HOWTO: Add CRYPT_MACHINE_KEYSET Flag to CryptAcquireContext

Last reviewed: October 28, 1997
Article ID: Q161981
The information in this article applies to:
  • Microsoft Win32 Application Programming Interface (API) for Windows NT, version 4.0

SUMMARY

In some situations, it is desirable to store Crypto Key material in a registry location other than the default location under HKEY_CURRENT_USER. The CRYPT_MACHINE_KEYSET flag, when combined with CRYPT_NEWKEYSET in CryptAcquireContext(), accomplishes this. CRYPT_MACHINE_KEYSET is available starting with Service Pack 2 (SP2) of Windows NT 4.0.

MORE INFORMATION

Crypto Key material is stored in HKEY_CURRENT_USER. If you log on to a machine interactively, you will normally see two entries below the registry key HKEY_USERS: .Default, and an entry similar to S-1-5-21-x-x-x-y, which is the SID of the interactively logged-on user. If you are running a version of Windows NT earlier than 4.0, and if you access HKEY_CURRENT_USER from a service or from a user account that did not log on interactively, registry access to HKEY_CURRENT_USER goes to HKEY_USERS\.Default, not to your user's profile. Because of this, you are not able to access any user-specific Crypto Key material, which would normally be visible if the user had logged on interactively.

For SP2, the flag CRYPT_MACHINE_KEYSET has been added to CryptAcquireContext(). This flag, when used in conjunction with the CRYPT_NEWKEYSET flag, causes Crypto Keys to be stored under HKEY_LOCAL_MACHINE instead of in the default location under HKEY_CURRENT_USER. In addition, the security descriptor on the registry key that holds the key set may now be retrieved and set with CryptGetProvParam() and CryptSetProvParam() calls by using the PP_KEYSET_SEC_DESCR value in the dwParam parameter.

Although the CRYPT_MACHINE_KEYSET flag was exposed in Windows NT 4.0 Service Pack 2, Windows developers do not yet have access to a version of WINCRYPT.H that includes this flag. To take advantage of the functionality that CRYPT_MACHINE_KEYSET offers, add the following to your source code:

   #ifndef CRYPT_MACHINE_KEYSET
   #define CRYPT_MACHINE_KEYSET  0x00000020
   #endif
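
The following is an added example, not code from the original article: it opens a machine key set (creating it only if it does not exist) and queries the size of the container's security descriptor through PP_KEYSET_SEC_DESCR, which is what controls who can read the machine-wide keys. The container name "ExampleMachineContainer" and both function names are assumptions; the Win32 calls build only on Windows (link with advapi32.lib), and on other platforms only the flag helper compiles.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#else
typedef unsigned long DWORD;            /* stand-in so the flag helper builds off Windows */
#define CRYPT_NEWKEYSET 0x00000008      /* same value as in WINCRYPT.H */
#endif
#ifndef CRYPT_MACHINE_KEYSET
#define CRYPT_MACHINE_KEYSET 0x00000020 /* value given in the article */
#endif

/* Flags for opening (create == 0) or creating (create != 0) a machine key set. */
DWORD machine_keyset_flags(int create)
{
    return CRYPT_MACHINE_KEYSET | (create ? CRYPT_NEWKEYSET : 0);
}

#ifdef _WIN32
/* Hypothetical helper: returns 0 on success, 1 if the key set cannot be acquired. */
int open_machine_keyset(const char *container)
{
    HCRYPTPROV prov = 0;
    DWORD sd_len = 0;
    /* Try the existing machine container first; create it only if it is absent. */
    if (!CryptAcquireContextA(&prov, container, NULL, PROV_RSA_FULL,
                              machine_keyset_flags(0))) {
        if (GetLastError() != (DWORD)NTE_BAD_KEYSET ||
            !CryptAcquireContextA(&prov, container, NULL, PROV_RSA_FULL,
                                  machine_keyset_flags(1))) {
            fprintf(stderr, "CryptAcquireContext failed: 0x%08lx\n", GetLastError());
            return 1;
        }
    }
    /* Size query: with pbData == NULL the descriptor length is returned in sd_len. */
    if (CryptGetProvParam(prov, PP_KEYSET_SEC_DESCR, NULL, &sd_len,
                          DACL_SECURITY_INFORMATION))
        printf("key set security descriptor (DACL): %lu bytes\n", sd_len);
    CryptReleaseContext(prov, 0);
    return 0;
}
#endif

int main(void)
{
#ifdef _WIN32
    return open_machine_keyset("ExampleMachineContainer"); /* constructed name */
#else
    printf("open=0x%02lx create=0x%02lx\n", machine_keyset_flags(0), machine_keyset_flags(1));
    return 0;
#endif
}
```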

Keywords          : BseCrypt
Version           : WINDOWS NT:4.0;
Platform          : NT WINDOWS
Issue type        : kbhowto


© 1998 Microsoft Corporation. All rights reserved.