SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts

[Todd Sabin]

Luke Kenneth Casson Leighton <lkcl at samba.org> writes:

> > Yes, and there are reasons why HKLM\SAM is NOT a directory with up to 100
> > 000 files in it - even Macrosoft code isn't THAT inefficient (usually).
> > It's a file (registry hive), with access control implemented by the only
> > process allowed to access it.
> 
> bad example to pick.
> 
> 1) the SAM is loaded into memfrom what i can tell, at start-up time.  i
> may be wrong about this.
> 

Actually, it's a whole registry hierarchy.  There is in fact one key
and a couple of values per user, alias, and group.  However, the
permissions on all of these keys are exactly the same: SYSTEM: Full
Control, Admins: Write DAC.  NT's RPC servers implement the
permissions checks explicitly, they don't rely on the permissions of
the underlying kernel objects.

> 2) the registry is implemented at the kernel level, for "speed"
> optimisations.  this results in me being able to modify rpcclient and take
> out an NT box with a blue-screen if i have an "authenticated user" SMB
> connection (guest, user, admin but not anon-connect).

Actually, it's not implemented at kernel level.  The \winreg server is
contained inside winlogon.exe.  Unfortunately, if winlogon.exe exits
for some reason (like, umm, someone crashing it), the kernel notices
it and actually _forces_ a blue screen itself.


Todd