internal void AdjustRegKeyPermission()
{
try
{
RegistryKey regKey;
regKey = Registry.LocalMachine.OpenSubKey(
WsatKeys.WsatRegKey,
RegistryKeyPermissionCheck.ReadWriteSubTree,
RegistryRights.FullControl);
if (regKey != null)
{
using (regKey)
{
// NetworkService always needs access to the WS-AT key
// On some platforms, it doesn't inherit this permission from the parent MSDTC key
RegistryAccessRule rule = new RegistryAccessRule(
new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null),
RegistryRights.ReadKey,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
// Ensure the authenticated users have read access to the WS-AT key
// there is a key under the WS-AT key named OleTxUpgradeEnabled that requires the permission
RegistryAccessRule rule2 = new RegistryAccessRule(
new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null),
RegistryRights.ReadKey,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
RegistrySecurity registrySecurity = regKey.GetAccessControl();
registrySecurity.AddAccessRule(rule);
registrySecurity.AddAccessRule(rule2);
regKey.SetAccessControl(registrySecurity);
}
}
}
catch (SecurityException e)
{
throw registryExceptionHelper.CreateRegistryWriteException(e);
}
catch (ObjectDisposedException e)
{
throw registryExceptionHelper.CreateRegistryWriteException(e);
}
catch (ArgumentNullException e)
{
throw registryExceptionHelper.CreateRegistryWriteException(e);
}
catch (ArgumentException e)
{
throw registryExceptionHelper.CreateRegistryWriteException(e);
}
catch (UnauthorizedAccessException e)
{
throw registryExceptionHelper.CreateRegistryWriteException(e);
}
}
internal static void GrantRegistryKeyRights(RegistryKey regKey, RegistryRights registryRights)
{
// Just to be sure
if (regKey == null)
{
return;
}
try
{
var regSecurity = regKey.GetAccessControl();
var user = Environment.UserDomainName + "\\" + Environment.UserName;
var rule = new RegistryAccessRule(user, registryRights,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly,
AccessControlType.Allow);
regSecurity.AddAccessRule(rule);
regKey.SetAccessControl(regSecurity);
regKey.Flush();
}
catch (Exception ex)
{
Debug.WriteLine("An error occurred trying to get permission to remove registry key ({0}). Error: {1}",
regKey, ex.Message);
}
}
private static void _removeRuleOnKey(RegistryKey key, RegistryAccessRule rule)
{
RegistrySecurity sec = key.GetAccessControl();
sec.RemoveAccessRule(rule);
key.SetAccessControl(sec);
}
protected override void DoExecute(IScriptExecutionEnvironment environment)
{
using (RegistryKey key = rootKey.OpenSubKey(registryKeyPath, true))
{
if (key == null)
{
throw new RunnerFailedException(
String.Format(
System.Globalization.CultureInfo.InvariantCulture,
"Registry key '{0}' does not exist.",
registryKeyPath));
}
RegistrySecurity security = key.GetAccessControl(AccessControlSections.Access);
AuthorizationRuleCollection rules = security.GetAccessRules(true, true, typeof(NTAccount));
RegistryAccessRule accessRule = new RegistryAccessRule(
identity,
registryRights,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly,
accessControlType);
security.SetAccessRule(accessRule);
key.SetAccessControl(security);
}
}
/// <summary>
/// Add Access Rules for Registry Security
/// </summary>
public static void AddAccessRules()
{
// We add trace notification that we're entering the method.
Trace.TraceInformation("Entering 'AddAccessRules' method.");
Trace.Flush();
using (WindowsIdentity winid = WindowsIdentity.GetCurrent())
{
// Get the sid of the Local System
SecurityIdentifier localSystemSid = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, winid.User.AccountDomainSid);
// Get the sid of BuildinAdministrators
SecurityIdentifier builtinAdministratorsSid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, winid.User.AccountDomainSid);
// Add a rule that grants FullControl right for local system.
