Mar*_*ark 5 registry powershell acl
我试图通过Powershell获得一个注册表项的所有权,它正在默默地失败.我正在使用以下代码:
# get the username of the current user
$uname = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
# create an identity reference for the owner
$user = new-object System.Security.Principal.NTAccount($uname)
# create a "drive" for HKEY_CLASSES_ROOT
new-psdrive -name HKCR_zf -psprovider Registry -root HKEY_CLASSES_ROOT
# change the current location
set-location HCKR_zf:\CLSID
# set ACLs
(get-acl '{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}').setowner($user)
一切都运行到最后一行,但.setowner()调用无声地失败(所有者不会更改).
如何获得注册表项的所有权?
小智 5
有时脚本没有必要的所有权、特权或权限来更改注册表值。它需要管理员权限。下一个脚本递归地获取所有子项的权限。
调用示例:
# group BULTIN\Users takes full control of key and all subkeys
Take-Permissions "HKLM" "SOFTWARE\test"
# group Everyone takes full control of key and all subkeys
Take-Permissions "HKLM" "SOFTWARE\test" "S-1-1-0"
# group Everyone takes full control of key WITHOUT subkeys
Take-Permissions "HKLM" "SOFTWARE\test" "S-1-1-0" $false
你只需要定义下一个函数:
function Take-Permissions {
# Developed for PowerShell v4.0
# Required Admin privileges
# Links:
# http://shrekpoint.blogspot.ru/2012/08/taking-ownership-of-dcom-registry.html
# http://www.remkoweijnen.nl/blog/2012/01/16/take-ownership-of-a-registry-key-in-powershell/
# https://powertoe.wordpress.com/2010/08/28/controlling-registry-acl-permissions-with-powershell/
param($rootKey, $key, [System.Security.Principal.SecurityIdentifier]$sid = 'S-1-5-32-545', $recurse = $true)
switch -regex ($rootKey) {
'HKCU|HKEY_CURRENT_USER' { $rootKey = 'CurrentUser' }
'HKLM|HKEY_LOCAL_MACHINE' { $rootKey = 'LocalMachine' }
'HKCR|HKEY_CLASSES_ROOT' { $rootKey = 'ClassesRoot' }
'HKCC|HKEY_CURRENT_CONFIG' { $rootKey = 'CurrentConfig' }
'HKU|HKEY_USERS' { $rootKey = 'Users' }
}
### Step 1 - escalate current process's privilege
# get SeTakeOwnership, SeBackup and SeRestore privileges before executes next lines, script needs Admin privilege
$import = '[DllImport("ntdll.dll")] public static extern int RtlAdjustPrivilege(ulong a, bool b, bool c, ref bool d);'
$ntdll = Add-Type -Member $import -Name NtDll -PassThru
$privileges = @{ SeTakeOwnership = 9; SeBackup = 17; SeRestore = 18 }
foreach ($i in $privileges.Values) {
$null = $ntdll::RtlAdjustPrivilege($i, 1, 0, [ref]0)
}
function Take-KeyPermissions {
param($rootKey, $key, $sid, $recurse, $recurseLevel = 0)
### Step 2 - get ownerships of key - it works only for current key
$regKey = [Microsoft.Win32.Registry]::$rootKey.OpenSubKey($key, 'ReadWriteSubTree', 'TakeOwnership')
$acl = New-Object System.Security.AccessControl.RegistrySecurity
$acl.SetOwner($sid)
$regKey.SetAccessControl($acl)
### Step 3 - enable inheritance of permissions (not ownership) for current key from parent
$acl.SetAccessRuleProtection($false, $false)
$regKey.SetAccessControl($acl)
### Step 4 - only for top-level key, change permissions for current key and propagate it for subkeys
# to enable propagations for subkeys, it needs to execute Steps 2-3 for each subkey (Step 5)
if ($recurseLevel -eq 0) {
$regKey = $regKey.OpenSubKey('', 'ReadWriteSubTree', 'ChangePermissions')
$rule = New-Object System.Security.AccessControl.RegistryAccessRule($sid, 'FullControl', 'ContainerInherit', 'None', 'Allow')
$acl.ResetAccessRule($rule)
$regKey.SetAccessControl($acl)
}
### Step 5 - recursively repeat steps 2-5 for subkeys
if ($recurse) {
foreach($subKey in $regKey.OpenSubKey('').GetSubKeyNames()) {
Take-KeyPermissions $rootKey ($key+'\'+$subKey) $sid $recurse ($recurseLevel+1)
}
}
}
Take-KeyPermissions $rootKey $key $sid $recurse
}
仅调用SetOwner并不会提交更改。您需要将 acl 对象传递回Set-Acl以提交更改。
查看此线程,有很好的描述和完整的示例代码。似乎还有其他一些障碍需要跳过:http://social.technet.microsoft.com/Forums/en/winserverpowershell/thread/e718a560-2908-4b91-ad42-d392e7f8f1ad
| 归档时间: |
|
| 查看次数: |
19562 次 |
| 最近记录: |