this mean everyone sets up their network such that users have local
administrator rights? I can't believe it!



Sun, 18 Sep 2005 02:52:52 GMT  
 Registering a COM dll without administrator privileges
Brian,

The way I see it, I don't personally need it, since I live on the server
side.

But the fact that it seems to be impossible/very hard given today's
circumstances is a bit disconcerting.

The security initiative would do good in respecting COM for a while longer,
I guess - given the popularity of this group, many people are still building
components/controls in ATL, and if only half of them end up on clients,
there's going to be a problem, since people are more security conscious now
than they were back in -98.

Kim


Quote:
> This is really surprising that there are no posts.

> Does this mean everyone sets up their network such that users have local
> administrator rights? I can't believe it!



Sun, 18 Sep 2005 03:11:23 GMT  
 Registering a COM dll without administrator privileges

Quote:

> This is really surprising that there are no posts.

> Does this mean everyone sets up their network such that users have local
> administrator rights? I can't believe it!

It's not been an issue for our software.  I think the clients who are
more restrictive also tend to do their own special installation
packaging, which allows them to evade the issue.  For our internal
users, they're moving to making the users members of the Power Users
group -- I'm not sure which priveleges that confers, but I can say
that it's enough for them to install our software (which includes
registration of several OCX controls and registration of at least
one VB ActiveX dll) without incident.

--
Craig Powers
MVP - Visual C++



Sun, 18 Sep 2005 03:20:17 GMT  
 Registering a COM dll without administrator privileges
Doesn't this pretty much invalidate the whole concept of a secure registry?
Unless I missed something, what's to keep malicious code from using this
same approach?

Jeff


Quote:
> For what it's worth now (and I apologise for replying to an old post,
> but I thought it was relevant):

> You can get around this problem on Windows 2000 and later by
> overriding the DllRegisterServer and DllUnregisterServer methods
> generated by ATL and using the new function RegOverridePredefKey, made
> for this very purpose.

> [module(type=dll, etc.) ]
> class CPerUserRegisterDllMain
> {
> public:
> BOOL DllRegisterServer()
> {
> HKEY hKeyCurrentUser;

> RegOpenKeyEx(HKEY_CURRENT_USER, _T("Software\\Classes"), 0,
> KEY_ALL_ACCESS, &hKeyCurrentUser);
> RegOverridePredefKey(HKEY_CLASSES_ROOT, hKeyCurrentUser);
> RegCloseKey(hKeyCurrentUser);

> return __super::DllRegisterServer();
> }

> BOOL DllUnregisterServer()
> {
> HKEY hKeyCurrentUser;

> RegOpenKeyEx(HKEY_CURRENT_USER, _T("Software\\Classes"), 0,
> KEY_ALL_ACCESS, &hKeyCurrentUser);
> RegOverridePredefKey(HKEY_CLASSES_ROOT, hKeyCurrentUser);
> RegCloseKey(hKeyCurrentUser);

> return __super::DllUnregisterServer();
> }
> };

> --
> David McCabe




- Show quoted text -

Quote:
> > The saga continues....

> > I've modified the <Myclass>.rgs file from

> > HKCR
> > {
> >     <etc.>
> > }

> > to

> > HKCU
> > {
> >     'Software'
> >     {
> >         'Classes'
> >         {
> >             <etc.>
> >         }
> >     }
> > }

> > This part appears to register correctly by a user without local
> > administrator rights. However, later in the code the call to
> > AtlModuleRegisterTypeLib fails. It appears to fail at
> > ::RegisterTypeLib(pTypeLib, bstrPath, szDir), which still needs
> > administrator rights.

> > Has anyone gone down this path before? Documentation seems very scanty.

> > Any suggestions regarding a fix?



> > > Much obliged, Igor. Just what I was after. Many thanks.



Sun, 18 Sep 2005 06:45:15 GMT  
 Registering a COM dll without administrator privileges
How? This technique just allows the code that is hardcoded to use
HKEY_CLASSES_ROOT to write to some alternative key instead (and it still
needs sufficient access to write to this alternative key). It does not
open up HKEY_CLASSES_ROOT to underpriviledged code. In particular, COM
object installed by guest user cannot register itself machine wide so as
to get to run with elevated priviledges when an administrator logs in
later - it is only registered under HKEY_CURRENT_USER key of this guest
user.
--
With best wishes,
    Igor Tandetnik

"For every complex problem, there is a solution that is simple, neat,
and wrong." H.L. Mencken


Quote:
> Doesn't this pretty much invalidate the whole concept of a secure
registry?
> Unless I missed something, what's to keep malicious code from using
this
> same approach?

> Jeff



> > For what it's worth now (and I apologise for replying to an old
post,
> > but I thought it was relevant):

> > You can get around this problem on Windows 2000 and later by
> > overriding the DllRegisterServer and DllUnregisterServer methods
> > generated by ATL and using the new function RegOverridePredefKey,
made
> > for this very purpose.