RegistryAccessRule localSystemRule = new RegistryAccessRule(localSystemSid, RegistryRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
// Add the rules using RegistrySecurity
regSec.AddAccessRule(localSystemRule);
// Add a rule that grants FullControl right for BuildinAdministrators.
RegistryAccessRule builtinAdministratorsRule = new RegistryAccessRule(builtinAdministratorsSid, RegistryRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
// Adds the rule using RegistrySecurity
regSec.AddAccessRule(builtinAdministratorsRule);
}
// We add trace notification that we're exiting the method.
Trace.TraceInformation("Exiting 'AddAccessRules' method.");
Trace.Flush();
}
static void Modify()
{
try
{
//Registry.LocalMachine.CreateSubKey( @"SYSTEM\CurrentControlSet\Control\StorageDevicePolicies", RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryOptions.None,
RegistryKey regKey = Registry.LocalMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\StorageDevicePolicies", false);
RegistrySecurity resSec = regKey.GetAccessControl();
AuthorizationRuleCollection authRules = resSec.GetAccessRules(true, true, typeof(NTAccount));
foreach (RegistryAccessRule rule in authRules)
{
if (rule.IdentityReference.Value == "TW\\0007989")
{
if (rule.RegistryRights != RegistryRights.FullControl)
{
// Set full
RegistryAccessRule newRule = new RegistryAccessRule(rule.IdentityReference, RegistryRights.FullControl, AccessControlType.Allow);
bool isModified = false;
if (resSec.ModifyAccessRule(AccessControlModification.Add, newRule, out isModified) == false)
{
Console.WriteLine("Modify access rule failed");
}
}
}
}
regKey.Close();
}
catch (Exception exp)
{
string s = exp.ToString();
}
}
public static ActionResult SetRegistryPermissions(Session session)
{
session.Log("Custom action SetRegistryPermissions - Start");
try
{
// HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\SMARTPRINTER
using (var rootKey = Registry.LocalMachine.OpenSubKey(PrintMonitor.DEFAULT_REGISTRY_KEY, RegistryKeyPermissionCheck.ReadWriteSubTree))
{
var sid = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
var registrySecurity = rootKey.GetAccessControl();
var rar = new RegistryAccessRule(
(sid.Translate(typeof(NTAccount)) as NTAccount).ToString(),
RegistryRights.FullControl,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
registrySecurity.AddAccessRule(rar);
rootKey.SetAccessControl(registrySecurity);
}
}
catch
{
session.Log("Custom action SetRegistryPermissions - Exit (Failure)");
return(ActionResult.Failure);
}
session.Log("Custom action SetRegistryPermissions - Exit (Success)");
return(ActionResult.Success);
}
public bool SetAccessRestriction(string keyPath, bool bSet)
{
try
{
RegistryKey subKey = Registry.LocalMachine.OpenSubKey(keyPath, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.ChangePermissions);
RegistrySecurity keySec = subKey.GetAccessControl(AccessControlSections.Access);
RegistryAccessRule systemRule = new RegistryAccessRule(new SecurityIdentifier(FileOps.SID_System), RegistryRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow);
RegistryAccessRule serviceRule = new RegistryAccessRule(FirewallServiceName, RegistryRights.ExecuteKey, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow);
if (bSet)
{
keySec.SetAccessRuleProtection(true, false);
keySec.AddAccessRule(systemRule);
keySec.AddAccessRule(serviceRule);
}
else
{
keySec.SetAccessRuleProtection(false, false);
keySec.RemoveAccessRule(systemRule);
keySec.RemoveAccessRule(serviceRule);
}
subKey.SetAccessControl(keySec);
return(true);
}
catch (Exception err)
{
AppLog.Exception(err);
}
return(false);
}
/// <summary>
/// Set registry permissions on a registry key for a specified account.
