
winapi - Accessing restricted Windows registry keys in C# - Stack Overflow


I am working on C# code that accesses the Windows registry for USB-related information, mainly USBSTOR. If we try to access properties under each USBSTOR entry, it is restricted (even to Administrators).

I am using the Microsoft.Win32.Registry class for querying required info, which gives us an option to "Take Ownership" of registry keys when opening.

Microsoft.Win32.Registry.LocalMachine.OpenSubKey(@"SYSTEM\ControlSet001\Enum\USBSTOR\CdRom&Ven_TS8XDVDR&Prod_Transcend&Rev_TW00\112233445568&0\Properties", RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership);

This works fine for most of the cases, but Microsoft.Win32 does not provide a facility to read information like lastwritetime etc.

A quick search and ChatGPT revealed that we can use the low-level Windows API to take ownership and then read the required information, but it assumes that we can open the registry key using

(int)RegOpenKeyEx(hKey, subKey, 0, KEY_ALL_ACCESS, ref hKeyResult);

In my case, opening the subject key throws an error:

Code: 5 (0x5) (ERROR_ACCESS_DENIED)

What is the best way to work around these restrictions and query the required data?

asked Nov 21, 2024 at 4:27 by Junaid Arshad; edited Nov 21, 2024 at 7:01 by Remy Lebeau
  • 2 If you can't even view the data as an admin, then you likely shouldn't be messing with it at all. What exactly are you trying to extract from it? Have you tried opening the key for read-only access instead of read/write? – Remy Lebeau Commented Nov 21, 2024 at 7:03
  • @RemyLebeau I am trying to extract time information like first and last connection date/time. Yes, I have tried a lot of different options without success. I came across a tool named USBDeView which reads this information even with a limited user account – Junaid Arshad Commented Nov 21, 2024 at 16:53
  • 1 Are you sure USBDeView is reading it from the registry? Have you tried using SysInternals Process Monitor to see what registry keys are being accessed and with what permissions? – Remy Lebeau Commented Nov 21, 2024 at 19:26
1 Answer

In my tool "USB Drive Info" you can right-click the USB device -> RegEdit...

The first sub-item is HKLM\SYSTEM\CurrentControlSet\Enum\<DeviceInstanceID> which leads above the "Device Parameters". Since UsbDriveInfo uses the dirty trick of stealing a Windows service's access token to start RegEdit.exe with, "Device Parameters" can be accessed. Does not look that interesting :-)

Since Windows Vista, arrival and removal time can be determined by means of CM_Get_DevNode_Property with DEVPKEY_Device_LastArrivalDate and DEVPKEY_Device_LastRemovalDate. In C++:

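// headers needed; link with Cfgmgr32.lib
#include <windows.h>
#include <cfgmgr32.h>
#include <initguid.h>   // must come before devpkey.h so the DEVPKEY_* constants are defined
#include <devpkey.h>

// assuming DeviceInstanceID is in szDeviceInstanceId

DEVINST DevInst = 0;

if ( CR_SUCCESS == CM_Locate_DevNode(&DevInst, szDeviceInstanceId, 0) ) {
    // DevInst determined
    FILETIME FT;
    DEVPROPTYPE PropType;
    ULONG PropSize = sizeof(FT);
    if ( CR_SUCCESS == CM_Get_DevNode_Property(DevInst, &DEVPKEY_Device_LastRemovalDate,
                                               &PropType, (PBYTE)&FT, &PropSize, 0) ) {
      // time in FT
    }
}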