public static bool HasRights(RegistryKey key, SecurityIdentifier sid, RegistryRights rights)
{
if (key == null)
{
return(false);
}
var security = key.GetAccessControl();
var rules = security.GetAccessRules(true, true, typeof(SecurityIdentifier));
foreach (RegistryAccessRule rule in rules)
{
if (rule.IdentityReference != sid)
{
continue;
}
if (rule.AccessControlType != AccessControlType.Allow)
{
continue;
}
if ((rule.RegistryRights & rights) == rights)
{
return(true);
}
}
return(false);
}
public RegistryAuditRule
(String identity, RegistryRights registryRights,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags, AuditFlags auditFlags)
: base(IdentityReference.IdentityFromName(identity),
(int)registryRights, false, inheritanceFlags,
propagationFlags, auditFlags) {}
/// <summary>
/// Set registry permissions on a registry key for a specified account.
/// </summary>
public static bool SetRegPermission(RegistryKey rootKey, string subKeyPath,
string account, RegistryRights rights)
{
bool result = false;
RegistryAccessRule accessRule = new RegistryAccessRule(account, rights,
InheritanceFlags.None,
PropagationFlags.NoPropagateInherit,
AccessControlType.Allow);
using (RegistryKey key = rootKey.OpenSubKey(subKeyPath, true))
{
RegistrySecurity keySecurity =
key.GetAccessControl(AccessControlSections.Access);
keySecurity.ModifyAccessRule(AccessControlModification.Add,
accessRule, out result);
if (result)
{
accessRule = new RegistryAccessRule(account, rights,
InheritanceFlags.ContainerInherit |
InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly,
AccessControlType.Allow);
keySecurity.ModifyAccessRule(AccessControlModification.Add,
accessRule, out result);
if (result)
{
key.SetAccessControl(keySecurity);
}
}
}
return(result);
}
internal TransactedRegistryAccessRule(
string identity,
RegistryRights registryRights,
AccessControlType type)
: this((IdentityReference) new NTAccount(identity), (int)registryRights, false, InheritanceFlags.None, PropagationFlags.None, type)
{
}
// Constructor.
public RegistryAccessRule
(IdentityReference identity, RegistryRights registryRights,
AccessControlType type)
: base(identity, (int)registryRights, false,
InheritanceFlags.None, PropagationFlags.None, type)
{
}
private RegistryKey GetRegistryKey(REGISTRY_ROOT Root, string KeyPath, RegistryRights Desired)
{
try
{
switch (Root)
{
case REGISTRY_ROOT.HKEY_CLASSES_ROOT:
return(Registry.ClassesRoot.OpenSubKey(KeyPath, RegistryKeyPermissionCheck.ReadWriteSubTree, Desired));
case REGISTRY_ROOT.HKEY_LOCAL_MACHINE:
return(Registry.LocalMachine.OpenSubKey(KeyPath, RegistryKeyPermissionCheck.ReadWriteSubTree, Desired));
case REGISTRY_ROOT.HKEY_USERS:
return(Registry.Users.OpenSubKey(KeyPath, RegistryKeyPermissionCheck.ReadWriteSubTree, Desired));
case REGISTRY_ROOT.HKEY_CURRENT_USER:
return(Registry.CurrentUser.OpenSubKey(KeyPath, RegistryKeyPermissionCheck.ReadWriteSubTree, Desired));
default:
return(null);
}
}
catch (Exception)
{
return(null);
}
}
private RegistryKey InternalOpenSubKeyCore(string name, RegistryRights rights, bool throwOnPermissionFailure)
{
SafeRegistryHandle result = null;
int ret = Interop.mincore.RegOpenKeyEx(_hkey, name, 0, ((int)rights | (int)_regView), out result);
if (ret == 0 && !result.IsInvalid)
{
RegistryKey key = new RegistryKey(result, IsWritable((int)rights), false, _remoteKey, false, _regView);
key._keyName = _keyName + "\\" + name;
return(key);
}
if (throwOnPermissionFailure)
{
if (ret == Interop.Errors.ERROR_ACCESS_DENIED || ret == Interop.Errors.ERROR_BAD_IMPERSONATION_LEVEL)
{
// We need to throw SecurityException here for compatibility reason,
// although UnauthorizedAccessException will make more sense.