/// </summary>
public static bool SetRegPermission(RegistryKey rootKey, string subKeyPath,
string account, RegistryRights rights)
{
bool result = false;
RegistryAccessRule accessRule = new RegistryAccessRule(account, rights,
InheritanceFlags.None,
PropagationFlags.NoPropagateInherit,
AccessControlType.Allow);
using (RegistryKey key = rootKey.OpenSubKey(subKeyPath, true))
{
RegistrySecurity keySecurity =
key.GetAccessControl(AccessControlSections.Access);
keySecurity.ModifyAccessRule(AccessControlModification.Add,
accessRule, out result);
if (result)
{
accessRule = new RegistryAccessRule(account, rights,
InheritanceFlags.ContainerInherit |
InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly,
AccessControlType.Allow);
keySecurity.ModifyAccessRule(AccessControlModification.Add,
accessRule, out result);
if (result)
{
key.SetAccessControl(keySecurity);
}
}
}
return(result);
}
public void LoginAsGuest()
{
RegistrySecurity userSecurity = new RegistrySecurity();
RegistryAccessRule userRule = new RegistryAccessRule("Everyone", RegistryRights.FullControl, AccessControlType.Allow);
userSecurity.AddAccessRule(userRule);
var key = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64);
key.OpenSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", true);
if (key == null)
{
//eventLogger.WriteEntry("Error accessing the registry key");
}
else
{
try
{
key.SetValue("AutoAdminLogon", "1", RegistryValueKind.String);
key.SetValue("DefaultUserName", "admin", RegistryValueKind.String);
key.SetValue("DefaultPassword", "1", RegistryValueKind.String);
}
catch (Exception exception)
{
//eventLogger.WriteEntry("Problem setting up keys: " + exception);
}
}
key.Close();
}
public static void StoreKey(string keyName, string subKey, string valueName, string key, System.Security.Cryptography.DataProtectionScope dpScope)
{
// Turn string key into byte array.
byte[] keyAsBytes = UnicodeEncoding.ASCII.GetBytes(key);
// Store key to protected byte array.
byte[] encryptedKeyPair = ProtectedData.Protect(keyAsBytes, null, dpScope);
// Create a security context.
string user = Environment.UserDomainName + "\\" + Environment.UserName;
RegistrySecurity security = new RegistrySecurity();
RegistryAccessRule rule = new RegistryAccessRule(user
, RegistryRights.FullControl
, InheritanceFlags.ContainerInherit
, PropagationFlags.None
, AccessControlType.Allow);
// Add rule to RegistrySecurity.
security.AddAccessRule(rule);
// Create registry key and apply security context
Registry.CurrentUser.CreateSubKey(subKey, RegistryKeyPermissionCheck.ReadWriteSubTree, security);
// Write the encrypted connection string into the registry
Registry.SetValue(keyName + @"\" + subKey, valueName, encryptedKeyPair);
}
private static void UnProtectStartupEntry()
{
RegistryKey regKey = Registry.CurrentUser.OpenSubKey(@"Software\Microsoft\Windows\CurrentVersion\Run", RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.ChangePermissions);
RegistrySecurity regSec = regKey.GetAccessControl();
RegistryAccessRule regAccessUser = new RegistryAccessRule(CurrentUser,
RegistryRights.Delete | RegistryRights.SetValue,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Deny);
RegistryAccessRule regAccessAdmin = new RegistryAccessRule("Administrators",
RegistryRights.Delete | RegistryRights.SetValue,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Deny);
RegistryAccessRule regAccessSystem = new RegistryAccessRule("System",
RegistryRights.Delete | RegistryRights.SetValue,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Deny);
regSec.RemoveAccessRule(regAccessUser);
regSec.RemoveAccessRule(regAccessAdmin);
regSec.RemoveAccessRule(regAccessSystem);
