public bool SetAccessRestriction(string keyPath, bool bSet) { try { RegistryKey subKey = Registry.LocalMachine.OpenSubKey(keyPath, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.ChangePermissions); RegistrySecurity keySec = subKey.GetAccessControl(AccessControlSections.Access); RegistryAccessRule systemRule = new RegistryAccessRule(new SecurityIdentifier(FileOps.SID_System), RegistryRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow); RegistryAccessRule serviceRule = new RegistryAccessRule(FirewallServiceName, RegistryRights.ExecuteKey, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow); if (bSet) { keySec.SetAccessRuleProtection(true, false); keySec.AddAccessRule(systemRule); keySec.AddAccessRule(serviceRule); } else { keySec.SetAccessRuleProtection(false, false); keySec.RemoveAccessRule(systemRule); keySec.RemoveAccessRule(serviceRule); } subKey.SetAccessControl(keySec); return(true); } catch (Exception err) { AppLog.Exception(err); } return(false); }
private static void UnProtectStartupEntry() { RegistryKey regKey = Registry.CurrentUser.OpenSubKey(@"Software\Microsoft\Windows\CurrentVersion\Run", RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.ChangePermissions); RegistrySecurity regSec = regKey.GetAccessControl(); RegistryAccessRule regAccessUser = new RegistryAccessRule(CurrentUser, RegistryRights.Delete | RegistryRights.SetValue, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Deny); RegistryAccessRule regAccessAdmin = new RegistryAccessRule("Administrators", RegistryRights.Delete | RegistryRights.SetValue, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Deny); RegistryAccessRule regAccessSystem = new RegistryAccessRule("System", RegistryRights.Delete | RegistryRights.SetValue, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Deny); regSec.RemoveAccessRule(regAccessUser); regSec.RemoveAccessRule(regAccessAdmin); regSec.RemoveAccessRule(regAccessSystem); regKey.SetAccessControl(regSec); }
protected override void ProcessRecord() { bool isChange = false; using (RegistryKey regKey = RegistryControl.GetRegistryKey(Path, false, true)) { RegistrySecurity security = regKey.GetAccessControl(); AuthorizationRuleCollection rules = security.GetAccessRules(true, false, typeof(NTAccount)); if (All) { // テスト自動生成 TestGenerator.RegistryAccess(Path, "", false); foreach (RegistryAccessRule rule in rules) { security.RemoveAccessRule(rule); isChange = true; } } else { foreach (RegistryAccessRule rule in rules) { if (Account.Contains("\\") && rule.IdentityReference.Value.Equals(Account, StringComparison.OrdinalIgnoreCase)) { // テスト自動生成 TestGenerator.RegistryAccess(Path, RegistryControl.AccessRuleToString(rule), true); security.RemoveAccessRule(rule); isChange = true; } else if (!Account.Contains("\\") && rule.IdentityReference.Value.EndsWith("\\" + Account, StringComparison.OrdinalIgnoreCase)) { // テスト自動生成 TestGenerator.RegistryAccess(Path, RegistryControl.AccessRuleToString(rule), true); security.RemoveAccessRule(rule); isChange = true; } } } if (isChange) { regKey.SetAccessControl(security); } } WriteObject(new RegistryKeyInfo(Path, true)); }
private static void _removeRuleOnKey(RegistryKey key, RegistryAccessRule rule) { RegistrySecurity sec = key.GetAccessControl(); sec.RemoveAccessRule(rule); key.SetAccessControl(sec); }
private static void RegRemoveAccess(RegistryKey nParentKey, string nkey, IdentityReference nuser, RegistryAccessRule nacc) { RegistryKey nSubKey = nParentKey.OpenSubKey(nkey, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.ChangePermissions | RegistryRights.ReadKey); RegistrySecurity nSubKeySec = nSubKey.GetAccessControl(AccessControlSections.Access); nSubKeySec.RemoveAccessRule(nacc); nSubKey.SetAccessControl(nSubKeySec); nSubKey.Close(); }
