RegistrySecurity 类
定义
重要
一些信息与预发行产品相关,相应产品在发行之前可能会进行重大修改。 对于此处提供的信息,Microsoft 不作任何明示或暗示的担保。
表示注册表项的 Windows 访问控制安全性。 此类不能被继承。
public ref class RegistrySecurity sealed : System::Security::AccessControl::NativeObjectSecuritypublic sealed class RegistrySecurity : System.Security.AccessControl.NativeObjectSecurity[System.Security.SecurityCritical]
public sealed class RegistrySecurity : System.Security.AccessControl.NativeObjectSecuritytype RegistrySecurity = class
inherit NativeObjectSecurity[<System.Security.SecurityCritical>]
type RegistrySecurity = class
inherit NativeObjectSecurityPublic NotInheritable Class RegistrySecurity
Inherits NativeObjectSecurity- 继承
- 属性
示例
本部分包含两个代码示例。 第一个示例显示添加和删除时兼容规则如何合并,第二个示例显示继承和传播标志如何影响规则的添加和删除。
示例 1
下面的代码示例演示 方法如何 RemoveAccessRule 从兼容规则中删除权限,以及如何将 AddAccessRule 权限与兼容规则合并。
该示例创建一个 RegistrySecurity 对象,并添加一个允许当前用户 RegistryRights.ReadKey 权限的规则。 然后,该示例创建一个规则,该规则向用户 授予 RegistryRights.SetValue与第一个规则相同的继承和传播权限,并使用 RemoveAccessRule 方法从 RegistrySecurity 对象中删除此新规则。 SetValue 是 的 ReadKey一部分,因此会将其从兼容规则中删除。 将显示 对象中的 RegistrySecurity 规则,显示 的剩余组成部分 ReadKey。
然后,示例代码调用 AddAccessRule 方法,将右侧合并 SetValue 回 对象中的 RegistrySecurity 规则。
注意
此示例不将安全对象附加到 对象 RegistryKey 。 本部分中的第二个示例附加了一个安全对象,和 中的RegistryKey.GetAccessControlRegistryKey.SetAccessControl示例也是如此。
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Security;
using Microsoft.Win32;
public class Example
{
public static void Main()
{
string user = Environment.UserDomainName + "\\"
+ Environment.UserName;
// Create a security object that grants no access.
RegistrySecurity mSec = new RegistrySecurity();
// Add a rule that grants the current user ReadKey
// rights. ReadKey is a combination of four other
// rights. The rule is inherited by all
// contained subkeys.
RegistryAccessRule rule = new RegistryAccessRule(user,
RegistryRights.ReadKey,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow);
mSec.AddAccessRule(rule);
// Create a rule that allows the current user only the
// right to query the key/value pairs of a key, using
// the same inheritance and propagation flags as the
// first rule. QueryValues is a constituent of
// ReadKey, so when this rule is removed, using the
// RemoveAccessRule method, ReadKey is broken into
// its constituent parts.
rule = new RegistryAccessRule(user,
RegistryRights.QueryValues,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow);
mSec.RemoveAccessRule(rule);
// Display the rules in the security object.
ShowSecurity(mSec);
// Add the second rule back. It merges with the
// existing rule, so that the rule is now displayed
// as ReadKey.
mSec.AddAccessRule(rule);
// Display the rules in the security object.
ShowSecurity(mSec);
}
private static void ShowSecurity(RegistrySecurity security)
{
Console.WriteLine("\r\nCurrent access rules:\r\n");
foreach( RegistryAccessRule ar in security.GetAccessRules(true, true, typeof(NTAccount)) )
{
Console.WriteLine(" User: {0}", ar.IdentityReference);
Console.WriteLine(" Type: {0}", ar.AccessControlType);
Console.WriteLine(" Rights: {0}", ar.RegistryRights);
Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags);
Console.WriteLine(" Propagation: {0}", ar.PropagationFlags);
Console.WriteLine(" Inherited? {0}", ar.IsInherited);
Console.WriteLine();
}
}
}
/* This code example produces output similar to following:
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: EnumerateSubKeys, Notify, ReadPermissions
Inheritance: ContainerInherit
Propagation: None
Inherited? False
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? False
*/
Option Explicit
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports System.Security
Imports Microsoft.Win32
Public Class Example
Public Shared Sub Main()
Dim user As String = Environment.UserDomainName _
& "\" & Environment.UserName
' Create a security object that grants no access.
