
Registry troubles

Started by czDrillard, February 20, 2006, 02:37:33 PM


czDrillard

Hello everybody,

I posted this question to winasmcommunity but that board seems to be gone again so I post it here. I'm trying to open the registry key HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider\S-1-5-21-507921405-1960408961-725345543-1003 but this always results in ACCESS_DENIED_ERROR, so I change permission levels using these APIs:

GetCurrentProcess
OpenProcessToken
LookupPrivilegeValue
AdjustTokenPrivileges


The return values indicate that the privilege access has been successfully enabled but I still get access denied when I try to open the key.

Btw, I can change the permission with regedit then open the key but I need to do this programmatically.  Any ideas what I'm missing here or suggestions appreciated.

best regards,

czDrillard

P1

czDrillard,

There's a lot of API support for Pstores. And a number of recovery helps with Microsoft. The key you gave is "NT Non-unique" to the build of your system. I am wondering if you should be using the API versus modifying yourself.

What are you trying to do here?

Regards,  P1  :8)

czDrillard

Thanks P1,

I want to open and delete autocomplete entries stored in that key. For example all the google keywords etc. And maybe eventually figure out their encryption and display the contents of the key.

best regards,

czDrillard

P1

czDrillard,

Here is where mine are:
[HKEY_CURRENT_USER\Software\Google\NavClient\1.1\History]

Regards,  P1  :8)

czDrillard

Hello P1 and thank you for your answer. When I look in my registry I have no key listed under that path. My question is how can I access Protected Storage key programmatically. I've googled for this and found nothing. However, I have found the google search words in Protected Storage key :)

best regards,

czDrillard

P1

czDrillard,

The registry entry is for the Google toolbar.

I do not have those entries in my registry. Please do me a favor, export the whole key and post it or e-mail it to me.

Permit some time to do a little more research.

Regards,  P1  :8)  P1 (at) HofferPL (dot) com

czDrillard

Hello P1,


I sent you the key as a file attachment.  (163 kb)
Btw, I'm using Windows XP Pro and Internet Explorer. Here is the code I use to change the key permissions. I can't remember where it came from but I am not the author. It doesn't generate any errors but it doesn't seem to do anything either. Maybe I'm missing something basic here like asking for the wrong privilege?

;//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
ModifyPrivilege proc

;// szPrivilege == "SeTakeOwnershipPrivilege" (maybe this is the wrong privilege)

local    NewState :TOKEN_PRIVILEGES
local    luid :LUID
local    hToken :HANDLE
local    fEnable :DWORD

int 03h                 ;// debugger breakpoint

mov hToken, NULL
mov fEnable, TRUE       ;// enable the privilege (the local was otherwise read uninitialised)

;//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;// Open the process token for this process.
;//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
invoke GetCurrentProcess
mov ecx,eax
invoke OpenProcessToken,ecx,\
       TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,ADDR hToken
;//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;// returns pointer to a handle identifying the newly
;// opened access token
;//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
.if eax==00h
    ;// return ERROR_FUNCTION_FAILED (1627)
    mov eax,1627
    ret
.endif

;//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;// Get the local unique id for the privilege.
;//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
invoke LookupPrivilegeValue,NULL,ADDR szPrivilege,addr luid
.if eax==00h
    ;// return ERROR_FUNCTION_FAILED
    invoke CloseHandle,hToken
    mov eax,1627
    ret
.endif

;//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;//    Assign values to the TOKEN_PRIVILEGE structure.
;//    NewState.PrivilegeCount = 1;
;//    NewState.Privileges[0].Luid = luid;
;//    NewState.Privileges[0].Attributes = (fEnable ? SE_PRIVILEGE_ENABLED : 0);
;//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
mov NewState.PrivilegeCount,1
mov eax, luid.LowPart
mov ecx, luid.HighPart
mov NewState.Privileges[0*sizeof LUID_AND_ATTRIBUTES].Luid.LowPart,eax
mov NewState.Privileges[0*sizeof LUID_AND_ATTRIBUTES].Luid.HighPart,ecx

.if (fEnable)
    mov eax, SE_PRIVILEGE_ENABLED
.else
    mov eax, 0
.endif
mov NewState.Privileges[0*sizeof LUID_AND_ATTRIBUTES].Attributes,eax

;//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;// Adjust the token privilege.
;//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
invoke AdjustTokenPrivileges,hToken,FALSE,addr NewState,sizeof NewState,NULL,NULL
.if eax==00h
    ;// return ERROR_FUNCTION_FAILED
    invoke CloseHandle,hToken
    mov eax,1627
    ret
.endif

;//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;// Close the handle.
;//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
invoke CloseHandle,hToken
;// return ERROR_SUCCESS
mov eax,00h
ret

ModifyPrivilege endp
;//;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;



Any ideas greatly appreciated.

best regards,
czDrillard
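
Added example (not part of the original thread, and not code from the poster or the MASM32 project): the routine above reworked so that its return value says whether the privilege was actually enabled. AdjustTokenPrivileges returns nonzero even when it enabled nothing, so the result has to be read from GetLastError; the proc name EnablePrivilege and the \masm32 include paths are assumptions.

```masm
; Added example. Assumes a default MASM32 SDK install under \masm32.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\advapi32.lib

.data
szPrivilege db "SeTakeOwnershipPrivilege", 0

.code
; EnablePrivilege (hypothetical name): returns ERROR_SUCCESS (0) only when the
; privilege is really enabled in the process token, else a Win32 error code.
EnablePrivilege proc lpszName:DWORD
    local tp:TOKEN_PRIVILEGES
    local hToken:HANDLE
    local dwErr:DWORD

    invoke GetCurrentProcess
    mov ecx, eax
    invoke OpenProcessToken, ecx, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, addr hToken
    .if eax == 0
        invoke GetLastError             ; token could not be opened
        ret
    .endif

    mov tp.PrivilegeCount, 1
    mov tp.Privileges[0].Attributes, SE_PRIVILEGE_ENABLED
    ; A misspelled privilege name fails here with ERROR_NO_SUCH_PRIVILEGE (1313).
    invoke LookupPrivilegeValue, NULL, lpszName, addr tp.Privileges[0].Luid
    .if eax != 0
        invoke AdjustTokenPrivileges, hToken, FALSE, addr tp, 0, NULL, NULL
    .endif
    ; After a nonzero return from AdjustTokenPrivileges the last error is either
    ; ERROR_SUCCESS (0) or ERROR_NOT_ALL_ASSIGNED (1300: token lacks the privilege).
    invoke GetLastError
    mov dwErr, eax
    invoke CloseHandle, hToken          ; CloseHandle may change the last error
    mov eax, dwErr
    ret
EnablePrivilege endp

start:
    invoke EnablePrivilege, addr szPrivilege
    invoke ExitProcess, eax             ; exit code = result, visible in %ERRORLEVEL%
end start
```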

P1

I now know that the regular registry APIs don't apply to these settings.

It's not called Protected Storage for nothing.

But we need to do more research before getting into the nest of data.

It centers around the PStore APIs, which are COM interfaces to handle these registry entries.

Regards,  P1  :8)


PBrennick

It won't do anything as long as that int 3 is there, BTW.

Also SeTakeOwnershipPrivilege should be SetTakeOwnershipPrivilege

Paul

czDrillard

Hi PBrennick, I can't find SetTakeOwnershipPrivilege listed in the SDK of windows header files; it doesn't show up in google. Sounds like what I want but what is it? I'm using the SeTakeOwnershipPrivilege string to enable the privilege in my process token. More information would be appreciated.

best regards,

czDrillard