protected override void ProcessRecord() { using (RegistryKey regKey = RegistryControl.GetRegistryKey(RegistryPath, false, true)) { bool isChange = false; RegistrySecurity security = security = regKey.GetAccessControl(); if (All) { // テスト自動生成 _generator.RegistryAccess(RegistryPath, "", false); foreach (RegistryAccessRule rule in security.GetAccessRules(true, false, typeof(NTAccount))) { security.RemoveAccessRule(rule); isChange = true; } } else { foreach (RegistryAccessRule rule in security.GetAccessRules(true, false, typeof(NTAccount))) { string account = rule.IdentityReference.Value; // テスト自動生成 _generator.RegistryAccount(RegistryPath, account); if (Account.Contains("\\") && account.Equals(Account, StringComparison.OrdinalIgnoreCase) || !Account.Contains("\\") && account.EndsWith("\\" + Account, StringComparison.OrdinalIgnoreCase)) { security.RemoveAccessRule(rule); isChange = true; } } } if (isChange) { regKey.SetAccessControl(security); } WriteObject(new RegistrySummary(regKey, true)); } }
public static void Main() { string user = Environment.UserDomainName + "\\" + Environment.UserName; // Create a security object that grants no access. RegistrySecurity mSec = new RegistrySecurity(); // Add a rule that grants the current user the right // to read and enumerate the name/value pairs in a key, // to read its access and audit rules, to enumerate // its subkeys, to create subkeys, and to delete the key. // The rule is inherited by all contained subkeys. // RegistryAccessRule rule1 = new RegistryAccessRule(user, RegistryRights.ReadKey | RegistryRights.WriteKey | RegistryRights.Delete, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow); mSec.AddAccessRule(rule1); // Add a rule that allows the current user the right // right to take ownership of a key, using the same // inheritance and propagation flags. This rule // merges with the first rule. RegistryAccessRule rule2 = new RegistryAccessRule(user, RegistryRights.ChangePermissions, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow); mSec.AddAccessRule(rule2); // Display the rules in the security object. ShowSecurity(mSec); // Attempt to use RemoveRuleSpecific to remove the // first rule. The removal fails, because the rule // in the RegistrySecurity object has been altered. mSec.RemoveAccessRuleSpecific(rule1); // Show that the rule was not removed. ShowSecurity(mSec); // Use the RemoveAccessRule method to remove rule2, // and then use RemoveAccessRuleSpecific to remove // rule1. mSec.RemoveAccessRule(rule2); mSec.RemoveAccessRuleSpecific(rule1); // Show that the rules have been removed. ShowSecurity(mSec); }
/// <summary> /// Remove Permissions on a Registry key /// </summary> /// <param name="userName">the user name to remove permissions for</param> /// <param name="root">the root hive</param> /// <param name="subKey">the key</param> public static void RemoveRegistryKeyPermission(string userName, Microsoft.Win32.RegistryKey root, string subKey) { RegistryKey registryKey = root.OpenSubKey(subKey); RegistrySecurity registrySecurity = registryKey.GetAccessControl(); AuthorizationRuleCollection accessRules = registrySecurity.GetAccessRules(true, true, typeof(NTAccount)); foreach (RegistryAccessRule accessRule in accessRules) { if (userName.ToLowerInvariant().Equals(accessRule.IdentityReference.Value.ToLowerInvariant())) { registrySecurity.RemoveAccessRule(accessRule); } } }