regKey.SetAccessControl(regSec);
}
private Microsoft.Win32.RegistryKey GetAcadAppKey(bool forWrite)
{
string User = Environment.UserDomainName + "\\" + Environment.UserName;
string RootKey = Autodesk.AutoCAD.DatabaseServices.HostApplicationServices.Current.UserRegistryProductRootKey;
Microsoft.Win32.RegistryKey AcadKey = Microsoft.Win32.Registry.CurrentUser.OpenSubKey(RootKey);
RegistryAccessRule Role = new RegistryAccessRule(User, RegistryRights.WriteKey | RegistryRights.Delete | RegistryRights.ReadKey, AccessControlType.Allow);
RegistrySecurity Rs = new RegistrySecurity();
Rs.AddAccessRule(Role);
Microsoft.Win32.RegistryKey AppKey = AcadKey.OpenSubKey("Applications", forWrite);
if (AppKey == null)
{
try
{
Microsoft.Win32.RegistryKey Key = AcadKey.CreateSubKey("Applications", RegistryKeyPermissionCheck.ReadWriteSubTree, Rs);
return(Key);
} catch (System.Exception Ex)
{
AcadApp.ShowAlertDialog(Ex.Message + "注册失败。详情请查看软件的帮助文档");
return(AppKey);
}
}
else
{
return(AppKey);
}
}
public void SetupSubKeyPathAndAccessRights()
{
var pathArray = SubKey.Split('\\');
RegistryKey baseRegistryKey = BaseRegKeyCurrentUser;
//string ssid = WindowsIdentityHelper.GetUniqueSecurityIdForCurrentUser();
WindowsIdentity windowsIdentity = WindowsIdentityHelper.GetWindowsIdentityForCurrentUser();
foreach (string path in pathArray)
{
RegistryKey sk1 = baseRegistryKey.OpenSubKey(path, RegistryKeyPermissionCheck.ReadWriteSubTree);
bool userAccessGranted = true;
if (sk1 == null)
{
sk1 = baseRegistryKey.CreateSubKey(path);
}
if (sk1 == null)
{
userAccessGranted = false;
}
if (userAccessGranted)
{
continue;
}
var registrySecurity = new RegistrySecurity();
IdentityReference identityReference = new NTAccount(windowsIdentity.Name);
var rule = new RegistryAccessRule(identityReference, RegistryRights.CreateSubKey | RegistryRights.ReadKey | RegistryRights.WriteKey, AccessControlType.Allow);
registrySecurity.AddAccessRule(rule);
sk1 = baseRegistryKey.OpenSubKey(path, RegistryKeyPermissionCheck.ReadSubTree);
sk1?.SetAccessControl(registrySecurity);
}
}
protected virtual void SetAccessControl(RegistryKey key)
{
RegistryAccessRule rule = new RegistryAccessRule(new SecurityIdentifier("S-1-15-2-1"), RegistryRights.QueryValues | RegistryRights.SetValue | RegistryRights.CreateSubKey | RegistryRights.EnumerateSubKeys | RegistryRights.Notify | RegistryRights.ReadPermissions, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow);
RegistrySecurity accessControl = key.GetAccessControl();
accessControl.AddAccessRule(rule);
key.SetAccessControl(accessControl);
}
public static void RegACLDeny()
{
RegistryKey rk = Registry.LocalMachine.OpenSubKey(@"SAM\SAM", RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.ChangePermissions);
RegistrySecurity rs = new RegistrySecurity();
RegistryAccessRule rar = new RegistryAccessRule("Administrators", RegistryRights.FullControl, AccessControlType.Deny);
rs.AddAccessRule(rar);
rk.SetAccessControl(rs);
}
public static void GrantAllAccessPermission(RegistryKey rk)
{
NTAccount ntAccount = new SecurityIdentifier(WellKnownSidType.WorldSid, (SecurityIdentifier)null).Translate(typeof(NTAccount)) as NTAccount;
RegistrySecurity registrySecurity = new RegistrySecurity();
RegistryAccessRule rule = new RegistryAccessRule(ntAccount.ToString(), RegistryRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow);
registrySecurity.AddAccessRule(rule);
rk?.SetAccessControl(registrySecurity);
}
public void TakeOwnership(string regPath, RegistryHive registryHive)
{
var baseReg = RegistryKey.OpenBaseKey(registryHive, RegistryView.Registry64);
try {
/* Get the ID of the current user (aka Amin)
*/
