当前位置: 文江博客话题详情

在 Windows Server 2008 R2 上将 HKCR\CLSID\* 密钥的所有者更改为管理员

发布于 2024-11-26 11:57:46 字数 1030 浏览 0 评论 0原文

Win Server 2008 R2 上有一个注册表项,

HKCR:\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

其所有者不是管理员。它是TrustedInstaller。现在制作远程 DCOM/WMI 连接正常,我需要授予管理员权限 也完全控制该密钥和所有权。由于这需要在 几台机器,我希望我可以使用 Powershell 来完成此操作。我跟着 这些

使用 Powershell 控制注册表 ACL 权限

使用 powershell 更改目录的所有者

但我仍然出现此错误

Exception calling "OpenSubKey" with "3" argument(s):
"Requested registry access is not allowed."

我尝试运行的代码很简单

$key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey(
  "CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}",
  [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
  [System.Security.AccessControl.RegistryRights]::TakeOwnership
)
echo $key

关于如何更改此密钥的所有权有什么想法吗?我相信一旦拥有 更改为管理员后,我将能够使用 Set-Acl 更改权限。

原文

There is a registry key on Win Server 2008 R2,

HKCR:\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

whose owner is not Administrator. It is TrustedInstaller. Now to make Remote
DCOM/WMI connection working, I need to give Administrator the permission to have
Full Control over this key and ownership as well. As this needs to be done on
several machines, I was hoping I could do this using Powershell. I followed
these

Controlling Registry ACL Permissions with Powershell

Change the owner of directories with powershell

but I still get this error

Exception calling "OpenSubKey" with "3" argument(s):
"Requested registry access is not allowed."

The code I am trying to run is simple

$key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey(
  "CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}",
  [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
  [System.Security.AccessControl.RegistryRights]::TakeOwnership
)
echo $key

Any ideas on how to change ownership of this key? I believe once the ownership
is changed to Administrator, I will be able to change permissions using Set-Acl.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

终陌 2024-12-03 11:57:46

我能够使用以下脚本在 powershell 中实现此目的

# Checking OS Version and changing Registry Key permissions accordingly. We do need
# to change reg-key ownership for Win Server 2008, but in 2008 R2, owner of one of
# the required keys is TrustedInstaller instead of Administrator. Thus we need to
# change the owner back to Admin in order to make any changes to that key.
echo "Checking Operating System Version..."
$cv = (gi "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion")
$wv = $cv.GetValue("ProductName")
echo "$wv"
# Mounting HKey_ClassesRoot Registry key as a drive - Silent
New-PSDrive -name HKCR -PSProvider Registry -root HKEY_CLASSES_ROOT | Out-Null
$acl = Get-Acl "HKCR:\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}"
$owner = $acl.Owner
# Case 48188: Because Windows has server version like Windows Web Server 2008 R2, we
# cannot validate the version name using "Windows Server 2008 R2". We will only
# check if the name contains "Server 2008 R2".
if($wv.Contains("Server 2008 R2") -and !$owner.Contains("Administrators"))
{
  echo "Setting Administrators Group privileges in Windows Registry..."
  $boolResult = enable-privilege SeTakeOwnershipPrivilege
    if(-not $boolResult)
    {
      echo "Privileges could not be elevated. Changing ownership of the registry"
      echo "key would fail. Please change ownership of key"
      echo "HKCR\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6} to Administrators"
      echo "Group manually."
      return
    }
  $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey(
    "CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}",
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    [System.Security.AccessControl.RegistryRights]::takeownership
  )
  # You must get a blank acl for the key b/c you do not currently have access
  $acl = $key.GetAccessControl(
    [System.Security.AccessControl.AccessControlSections]::None
  )
  $owner = [System.Security.Principal.NTAccount]"Administrators"
  $acl.SetOwner($owner)
  $key.SetAccessControl($acl)

  # After you have set owner you need to get the acl with the perms so you can
  # modify it.
  $acl = $key.GetAccessControl()
  $person = [System.Security.Principal.NTAccount]"Administrators"
  $access = [System.Security.AccessControl.RegistryRights]"FullControl"
  $inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit"
  $propagation = [System.Security.AccessControl.PropagationFlags]"None"
  $type = [System.Security.AccessControl.AccessControlType]"Allow"

  $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $person,$access,$inheritance,$propagation,$type
  )
  $acl.SetAccessRule($rule)
  $key.SetAccessControl($acl)