Dim mSec As New RegistrySecurity()
' Add a rule that grants the current user ReadKey
' rights. ReadKey is a combination of four other
' rights. The rule is inherited by all
' contained subkeys.
Dim rule As New RegistryAccessRule(user, _
RegistryRights.ReadKey, _
InheritanceFlags.ContainerInherit, _
PropagationFlags.None, _
AccessControlType.Allow)
mSec.AddAccessRule(rule)
' Create a rule that allows the current user only the
' right to query the key/value pairs of a key, using
' the same inheritance and propagation flags as the
' first rule. QueryValues is a constituent of
' ReadKey, so when this rule is removed, using the
' RemoveAccessRule method, ReadKey is broken into
' its constituent parts.
rule = New RegistryAccessRule(user, _
RegistryRights.QueryValues, _
InheritanceFlags.ContainerInherit, _
PropagationFlags.None, _
AccessControlType.Allow)
mSec.RemoveAccessRule(rule)
' Display the rules in the security object.
ShowSecurity(mSec)
' Add the second rule back. It merges with the
' existing rule, so that the rule is now displayed
' as ReadKey.
mSec.AddAccessRule(rule)
' Display the rules in the security object.
ShowSecurity(mSec)
End Sub
Private Shared Sub ShowSecurity(ByVal security As RegistrySecurity)
Console.WriteLine(vbCrLf & "Current access rules:" & vbCrLf)
For Each ar As RegistryAccessRule In _
security.GetAccessRules(True, True, GetType(NTAccount))
Console.WriteLine(" User: {0}", ar.IdentityReference)
Console.WriteLine(" Type: {0}", ar.AccessControlType)
Console.WriteLine(" Rights: {0}", ar.RegistryRights)
Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags)
Console.WriteLine(" Propagation: {0}", ar.PropagationFlags)
Console.WriteLine(" Inherited? {0}", ar.IsInherited)
Console.WriteLine()
Next
End Sub
End Class
'This code example produces output similar to following:
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: EnumerateSubKeys, Notify, ReadPermissions
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? False
'
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? False
'
示例 2
下面的代码示例演示了具有继承和传播的访问规则。 该示例创建一个 RegistrySecurity 对象,然后创建并添加两个具有 标志 ContainerInherit 的规则。 第一个规则没有传播标志,而第二个规则具有 NoPropagateInherit 和 InheritOnly。
程序在 对象中 RegistrySecurity 显示规则,然后使用 RegistrySecurity 对象创建子项。 程序创建一个子子项和一个孙子项,然后显示每个子项的安全性。 最后,程序删除测试密钥。
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Security;
using Microsoft.Win32;
public class Example
{
public static void Main()
{
const string TestKey = "TestKey3927";
RegistryKey cu = Registry.CurrentUser;
string user = Environment.UserDomainName +
"\\" + Environment.UserName;
// Create a security object that grants no access.
RegistrySecurity mSec = new RegistrySecurity();
// Add a rule that grants the current user the right
// to read and enumerate the name/value pairs in a key,
// to read its access and audit rules, to enumerate
// its subkeys, to create subkeys, and to delete the key.
// The rule is inherited by all contained subkeys.
//
RegistryAccessRule rule = new RegistryAccessRule(user,
RegistryRights.ReadKey | RegistryRights.WriteKey
| RegistryRights.Delete,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow
);
mSec.AddAccessRule(rule);
// Add a rule that allows the current user the right
// right to set the name/value pairs in a key.
// This rule is inherited by contained subkeys, but
// propagation flags limit it to immediate child
// subkeys.
rule = new RegistryAccessRule(user,
RegistryRights.ChangePermissions,
InheritanceFlags.ContainerInherit,
PropagationFlags.InheritOnly |
PropagationFlags.NoPropagateInherit,
AccessControlType.Allow);
mSec.AddAccessRule(rule);
// Display the rules in the security object.
ShowSecurity(mSec);
// Create the test key using the security object.
//
RegistryKey rk = cu.CreateSubKey(TestKey,
RegistryKeyPermissionCheck.ReadWriteSubTree, mSec);
// Create a child subkey and a grandchild subkey,
// without security.