ThrowHelper.ThrowSecurityException(SR.Security_RegistryPermission);
}
}
// Return null if we didn't find the key.
return(null);
}
public RegistryAccessRule
(String identity, RegistryRights registryRights,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags, AccessControlType type)
: base(IdentityReference.IdentityFromName(identity),
(int)registryRights, false, inheritanceFlags,
propagationFlags, type) {}
internal static void GrantRegistryKeyRights(RegistryKey regKey, RegistryRights registryRights)
{
// Just to be sure
if (regKey == null)
{
return;
}
try
{
var regSecurity = regKey.GetAccessControl();
var user = Environment.UserDomainName + "\\" + Environment.UserName;
var rule = new RegistryAccessRule(user, registryRights,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly,
AccessControlType.Allow);
regSecurity.AddAccessRule(rule);
regKey.SetAccessControl(regSecurity);
regKey.Flush();
}
catch (Exception ex)
{
Debug.WriteLine("An error occurred trying to get permission to remove registry key ({0}). Error: {1}",
regKey, ex.Message);
}
}
// Constructor.
public RegistryAuditRule
(IdentityReference identity, RegistryRights registryRights,
AuditFlags auditFlags)
: base(identity, (int)registryRights, false,
InheritanceFlags.None, PropagationFlags.None, auditFlags)
{
}
public RegistryKey OpenSubKey(string name, RegistryRights rights)
{
ValidateKeyName(name);
EnsureNotDisposed();
name = FixupName(name); // Fixup multiple slashes to a single slash
return(InternalOpenSubKeyCore(name, rights, throwOnPermissionFailure: true));
}
public RegistryAccessRule(string identity,
RegistryRights registryRights,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AccessControlType type)
{
this.registryRights = registryRights;
}
public RegistryAccessRule (string identity,
RegistryRights registryRights,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AccessControlType type)
: this (new NTAccount (identity), registryRights, inheritanceFlags, propagationFlags, type)
{
}
public RegistryAccessRule (IdentityReference identity,
RegistryRights registryRights,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AccessControlType type)
: this (identity, registryRights, false, inheritanceFlags, propagationFlags, type)
{
}
internal static extern int ClusterRegCreateKey(
[In] SafeHKey hKey,
[In, MarshalAs(UnmanagedType.LPWStr)] string lpszSubKey,
[In] uint dwOption,
[In] RegistryRights samDesired,
[In] IntPtr lpSecurityAttributes,
[Out] out SafeHKey phkResult,
[Out] out int lpdwDisposition);
public RegistryAuditRule (string identity,
RegistryRights registryRights,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AuditFlags flags)
: this (new NTAccount (identity), registryRights, inheritanceFlags, propagationFlags, flags)
{
}
public RegistryAuditRule(string identity,
RegistryRights registryRights,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AuditFlags flags)
: this(new NTAccount(identity), registryRights, inheritanceFlags, propagationFlags, flags)
{
}
public RegistryAccessRule(IdentityReference identity,
RegistryRights registryRights,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AccessControlType type)
: this(identity, registryRights, false, inheritanceFlags, propagationFlags, type)
{
}
public RegistryAuditRule(string identity,
RegistryRights registryRights,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AuditFlags flags)
{
this.registryRights = registryRights;
}
public RegistryAuditRule(IdentityReference identity,
RegistryRights registryRights,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AuditFlags flags)
: this(identity, registryRights, false, inheritanceFlags, propagationFlags, flags)
{
}
public RegistryAuditRule (IdentityReference identity,
RegistryRights registryRights,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AuditFlags flags)
: this (identity, registryRights, false, inheritanceFlags, propagationFlags, flags)
{
}
public RegistryAccessRule(string identity,
RegistryRights registryRights,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AccessControlType type)
: this(new NTAccount(identity), registryRights, inheritanceFlags, propagationFlags, type)
{
}
internal RegistryAuditRule (IdentityReference identity,
RegistryRights registryRights,
bool isInherited,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AuditFlags flags)
: base (identity, (int)registryRights, isInherited, inheritanceFlags, propagationFlags, flags)
{
}
internal RegistryAccessRule (IdentityReference identity,
RegistryRights registryRights,
bool isInherited,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AccessControlType type)
: base (identity, (int)registryRights, isInherited, inheritanceFlags, propagationFlags, type)
{
}
private static void ValidateKeyRights(RegistryRights rights)
{
if (0 != (rights & ~RegistryRights.FullControl))
{
// We need to throw SecurityException here for compatiblity reason,
// although UnauthorizedAccessException will make more sense.
