Managing first time application setup

[MattNorman]

I am trying to come up with a solution to handle the first time setup of my application where the user will be prompted for various settings such as database server and credentials.

I am currently doing this by looking for a registry key/value and if not present, I run the setup process on application start.

The issue with my current setup is that any user that has access to the machine that it is installed on, could in theory just delete all of the registry keys to allow them to be able to reconfigure all settings.

This wouldn't necessarily be a concern if they deleted all registry settings as they would have to specify the database server and credentials again. If they however only deleted the registry key for first time setup they could technically run the first time setup and the app would see the existing database settings.

Is there a more elegant way of handling this and preventing unauthorised users from potentially getting on to the app if they somehow gained access to the computer?

The only thing I can think of with my current setup is that if the first time setup reg key is deleted then I prevent my setup form from reading in any existing settings and force them to be entered again.

Appreciate any guidance.

 

[Skydiver]

Back in the 80's and 90's the first rule of computer security was that if a bad guy has physical access to the computer, then it's game over: the bad guy wins because they can do all kinds of manipulations on the machine to get around whatever defenses you may have. Nowadays, people don't quite just throw their hands up in the air like that. They will still plan on doing defense in depth to at least try to slow down the bad guy even if they have full control of the machine.

I assume this is going to be on Windows, rather than cross platform because you are talking about the registry.

Sometimes, the simplest idea is the best idea. Keep It Simple Stupid. So your idea of just ignoring existing values and forcing them to re-enter the database server and credentials if the first time setup registry key is missing is going to be the most expedient solution.

A more complex solution is to compute a checksum (or hash) of the first time setup registry key, the database server, and the credentials values, and store that another registry key. On startup compute the checksum (or hash) of three values and compare with the checksum stored in the registry. If the values don't match, treat this as if it's a first time setup. Obviously, like the previous simple solution, you would still have to implement the logic of ignoring existing values and forcing them to re-enter values. Having checksums will discourage tampering, but in the end it still comes down to the simple logic of starting over if not all the pieces are there.

As a quick aside: hopefully you aren't storing the credentials and password in the registry in clear text.

 

[NoUserHere]

Love that last idea. Nice concept indeed.