/// <summary>
/// apply registry security settings to user profiles
/// </summary>
/// <param name="where"></param>
/// <param name="keyname"></param>
/// <param name="username"></param>
/// <returns></returns>
public static Boolean RegSec(pInvokes.structenums.RegistryLocation where, string keyname, string username)
{
try
{
IdentityReference UserIRef = new NTAccount(String.Format("{0}\\{1}", Environment.MachineName, username));
SecurityIdentifier UserSid = (SecurityIdentifier)UserIRef.Translate(typeof(SecurityIdentifier));
using (RegistryKey key = pInvokes.GetRegistryLocation(where).OpenSubKey(keyname, true))
{
RegistrySecurity keySecurity = key.GetAccessControl(AccessControlSections.Access);
string SDDL = keySecurity.GetSecurityDescriptorSddlForm(AccessControlSections.All);
//LibraryLogging.Info(SDDL);
foreach (RegistryAccessRule user in keySecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)))
{
//LibraryLogging.Info("registry ACE user: {0} {1} {2}", key.Name, user.InheritanceFlags.ToString(), user.IdentityReference.Value);
if (user.IdentityReference.Value.StartsWith("S-1-5-21-") && !user.IdentityReference.Value.Equals(UserIRef.Value))
{
//LibraryLogging.Info("mod registry ACE:{0} from unknown user:{1} to {2} {3} {4}", key.Name, user.IdentityReference.Value, username, user.RegistryRights.ToString(), user.AccessControlType.ToString());
SDDL = SDDL.Replace(user.IdentityReference.Value, UserSid.Value);
//LibraryLogging.Info(SDDL);
keySecurity.SetSecurityDescriptorSddlForm(SDDL);
key.SetAccessControl(keySecurity);
break;
}
}
foreach (string subkey in key.GetSubKeyNames())
{
if (!RegSec(where, keyname + "\\" + subkey, username))
{
return(false);
}
}
}
}
catch (SystemException ex)
{
LibraryLogging.Warn("RegSec:{0} Warning {1}", keyname, ex.Message);
}
catch (Exception ex)
{
LibraryLogging.Error("RegSec:{0} Error:{1}", keyname, ex.Message);
return(false);
}
return(true);
}
public void ReplaceRegistry(string rootKey, bool recursive)
{
ActionObserver.NotifyAction("Search/Replace SID", "Registry", rootKey, Hostname);
try {
RegistryKey key = Tools.WinTool.OpenKey(Hostname, rootKey);
try {
RegistrySecurity security = key.GetAccessControl(AccessControlSections.All);
string sddl = security.GetSecurityDescriptorSddlForm(AccessControlSections.All);
foreach (Tuple <SecurityIdentifier, SecurityIdentifier> item in ReplaceList)
{
string searchItem = item.Item1.ToString();
string replaceItem = item.Item2.ToString();
string newSddl = sddl.Replace(searchItem, replaceItem);
if (newSddl != sddl)
{
ActionObserver.NotifyInformation(
"RegistryKey '{0}' replaced '{1}' with '{2}'",
rootKey, searchItem, replaceItem
);
}
sddl = newSddl;
}
security.SetSecurityDescriptorSddlForm(sddl, AccessControlSections.All);
key.SetAccessControl(security);
} catch (Exception error) {
ActionObserver.NotifyError("Unable to search SIDs on registry key '{0}' due to error '{1}'", rootKey, error.Message);
}
if (recursive)
{
foreach (string subKey in Tools.WinTool.GetSubKeys(Hostname, rootKey))
{
if (Tools.WinTool.KeyExists(Hostname, subKey))
{
ReplaceRegistry(subKey, recursive);
}
else
{
ActionObserver.NotifyWarning("Unable to access key '{0}'", subKey);
}
}
}
} catch (Exception error) {
ActionObserver.NotifyError("Unable to search/replace SIDs on registry key '{0}' due to error='{1}'", rootKey, error.Message);
}
}
/// <summary>
/// apply registry security settings to user profiles
/// </summary>
public static bool RegSec(Abstractions.WindowsApi.pInvokes.structenums.RegistryLocation where, string keyname, SecurityIdentifier userSid)
{
try
{
using (RegistryKey key = Abstractions.WindowsApi.pInvokes.GetRegistryLocation(where).OpenSubKey(keyname, true))
{
RegistrySecurity keySecurity = key.GetAccessControl(AccessControlSections.Access);
string sddl = keySecurity.GetSecurityDescriptorSddlForm(AccessControlSections.All);
foreach (RegistryAccessRule user in keySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)))
{