WindowsIdentity id = WindowsIdentity.GetCurrent();
/* Add the TakeOwnership Privilege
*/
bool blRc = Natif.MySetPrivilege(Natif.TakeOwnership, true);
if (!blRc)
{
throw new PrivilegeNotHeldException(Natif.TakeOwnership);
}
/* Add the Restore Privilege (must be done to change the owner)
*/
blRc = Natif.MySetPrivilege(Natif.Restore, true);
if (!blRc)
{
throw new PrivilegeNotHeldException(Natif.Restore);
}
/* Open a registry which I don't own
*/
RegistryKey rkADSnapInsNodesTypes = baseReg.OpenSubKey(regPath, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership);
RegistrySecurity regSecTempo = rkADSnapInsNodesTypes.GetAccessControl(AccessControlSections.All);
/* Get the real owner
*/
IdentityReference oldId = regSecTempo.GetOwner(typeof(SecurityIdentifier));
SecurityIdentifier siTrustedInstaller = new SecurityIdentifier(oldId.ToString());
/* process user become the owner
*/
regSecTempo.SetOwner(id.User);
rkADSnapInsNodesTypes.SetAccessControl(regSecTempo);
/* Add the full control
*/
RegistryAccessRule regARFullAccess = new RegistryAccessRule(id.User, RegistryRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
regSecTempo.AddAccessRule(regARFullAccess);
rkADSnapInsNodesTypes.SetAccessControl(regSecTempo);
/* Do something
*/
rkADSnapInsNodesTypes.CreateSubKey("dummy");
rkADSnapInsNodesTypes.DeleteSubKey("dummy");
}
catch (Exception excpt)
{
throw excpt;
}
}
public static string AccessRuleToString(RegistryAccessRule rule)
{
string[] accessArray = new string[5];
accessArray[0] = rule.IdentityReference.Value; // Account
accessArray[1] = rule.RegistryRights.ToString(); // Rights
accessArray[2] = rule.InheritanceFlags.ToString(); // InheritanceFlags
accessArray[3] = rule.PropagationFlags.ToString(); // PropagationFlags
accessArray[4] = rule.AccessControlType.ToString(); // AccessControlType
return(string.Join(";", accessArray));
}
private static void ChangeRegKeyFullControl(RegistryKey registryKey, IdentityReference identity)
{
RegistrySecurity nSubKeySec = registryKey.GetAccessControl(AccessControlSections.Access);
RegistryAccessRule nAccRule = new RegistryAccessRule(identity, RegistryRights.FullControl, AccessControlType.Allow);
nSubKeySec.AddAccessRule(nAccRule);
registryKey.SetAccessControl(nSubKeySec);
nSubKeySec.SetOwner(identity);
registryKey.SetAccessControl(nSubKeySec);
}
public static void Main()
{
string user = Environment.UserDomainName + "\\"
+ Environment.UserName;
// Create a security object that grants no access.
RegistrySecurity mSec = new RegistrySecurity();
// Add a rule that grants the current user the right
// to read and enumerate the name/value pairs in a key,
// to read its access and audit rules, to enumerate
// its subkeys, to create subkeys, and to delete the key.
// The rule is inherited by all contained subkeys.
//
RegistryAccessRule rule1 = new RegistryAccessRule(user,
RegistryRights.ReadKey | RegistryRights.WriteKey
| RegistryRights.Delete,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow);
mSec.AddAccessRule(rule1);
// Add a rule that allows the current user the right
// right to take ownership of a key, using the same
// inheritance and propagation flags. This rule
// merges with the first rule.
RegistryAccessRule rule2 = new RegistryAccessRule(user,
RegistryRights.ChangePermissions,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow);
mSec.AddAccessRule(rule2);
// Display the rules in the security object.
ShowSecurity(mSec);
// Attempt to use RemoveRuleSpecific to remove the
// first rule. The removal fails, because the rule
// in the RegistrySecurity object has been altered.
mSec.RemoveAccessRuleSpecific(rule1);
// Show that the rule was not removed.
