HOWTO: Add CRYPT_MACHINE_KEYSET Flag to CryptAcquireContext

ID: Q161981

The information in this article applies to:

SUMMARY

In some situations, it is desirable to store Crypto Key material in a location of the registry other than the default location of HKEY_CURRENT_USER. The CRYPT_MACHINE_KEYSET flag, when combined with CRYPT_NEWKEYSET in CryptAcquireContext(), accomplishes this. CRYPT_MACHINE_KEYSET is available starting with Service Pack 2 (SP2) of Windows NT 4.0.

MORE INFORMATION

Crypto Key material is stored in HKEY_CURRENT_USER. If you log on to a machine interactively, you will normally see two entries below the registry key HKEY_USERS: .Default, and an entry similar to S-1-5-21-x-x-x-y, which is the SID of the interactively logged-on user. If you are running a version of Windows NT earlier than 4.0, and if you access HKEY_CURRENT_USER from a service or from a user account that did not log on interactively, registry access to HKEY_CURRENT_USER goes to HKEY_USERS\.Default, not to your user's profile. Because of this, you are not able to access any user-specific Crypto Key material that would normally be visible if the user had logged on interactively.

For SP2, the flag CRYPT_MACHINE_KEYSET has been added to CryptAcquireContext(). This flag, when used in conjunction with the CRYPT_NEWKEYSET flag, causes Crypto Keys to be stored under HKEY_LOCAL_MACHINE instead of in the default location under HKEY_CURRENT_USER. In addition, the security descriptor on the registry key that holds the key set may now be retrieved and set with CryptGetProvParam() and CryptSetProvParam() calls by using the PP_KEYSET_SEC_DESCR value in the dwParam parameter.

Although the CRYPT_MACHINE_KEYSET flag was exposed in Windows NT 4.0 Service Pack 2, Windows developers do not yet have access to a version of WINCRYPT.H that includes this flag. To take advantage of the functionality that CRYPT_MACHINE_KEYSET offers, add the following to your source code:

   #ifndef CRYPT_MACHINE_KEYSET
   #define CRYPT_MACHINE_KEYSET  0x00000020
   #endif
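
The following is an added example, not code from the original article. It opens a machine key set, creates it only when it does not yet exist, and then retrieves the container's security descriptor with PP_KEYSET_SEC_DESCR so its access control can be reviewed. The container name "ExampleServiceKeys" and the helper names are hypothetical, and the non-Windows stand-in definitions exist only so the flag logic compiles elsewhere.

```c
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#else
typedef unsigned int DWORD;             /* stand-ins so the flag logic builds off Windows */
#define CRYPT_NEWKEYSET 0x00000008
#endif
#ifndef CRYPT_MACHINE_KEYSET
#define CRYPT_MACHINE_KEYSET 0x00000020 /* value given in the article */
#endif

/* Flags for opening (create == 0) or creating (create != 0) a machine key set. */
DWORD machine_keyset_flags(int create)
{
    return CRYPT_MACHINE_KEYSET | (create ? CRYPT_NEWKEYSET : 0);
}

#ifdef _WIN32
/* Open the container under HKEY_LOCAL_MACHINE, creating it only if absent,
   then report the size of its security descriptor (DACL portion). */
int open_machine_keyset(const char *name, HCRYPTPROV *phProv)
{
    DWORD cb = 0;
    BYTE *sd;

    if (!CryptAcquireContextA(phProv, name, NULL, PROV_RSA_FULL, machine_keyset_flags(0))) {
        if (GetLastError() != (DWORD)NTE_BAD_KEYSET) return 0;   /* real failure */
        if (!CryptAcquireContextA(phProv, name, NULL, PROV_RSA_FULL, machine_keyset_flags(1))) return 0;
    }
    /* First call sizes the buffer; dwFlags selects which part of the descriptor. */
    if (CryptGetProvParam(*phProv, PP_KEYSET_SEC_DESCR, NULL, &cb, DACL_SECURITY_INFORMATION)
        && (sd = malloc(cb)) != NULL) {
        if (CryptGetProvParam(*phProv, PP_KEYSET_SEC_DESCR, sd, &cb, DACL_SECURITY_INFORMATION))
            printf("key set security descriptor: %lu bytes\n", (unsigned long)cb);
        free(sd);
    }
    return 1;
}

int main(void)
{
    HCRYPTPROV hProv = 0;
    if (!open_machine_keyset("ExampleServiceKeys", &hProv)) return 1;
    CryptReleaseContext(hProv, 0);
    return 0;
}
#endif
```

A machine key set is reachable by any account that the container's security descriptor permits, so a service that creates one should review the retrieved descriptor and tighten it with CryptSetProvParam() where needed.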

Keywords          : kbAPI kbKernBase kbGrpKernBase
Version           : WINDOWS NT:4.0;
Platform          : NT WINDOWS
Issue type        : kbhowto

Last Reviewed: October 30, 1997