{"id":91891,"date":"2015-10-29T07:00:00","date_gmt":"2015-10-29T21:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/20151029-00\/?p=91891\/"},"modified":"2019-03-13T12:21:10","modified_gmt":"2019-03-13T19:21:10","slug":"20151029-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20151029-00\/?p=91891","title":{"rendered":"When you open a securable object, make sure you pass the security mask you actually want (no more, no less)"},"content":{"rendered":"

There are two categories of “Access denied” errors. One occurs when you attempt to create the handle, and the other occurs when you attempt to use the handle. <\/p>\n

\nHANDLE hEvent = OpenEvent(SYNCHRONIZE, FALSE, TEXT(\"MyEvent<\/a>\"));\n<\/pre>\n
If this call fails with Access denied<\/i>, then it means that you don’t have access to the object to the level you requested. In the above example, it means that you don’t have SYNCHRONIZE<\/code> access to the event. <\/p>\n
A common reason for getting an Access denied<\/i> when trying to create a handle is that you asked for too much access. For example, you might write <\/p>\n
\nHKEY hkey;\nLONG lError = RegOpenKeyEx(\n    hkeyRoot, subkeyName, 0, KEY_ALL_ACCESS, &hkey);\nif (lError == ERROR_SUCCESS) {\n DWORD dwType;\n DWORD dwData;\n DWORD cbData = sizeof(dwData);\n lError = RegQueryValueEx(hkey, TEXT(\"ValueName\"), nullptr,\n                          &dwType, &dwData, &cbData);\n if (lError == ERROR_SUCCESS && dwType == REG_DWORD &&\n     cbData == sizeof(dwData)) {\n  .. do something with dwData ..\n }\n RegCloseKey(hkey);\n}<\/i>\n<\/pre>\n
The call to Reg­Open­Key­Ex<\/code> fails with Access denied<\/i>. The proximate reason is that you don’t have KEY_ALL_ACCESS<\/code> permission on the registry key, which makes sense because KEY_ALL_ACCESS<\/code> asks for permission to do everything imaginable<\/i> to the registry key<\/a>, including crazy things like “Change the permissions of the key to deny access to the rightful owner.” <\/p>\n
But why are you asking for full access to the key if all you’re going to do is read from it? <\/p>\n
\nHKEY hkey;\nLONG lError = RegOpenKeyEx(\n    hkeyRoot, subkeyName, 0, KEY_READ<\/font>, &hkey);\nif (lError == ERROR_SUCCESS) {\n DWORD dwType;\n DWORD dwData;\n DWORD cbData = sizeof(dwData);\n lError = RegQueryValueEx(hkey, TEXT(\"ValueName\"), nullptr,\n                          &dwType, &dwData, &cbData);\n if (lError == ERROR_SUCCESS && dwType == REG_DWORD &&\n     cbData == sizeof(dwData)) {\n  .. do something with dwData ..\n }\n RegCloseKey(hkey);\n}\n<\/pre>\n
If you want to go for bonus points, ask for KEY_QUERY_VALUE<\/code> instead of KEY_READ<\/code>, since all you are going to do with the key is read a value. <\/p>\n
When requesting access to an object, it’s best to ask for the minimum access required to get the job done. <\/p><\/blockquote>\n
This is like the old principle of mathematics: After you’ve proved something, try to weaken the hypothesis as much as possible and strengthen the conclusions as much as possible. In other words, once you’ve solved a problem, figure out the absolute minimum requirements for your solution to work, and figure out the largest amount of information your solution produces. <\/p>\n
On the other hand, if you get an Access denied<\/i> error when trying to use<\/u> a handle, then the problem is that you didn’t open the handle with enough<\/i> access. <\/p>\n
\nHKEY hkey;\nLONG lError = RegOpenKeyEx(\n    hkeyRoot, subkeyName, 0, KEY_READ, &hkey);\nif (lError == ERROR_SUCCESS) {\n DWORD dwData = 1;\n lError = RegSetValueEx(hkey, TEXT(\"ValueName\"), nullptr,\n             REG_DWORD, (const BYTE*>)&dwData, sizeof(dwData));\n if (lError == ERROR_SUCCESS && dwType == REG_DWORD &&\n     cbData == sizeof(dwData)) {\n  .. do something with dwData ..\n }\n RegCloseKey(hkey);\n}<\/i>\n<\/pre>\n
Here, the Reg­Open­Key­Ex<\/code> succeeds, but the Reg­Set­Value­Ex<\/code> fails. That’s because the registry key was opened for KEY_READ<\/code> access, but the Reg­Set­Value­Ex<\/code> operation requires KEY_SET_VALUE<\/code> access. To fix this, you need to open the key with the access you actually want: <\/p>\n
\nHKEY hkey;\nLONG lError = RegOpenKeyEx(\n    hkeyRoot, subkeyName, 0, KEY_SET_VALUE<\/font>, &hkey);\nif (lError == ERROR_SUCCESS) {\n DWORD dwData = 1;\n lError = RegSetValueEx(hkey, TEXT(\"ValueName\"), nullptr,\n             REG_DWORD, (const BYTE*>)&dwData, sizeof(dwData));\n if (lError == ERROR_SUCCESS && dwType == REG_DWORD &&\n     cbData == sizeof(dwData)) {\n  .. do something with dwData ..\n }\n RegCloseKey(hkey);\n}\n<\/pre>\n
When requesting access to an object, it’s best to ask for the minimum access required to get the job done, but no less<\/u>. <\/p><\/blockquote>\n
Armed with this information, you can solve this problem: <\/p>\n
\n
In the main thread, we create an event like this: <\/p>\n
\nTheEvent = CreateEvent(NULL, TRUE, FALSE, name);\n<\/pre>\n
A worker thread opens the event like this: <\/p>\n
\nEventHandle = OpenEvent(SYNCHRONIZE, FALSE, name);\n<\/pre>\n
The Open­Event<\/code> succeeds, but we try to use the handle, we get Access denied<\/i>: <\/p>\n
\nSetEvent(EventHandle);\n<\/pre>\n
On the other hand, if the worker thread uses the Create­Event<\/code> function to get the handle, then the Set­Event<\/code> succeeds. <\/p>\n
What are we doing wrong? <\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"
You will get all you want, but you have to ask for it.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-91891","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"
You will get all you want, but you have to ask for it.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/91891","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=91891"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/91891\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=91891"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=91891"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=91891"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}