throw new SecurityException(SR.Security_RegistryPermission);
}
}
internal TransactedRegistryAuditRule(
string identity,
RegistryRights registryRights,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AuditFlags flags)
: this((IdentityReference) new NTAccount(identity), (int)registryRights, false, inheritanceFlags, propagationFlags, flags)
{
}
public RegistryAuditRule
(String identity, RegistryRights registryRights,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags, AuditFlags auditFlags)
: base(IdentityReference.IdentityFromName(identity),
(int)registryRights, false, inheritanceFlags,
propagationFlags, auditFlags)
{
}
public RegistryKey CreateRegKey(string regKeyName = "")
{
if (string.IsNullOrEmpty(regKeyName))
{
regKeyName = _regKey;
}
else
{
regKeyName = $"{this._regKey}\\{regKeyName}";
}
// creazione chiave
_baseKey?.CreateSubKey(regKeyName ?? "", RegistryKeyPermissionCheck.ReadWriteSubTree)?.Close();
// apertura con permessi per modifica permesssi
RegistryKey key = _baseKey?.OpenSubKey(
regKeyName,
RegistryKeyPermissionCheck.ReadWriteSubTree,
RegistryRights.ChangePermissions | RegistryRights.ReadKey | RegistryRights.WriteKey |
RegistryRights.FullControl
);
// permessi da applicare
RegistryRights acl = RegistryRights.WriteKey | RegistryRights.ReadKey | RegistryRights.Delete;
// attuale policy
if (EnvironmentUtils.IsWin())
{
try
{
RegistrySecurity regSec = key?.GetAccessControl();
// aggiunta policy all'attuale
regSec?.AddAccessRule(
new RegistryAccessRule(
$"{Environment.UserDomainName}\\{Environment.UserName}",
acl,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly,
AccessControlType.Allow
)
);
// definizione proprietario
regSec?.SetOwner(new NTAccount($"{Environment.UserDomainName}\\{Environment.UserName}"));
// applicazione della policy
key?.SetAccessControl(regSec);
}
catch
{
// ignore
}
}
return(key);
}
internal RegistryAuditRule(IdentityReference identity,
RegistryRights registryRights,
bool isInherited,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AuditFlags flags)
: base(identity, (int)registryRights, isInherited, inheritanceFlags, propagationFlags, flags)
{
}
public RegistryAccessRule
(String identity, RegistryRights registryRights,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags, AccessControlType type)
: base(IdentityReference.IdentityFromName(identity),
(int)registryRights, false, inheritanceFlags,
propagationFlags, type)
{
}
internal RegistryAccessRule(IdentityReference identity,
RegistryRights registryRights,
bool isInherited,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AccessControlType type)
: base(identity, (int)registryRights, isInherited, inheritanceFlags, propagationFlags, type)
{
}
private static extern int RegCreateKeyEx(
SafeRegistryHandle hKey,
string lpSubKey,
int Reserved,
string lpClass,
RegistryOptions dwOptions,
RegistryRights samDesired,
IntPtr lpSecurityAttributes,
out SafeRegistryHandle phkResult,
out int lpdwDisposition);
public RegistryAccessRule (IdentityReference identity,
RegistryRights registryRights,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AccessControlType type)
// FIXME: accessMask=0 likely causes an error
: base (identity, 0, false, inheritanceFlags, propagationFlags, type)
{
this.rights = registryRights;
}
public RegistryAccessRule(IdentityReference identity,
RegistryRights registryRights,
InheritanceFlags inheritanceFlags,
PropagationFlags propagationFlags,
AccessControlType type)
// FIXME: accessMask=0 likely causes an error
: base(identity.Translate(typeof(SecurityIdentifier)), 0, false, inheritanceFlags, propagationFlags, type)
{
this.rights = registryRights;
}
/// <summary>
/// Check if user have all specified rights to the registry key.
