我在从网络服务访问某些(但不是全部)注册表项时遇到困难。因此,我假设(并通过一些研究证实)访问注册表存在一些安全限制。我需要在 C#.Net 应用程序中专门执行一些代码或配置更改吗?
具体来说,我正在尝试读取和写入“Software\Microsoft\Internet Explorer\PageSetup”下的 PageSetup 的值
I've been having difficulties accessing some (but not all) registry keys from my web service. I therefore assumed (and confirmed with some research) that there are some security restrictions on accessing the registry. Is there some code or change in the configuration I need to do specifically in my C#.Net application?
Specifically, I am trying to read and write the values of the PageSetup under "Software\Microsoft\Internet Explorer\PageSetup"
发布评论
评论(2)
模拟用户后,
HKEY_CURRENT_USER
将不会更改。您应该在模拟用户并 RegCloseKey。或者,您可以获取用户的 SID 并从
HKEY_USERS
读取注册表:After impersonation of the user
HKEY_CURRENT_USER
will be not changed. You should use RegOpenCurrentUser after impersonation of the user and RegCloseKey.Alternatively you get the user's SID and read registry from
HKEY_USERS
:您可以使用 System.Security.Principal.WindowsIdentity.GetCurrent() 创建一个 Web 方法,该方法返回当前用户的名称(很可能是特殊的 ASP_NET 用户),然后增加该用户的权限(或更改该用户的安全设置)您想要从 regedit 编辑的键,以便运行您的进程的用户能够读取注册表的部分
另一方面,如果我是对的,并且您想要编辑 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup,您的目标不是更改 ASP_NET 用户该密钥中的信息,然后需要使用服务器计算机中可用的帐户对您的 Web 服务进行身份验证,为此,您需要将 Web 服务配置为在 Web.config 中使用 Windows 身份验证:
...
<身份验证模式=“Windows”/>
<身份模拟=“true”/>
...
然后获取经过身份验证的用户的 Windows 令牌:
最后,使用经过身份验证的用户的 Windows 令牌临时模拟原始用户,并在模拟完成后从当前线程中删除模拟令牌。
这样,当您请求 WindowsIdentity.GetCurrent() 时,您将获得要进行身份验证的 Windows 帐户用户的名称(这称为暂时模拟经过身份验证的用户)。并且您可以访问用于进行身份验证的用户的 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup
有关 Windows 身份验证和模拟的更多信息,请访问:http://msdn.microsoft.com/en-us/library/ff647405.aspx
You could use System.Security.Principal.WindowsIdentity.GetCurrent() to create a web methods that returns the name of the current user (most likely the special ASP_NET user) and then increase the privilegies of the user (or change the security settings of the key you want to edit from regedit so that the user under which your process is running is able to read the portion of the registry
On the other hand, if I am right and, and you want to edit HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup, and your goal is not to change the information in that key for the ASP_NET user then would need to authenticate to your webservice using an account that is available in the server machine, for that, you will need to configure you webservice to use windows authentication in Web.config:
<system.web>
...
<authentication mode="Windows"/>
<identity impersonate="true"/>
...
</system.web>
Then you obtain the authenticated user's Windows token:
and finally you use the authenticated user's Windows token to temporarily impersonate the original user and remove the impersonation token from the current thread when you are finished impersonating.
That way, when you asked for WindowsIdentity.GetCurrent() you would get the name of the windows account user to authenticate (this is called temporarily impersonate the authenticated user). And you would have access to the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup of the user you used to authenticate
More info on windows authentication and impersonation here: http://msdn.microsoft.com/en-us/library/ff647405.aspx