Microsoft KB Archive/161981

HOWTO: Add CRYPT_MACHINE_KEYSET Flag to CryptAcquireContext

Q161981


The information in this article applies to:


 * Microsoft Win32 Application Programming Interface (API), used with:
 * the operating system: Microsoft Windows NT 4.0


SUMMARY
In some situations, it is desirable to store cryptographic key material in a registry location other than the default, HKEY_CURRENT_USER. The CRYPT_MACHINE_KEYSET flag, when combined with CRYPT_NEWKEYSET in a call to CryptAcquireContext, accomplishes this. CRYPT_MACHINE_KEYSET is available starting with Service Pack 2 (SP2) of Windows NT 4.0.

MORE INFORMATION
By default, cryptographic key material is stored under HKEY_CURRENT_USER. If you log on to a machine interactively, you will normally see two entries below the registry key HKEY_USERS: .Default, and an entry similar to S-1-5-21-x-x-x-y, which is the SID of the interactively logged-on user. If you are running a version of Windows NT earlier than 4.0, and you access HKEY_CURRENT_USER from a service or from a user account that did not log on interactively, registry access to HKEY_CURRENT_USER goes to HKEY_USERS\.Default, not to your user's profile. Because of this, you cannot access the user-specific key material that would normally be visible if the user had logged on interactively.

For SP2, the flag CRYPT_MACHINE_KEYSET has been added to CryptAcquireContext. This flag, when used in conjunction with the CRYPT_NEWKEYSET flag, causes Crypto Keys to be stored under HKEY_LOCAL_MACHINE instead of in the default location under HKEY_CURRENT_USER. In addition, the security descriptor on the registry key that holds the key set may now be retrieved and set with CryptGetProvParam and CryptSetProvParam calls by using the PP_KEYSET_SEC_DESCR value in the dwParam parameter.

Although the CRYPT_MACHINE_KEYSET flag was exposed in Windows NT 4.0 Service Pack 2, Windows developers do not yet have access to a version of WINCRYPT.H that includes this flag. To take advantage of the functionality that CRYPT_MACHINE_KEYSET offers, add the following to your source code:

  #ifndef CRYPT_MACHINE_KEYSET
  #define CRYPT_MACHINE_KEYSET 0x00000020
  #endif
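The following is an added example, not code from the original article. It opens a machine keyset, creates it only when CryptAcquireContext reports that it does not exist, and then queries the size of the container's security descriptor through PP_KEYSET_SEC_DESCR so that access to the HKEY_LOCAL_MACHINE keyset can be reviewed. The container name `ExampleServiceKeys` is hypothetical, and the non-Windows stand-in definitions exist only so the flag helper compiles on other platforms.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>           /* link with advapi32 */
#else
typedef unsigned long DWORD;    /* stand-ins so the flag helper builds off Windows */
#define CRYPT_NEWKEYSET 0x00000008
#endif
#ifndef CRYPT_MACHINE_KEYSET    /* guard from the article, for an old WINCRYPT.H */
#define CRYPT_MACHINE_KEYSET 0x00000020
#endif

/* dwFlags for CryptAcquireContext: open (create == 0) or create a machine keyset. */
DWORD machine_keyset_flags(int create) {
    return CRYPT_MACHINE_KEYSET | (create ? CRYPT_NEWKEYSET : 0);
}

#ifdef _WIN32
/* Open the HKEY_LOCAL_MACHINE keyset; create it only when it does not exist yet. */
int open_machine_keyset(const char *container, HCRYPTPROV *prov) {
    if (CryptAcquireContextA(prov, container, NULL, PROV_RSA_FULL,
                             machine_keyset_flags(0)))
        return 1;
    if (GetLastError() != (DWORD)NTE_BAD_KEYSET)
        return 0;               /* e.g. access denied: do not mask it by creating */
    return CryptAcquireContextA(prov, container, NULL, PROV_RSA_FULL,
                                machine_keyset_flags(1)) ? 1 : 0;
}

/* Byte length of the keyset's security descriptor (DACL part), 0 on failure. */
DWORD keyset_dacl_size(HCRYPTPROV prov) {
    DWORD len = 0;
    if (!CryptGetProvParam(prov, PP_KEYSET_SEC_DESCR, NULL, &len,
                           DACL_SECURITY_INFORMATION))
        return 0;
    return len;
}

int main(void) {
    HCRYPTPROV prov = 0;
    if (!open_machine_keyset("ExampleServiceKeys", &prov)) {  /* hypothetical name */
        printf("CryptAcquireContext failed: 0x%08lx\n", GetLastError());
        return 1;
    }
    printf("security descriptor: %lu bytes\n", keyset_dacl_size(prov));
    CryptReleaseContext(prov, 0);
    return 0;
}
#endif
```

To inspect or tighten the DACL, allocate a buffer of the returned size, call CryptGetProvParam again with that buffer, and apply any change with CryptSetProvParam and the same PP_KEYSET_SEC_DESCR value.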

Keywords : kbAPI kbCrypt kbKernBase kbDSupport kbGrpDSKernBase

Issue type : kbhowto

Technology : kbAudDeveloper kbWin32sSearch kbWin32API