/// </summary>
/// <param name="key">Registry key to check.</param>
/// <param name="rights">Rights to check.</param>
/// <param name="identity">Windows identity to check. If null then check current user.</param>
/// <param name="isElevated">Override elevated option. If set to false then return rights available when user is not running as Administrator.</param>
/// <returns>True if user has rights, false if user don't have rights or rights not found.</returns>
public static bool HasRights(RegistryKey key, RegistryRights rights, WindowsIdentity identity = null, bool?isElevated = null)
{
if (identity == null)
{
identity = WindowsIdentity.GetCurrent();
}
var isAdmin = isElevated.HasValue
? isElevated.Value
: identity.Owner.IsWellKnown(WellKnownSidType.BuiltinAdministratorsSid);
return(HasRights(key, rights, identity.User, isAdmin));
}
/// <summary>
/// Check if user have all specified rights to the registry key.
/// </summary>
/// <param name="key">Registry key to check.</param>
/// <param name="rights">Rights to check.</param>
/// <param name="identity">Windows identity to check. If null then check current user.</param>
/// <param name="isElevated">Override elevated option. If set to false then return rights available when user is not running as Administrator.</param>
/// <returns>True if user has rights, false if user don't have rights or rights not found.</returns>
public static bool HasRights(RegistryKey key, RegistryRights rights, WindowsIdentity identity = null, bool?isElevated = null)
{
if (identity == null)
{
identity = WindowsIdentity.GetCurrent();
}
var isAdmin = isElevated.HasValue
? isElevated.Value
: identity.User != identity.Owner;
return(HasRights(key, rights, identity.User, isAdmin));
}
public SetRegistryKeyPermissionsTask(
RegistryKey rootKey,
string registryKeyPath,
string identity,
RegistryRights registryRights,
AccessControlType accessControlType)
{
this.rootKey = rootKey;
this.registryKeyPath = registryKeyPath;
this.identity = identity;
this.registryRights = registryRights;
this.accessControlType = accessControlType;
}
public SafeRegistryHandle(RegistryHive hive, string key, RegistryRights samDesired)
: base(true)
{
IntPtr handle;
int result = UnsafeNativeMethods.RegOpenKeyEx(hive, key, 0, samDesired, out handle);
if (result != 0)
{
throw new Win32Exception(result);
}
SetHandle(handle);
}
public SafeRegistryHandle(RegistryHive hive, string key, RegistryRights samDesired)
: base(true)
{
IntPtr handle;
int result = UnsafeNativeMethods.RegOpenKeyEx(hive, key, 0, samDesired, out handle);
if (result != 0)
{
throw new Win32Exception(result);
}
SetHandle(handle);
}
private static void SetUserAccess(RegistryKey registryKey, IdentityReference user, RegistryRights accessType)
{
RegistrySecurity registrySecurity = registryKey.GetAccessControl();
RegistryAccessRule rule = new RegistryAccessRule(
user,
accessType,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow
);
registrySecurity.AddAccessRule(rule);
registryKey.SetAccessControl(registrySecurity);
}
public TRunner SetRegistryKeyPermissions(
RegistryKey rootKey,
string registryKeyPath,
string identity,
RegistryRights registryRights,
AccessControlType accessControlType)
{
SetRegistryKeyPermissionsTask.Execute(
scriptExecutionEnvironment,
rootKey,
registryKeyPath,
identity,
registryRights,
accessControlType);
return(ReturnThisTRunner());
}
public static bool DoesUserHaveAccess(RegistryKey registryKey, string userNameOrSID, RegistryRights accessType)
{
RegistrySecurity registrySecurity = registryKey.GetAccessControl();
foreach (RegistryAccessRule registryAccessRule in registrySecurity.GetAccessRules(true, true, typeof(NTAccount)))
{
IdentityReference sidIdentityReference = registryAccessRule.IdentityReference.Translate(typeof(SecurityIdentifier));
if (
(userNameOrSID.Equals(registryAccessRule.IdentityReference.Value, StringComparison.InvariantCultureIgnoreCase) == true
|| userNameOrSID.Equals(sidIdentityReference.Value, StringComparison.InvariantCultureIgnoreCase) == true)
&& (registryAccessRule.RegistryRights & accessType) == accessType)
return true;
}
return false;
}
