Win Server 2008 R2上有一个注册表项,
HKCR:\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
其所有者不是管理员。它是TrustedInstaller。现在做远程 DCOM / WMI连接工作,我需要授予管理员权限 完全控制此密钥和所有权。因为这需要做 几台机器,我希望我能用Powershell做到这一点。我跟着 这些
Controlling Registry ACL Permissions with Powershell
Change the owner of directories with powershell
但我仍然收到此错误
Exception calling "OpenSubKey" with "3" argument(s): "Requested registry access is not allowed."
我试图运行的代码很简单
$key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey(
"CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}",
[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
[System.Security.AccessControl.RegistryRights]::TakeOwnership
)
echo $key
有关如何更改此密钥所有权的任何想法?我相信一旦拥有 更改为管理员,我将能够使用Set-Acl。
更改权限答案 0 :(得分:2)
我能够使用以下脚本
在powershell中实现此目的# Checking OS Version and changing Registry Key permissions accordingly. We do need
# to change reg-key ownership for Win Server 2008, but in 2008 R2, owner of one of
# the required keys is TrustedInstaller instead of Administrator. Thus we need to
# change the owner back to Admin in order to make any changes to that key.
echo "Checking Operating System Version..."
$cv = (gi "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion")
$wv = $cv.GetValue("ProductName")
echo "$wv"
# Mounting HKey_ClassesRoot Registry key as a drive - Silent
New-PSDrive -name HKCR -PSProvider Registry -root HKEY_CLASSES_ROOT | Out-Null
$acl = Get-Acl "HKCR:\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}"
$owner = $acl.Owner
# Case 48188: Because Windows has server version like Windows Web Server 2008 R2, we
# cannot validate the version name using "Windows Server 2008 R2". We will only
# check if the name contains "Server 2008 R2".
if($wv.Contains("Server 2008 R2") -and !$owner.Contains("Administrators"))
{
echo "Setting Administrators Group privileges in Windows Registry..."
$boolResult = enable-privilege SeTakeOwnershipPrivilege
if(-not $boolResult)
{
echo "Privileges could not be elevated. Changing ownership of the registry"
echo "key would fail. Please change ownership of key"
echo "HKCR\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6} to Administrators"
echo "Group manually."
return
}
$key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey(
"CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}",
[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
[System.Security.AccessControl.RegistryRights]::takeownership
)
# You must get a blank acl for the key b/c you do not currently have access
$acl = $key.GetAccessControl(
[System.Security.AccessControl.AccessControlSections]::None
)
$owner = [System.Security.Principal.NTAccount]"Administrators"
$acl.SetOwner($owner)
$key.SetAccessControl($acl)
# After you have set owner you need to get the acl with the perms so you can
# modify it.
$acl = $key.GetAccessControl()
$person = [System.Security.Principal.NTAccount]"Administrators"
$access = [System.Security.AccessControl.RegistryRights]"FullControl"
$inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit"
$propagation = [System.Security.AccessControl.PropagationFlags]"None"
$type = [System.Security.AccessControl.AccessControlType]"Allow"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
$person,$access,$inheritance,$propagation,$type
)
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)
$key.Close()
echo "Administrators Group ownership privileges set."
}
答案 1 :(得分:1)
我以前遇到过类似的问题。我没有尝试取得密钥的所有权,而是更改了它的权限,以便每个人都可以阅读(8)。这可以使用'regini'来完成。我有一个包装函数,可以更改提供的密钥的权限。
示例: RegistryPermission -server'localhost'-key“HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Enum”-string'[1 8 17]' 的
有关详细信息,请在命令提示符下运行'regini'以获取权限设置。
function Fix-RegistryPermission {
param (
[string] $server,
[string] $key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum",
[string] $permissions = "[1 8 17]"
)
$("{0} {1}" -f $key, $permissions) | Out-File $("{0}\regini_input.txt" -f $Env:Temp);
& "regini" -m \\$server $("{0}\regini_input.txt" -f $Env:Temp);
sleep 3;
Remove-Item $("{0}\regini_input.txt" -f $Env:Temp);
}