 

Disable registry access for specific process (WinAPI)

Tags: c++, c, winapi

I have a problem I can't seem to find the answer to, though I am sure it is out there. Is there a way I can disable registry and file access for a newly-created process? I am using Job objects (http://msdn.microsoft.com/en-us/library/windows/desktop/ms682409(v=vs.85).aspx) and it says to set the permissions for each new job process, and in a few books I have read that things such as registry and file access can be controlled.

While looking for my answer I saw that I needed to add LUIDs for things such as SE_BACKUP_NAME and such (or whatever it is called), but none of those privilege constants seem to reflect the kind of control I want. So my exact question is: how would I go about disabling registry/file write access for a newly created process in a Job?

I am trying to create a sandboxed-application, btw. This is so I can prevent it from making any changes to the registry or writing any files while it runs.

Any help would be appreciated!

Joseph asked Jun 16 '12



1 Answer

Windows accesses many resources during process startup, so if you successfully disabled access to the filesystem and registry the process wouldn't start.

Ideally, you'd want access to be restricted after process initialization was complete, but Windows doesn't have a mechanism to do this for arbitrary processes. The sandbox in the Chrome browser relies on the cooperation of the sandboxed process.

The documentation for the Chrome sandbox has a nice overview of the various security mechanisms available in Windows and explains how they are used in Chrome. It's a nice solution if you are trying to sandbox your own code.

arx answered Oct 30 '22