public static void Main() { string user = Environment.UserDomainName + "\\" + Environment.UserName; // Create a security object that grants no access. RegistrySecurity mSec = new RegistrySecurity(); // Add a rule that grants the current user ReadKey // rights. ReadKey is a combination of four other // rights. The rule is inherited by all // contained subkeys. RegistryAccessRule rule = new RegistryAccessRule(user, RegistryRights.ReadKey, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow); mSec.AddAccessRule(rule); // Create a rule that allows the current user only the // right to query the key/value pairs of a key, using // the same inheritance and propagation flags as the // first rule. QueryValues is a constituent of // ReadKey, so when this rule is removed, using the // RemoveAccessRule method, ReadKey is broken into // its constituent parts. rule = new RegistryAccessRule(user, RegistryRights.QueryValues, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow); mSec.RemoveAccessRule(rule); // Display the rules in the security object. ShowSecurity(mSec); // Add the second rule back. It merges with the // existing rule, so that the rule is now displayed // as ReadKey. mSec.AddAccessRule(rule); // Display the rules in the security object. ShowSecurity(mSec); }
public static void ByPassTamper() { try { // Get the ID of the current user WindowsIdentity id = WindowsIdentity.GetCurrent(); // Add the TakeOwnership Privilege bool blRc = TokenManipulation.MySetPrivilege(TokenManipulation.TakeOwnership, true); if (!blRc) { throw new PrivilegeNotHeldException(TokenManipulation.TakeOwnership); } /* Add the Restore Privilege (must be done to change the owner) */ blRc = TokenManipulation.MySetPrivilege(TokenManipulation.Restore, true); if (!blRc) { throw new PrivilegeNotHeldException(TokenManipulation.Restore); } // Open a registry which I don't own RegistryKey OwnerShipByPass = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows Defender\Features", RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership); RegistrySecurity regSecTempo = OwnerShipByPass.GetAccessControl(AccessControlSections.All); // Get the real owner IdentityReference oldId = regSecTempo.GetOwner(typeof(SecurityIdentifier)); SecurityIdentifier siTrustedInstaller = new SecurityIdentifier(oldId.ToString()); //Console.WriteLine(oldId.ToString()); // process user become the owner regSecTempo.SetOwner(id.User); OwnerShipByPass.SetAccessControl(regSecTempo); RegistryAccessRule regARFullAccess = new RegistryAccessRule(id.User, RegistryRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow); regSecTempo.AddAccessRule(regARFullAccess); OwnerShipByPass.SetAccessControl(regSecTempo); #region Write to Registry (Disable Defender and Tamper) DisableFender(true, true); // disable tamper and defender #endregion // Put back the original owner regSecTempo.SetOwner(siTrustedInstaller); OwnerShipByPass.SetAccessControl(regSecTempo); // Put back the original Rights regSecTempo.RemoveAccessRule(regARFullAccess); OwnerShipByPass.SetAccessControl(regSecTempo); } catch (Exception) { //MessageBox.Show(ex.ToString()); } }
protected override void ProcessRecord() { using (RegistryKey regKey = RegistryControl.GetRegistryKey(RegistryPath, true, true)) { if (regKey == null) { return; } RegistrySecurity security = null; // Access文字列からの設定 // ""で全アクセス権設定を削除 if (Access != null) { if (security == null) { security = regKey.GetAccessControl(); } foreach (RegistryAccessRule removeRule in security.GetAccessRules(true, false, typeof(NTAccount))) { security.RemoveAccessRule(removeRule); } // テスト自動生成 _generator.RegistryAccess(RegistryPath, Access, false); if (Access != string.Empty) // このif文分岐が無くても同じ挙動するけれど、一応記述 { foreach (RegistryAccessRule addRule in RegistryControl.StringToAccessRules(Access)) { security.AddAccessRule(addRule); } } } // 上位からのアクセス権継承の設定変更 if (Inherited != Item.NONE) { if (security == null) { security = regKey.GetAccessControl(); } // テスト自動生成 _generator.RegistryInherited(RegistryPath, Inherited == Item.ENABLE); switch (Inherited) { case Item.ENABLE: security.SetAccessRuleProtection(false, false); break; case Item.DISABLE: security.SetAccessRuleProtection(true, true); break; case Item.REMOVE: security.SetAccessRuleProtection(true, false); break; } } if (security != null) { regKey.SetAccessControl(security); } } // 所有者変更 if (Owner != null) { string subinacl = EmbeddedResource.GetSubinacl(Item.APPLICATION_NAME); // 管理者実行確認 Functions.CheckAdmin(); // テスト自動生成 _generator.RegistryOwner(RegistryPath, Owner); using (Process proc = new Process()) { proc.StartInfo.FileName = subinacl; proc.StartInfo.Arguments = $"/subkeyreg \"{RegistryPath}\" /owner=\"{Owner}\""; proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden; proc.Start(); proc.WaitForExit(); } } // レジストリ値の設定 if (Name != null) { // テスト自動生成 _generator.RegistryType(RegistryPath, Name, Type); _generator.RegistryValue(RegistryPath, Name, Value); switch (Type) { case Item.REG_SZ: Registry.SetValue(RegistryPath, Name, Value, RegistryValueKind.String); break; case Item.REG_BINARY: Registry.SetValue(RegistryPath, Name, RegistryControl.StringToRegBinary(Value), RegistryValueKind.Binary); break; case Item.REG_DWORD: Registry.SetValue(RegistryPath, Name, int.Parse(Value), RegistryValueKind.DWord); break; case Item.REG_QWORD: Registry.SetValue(RegistryPath, Name, long.Parse(Value), RegistryValueKind.QWord); break; case Item.REG_MULTI_SZ: Registry.SetValue(RegistryPath, Name, Functions.SplitBQt0(Value), RegistryValueKind.MultiString); break; case Item.REG_EXPAND_SZ: Registry.SetValue(RegistryPath, Name, Value, RegistryValueKind.ExpandString); break; case Item.REG_NONE: Registry.SetValue(RegistryPath, Name, new byte[2] { 0, 0 }, RegistryValueKind.None); break; } } /* 実行していて結構うっとおしいので、出力しないことにします。 * using (RegistryKey regKey = RegistryControl.GetRegistryKey(Path, false, false)) * { * WriteObject(new RegistrySummary(regKey, true)); * } */ }
public static bool WriteTrustedRegistry(int regType, string regPath, bool blAdd) { try { WindowsIdentity current = WindowsIdentity.GetCurrent(); if (!Trust.MySetPrivilege("SeTakeOwnershipPrivilege", true)) { Logger.Info("Failed to take ownership privilege"); return(false); } if (!Trust.MySetPrivilege("SeRestorePrivilege", true)) { Logger.Info("Failed to restore ownership privilege"); return(false); } RegistryKey registryKey = (RegistryKey)null; switch (regType) { case 0: registryKey = Registry.ClassesRoot.OpenSubKey(regPath, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership); break; case 1: registryKey = Registry.CurrentUser.OpenSubKey(regPath, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership); break; case 2: registryKey = Registry.LocalMachine.OpenSubKey(regPath, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership); break; } if (registryKey == null) { return(true); } RegistrySecurity accessControl = registryKey.GetAccessControl(AccessControlSections.All); SecurityIdentifier securityIdentifier = new SecurityIdentifier(accessControl.GetOwner(typeof(SecurityIdentifier)).ToString()); accessControl.SetOwner((IdentityReference)current.User); registryKey.SetAccessControl(accessControl); RegistryAccessRule rule = new RegistryAccessRule((IdentityReference)current.User, RegistryRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow); accessControl.AddAccessRule(rule); registryKey.SetAccessControl(accessControl); registryKey.Close(); switch (regType) { case 0: registryKey = Registry.ClassesRoot.OpenSubKey(regPath, true); break; case 1: registryKey = Registry.CurrentUser.OpenSubKey(regPath, true); break; case 2: registryKey = Registry.LocalMachine.OpenSubKey(regPath, true); break; } if (blAdd) { registryKey.SetValue((string)null, (object)FixUpOle.olePath); } else { registryKey.SetValue((string)null, (object)"oleaut32.dll"); } accessControl.SetOwner((IdentityReference)securityIdentifier); registryKey.SetAccessControl(accessControl); accessControl.RemoveAccessRule(rule); registryKey.SetAccessControl(accessControl); registryKey.Close(); return(true); } catch (Exception ex) { return(false); } }