if (user.IdentityReference.Value.StartsWith("S-1-5-21-") && !user.IdentityReference.Value.Equals(userSid.Value))
{
sddl = sddl.Replace(user.IdentityReference.Value, userSid.Value);
keySecurity.SetSecurityDescriptorSddlForm(sddl);
key.SetAccessControl(keySecurity);
break;
}
}
foreach (string subkey in key.GetSubKeyNames())
{
if (!RegSec(where, keyname + "\\" + subkey, userSid))
{
return(false);
}
}
}
}
catch (SystemException ex)
{
Log.WarnFormat("RegSec:{0} Warning {1}", keyname, ex.Message);
}
catch (Exception ex)
{
Log.ErrorFormat("RegSec:{0} Error:{1}", keyname, ex.Message);
return(false);
}
return(true);
}
public static void ProvisionAutoGenKeys(RegistryView regView, string expandedVersion, string sid)
{
var baseRegKey = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, regView);
var softwareMicrosoftKey = baseRegKey.OpenSubKey("SOFTWARE\\Microsoft\\", true);
var aspNetKey = softwareMicrosoftKey.OpenSubKey("ASP.NET", true);
if (aspNetKey == null)
{
aspNetKey = softwareMicrosoftKey.CreateSubKey("ASP.NET");
}
var aspNetBaseKey = aspNetKey.OpenSubKey(expandedVersion, true);
if (aspNetBaseKey == null)
{
aspNetBaseKey = aspNetKey.CreateSubKey(expandedVersion);
}
var autoGenBaseKey = aspNetBaseKey.OpenSubKey("AutoGenKeys", true);
if (autoGenBaseKey == null)
{
autoGenBaseKey = aspNetBaseKey.CreateSubKey("AutoGenKeys");
}
var regSec = new RegistrySecurity();
regSec.SetSecurityDescriptorSddlForm($"D:P(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)(A;OICI;GA;;;{sid})");
var userAutoGenKey = autoGenBaseKey.OpenSubKey(sid, true);
if (userAutoGenKey == null)
{
userAutoGenKey = autoGenBaseKey.CreateSubKey(sid, RegistryKeyPermissionCheck.Default, regSec);
}
else
{
userAutoGenKey.SetAccessControl(regSec);
}
}
/// <summary>
/// Creates a new (empty) registry hive.
/// </summary>
/// <param name="stream">The stream to contain the new hive.</param>
/// <param name="ownership">Whether the returned object owns the stream.</param>
/// <returns>The new hive.</returns>
public static RegistryHive Create(Stream stream, Ownership ownership)
{
if (stream == null)
{
throw new ArgumentNullException(nameof(stream), "Attempt to create registry hive in null stream");
}
// Construct a file with minimal structure - hive header, plus one (empty) bin
BinHeader binHeader = new BinHeader();
binHeader.FileOffset = 0;
binHeader.BinSize = (int)(4 * Sizes.OneKiB);
HiveHeader hiveHeader = new HiveHeader();
hiveHeader.Length = binHeader.BinSize;
stream.Position = 0;
byte[] buffer = new byte[hiveHeader.Size];
hiveHeader.WriteTo(buffer, 0);
stream.Write(buffer, 0, buffer.Length);
buffer = new byte[binHeader.Size];
binHeader.WriteTo(buffer, 0);
stream.Position = BinStart;
stream.Write(buffer, 0, buffer.Length);
buffer = new byte[4];
EndianUtilities.WriteBytesLittleEndian(binHeader.BinSize - binHeader.Size, buffer, 0);
stream.Write(buffer, 0, buffer.Length);
// Make sure the file is initialized out to the end of the firs bin
stream.Position = BinStart + binHeader.BinSize - 1;
stream.WriteByte(0);
// Temporary hive to perform construction of higher-level structures
RegistryHive newHive = new RegistryHive(stream);
KeyNodeCell rootCell = new KeyNodeCell("root", -1);
rootCell.Flags = RegistryKeyFlags.Normal | RegistryKeyFlags.Root;
newHive.UpdateCell(rootCell, true);
RegistrySecurity sd = new RegistrySecurity();
sd.SetSecurityDescriptorSddlForm("O:BAG:BAD:PAI(A;;KA;;;SY)(A;CI;KA;;;BA)", AccessControlSections.All);
SecurityCell secCell = new SecurityCell(sd);
newHive.UpdateCell(secCell, true);
secCell.NextIndex = secCell.Index;
secCell.PreviousIndex = secCell.Index;
newHive.UpdateCell(secCell, false);
rootCell.SecurityIndex = secCell.Index;
newHive.UpdateCell(rootCell, false);
// Ref the root cell from the hive header
hiveHeader.RootCell = rootCell.Index;
buffer = new byte[hiveHeader.Size];
hiveHeader.WriteTo(buffer, 0);
stream.Position = 0;
stream.Write(buffer, 0, buffer.Length);
// Finally, return the new hive
return(new RegistryHive(stream, ownership));
}