> > [module(type=dll, etc.) ]
> > class CPerUserRegisterDllMain
> > {
> > public:
> > BOOL DllRegisterServer()
> > {
> > HKEY hKeyCurrentUser;

> > RegOpenKeyEx(HKEY_CURRENT_USER, _T("Software\\Classes"), 0,
> > KEY_ALL_ACCESS, &hKeyCurrentUser);
> > RegOverridePredefKey(HKEY_CLASSES_ROOT, hKeyCurrentUser);
> > RegCloseKey(hKeyCurrentUser);

> > return __super::DllRegisterServer();
> > }

> > BOOL DllUnregisterServer()
> > {
> > HKEY hKeyCurrentUser;

> > RegOpenKeyEx(HKEY_CURRENT_USER, _T("Software\\Classes"), 0,
> > KEY_ALL_ACCESS, &hKeyCurrentUser);
> > RegOverridePredefKey(HKEY_CLASSES_ROOT, hKeyCurrentUser);
> > RegCloseKey(hKeyCurrentUser);

> > return __super::DllUnregisterServer();
> > }
> > };

> > --
> > David McCabe



> > > The saga continues....

> > > I've modified the <Myclass>.rgs file from

> > > HKCR
> > > {
> > >     <etc.>
> > > }

> > > to

> > > HKCU
> > > {
> > >     'Software'
> > >     {
> > >         'Classes'
> > >         {
> > >             <etc.>
> > >         }
> > >     }
> > > }

> > > This part appears to register correctly by a user without local
> > > administrator rights. However, later in the code the call to
> > > AtlModuleRegisterTypeLib fails. It appears to fail at
> > > ::RegisterTypeLib(pTypeLib, bstrPath, szDir), which still needs
> > > administrator rights.

> > > Has anyone gone down this path before? Documentation seems very
scanty.

> > > Any suggestions regarding a fix?



> > > > Much obliged, Igor. Just what I was after. Many thanks.



Sun, 18 Sep 2005 06:59:31 GMT  
 Registering a COM dll without administrator privileges
Well, no, it'll write in HKCU, where anything started from the interactive user
can write anyway. Security is not compromised.

--
=====================================
Alexander Nickolov
Microsoft MVP [VC], MCSD

MVP VC FAQ: http://www.mvps.org/vcfaq
=====================================

Quote:

> Doesn't this pretty much invalidate the whole concept of a secure registry?
> Unless I missed something, what's to keep malicious code from using this
> same approach?

> Jeff



> > For what it's worth now (and I apologise for replying to an old post,
> > but I thought it was relevant):

> > You can get around this problem on Windows 2000 and later by
> > overriding the DllRegisterServer and DllUnregisterServer methods
> > generated by ATL and using the new function RegOverridePredefKey, made
> > for this very purpose.

> > [module(type=dll, etc.) ]
> > class CPerUserRegisterDllMain
> > {
> > public:
> > BOOL DllRegisterServer()
> > {
> > HKEY hKeyCurrentUser;

> > RegOpenKeyEx(HKEY_CURRENT_USER, _T("Software\\Classes"), 0,
> > KEY_ALL_ACCESS, &hKeyCurrentUser);
> > RegOverridePredefKey(HKEY_CLASSES_ROOT, hKeyCurrentUser);
> > RegCloseKey(hKeyCurrentUser);

> > return __super::DllRegisterServer();
> > }

> > BOOL DllUnregisterServer()
> > {
> > HKEY hKeyCurrentUser;

> > RegOpenKeyEx(HKEY_CURRENT_USER, _T("Software\\Classes"), 0,
> > KEY_ALL_ACCESS, &hKeyCurrentUser);
> > RegOverridePredefKey(HKEY_CLASSES_ROOT, hKeyCurrentUser);
> > RegCloseKey(hKeyCurrentUser);

> > return __super::DllUnregisterServer();
> > }
> > };

> > --
> > David McCabe



> > > The saga continues....

> > > I've modified the <Myclass>.rgs file from

> > > HKCR
> > > {
> > >     <etc.>
> > > }

> > > to

> > > HKCU
> > > {
> > >     'Software'
> > >     {
> > >         'Classes'
> > >         {
> > >             <etc.>
> > >         }
> > >     }
> > > }

> > > This part appears to register correctly by a user without local
> > > administrator rights. However, later in the code the call to
> > > AtlModuleRegisterTypeLib fails. It appears to fail at
> > > ::RegisterTypeLib(pTypeLib, bstrPath, szDir), which still needs
> > > administrator rights.

> > > Has anyone gone down this path before? Documentation seems very scanty.

> > > Any suggestions regarding a fix?



> > > > Much obliged, Igor. Just what I was after. Many thanks.



Sun, 18 Sep 2005 07:05:24 GMT  
 
 [ 15 post ] 

 Relevant Pages 

1. Are administrator rights needed to register a COM ?

2. Administrator privileges ...

3. Administrator privileges ...

4. Administrator privileges

5. User or Administrator privileges.

6. Execute code with administrator privileges

7. COM will not register without VC++ installed

8. Can I use a COM object without registering?

9. Problems registering an ATL dll on some computers without DevStudio installed on it

10. Register DLL Without an Visual Studio Installed

11. Security failed when use PerformanceCounter without administrator!

12. _CrtIsValidHeapPointer failure while registering a COM dll built with /clr option

 

 
Powered by phpBB® Forum Software