C# & Windows 10 更改 HKLM 中密钥的注册表访问规则
C# & Windows 10 changing registry access rules for key in HKLM
有人可以帮我吗 - 我开发了一个控制台应用程序,用于在 HKLM 中创建我自己的注册表项,然后修改对此项的访问权限,以允许每个用户 NT 帐户能够 read/write 到这个键。
在 app.manifest 我有这个声明来强制管理员有权 运行 它:
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
在 Windows 7 64 位上一切正常,在 Windows 10 64 位上检测到问题 - 应用程序正在按预期创建注册表项,但是当它尝试修改其访问规则时,它失败了。
我修改key访问规则的代码:
private static bool SetFullAccessForKey(string regKey)
{
try
{
SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
NTAccount account = sid.Translate(typeof(NTAccount)) as NTAccount;
using (RegistryKey rk = Registry.LocalMachine.OpenSubKey(regKey, RegistryKeyPermissionCheck.ReadWriteSubTree))
{
RegistrySecurity rs = rk.GetAccessControl();
RegistryAccessRule rar = new RegistryAccessRule(
account.ToString(),
RegistryRights.FullControl,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
rs.AddAccessRule(rar);
rk.SetAccessControl(rs);
}
return true;
}
catch
{
return false;
}
}
有人可以帮我吗,这里有什么问题吗?
正如我所说,在 Windows 7 64 上一切正常。
感谢帮助!
已编辑 04-01-2017:有关执行 SetFullAccessForKey(...) 时出现的异常的更多详细信息:
System.InvalidOperationException: This access control list is not in canonical form and therefore cannot be modified.
at System.Security.AccessControl.CommonAcl.ThrowIfNotCanonical()
at System.Security.AccessControl.CommonAcl.AddQualifiedAce(SecurityIdentifier sid, AceQualifier qualifier, Int32 accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
at System.Security.AccessControl.DiscretionaryAcl.AddAccess(AccessControlType accessType, SecurityIdentifier sid, Int32 accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags)
at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified)
at System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(AccessRule rule)
at System.Security.AccessControl.RegistrySecurity.AddAccessRule(RegistryAccessRule rule)
at regconfigtest.RegistryTools.SetFullAccessForKey(String regKey)
感谢您对此的任何帮助!
我可以确认此处提供的解决方案:
How do you programmatically fix a non-canonical ACL?
已解决我的问题!现在它可以在所有平台上正常运行:Win7、Win8 和 Win10。
有人可以帮我吗 - 我开发了一个控制台应用程序,用于在 HKLM 中创建我自己的注册表项,然后修改对此项的访问权限,以允许每个用户 NT 帐户能够 read/write 到这个键。
在 app.manifest 我有这个声明来强制管理员有权 运行 它:
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
在 Windows 7 64 位上一切正常,在 Windows 10 64 位上检测到问题 - 应用程序正在按预期创建注册表项,但是当它尝试修改其访问规则时,它失败了。
我修改key访问规则的代码:
private static bool SetFullAccessForKey(string regKey)
{
try
{
SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
NTAccount account = sid.Translate(typeof(NTAccount)) as NTAccount;
using (RegistryKey rk = Registry.LocalMachine.OpenSubKey(regKey, RegistryKeyPermissionCheck.ReadWriteSubTree))
{
RegistrySecurity rs = rk.GetAccessControl();
RegistryAccessRule rar = new RegistryAccessRule(
account.ToString(),
RegistryRights.FullControl,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
rs.AddAccessRule(rar);
rk.SetAccessControl(rs);
}
return true;
}
catch
{
return false;
}
}
有人可以帮我吗,这里有什么问题吗? 正如我所说,在 Windows 7 64 上一切正常。
感谢帮助!
已编辑 04-01-2017:有关执行 SetFullAccessForKey(...) 时出现的异常的更多详细信息:
System.InvalidOperationException: This access control list is not in canonical form and therefore cannot be modified.
at System.Security.AccessControl.CommonAcl.ThrowIfNotCanonical()
at System.Security.AccessControl.CommonAcl.AddQualifiedAce(SecurityIdentifier sid, AceQualifier qualifier, Int32 accessMask, AceFlags flags, ObjectAceFlags objectFlags, Guid objectType, Guid inheritedObjectType)
at System.Security.AccessControl.DiscretionaryAcl.AddAccess(AccessControlType accessType, SecurityIdentifier sid, Int32 accessMask, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags)
at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified)
at System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(AccessRule rule)
at System.Security.AccessControl.RegistrySecurity.AddAccessRule(RegistryAccessRule rule)
at regconfigtest.RegistryTools.SetFullAccessForKey(String regKey)
感谢您对此的任何帮助!
我可以确认此处提供的解决方案:
How do you programmatically fix a non-canonical ACL?
已解决我的问题!现在它可以在所有平台上正常运行:Win7、Win8 和 Win10。