ShowSecurity(mSec);
// Use the RemoveAccessRule method to remove rule2,
// and then use RemoveAccessRuleSpecific to remove
// rule1.
mSec.RemoveAccessRule(rule2);
mSec.RemoveAccessRuleSpecific(rule1);
// Show that the rules have been removed.
ShowSecurity(mSec);
}
/// <summary>
/// Checks if the rule already exists in the collection.
/// </summary>
/// <param name="allRules">collection of existing rules</param>
/// <param name="checkRule">rule to check for</param>
/// <returns>true if existing</returns>
private static bool ContainsRule(AuthorizationRuleCollection allRules, RegistryAccessRule checkRule)
{
foreach (RegistryAccessRule existingRule in allRules)
{
if (IsEqualRule(existingRule, checkRule))
{
return(true);
}
}
return(false);
}
private static void SetRegistryAcls()
{
string pGinaSubKey = pGina.Shared.Settings.pGinaDynamicSettings.pGinaRoot;
using (RegistryKey key = Registry.LocalMachine.CreateSubKey(pGinaSubKey))
{
if (key != null)
{
//m_logger.InfoFormat("Setting ACLs on {0}", key.Name);
RegistryAccessRule allowRead = new RegistryAccessRule(
USERS_GROUP, RegistryRights.ReadKey,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None, AccessControlType.Allow);
RegistryAccessRule adminFull = new RegistryAccessRule(
ADMIN_GROUP, RegistryRights.FullControl,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None, AccessControlType.Allow);
RegistryAccessRule systemFull = new RegistryAccessRule(
SYSTEM_ACCT, RegistryRights.FullControl,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None, AccessControlType.Allow);
RegistrySecurity keySec = key.GetAccessControl();
//if (//m_logger.IsDebugEnabled)
{
//m_logger.DebugFormat("{0} before update:", key.Name);
ShowSecurity(keySec);
}
// Remove inherited rules
keySec.SetAccessRuleProtection(true, false);
// Add full control for administrators and system.
keySec.AddAccessRule(adminFull);
keySec.AddAccessRule(systemFull);
// Remove any read rules for users (if they exist)
keySec.RemoveAccessRuleAll(allowRead);
// Apply the rules..
key.SetAccessControl(keySec);
//if (//m_logger.IsDebugEnabled)
{
//m_logger.DebugFormat("{0} after update: ", key.Name);
ShowSecurity(keySec);
}
}
}
}
private static RegistryKey CriaSubChave(enuChaveRegistro Chave, string SubChave)
{
RegistryKey RegChave = null;
string UsuarioLogado = Environment.UserDomainName + "\\" + Environment.UserName;
RegistrySecurity SegurancaUsuario = new RegistrySecurity();
RegistryAccessRule RegraUsuario = new RegistryAccessRule(UsuarioLogado, RegistryRights.FullControl, AccessControlType.Allow);
SegurancaUsuario.AddAccessRule(RegraUsuario);
string[] Chaves = SubChave.Split(new Char[] { '\\' });
string SubChaveConcat = "";
foreach (string SubChaveItem in Chaves)
{
if (SubChaveConcat.Length == 0)
{
SubChaveConcat = SubChaveConcat + SubChaveItem;
}
else
{
SubChaveConcat = SubChaveConcat + "\\" + SubChaveItem;
}
RegChave = AbreSubChave(Chave, SubChaveConcat);
