Load_UnloadHive Access Denied

Started by hienpham, July 22, 2015, 12:13:52 PM


hienpham

Hi,
    I have 2 questions about Load_UnloadHive:
1. Per WinBatch Article ID W15140, we get Access Denied on UnloadHive if we did not close all the subkey handles that were opened after the LoadHive to modify the registry of that hive. I made sure that I closed all the handles:

         RegLoadHive(@REGUSERS, UserKey, ProfDir:UserKey:"\NTUSER.DAT")
         user_class = RegOpenKey(@REGUSERS, UserKey)
            Regkey = RegCreateKey...
               ........  do some RegSetDword
            RegCloseKey(Regkey)
            Regkey = RegCreateKey...
               ........  do some RegSetDword
            RegCloseKey(Regkey)
            Regkey = RegCreateKey...
               ........  do some RegSetDword
            RegCloseKey(Regkey)
            ; (I have 3 such blocks between LoadHive and UnloadHive)
         RegCloseKey(user_class)
         RegUnloadHive(@REGUSERS, UserKey)    ; error = 5 Access Denied


   I got Access Denied (error = 5) when performing the RegUnloadHive.
   My question is: can we have more than one RegCreateKey command between the Load/UnloadHive?

2. My next question is whether there is somehow a way to get the list of all subkey handles that are still open.
3. My last question is, what will happen if we are not able to do RegUnloadHive and leave those registry keys in HKEY_USERS? In that case, do the corresponding non-open profiles get their registry (which we just modified) updated?

Thanks so much for your help.

td

Quote from: hienpham on July 22, 2015, 12:13:52 PM
Hi,
    I have 2 questions about Load_UnloadHive:
Looks more like 3 to me.
Quote
1. Per WinBatch Article ID W15140, we get Access Denied on UnloadHive if we did not close all the subkey handles that were opened after the LoadHive to modify the registry of that hive. I made sure that I closed all the handles:

         RegLoadHive(@REGUSERS, UserKey, ProfDir:UserKey:"\NTUSER.DAT")
         user_class = RegOpenKey(@REGUSERS, UserKey)
            Regkey = RegCreateKey...
               ........  do some RegSetDword
            RegCloseKey(Regkey)
            Regkey = RegCreateKey...
               ........  do some RegSetDword
            RegCloseKey(Regkey)
            Regkey = RegCreateKey...
               ........  do some RegSetDword
            RegCloseKey(Regkey)
            ; (I have 3 such blocks between LoadHive and UnloadHive)
         RegCloseKey(user_class)
         RegUnloadHive(@REGUSERS, UserKey)    ; error = 5 Access Denied


   I got Access Denied (error = 5) when performing the RegUnloadHive.
   My question is: can we have more than one RegCreateKey command between the Load/UnloadHive?
It is not a problem to have more than one key created in a loaded hive.
Quote
2. My next question is whether there is somehow a way to get the list of all subkey handles that are still open.
None that are obvious, other than using Sysinternals Process Explorer to look for open handles in your running script's process. I imagine if you gave it enough thought you might be able to dream up something, though.
Quote
3. My last question is, what will happen if we are not able to do RegUnloadHive and leave those registry keys in HKEY_USERS? In that case, do the corresponding non-open profiles get their registry (which we just modified) updated?
The profiles will obviously be dumped from memory on reboot. The corresponding files will likely be updated with the changes on reboot, but I can't be sure about that.

You're assuming that the access denied error is the result of a key not being closed before the hive is unloaded. However, you might want to consider some other possible causes for the error.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade
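The same load / modify / unload sequence as the script in the thread, written in PowerShell as an added example (it is not code from the original post, from WinBatch, or from its knowledge base). It demonstrates the point td makes: several subkeys can be created and written under one loaded hive, as long as every handle into the hive is closed before the unload, and the script should check the unload's result rather than assume an open handle is the only possible cause of error 5. The profile path, profile name, mount name, subkey names and values are hypothetical, and the script assumes it runs elevated (RegLoadKey and RegUnLoadKey require SeBackupPrivilege and SeRestorePrivilege) against a profile that is not currently logged on; the optional handle.exe diagnostic assumes Sysinternals handle.exe is on PATH.

```powershell
# Added example, not code from the original thread or from WinBatch: load an
# offline NTUSER.DAT under HKEY_USERS, write DWORDs into several subkeys, and
# unload with every registry handle closed deterministically first.
# Assumptions (hypothetical): elevated session (SeBackupPrivilege and
# SeRestorePrivilege), profile not logged on, placeholder paths and key names.
param(
    [string]$ProfDir   = 'C:\Users',          # hypothetical profiles root
    [string]$UserKey   = 'someuser',          # hypothetical profile folder name
    [string]$MountName = "Temp_$UserKey"      # hypothetical mount point under HKEY_USERS
)

$hiveFile = Join-Path (Join-Path $ProfDir $UserKey) 'NTUSER.DAT'

# 1. Mount the offline hive at HKEY_USERS\<MountName> (equivalent of RegLoadHive).
& reg.exe load "HKU\$MountName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load of $hiveFile failed with exit code $LASTEXITCODE" }

try {
    # 2. Open the mounted root writable, then create several subkeys. Each
    #    handle is closed in its own finally block before the next is created.
    $root = [Microsoft.Win32.Registry]::Users.OpenSubKey($MountName, $true)
    if ($null -eq $root) { throw "HKU\$MountName did not open after reg load" }
    try {
        $subKeys = 'Software\ExampleApp\Block1',   # hypothetical subkey names
                   'Software\ExampleApp\Block2',
                   'Software\ExampleApp\Block3'
        foreach ($sub in $subKeys) {
            $key = $root.CreateSubKey($sub)       # equivalent of RegCreateKey
            try {
                $key.SetValue('Enabled', 1,  [Microsoft.Win32.RegistryValueKind]::DWord)
                $key.SetValue('Timeout', 30, [Microsoft.Win32.RegistryValueKind]::DWord)
            }
            finally {
                $key.Close()                      # equivalent of RegCloseKey(Regkey)
            }
        }
    }
    finally {
        $root.Close()                             # equivalent of RegCloseKey(user_class)
    }
}
finally {
    # 3. Unload. A RegistryKey object that was never closed keeps the hive busy
    #    until the garbage collector finalizes it, so flush finalizers first.
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()

    & reg.exe unload "HKU\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Still "Access is denied" (error 5)? Either something else holds a handle
        # into the mounted hive, or the session lacks the backup/restore privileges.
        # Sysinternals handle.exe (assumed on PATH) lists the processes holding
        # handles whose name contains the mount point:
        #   handle.exe -a "HKU\$MountName"
        Write-Error "reg unload of HKU\$MountName failed with exit code $LASTEXITCODE"
    }
}
```

The outer try/finally guarantees the unload is attempted even when a write fails, which matters for question 3: a hive left mounted under HKEY_USERS stays locked (the profile cannot be loaded normally) until it is unloaded or the machine reboots. The explicit Close() calls are the PowerShell equivalent of the RegCloseKey calls in the thread; the GC flush is only a safety net for handles a script forgot to close, not a substitute for closing them.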

hienpham

Thanks a lot TD. Your answers really help me. I found my mistakes.
Thanks again.