Powershell 设置Acl:不允许请求的注册表访问
读后 和 我想出了这些命令Powershell 设置Acl:不允许请求的注册表访问,powershell,Powershell,读后 和 我想出了这些命令 设置位置HKLM:\Software\Classes\cmdfile\ShellEx\PropertySheetHandlers $am=新对象Security.Principal.n帐户“内置”、“管理员” $ke=获取Acl“ShimLayer属性页” $ke.SetOwner($am) 设置Acl-AclObject$ke-Path“ShimLayer属性页” 然而,当我运行它们时,我得到了这个消息 Set-Acl : Requested registry a
设置位置HKLM:\Software\Classes\cmdfile\ShellEx\PropertySheetHandlers
$am=新对象Security.Principal.n帐户“内置”、“管理员”
$ke=获取Acl“ShimLayer属性页”
$ke.SetOwner($am)
设置Acl-AclObject$ke-Path“ShimLayer属性页”
然而,当我运行它们时,我得到了这个消息
Set-Acl : Requested registry access is not allowed.
如何更改此密钥的所有者?如果管理员组已从ACL中删除,则最终会出现此错误。但您可以使用方法检索指定的子项以进行读或读/写访问,请求指定的访问权限
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("Software\Classes\cmdfile\ShellEx\PropertySheetHandlers",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::ChangePermissions)
一旦拥有了它,您就可以使用GetAccessControl()
和SetAccessControl()
方法重新获得权限
$acl = $key.GetAccessControl()
$key.SetAccessControl($acl)
有关更多信息,请参阅
编辑:
设置注册表访问控制的另一种方法
$ke = Get-Acl 'HKLM:\Software\Classes\cmdfile\ShellEx\PropertySheetHandlers\ShimLayer Property Page'
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("mydomain\myusername","FullControl","Allow")
$ke.SetAccessRule($rule)
$ke |Set-Acl -Path 'HKLM:\Software\Classes\cmdfile\ShellEx\PropertySheetHandlers\ShimLayer Property Page'
看完这些
我想出了这个有效的解决办法
功能启用权限{
参数($特权)
$Definition=@'
使用制度;
使用System.Runtime.InteropServices;
公共类{
[DllImport(“advapi32.dll”,ExactSpelling=true,SetLastError=true)]
内部静态外部bool AdjustTokenPrivileges(IntPtr htok、bool disall、,
参考第1版油新闻、内部透镜、内部PTR上一版、内部PTR版本);
[DllImport(“advapi32.dll”,ExactSpelling=true,SetLastError=true)]
内部静态外部布尔OpenProcessToken(IntPtr h、int acc、ref IntPtr phtok);
[DllImport(“advapi32.dll”,SetLastError=true)]
内部静态外部bool LookupPrivilegeValue(字符串主机、字符串名称、,
参考长脉冲);
[StructLayout(LayoutKind.Sequential,Pack=1)]
内部结构1{
公共整数计数;
公众长吕德;
公共int Attr;
}
内部常量int SE_特权_ENABLED=0x00000002;
内部const int TOKEN_QUERY=0x00000008;
内部const int TOKEN_ADJUST_PRIVILEGES=0x00000020;
公共静态bool启用权限(长processHandle、字符串权限){
布尔-雷特瓦尔;
托卡马克;
IntPtr hproc=新的IntPtr(processHandle);
IntPtr htok=IntPtr.0;
retVal=OpenProcessToken(hproc,TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
参考htok);
tp.Count=1;
tp.Luid=0;
tp.Attr=SE_特权已启用;
retVal=LookupPrivilegeValue(null,privilege,ref-tp.Luid);
retVal=AdjustTokenPrivileges(htok,false,ref tp,0,IntPtr.0,
IntPtr.0);
返回返回;
}
}
'@
$ProcessHandle=(获取进程-id$pid).Handle
$type=添加类型$definition-PassThru
$type[0]::EnablePrivilege($processHandle,$Privilege)
}
do{}直到(启用特权SeTakeOwnershipPrivilege)
$key=[Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
“软件\Classes\cmdfile\ShellEx\PropertySheetHandlers\ShimLayer属性页”,
'ReadWriteSubTree'、'TakeOwnership')
$owner=[Security.Principal.NTAccount]“管理员”
$acl=$key.GetAccessControl()
$acl.SetOwner($owner)
$key.SetAccessControl($acl)
试试看:
# group BULTIN\Users takes full control of key and all subkeys
Take-Permissions("HKLM", "SOFTWARE\test")
# group Everyone takes full control of key and all subkeys
Take-Permissions("HKLM", "SOFTWARE\test", "S-1-1-0")