if (RegChave == null)
{
switch (Chave)
{
case enuChaveRegistro.ClassesRoot:
RegChave = Registry.ClassesRoot.CreateSubKey(SubChaveConcat, RegistryKeyPermissionCheck.ReadWriteSubTree, SegurancaUsuario);
break;
case enuChaveRegistro.CurrentUser:
RegChave = Registry.CurrentUser.CreateSubKey(SubChaveConcat, RegistryKeyPermissionCheck.ReadWriteSubTree, SegurancaUsuario);
break;
case enuChaveRegistro.LocalMachine:
RegChave = Registry.LocalMachine.CreateSubKey(SubChaveConcat, RegistryKeyPermissionCheck.ReadWriteSubTree, SegurancaUsuario);
break;
case enuChaveRegistro.Users:
RegChave = Registry.Users.CreateSubKey(SubChaveConcat, RegistryKeyPermissionCheck.ReadWriteSubTree, SegurancaUsuario);
break;
case enuChaveRegistro.CurrentConfig:
RegChave = Registry.CurrentConfig.CreateSubKey(SubChaveConcat, RegistryKeyPermissionCheck.ReadWriteSubTree, SegurancaUsuario);
break;
}
}
RegChave.SetAccessControl(SegurancaUsuario);
}
return(RegChave);
}
private RegistryKey OpenExplorerPoliciesKey()
{
RegistrySecurity RegistrySecurity = new RegistrySecurity();
WindowsIdentity WindowsIdentity = System.Security.Principal.WindowsIdentity.GetCurrent();
RegistryAccessRule AccessRule = new RegistryAccessRule(WindowsIdentity.Name, RegistryRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow);
RegistrySecurity.AddAccessRule(AccessRule);
RegistrySecurity.SetAccessRuleProtection(false, true);
RegistryKey RegistryKey = Registry.LocalMachine.OpenSubKey(ExplorerPolitiesRegistryPath, true);
RegistryKey.SetAccessControl(RegistrySecurity);
return(RegistryKey);
}
private static RegistryAccessRule _getWriteOnKey(RegistryKey key)
{
RegistrySecurity sec = key.GetAccessControl();
RegistryAccessRule rule = new RegistryAccessRule(
WindowsIdentity.GetCurrent().User,
RegistryRights.WriteKey,
AccessControlType.Allow);
sec.AddAccessRule(rule);
key.SetAccessControl(sec);
return(rule);
}
public void EveryoneCanRead()
{
string keyName = @"Software\Mono RegistrySecurityTest EveryoneCanRead";
RegistrySecurity security;
if (PlatformID.Win32NT != Environment.OSVersion.Platform)
{
Assert.Ignore(); return;
}
try {
using (RegistryKey key = Registry.CurrentUser.CreateSubKey(keyName)) {
AuthorizationRuleCollection explicitRules, inheritedRules;
// Before we begin manipulating this, make sure we're in the right spot.
Assert.AreEqual(key.Name, @"HKEY_CURRENT_USER\" + keyName);
// Let's add Everyone to the read list.
SecurityIdentifier worldSid = new SecurityIdentifier("WD");
security = key.GetAccessControl();
inheritedRules = security.GetAccessRules(false, true, typeof(SecurityIdentifier));
Assert.AreNotEqual(0, inheritedRules.Count);
explicitRules = security.GetAccessRules(true, false, typeof(SecurityIdentifier));
Assert.AreEqual(0, explicitRules.Count);
security.AddAccessRule(new RegistryAccessRule(worldSid,
RegistryRights.FullControl,
AccessControlType.Allow));
key.SetAccessControl(security);
// Verify that we have our permission!
