Application Security - each one, teach one

Richard Lewis' application security notes for the software designer, developer and tester

Writing to Registry? Some best-practices...

Use the following best practices when dealing with the Windows registry.

  • Using the registry reduces application portability, so use it only when required.
  • Don’t use the registry as a configuration trash bin.
  • Don’t store secrets in the registry.
  • Encrypt application data stored in the registry.
  • Discourage users from directly editing the registry.
  • Perform input validation on data read from and written to the registry.
  • Don’t write data to HKLM. Reading back the data will require the user to be logged on as administrator, because by default all users are given only read access to HKLM.
  • Don't open registry keys for FULL_CONTROL or ALL_ACCESS.

Vista update:
a) Always open registry keys with read-only access when possible. Use read-write access only when needed, and revert to read-only access once the operation is complete.
b) Beware of WRP (Windows Resource Protection): it might be protecting a hive in which you want to store your app data, which may result in an access-denied error and ultimately broken app functionality.
c) There are two ways to find out whether WRP is active for a registry key:

a. Programmatic: Call the SfcIsKeyProtected function in your code.
b. Administratively: In Regedit, right-click the key in question and choose Permissions. Keys protected by WRP will show Trusted Installer with Full Control; SYSTEM, Administrators, and Users will only have Read permissions.

d) Hopefully, the registry changes are being made through a thick client and not IE. If it is IE, remember that Vista runs IE in protected mode, so it won't be able to store to HKCU.
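
The access-rights, input-validation and WRP points above, sketched in C# as an added example (not code from the original post). The key path `Software\ContosoSample\Settings`, the value name `TimeoutSeconds`, the 1 to 300 range and the key passed to `SfcIsKeyProtected` are assumptions chosen for illustration.

```csharp
// Added example, not from the original post. Key path and value name are hypothetical.
using System;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using Microsoft.Win32;

static class RegistryHygiene
{
    const string AppKey = @"Software\ContosoSample\Settings"; // hypothetical per-user key
    const string ValueName = "TimeoutSeconds";                 // hypothetical DWORD value
    const uint KEY_WOW64_64KEY = 0x0100;                       // query the 64-bit view
    static readonly IntPtr HKLM = new IntPtr(unchecked((int)0x80000002)); // HKEY_LOCAL_MACHINE

    // Win32: BOOL SfcIsKeyProtected(HKEY KeyHandle, LPCWSTR SubKeyName, REGSAM KeySam)
    [DllImport("sfc.dll", CharSet = CharSet.Unicode)]
    static extern bool SfcIsKeyProtected(IntPtr keyHandle, string subKeyName, uint keySam);

    // Read path: HKCU, query-only rights, then validate type and range before use.
    static int ReadTimeout()
    {
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(
            AppKey, RegistryKeyPermissionCheck.ReadSubTree, RegistryRights.QueryValues))
        {
            object raw = key == null ? null : key.GetValue(ValueName);
            // REG_DWORD comes back as Int32; anything else is treated as untrusted.
            if (raw is int && (int)raw >= 1 && (int)raw <= 300) return (int)raw;
            return 30; // missing, wrong type or out of range: fall back to a default
        }
    }

    // Write path: validate first, request SetValue only, release the handle right away.
    static void WriteTimeout(int seconds)
    {
        if (seconds < 1 || seconds > 300) throw new ArgumentOutOfRangeException("seconds");
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(
            AppKey, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.SetValue))
        {
            if (key == null) throw new InvalidOperationException("Settings key does not exist.");
            key.SetValue(ValueName, seconds, RegistryValueKind.DWord);
        }
    }

    static void Main()
    {
        // Check for WRP before planning to store data under a machine-wide key.
        bool wrp = SfcIsKeyProtected(HKLM, @"SOFTWARE\Classes", KEY_WOW64_64KEY);
        Console.WriteLine("WRP-protected: " + wrp);
        Console.WriteLine("Timeout: " + ReadTimeout());
    }
}
```

Neither open call asks for `RegistryRights.FullControl`; the write handle carries `SetValue` only and is disposed as soon as the value is stored.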

Published Tuesday, January 30, 2007 7:04 PM by richardl

Comments

# re: Writing to Registry? Some best-practices... @ Tuesday, June 12, 2007 11:54 AM

"Don’t write data to HKLM. Reading back the data will require the user to be logged on as administrator..."

Should this not read: "Writing data to HKLM will require that the user be logged on as an administrative user..." - as you correctly point out, anyone can read data from HKLM.

Derek Noonan

# re: Writing to Registry? Some best-practices... @ Thursday, July 05, 2007 6:05 AM

"Discourage users from directly editing the registry" -- Instead of that, don't give any rights to the normal user to access the registry. Only Administrator can open the registry, and if someone wants to edit / write some values in the registry, he/she should have administrative rights.

Anuj Sharma

# re: Writing to Registry? Some best-practices... @ Friday, September 14, 2007 5:11 AM

Writing to the registry in Vista... prob. The purpose of the HKLM is to store data to all users (Machine specific)? Yes this could be stored in an INI file but I thought the registry was the replacement of INI files. The actual problem is that the Install prog appears to be a user, not administrator. If this is right then, either the program needs administrative rights or you give user rights to the specific hive of a HKLM key say SOFTWARE/.... (No Way..) So the issue is in the install. The registry is a wonderful way to store user specific and machine specific data, is Microsoft locking it down so only Windows has access?

John Irvine

# re: Writing to Registry? Some best-practices... @ Monday, October 15, 2007 4:50 AM

Can IE extensions get read only access to HKLM or HKCU?

maltwhiskman