# group Everyone takes full control of key WITHOUT subkeys
Take-Permissions("HKLM", "SOFTWARE\test", "S-1-1-0", $false)
只需定义此函数:
function Take-Permissions {
# Developed for PowerShell v4.0
# Required Admin privileges
# Links:
# http://shrekpoint.blogspot.ru/2012/08/taking-ownership-of-dcom-registry.html
# http://www.remkoweijnen.nl/blog/2012/01/16/take-ownership-of-a-registry-key-in-powershell/
# https://powertoe.wordpress.com/2010/08/28/controlling-registry-acl-permissions-with-powershell/
param($rootKey, $key, [System.Security.Principal.SecurityIdentifier]$sid = 'S-1-5-32-545', $recurse = $true)
switch -regex ($rootKey) {
'HKCU|HKEY_CURRENT_USER' { $rootKey = 'CurrentUser' }
'HKLM|HKEY_LOCAL_MACHINE' { $rootKey = 'LocalMachine' }
'HKCR|HKEY_CLASSES_ROOT' { $rootKey = 'ClassesRoot' }
'HKCC|HKEY_CURRENT_CONFIG' { $rootKey = 'CurrentConfig' }
'HKU|HKEY_USERS' { $rootKey = 'Users' }
}
### Step 1 - escalate current process's privilege
# get SeTakeOwnership, SeBackup and SeRestore privileges before executes next lines, script needs Admin privilege
$import = '[DllImport("ntdll.dll")] public static extern int RtlAdjustPrivilege(ulong a, bool b, bool c, ref bool d);'
$ntdll = Add-Type -Member $import -Name NtDll -PassThru
$privileges = @{ SeTakeOwnership = 9; SeBackup = 17; SeRestore = 18 }
foreach ($i in $privileges.Values) {
$null = $ntdll::RtlAdjustPrivilege($i, 1, 0, [ref]0)
}
function Take-KeyPermissions {
param($rootKey, $key, $sid, $recurse, $recurseLevel = 0)
### Step 2 - get ownerships of key - it works only for current key
$regKey = [Microsoft.Win32.Registry]::$rootKey.OpenSubKey($key, 'ReadWriteSubTree', 'TakeOwnership')
$acl = New-Object System.Security.AccessControl.RegistrySecurity
$acl.SetOwner($sid)
$regKey.SetAccessControl($acl)
### Step 3 - enable inheritance of permissions (not ownership) for current key from parent
$acl.SetAccessRuleProtection($false, $false)
$regKey.SetAccessControl($acl)
### Step 4 - only for top-level key, change permissions for current key and propagate it for subkeys
# to enable propagations for subkeys, it needs to execute Steps 2-3 for each subkey (Step 5)
if ($recurseLevel -eq 0) {
$regKey = $regKey.OpenSubKey('', 'ReadWriteSubTree', 'ChangePermissions')
$rule = New-Object System.Security.AccessControl.RegistryAccessRule($sid, 'FullControl', 'ContainerInherit', 'None', 'Allow')
$acl.ResetAccessRule($rule)
$regKey.SetAccessControl($acl)
}
### Step 5 - recursively repeat steps 2-5 for subkeys
if ($recurse) {
foreach($subKey in $regKey.OpenSubKey('').GetSubKeyNames()) {
Take-KeyPermissions $rootKey ($key+'\'+$subKey) $sid $recurse ($recurseLevel+1)
}
}
}
Take-KeyPermissions $rootKey $key $sid $recurse
}
@StevenPenny,它与注册表有关,否则我会在发布答案之前尝试,但它应该符合文档要求。编辑了答案并删除了“HKLM:”。试一试。感谢您的编辑,但您仍然有错误的键,它应该是
ShimLayer属性页
,如问题所示。当将命令与该键一起使用时,调用带有“3”参数的“OpenSubKey”时出现异常:“不允许请求的注册表访问。”注意,您可能需要将$key=…LocalMachine
更改为我需要的类似ClassesRoot
的其他内容。否则你是唯一帮助我的人!很好的解决方案,我做了一些调整,我需要获得注册表项的所有权,然后将每个人的读取权限设置为拒绝,以防止选项显示在我们正在严格锁定的一些公共PC上的文件资源管理器中。非常好的解决方案,包括C代码定义等,并允许它在PowerShell中运行。我永远也想不到这一点。否则,因为我尝试的所有其他解决方案都不起作用。