RegistryKey rkChild = rk.CreateSubKey("ChildKey",
RegistryKeyPermissionCheck.ReadWriteSubTree);
RegistryKey rkGrandChild =
rkChild.CreateSubKey("GrandChildKey",
RegistryKeyPermissionCheck.ReadWriteSubTree);
Show(rk);
Show(rkChild);
Show(rkGrandChild);
rkGrandChild.Close();
rkChild.Close();
rk.Close();
cu.DeleteSubKeyTree(TestKey);
}
private static void Show(RegistryKey rk)
{
Console.WriteLine(rk.Name);
ShowSecurity(rk.GetAccessControl());
}
private static void ShowSecurity(RegistrySecurity security)
{
Console.WriteLine("\r\nCurrent access rules:\r\n");
foreach( RegistryAccessRule ar in security.GetAccessRules(true, true, typeof(NTAccount)) )
{
Console.WriteLine(" User: {0}", ar.IdentityReference);
Console.WriteLine(" Type: {0}", ar.AccessControlType);
Console.WriteLine(" Rights: {0}", ar.RegistryRights);
Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags);
Console.WriteLine(" Propagation: {0}", ar.PropagationFlags);
Console.WriteLine(" Inherited? {0}", ar.IsInherited);
Console.WriteLine();
}
}
}
/* This code example produces output similar to following:
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: SetValue, CreateSubKey, Delete, ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? False
User: TestDomain\TestUser
Type: Allow
Rights: ChangePermissions
Inheritance: ContainerInherit
Propagation: NoPropagateInherit, InheritOnly
Inherited? False
HKEY_CURRENT_USER\TestKey3927
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: SetValue, CreateSubKey, Delete, ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? False
User: TestDomain\TestUser
Type: Allow
Rights: ChangePermissions
Inheritance: ContainerInherit
Propagation: NoPropagateInherit, InheritOnly
Inherited? False
HKEY_CURRENT_USER\TestKey3927\ChildKey
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: SetValue, CreateSubKey, Delete, ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? True
User: TestDomain\TestUser
Type: Allow
Rights: ChangePermissions
Inheritance: None
Propagation: None
Inherited? True
HKEY_CURRENT_USER\TestKey3927\ChildKey\GrandChildKey
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: SetValue, CreateSubKey, Delete, ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? True
*/
Option Explicit
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports System.Security
Imports Microsoft.Win32
Public Class Example
Public Shared Sub Main()
Const TestKey As String = "TestKey3927"
Dim cu As RegistryKey = Registry.CurrentUser
Dim user As String = Environment.UserDomainName _
& "\" & Environment.UserName
' Create a security object that grants no access.
Dim mSec As New RegistrySecurity()
' Add a rule that grants the current user the right
' to read and enumerate the name/value pairs in a key,
' to read its access and audit rules, to enumerate
' its subkeys, to create subkeys, and to delete the key.
' The rule is inherited by all contained subkeys.
'
Dim rule As New RegistryAccessRule(user, _
RegistryRights.ReadKey Or RegistryRights.WriteKey _
Or RegistryRights.Delete, _
InheritanceFlags.ContainerInherit, _
PropagationFlags.None, _
AccessControlType.Allow)
mSec.AddAccessRule(rule)
' Add a rule that allows the current user the right
' right to set the name/value pairs in a key.
' This rule is inherited by contained subkeys, but
' propagation flags limit it to immediate child
' subkeys.
rule = New RegistryAccessRule(user, _
RegistryRights.ChangePermissions, _
InheritanceFlags.ContainerInherit, _
PropagationFlags.InheritOnly Or PropagationFlags.NoPropagateInherit, _
AccessControlType.Allow)
mSec.AddAccessRule(rule)
' Display the rules in the security object.
ShowSecurity(mSec)
' Create the test key using the security object.
'
Dim rk As RegistryKey = cu.CreateSubKey(TestKey, _
RegistryKeyPermissionCheck.ReadWriteSubTree, _
mSec)
' Create a child subkey and a grandchild subkey,
' without security.
