Question
I must be an idiot programmer without an example. I am migrating a batch file to an asp.net app, using VB, trying to figure out how in asp.net has wasted almost a day.
There is a specific registry key/item I want to change that, by default in Server 2008 and newer, Administrators do NOT have FullControl on. The SetAccessControl function works, as long as I can first set Administrators as the object owner. From the command line it was easy to set the owner as Administrators, then grant FullControl, so I know it is possible.
Edit: the command-line works because I am logged in as a member of the Administrators group, meaning permissions should not be an issue running the code.
Edit2: to be clear, this is a "Windows Forms Application" (NOT a Web Application, NOT a Console Application).
```vb
Imports Microsoft.Win32
Imports System.Security.AccessControl
Imports System.Security.Principal

Public Sub GrantRegistyPermission()
    Dim Hive As RegistryKey = Registry.ClassesRoot
    Dim KeyName As String = "CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
    ' next line FAILS, "Requested registry access is not allowed"
    'Dim SubKey As RegistryKey = Hive.OpenSubKey(KeyName, True)
    ' try without specifying the "writable" overload
    Dim SubKey As RegistryKey = Hive.OpenSubKey(KeyName)
    Dim rs As RegistrySecurity = Hive.GetAccessControl()
    rs.SetOwner(New NTAccount("BUILTIN\Administrators"))
    ' next line FAILS, "Attempted to perform an unauthorized operation."
    Hive.SetAccessControl(rs)
    rs.AddAccessRule(New RegistryAccessRule(User, RegistryRights.FullControl, _
        InheritanceFlags.ContainerInherit, _
        PropagationFlags.InheritOnly, AccessControlType.Allow))
    Hive.SetAccessControl(rs)
    Hive.Close()
End Sub
```
Answer 1:
3 days wasted, this was a horrible experience. Thanks (for nothing) Microsoft, a working example of the SetOwner function would have really helped.
In the end, the only method I could get to work was to launch in a new process the SetACL.exe (or SetACLx64.exe) command that I was using in the batch file. Be sure the SetACL command-file is in the same directory, or it needs to be fully pathed (and quoted?).
```vb
Sub GrantRegKeyFullPermCmd()
    Dim RegKey As String = "HKLM\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
    Dim UserGroup As String = "Administrators"
    Dim p As Process = Nothing
    Dim ps1 As ProcessStartInfo = New ProcessStartInfo
    ps1.FileName = "cmd.exe"
    ps1.Verb = "runas"
    ps1.WindowStyle = ProcessWindowStyle.Normal
    ps1.UseShellExecute = False
    ps1.RedirectStandardOutput = True
    ps1.Arguments = "/C SetACLx64.exe -on """ & RegKey & """ -ot reg -actn setowner -ownr ""n:" & UserGroup & """"
    Try
        p = Process.Start(ps1)
        Dim Results As String = p.StandardOutput.ReadToEnd
        p.WaitForExit()
        MsgBox("ExitCode: " & p.ExitCode & vbCrLf & "Set owner results: " & Results)
        Dim ps2 As ProcessStartInfo = ps1
        ps1.Arguments = "/C SetACLx64.exe -on """ & RegKey & """ -ot reg -actn ace -ace ""n:" & UserGroup & ";p:full"""
        p = Process.Start(ps1)
        Results = p.StandardOutput.ReadToEnd
        p.WaitForExit()
        MsgBox("ExitCode: " & p.ExitCode & vbCrLf & "Set permission results: " & Results)
    Catch ex As Exception
        MsgBox(ex.Message)
    End Try
End Sub
```
Steps I tried that did NOT work:
apply local policy and/or GPO "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" = "Elevate without prompting"
right-click "Run as Administrator"
launch from elevated command prompt
run the SetACL command as the ProcessStartInfo.FileName
changed project properties, UAC Settings: requestedExecutionLevel level="requireAdministrator"
Hopefully, this will save others 3 days of wasted time.
Source: https://stackoverflow.com/questions/24742115/asp-net-vb-setting-owner-on-a-registry-key
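An in-process way to do what the SetACL commands above do, as an added example that is not part of the original question or answer: it enables SeTakeOwnershipPrivilege in the process token, sets the owner through a handle opened with only TakeOwnership rights, then reopens the key to add the access rule. The module, structure and sub names are hypothetical, and the code assumes an elevated 64-bit process and a key path given relative to HKLM.

```vb
Imports System.ComponentModel
Imports System.Diagnostics
Imports System.Runtime.InteropServices
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports Microsoft.Win32
Module RegistryOwnershipExample ' all names in this module are hypothetical
    <StructLayout(LayoutKind.Sequential, Pack:=1)>
    Private Structure TokPriv1Luid ' TOKEN_PRIVILEGES holding exactly one LUID_AND_ATTRIBUTES
        Public Count As Integer
        Public Luid As Long
        Public Attr As Integer
    End Structure
    ' VB Declare statements record the Win32 last-error code, so GetLastWin32Error works below.
    Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal proc As IntPtr, ByVal access As Integer, ByRef token As IntPtr) As Boolean
    Private Declare Unicode Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueW" (ByVal host As String, ByVal name As String, ByRef luid As Long) As Boolean
    Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal token As IntPtr, ByVal disableAll As Boolean, ByRef state As TokPriv1Luid, ByVal len As Integer, ByVal prev As IntPtr, ByVal retLen As IntPtr) As Boolean
    Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal h As IntPtr) As Boolean
    ' Enables SeTakeOwnershipPrivilege, which an elevated administrator token holds but leaves disabled.
    Private Sub EnableTakeOwnership()
        Dim token As IntPtr
        Dim tp As New TokPriv1Luid With {.Count = 1, .Attr = &H2} ' SE_PRIVILEGE_ENABLED
        If Not LookupPrivilegeValue(Nothing, "SeTakeOwnershipPrivilege", tp.Luid) Then Throw New Win32Exception()
        If Not OpenProcessToken(Process.GetCurrentProcess().Handle, &H28, token) Then Throw New Win32Exception() ' TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY
        AdjustTokenPrivileges(token, False, tp, 0, IntPtr.Zero, IntPtr.Zero)
        ' The call reports success even when nothing was enabled; 1300 is ERROR_NOT_ALL_ASSIGNED.
        Dim code As Integer = Marshal.GetLastWin32Error()
        CloseHandle(token)
        If code <> 0 Then Throw New Win32Exception(code)
    End Sub

    Public Sub TakeOwnershipAndGrant(subPath As String) ' e.g. "Software\Classes\CLSID\{...}"
        EnableTakeOwnership()
        Dim admins As New SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, Nothing)
        ' Pass 1: ask for WRITE_OWNER only and persist a descriptor that carries only the owner.
        Using key As RegistryKey = Registry.LocalMachine.OpenSubKey(subPath, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership)
            Dim ownerOnly As New RegistrySecurity()
            ownerOnly.SetOwner(admins)
            key.SetAccessControl(ownerOnly)
        End Using
        ' Pass 2: the owner may read and rewrite the DACL, so reopen with exactly those rights.
        Using key As RegistryKey = Registry.LocalMachine.OpenSubKey(subPath, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.ChangePermissions Or RegistryRights.ReadPermissions)
            Dim acl As RegistrySecurity = key.GetAccessControl(AccessControlSections.Access)
            acl.AddAccessRule(New RegistryAccessRule(admins, RegistryRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow))
            key.SetAccessControl(acl)
        End Using
    End Sub
End Module
```

Error 1300 from `EnableTakeOwnership` means the process token does not hold the privilege at all, which is the case for a non-elevated process. A 32-bit build is redirected by WOW64 to the `Wow6432Node` copy of `Software\Classes\CLSID`, so build for x64 to reach the same key that `SetACLx64.exe` modifies.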