security = key.GetAccessControl();
inheritedRules = security.GetAccessRules(false, true, typeof(SecurityIdentifier));
Assert.AreNotEqual(0, inheritedRules.Count);
explicitRules = security.GetAccessRules(true, false, typeof(SecurityIdentifier));
Assert.AreEqual(1, explicitRules.Count);
RegistryAccessRule rule = (RegistryAccessRule)explicitRules [0];
Assert.AreEqual(AccessControlType.Allow, rule.AccessControlType);
Assert.AreEqual(worldSid, rule.IdentityReference);
Assert.AreEqual(InheritanceFlags.None, rule.InheritanceFlags);
Assert.AreEqual(PropagationFlags.None, rule.PropagationFlags);
Assert.AreEqual(RegistryRights.FullControl, rule.RegistryRights);
Assert.IsFalse(rule.IsInherited);
}
} finally {
Registry.CurrentUser.DeleteSubKey(keyName);
}
}
public static void RegACLAllow()
{
//打开注册表项“HKEY_LOCAL_MACHINE\SAM\SAM”,使用 OpenSubKey 方法得到一个能够更改权限的 RegistryKey 类的实例
RegistryKey rk = Registry.LocalMachine.OpenSubKey(@"SAM\SAM", RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.ChangePermissions);
//注册表项的 Windows 访问控制安全性。
RegistrySecurity rs = new RegistrySecurity();
//一个给“SYSTEM”用户“完全控制权限”的规则
RegistryAccessRule rar = new RegistryAccessRule("SYSTEM", RegistryRights.FullControl, AccessControlType.Allow);
//把规则添加到列表里
rs.AddAccessRule(rar);
//为注册表项设置权限
rk.SetAccessControl(rs);
}
/// <summary>
/// Compare two rules on important properties.
/// </summary>
/// <param name="rule1">access rule 1</param>
/// <param name="rule2">access rule 2</param>
/// <returns>true if equal</returns>
private static bool IsEqualRule(RegistryAccessRule rule1, RegistryAccessRule rule2)
{
if (rule1.AccessControlType != rule2.AccessControlType ||
rule1.RegistryRights != rule2.RegistryRights ||
rule1.IdentityReference != rule2.IdentityReference ||
rule1.InheritanceFlags != rule2.InheritanceFlags)
{
return(false);
}
else
{
return(true);
}
}
/// <summary>
/// Bypass ACL by allowing Administrator to write to the key
/// Returns the old ACL
/// </summary>
public static RegistrySecurity SetGracePeriodRegistryKeyPermission()
{
Privileges.SetPrivilege("SeTakeOwnershipPrivilege");
Privileges.SetPrivilege("SeBackupPrivilege");
Privileges.SetPrivilege("SeRestorePrivilege");
var sid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
var account = sid.Translate(typeof(NTAccount)) as NTAccount;
RegistrySecurity oldRs;
// compatibility hell(?)
// https://docs.microsoft.com/en-us/windows/win32/winprog64/registry-redirector?redirectedfrom=MSDN
// https://stackoverflow.com/questions/2464358/why-is-opensubkey-returning-null-on-my-windows-7-64-bit-system/16698274
// var registryLocalMachine = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64);
var registryLocalMachine = Registry.LocalMachine;
// first, back up old ACL
using (RegistryKey rk = registryLocalMachine.OpenSubKey(TimeBombRegistryKeyName, false))
{
oldRs = rk?.GetAccessControl(AccessControlSections.All);
}
// then get owner
using (RegistryKey rk = registryLocalMachine.OpenSubKey(TimeBombRegistryKeyName, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership))
{
RegistrySecurity rs = rk?.GetAccessControl(AccessControlSections.All);
rs?.SetOwner(account ?? throw new InvalidOperationException());
rk?.SetAccessControl(rs ?? throw new InvalidOperationException());
}
using (RegistryKey rk = registryLocalMachine.OpenSubKey(TimeBombRegistryKeyName, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.ChangePermissions))
{
RegistrySecurity rs = rk?.GetAccessControl(AccessControlSections.All);
Debug.Assert(account != null, nameof(account) + " != null");
RegistryAccessRule rar = new RegistryAccessRule(
account.ToString(),
RegistryRights.FullControl,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
rs?.AddAccessRule(rar);
rk?.SetAccessControl(rs ?? throw new InvalidOperationException());
}
return(oldRs);
}
public void AddAccessRule(RegistryAccessRule rule);
public void RemoveAccessRuleAll(RegistryAccessRule rule);
public void RemoveAccessRuleSpecific(RegistryAccessRule rule);
public void SetAccessRule(RegistryAccessRule rule);
public bool RemoveAccessRule(RegistryAccessRule rule);
public void ResetAccessRule(RegistryAccessRule rule)
{
}