  $key.Close()
  echo "Administrators Group ownership privileges set."
}

I was able to achieve this in powershell using the following script

# Checking OS Version and changing Registry Key permissions accordingly. We do need
# to change reg-key ownership for Win Server 2008, but in 2008 R2, owner of one of
# the required keys is TrustedInstaller instead of Administrator. Thus we need to
# change the owner back to Admin in order to make any changes to that key.
echo "Checking Operating System Version..."
$cv = (gi "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion")
$wv = $cv.GetValue("ProductName")
echo "$wv"
# Mounting HKey_ClassesRoot Registry key as a drive - Silent
New-PSDrive -name HKCR -PSProvider Registry -root HKEY_CLASSES_ROOT | Out-Null
$acl = Get-Acl "HKCR:\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}"
$owner = $acl.Owner
# Case 48188: Because Windows has server version like Windows Web Server 2008 R2, we
# cannot validate the version name using "Windows Server 2008 R2". We will only
# check if the name contains "Server 2008 R2".
if($wv.Contains("Server 2008 R2") -and !$owner.Contains("Administrators"))
{
  echo "Setting Administrators Group privileges in Windows Registry..."
  $boolResult = enable-privilege SeTakeOwnershipPrivilege
    if(-not $boolResult)
    {
      echo "Privileges could not be elevated. Changing ownership of the registry"
      echo "key would fail. Please change ownership of key"
      echo "HKCR\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6} to Administrators"
      echo "Group manually."
      return
    }
  $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey(
    "CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}",
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    [System.Security.AccessControl.RegistryRights]::takeownership
  )
  # You must get a blank acl for the key b/c you do not currently have access
  $acl = $key.GetAccessControl(
    [System.Security.AccessControl.AccessControlSections]::None
  )
  $owner = [System.Security.Principal.NTAccount]"Administrators"
  $acl.SetOwner($owner)
  $key.SetAccessControl($acl)

  # After you have set owner you need to get the acl with the perms so you can
  # modify it.
  $acl = $key.GetAccessControl()
  $person = [System.Security.Principal.NTAccount]"Administrators"
  $access = [System.Security.AccessControl.RegistryRights]"FullControl"
  $inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit"
  $propagation = [System.Security.AccessControl.PropagationFlags]"None"
  $type = [System.Security.AccessControl.AccessControlType]"Allow"

  $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $person,$access,$inheritance,$propagation,$type
  )
  $acl.SetAccessRule($rule)
  $key.SetAccessControl($acl)

  $key.Close()
  echo "Administrators Group ownership privileges set."
}
回复 原文
瀞厅☆埖开 2024-12-03 11:57:46

我以前遇到过类似的问题。我没有尝试获取密钥的所有权,而是更改了它的权限,以便每个人都可以读取它 (8)。这可以使用“regini”来完成。我有一个包装函数,可以更改提供的密钥的权限。

示例:RegistryPermission -server 'localhost' -key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum" -string '[1 8 17]'

有关详细信息,请在命令提示符下运行“regini”进行权限设置。

function Fix-RegistryPermission {
    param (
        [string] $server,
        [string] $key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum",
        [string] $permissions = "[1 8 17]"
    )

    $("{0} {1}" -f $key, $permissions) | Out-File $("{0}\regini_input.txt" -f $Env:Temp);

    & "regini" -m \\$server $("{0}\regini_input.txt" -f $Env:Temp);
    sleep 3;
    Remove-Item $("{0}\regini_input.txt" -f $Env:Temp);     
}

I ran into similar problem previously. Instead of trying to take ownership of the key, I changed the permission of it so that it can be readable to everyone (8). This can be done using 'regini'. I have a wrapper function that can change the permission of the provided key.

Example: RegistryPermission -server 'localhost' -key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum" -string '[1 8 17]'

For more info, run 'regini' in command prompt for the permission settings.

function Fix-RegistryPermission {
    param (
        [string] $server,
        [string] $key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum",
        [string] $permissions = "[1 8 17]"
    )

    $("{0} {1}" -f $key, $permissions) | Out-File $("{0}\regini_input.txt" -f $Env:Temp);

    & "regini" -m \\$server $("{0}\regini_input.txt" -f $Env:Temp);
    sleep 3;
    Remove-Item $("{0}\regini_input.txt" -f $Env:Temp);     
}
回复 原文
~没有更多了~

关于作者

太傻旳人生

暂无简介

0 文章
0 评论
23 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

胡图图

文章 0 评论 0

zt006

文章 0 评论 0

z祗昰~

文章 0 评论 0

冰葑

文章 0 评论 0

野の

文章 0 评论 0

天空

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文