Fixing reset that was blocked because of extra

Fixing permissions to prevent potential retrieval of account key

WinCertes/Config/RegistryConfig.cs

@@ -1,6 +1,8 @@
 using Microsoft.Win32;
 using NLog;
 using System;
+using System.Security.AccessControl;
+using System.Security.Principal;
 
 namespace WinCertes
 {
@@ -35,6 +37,16 @@ public RegistryConfig(bool extra = false)
                     _registryKey += @"\extra";
                     _subKey += @"\extra";
                 }
+                RegistryKey regKey = Registry.LocalMachine.OpenSubKey("SOFTWARE").OpenSubKey("WinCertes", RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.FullControl);
+                RegistrySecurity regSec = regKey.GetAccessControl(AccessControlSections.All);
+                regSec.SetOwner(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null));
+                regSec.SetAccessRuleProtection(true, false);
+                regKey.SetAccessControl(regSec);
+                RegistryAccessRule adminFull = new RegistryAccessRule(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), RegistryRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
+                regSec.AddAccessRule(adminFull);
+                adminFull = new RegistryAccessRule(new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), RegistryRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
+                regSec.AddAccessRule(adminFull);
+                regKey.SetAccessControl(regSec);
             }
             catch (Exception e)
             {
@@ -193,6 +205,10 @@ public bool isThereConfigParam(string startsWith)
         /// </summary>
         public void DeleteAllParameters()
         {
+            if (Registry.LocalMachine.OpenSubKey("SOFTWARE").OpenSubKey("WinCertes").OpenSubKey("extra") != null)
+            {
+                Registry.LocalMachine.OpenSubKey(_subKey,true).DeleteSubKeyTree("extra");
+            }
             foreach (string key in Registry.LocalMachine.OpenSubKey(_subKey).GetValueNames())
             {
                 DeleteParameter(key);

WinCertes/Program.cs

@@ -122,7 +122,7 @@ class Program
         private static bool _show = false;
         private static bool _reset = false;
         private static bool _extra = false;
-       private static OptionSet _options;
+        private static OptionSet _options;
 
         private static readonly int ERROR = 1;
         private static readonly int ERROR_INCORRECT_PARAMETER = 2;
@@ -153,7 +153,7 @@ private static bool HandleOptions(string[] args)
                 { "show", "show current configuration parameters", v=> _show = (v != null ) },
                 { "reset", "reset all configuration parameters", v=> _reset = (v != null ) },
                 { "extra", "manages one additonal certificate instead of the default one, with its own settings", v=> _extra = (v != null ) },
-                { "no-csp", "does not import the certificate into CSP. Use with caution, at your own risks", v=> _winCertesOptions.noCsp = (v != null) }
+                { "no-csp", "does not import the certificate into CSP. Use with caution, at your own risks. REVOCATION WILL NOT WORK IN THAT MODE.", v=> _winCertesOptions.noCsp = (v != null) }
             };
 
             // and the handling of these options
@@ -308,8 +308,6 @@ static int Main(string[] args)
 
             // Reset is a full reset !
             if (_reset) {
-                IConfig extraConfig = new RegistryConfig(true);
-                extraConfig.DeleteAllParameters();
                 IConfig baseConfig = new RegistryConfig(false);
                 baseConfig.DeleteAllParameters();
                 Utils.DeleteScheduledTasks();