Application Pool and Registry permissions

Last post 02-20-2008 11:45 AM by CSAX. 4 replies.


  • Application Pool and Registry permissions

    02-19-2008, 1:29 PM
    • Member
      point Member
    • CSAX
    • Member since 02-19-2008, 1:14 PM
    • Posts 7

    Hi guys

    I know this has been discussed a lot. However, not in the detail I'd like, and after browsing through x-hundreds of articles I thought I'd post it here.

    I wrote an application, which needs to read and write to the registry. After creating the Virtual Directory ("WebAd") I created an Application Pool called "RegSec" and specified an ads user account to identify with. This user is local admin and there are no restrictions to his permissions.

    However, when running my application, reading of the registry works fine, but when writing I get the message: "Cannot write to the registry key".

    It appears that it is not clear to me, how this happens, as the user I specified as Identity in the application pool is local Admin and that application pool has been assigned to the virtual directory.

     

    What I want to achieve is the following:
    Create an Application Pool, through which permissions are granted to any Virtual Directories that have this application pool assigned (so if I specify a user account which is member of the local admin group, all grants, including writing to the registry, should be there).
    I preferably don't want to bother anywhere else but in the application pool, and also I don't want to assign the NETWORK SERVICE permissions on the registry.

    Is this possible the way I want this to work? If not, does anyone have an idea how I could achieve that in a very similar way (w/o hacking the registry)?

     Thanks for your help!

  • Re: Application Pool and Registry permissions

    02-20-2008, 12:18 AM
    • Participant
      1,538 point Participant
    • thajeer
    • Member since 10-27-2007, 7:40 PM
    • Posts 263

    More than likely the issue has nothing to do with the identity or its access. Can I suggest the following

    1. Create a console application doing just the registry access

    2. Run it under the same security identity (runas /user:domain\user path\consoleapplication.exe) as the app pool

    This will verify whether there is no issue otherwise.

    HTH
    Thajeer

    "Don't forget to click "Mark as Answer" on the post that helped you. This marks your thread as Resolved and the community will know you have been helped."
  • Re: Application Pool and Registry permissions

    02-20-2008, 4:22 AM
    • Member
      point Member
    • CSAX
    • Member since 02-19-2008, 1:14 PM
    • Posts 7

    Hi Thajeer

    When writing a Windows application that does the same thing as the web app, it all works fine. Also, if I log in to that server using the same user, I don't have any problems modifying the registry.
    So it's only the web application that has the problem.

  • Re: Application Pool and Registry permissions

    02-20-2008, 10:29 AM
    • Participant
      1,538 point Participant
    • thajeer
    • Member since 10-27-2007, 7:40 PM
    • Posts 263

    Now, do you have impersonation?

    Can you please run the following code under the same website and make sure the appropriate identity has access to modify the registry.

    <%@ Page Language="C#" AutoEventWireup="true" %>

    <%@ Register Assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
        Namespace="System.Web.UI" TagPrefix="asp" %>

    <Script runat="Server">
     private void Page_Load(object sender, System.EventArgs e)
     {
      lblUser.Text = Page.User.Identity.Name;
      lblWindow.Text = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
      lblThread.Text = System.Threading.Thread.CurrentPrincipal.Identity.Name;
     }
    </Script>

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

    <html xmlns="http://www.w3.org/1999/xhtml" >
    <head runat="server">
        <title>Untitled Page</title>
    </head>
    <body>
    <form runat="Server">
     Page Identity : <asp:label id="lblUser"  runat="server" text="RRRR" /><br>
     Windows Identity : <asp:label id="lblWindow" runat="server" text="RRRR" /><br>
     Thread Identity : <asp:label id="lblThread" runat="server" text="RRRR" /><br>

    </form>
    </body>
    </html>

     

     

    HTH
    Thajeer

  • Re: Application Pool and Registry permissions

    02-20-2008, 11:45 AM
    Answer
    • Member
      point Member
    • CSAX
    • Member since 02-19-2008, 1:14 PM
    • Posts 7

    Hi Thajeer

    Thanks for your answer... but it was my fault. I forgot to set 'true' in the OpenSubKey() function. Now it all works fine with the Application Pool, so I do not need to use impersonation.

    Thanks

    Regards
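
The resolution above, as an added example that is not part of the original thread: a console check that separates "the handle was opened read-only" (the cause found here) from "the account's ACL denies write access". The key path `Software\ExampleRegWriteTest` and the class and method names are constructed for illustration.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using Microsoft.Win32;

static class RegistryWriteCheck
{
    // Constructed test location under HKCU; not a key from the thread.
    const string SubKey = @"Software\ExampleRegWriteTest";

    // Attempts a write and reports which layer refused it.
    static string TryWrite(bool writable)
    {
        try
        {
            // OpenSubKey(name) is equivalent to OpenSubKey(name, false): read-only handle.
            using (RegistryKey key = Registry.CurrentUser.OpenSubKey(SubKey, writable))
            {
                if (key == null) return "key not found";
                key.SetValue("Probe", DateTime.UtcNow.ToString("o"));
                return "write succeeded";
            }
        }
        catch (SecurityException ex)
        {
            // Raised at open time when the identity lacks rights for the requested mode.
            return "denied at open (check the key's ACL): " + ex.Message;
        }
        catch (UnauthorizedAccessException ex)
        {
            // Raised by SetValue when the handle does not allow writing,
            // regardless of how privileged the account is.
            return "handle not writable: " + ex.Message;
        }
    }

    static void Main()
    {
        Registry.CurrentUser.CreateSubKey(SubKey).Close();   // set up the test key
        Console.WriteLine("Identity: " + WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("OpenSubKey(name)       -> " + TryWrite(false));
        Console.WriteLine("OpenSubKey(name, true) -> " + TryWrite(true));
        Registry.CurrentUser.DeleteSubKey(SubKey, false);    // clean up
    }
}
```

Run under the application pool account with `runas`, as suggested earlier in the thread; a failure on the first call only points at the calling code, not at the account's permissions.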