// Constructor for creating access rules for registry objects
public RegistryAccessRule(IdentityReference identity, RegistryRights registryRights, AccessControlType type)
: this(identity, (int) registryRights, false, InheritanceFlags.None, PropagationFlags.None, type)
{
}
public RegistryKey OpenSubKey (string name, RegistryKeyPermissionCheck permissionCheck, RegistryRights rights)
{
throw new NotImplementedException ();
}
public RegistryKey OpenSubKey (string name, RegistryKeyPermissionCheck permissionCheck, RegistryRights rights)
{
return OpenSubKey (name, permissionCheck == RegistryKeyPermissionCheck.ReadWriteSubTree);
}
public RegistryKey OpenSubKey (string name, RegistryKeyPermissionCheck permissionCheck, RegistryRights rights)
{
return OpenSubKey (name);
}
public RegistryAuditRule(string identity, RegistryRights registryRights, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags flags) : base (default(System.Security.Principal.IdentityReference), default(int), default(bool), default(InheritanceFlags), default(PropagationFlags), default(AuditFlags))
{
Contract.Ensures(0 <= identity.Length);
Contract.Ensures(identity.Length <= 512);
}
public RegistryAuditRule(System.Security.Principal.IdentityReference identity, RegistryRights registryRights, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags flags) : base (default(System.Security.Principal.IdentityReference), default(int), default(bool), default(InheritanceFlags), default(PropagationFlags), default(AuditFlags))
{
}
public RegistryKey OpenSubKey(string name, RegistryRights rights)
{
ValidateKeyName(name);
EnsureNotDisposed();
name = FixupName(name); // Fixup multiple slashes to a single slash
return InternalOpenSubKeyCore(name, rights, throwOnPermissionFailure: true);
}
public RegistryAccessRule(string identity, RegistryRights registryRights, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AccessControlType type);
private RegistryKey InternalOpenSubKeyCore(string name, RegistryRights rights, bool throwOnPermissionFailure)
{
// TODO: Implement this
throw new PlatformNotSupportedException();
}
static extern int RegCreateKeyEx(
SafeRegistryHandle hKey,
string lpSubKey,
int Reserved,
string lpClass,
RegistryOptions dwOptions,
RegistryRights samDesired,
IntPtr lpSecurityAttributes,
out SafeRegistryHandle phkResult,
out int lpdwDisposition);
public RegistryKey OpenSubKey(string name, RegistryRights rights);
public RegistryAccessRule(String identity, RegistryRights registryRights, AccessControlType type)
: this(new NTAccount(identity), (int) registryRights, false, InheritanceFlags.None, PropagationFlags.None, type)
{
}
public RegistryAccessRule(string identity, RegistryRights registryRights, AccessControlType type);
public RegistryAuditRule(string identity, RegistryRights registryRights, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AuditFlags flags);
private RegistryKey InternalOpenSubKeyCore(string name, RegistryRights rights, bool throwOnPermissionFailure)
{
SafeRegistryHandle result = null;
int ret = Interop.Advapi32.RegOpenKeyEx(_hkey, name, 0, ((int)rights | (int)_regView), out result);
if (ret == 0 && !result.IsInvalid)
{
RegistryKey key = new RegistryKey(result, IsWritable((int)rights), false, _remoteKey, false, _regView);
key._keyName = _keyName + "\\" + name;
return key;
}
if (throwOnPermissionFailure)
{
if (ret == Interop.Errors.ERROR_ACCESS_DENIED || ret == Interop.Errors.ERROR_BAD_IMPERSONATION_LEVEL)
{
// We need to throw SecurityException here for compatibility reason,
// although UnauthorizedAccessException will make more sense.
ThrowHelper.ThrowSecurityException(SR.Security_RegistryPermission);
}
}
// Return null if we didn't find the key.
return null;
}
public RegistryKey OpenSubKey(String name, RegistryRights rights)
{
return InternalOpenSubKey(name, this.checkMode, (int)rights);
}
public TransactedRegistryKey OpenSubKey(String name, RegistryKeyPermissionCheck permissionCheck, RegistryRights rights)
{
return InternalOpenSubKey(name, permissionCheck, (int)rights);
}
public RegistryAccessRule(IdentityReference identity, RegistryRights registryRights, AccessControlType type);
