May 03 2022 11:06 AM - edited May 03 2022 11:07 AM
If you have a package that contains the registry key
HKEY_CURRENT_USER\Software\Vendor
And you run that package and it creates a subkey under Vendor named "Settings".
If the application calls CreateKey against the "Vendor" key requesting access "MaximumAllowed", it is granted permissions "Read/Write."
If the application calls CreateKey against "Settings" key requesting access "MaximumAllowed", it is only granted permissions "Read, Write DAC".
Attached is a procmon trace showing this situation, the highlighted line being the case of opening the key from the redirected helium containerized registry. In this case, the app examines the returned permissions and gives up.
May 11 2022 01:17 AM - edited May 11 2022 11:51 PM
Thanks for reporting this. I would love to know a few more details about this issue (like App name, expected registry details, if it was previously installed, etc.).
However, I have faced similar issues in the past, and found that (the workaround of) enabling the capability of 'Run as administrator (restricted)' often resolves this issue.
In case this doesn't work, you can also try to run the (MSIX) application as an administrator, and it may resolve this issue.
May 12 2022 09:02 AM - edited May 12 2022 09:13 AM
The application is "ExamDiff" from PrestoSoft (a free product you can access from their website).
The image I provided in the original post shows the line in a procmon trace that is problematic as the highlighted one (click on the image to view). The test was on a clean VM that had never seen the product.
This example was taken from a package that included the PSF RegLegacyFixup (which is needed because without it the app won't store user options in the registry at all). The result shows in the details column of procmon that "Read, Write DAC" permissions were granted. Instead, the result should say that "Read/Write" permissions were granted, just like the call made against the parent key 6 lines previous.
May 13 2022 04:03 AM
Would it be possible for you to share the config.json for the PSF RegLegacyFixup? We can try to fix this manually. We'll share the fix if it works.
May 13 2022 10:28 AM
May 16 2022 03:14 AM
May 22 2022 09:39 AM - edited May 22 2022 09:51 AM
[package sent previously]
@Aniket_Banergee I have been doing some digging on another app with an issue using CreateKeyEx in a similar situation which may be interesting as well. In this similar case, the call requesting "Maximum_Allowed" permissions gets an access denied.
In this case, the caller first opens the HKCU key.
Then it calls CreateKeyEx using the returned HKCU key and a path "Software\..." which represents a key present in the package. The call to impl:CreateKeyEx is requesting Maximum_Allowed permissions and this call is successful.
The app passes this package key to another CreateKeyEx call to create a subkey not present in the package. If I query the key passed in by the app using NtQueryKey, this shows the key path in the form "=\REGISTRY\USER\...". This CreateKeyEx call is the one returning ACCESS_DENIED, which is incorrect.
PS: I am testing against Windows 10 31H2 (19044.1706) with May 2022 updates.
May 23 2022 04:06 AM
May 23 2022 04:36 AM