Dim rkChild As RegistryKey= rk.CreateSubKey("ChildKey", _
RegistryKeyPermissionCheck.ReadWriteSubTree)
Dim rkGrandChild As RegistryKey = _
rkChild.CreateSubKey("GrandChildKey", _
RegistryKeyPermissionCheck.ReadWriteSubTree)
Show(rk)
Show(rkChild)
Show(rkGrandChild)
rkGrandChild.Close()
rkChild.Close()
rk.Close()
cu.DeleteSubKeyTree(TestKey)
End Sub
Private Shared Sub Show(ByVal rk As RegistryKey)
Console.WriteLine(rk.Name)
ShowSecurity(rk.GetAccessControl())
End Sub
Private Shared Sub ShowSecurity(ByVal security As RegistrySecurity)
Console.WriteLine(vbCrLf & "Current access rules:" & vbCrLf)
For Each ar As RegistryAccessRule In _
security.GetAccessRules(True, True, GetType(NTAccount))
Console.WriteLine(" User: {0}", ar.IdentityReference)
Console.WriteLine(" Type: {0}", ar.AccessControlType)
Console.WriteLine(" Rights: {0}", ar.RegistryRights)
Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags)
Console.WriteLine(" Propagation: {0}", ar.PropagationFlags)
Console.WriteLine(" Inherited? {0}", ar.IsInherited)
Console.WriteLine()
Next
End Sub
End Class
'This code example produces output similar to following:
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: SetValue, CreateSubKey, Delete, ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? False
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: ChangePermissions
' Inheritance: ContainerInherit
' Propagation: NoPropagateInherit, InheritOnly
' Inherited? False
'
'HKEY_CURRENT_USER\TestKey3927
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: SetValue, CreateSubKey, Delete, ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? False
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: ChangePermissions
' Inheritance: ContainerInherit
' Propagation: NoPropagateInherit, InheritOnly
' Inherited? False
'
'HKEY_CURRENT_USER\TestKey3927\ChildKey
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: SetValue, CreateSubKey, Delete, ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? True
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: ChangePermissions
' Inheritance: None
' Propagation: None
' Inherited? True
'
'HKEY_CURRENT_USER\TestKey3927\ChildKey\GrandChildKey
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: SetValue, CreateSubKey, Delete, ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? True
注解
对象 RegistrySecurity 指定注册表项的访问权限,还指定如何审核访问尝试。 对注册表项的访问权限表示为规则,每个访问规则由 对象 RegistryAccessRule 表示。 每个审核规则都由 一个 RegistryAuditRule 对象表示。
这反映了基础 Windows 安全系统,其中每个安全对象最多有一个可自由访问控制列表, (DACL) 控制对受保护对象的访问,最多有一个系统访问控制列表 (SACL) ,用于指定审核哪些访问尝试。 DACL 和 SACL 是访问控制条目的有序列表, (ACE) 指定用户和组的访问和审核。 或 RegistryAccessRuleRegistryAuditRule 对象可能表示多个 ACE。
注意
Windows 访问控制安全性只能应用于注册表项。 它不能应用于存储在密钥中的单个键/值对。
RegistrySecurity、 RegistryAccessRule和 RegistryAuditRule 类隐藏 ACL 和 ACE 的实现详细信息。 它们允许忽略 17 种不同的 ACE 类型,以及正确维护访问权限继承和传播的复杂性。 这些对象还设计为防止以下常见访问控制错误:
创建具有 null DACL 的安全描述符。 对 DACL 的空引用允许任何用户向对象添加访问规则,从而可能引发拒绝服务攻击。 新 RegistrySecurity 对象始终以空 DACL 开头,这会拒绝所有用户的所有访问。
违反 ACE 的规范顺序。 如果 DACL 中的 ACE 列表未按规范顺序保留,则用户可能会无意中获得对受保护对象的访问权限。 例如,拒绝的访问权限必须始终出现在允许的访问权限之前。 RegistrySecurity 对象在内部保持正确的顺序。
操作安全描述符标志,这些标志应仅受资源管理器控制。
创建无效的 ACE 标志组合。
操作继承的 ACE。 继承和传播由资源管理器处理,以响应对访问和审核规则所做的更改。
将无意义的 ACE 插入 ACL。
.NET 安全对象不支持的唯一功能是大多数应用程序开发人员应避免的危险活动,如下所示:
通常由资源管理器执行的低级别任务。
以不维护规范顺序的方式添加或删除访问控制条目。
若要修改注册表项的 Windows 访问控制安全性,请使用 RegistryKey.GetAccessControl 方法获取 RegistrySecurity 对象。 通过添加和删除规则修改安全对象,然后使用 RegistryKey.SetAccessControl 方法重新附加它。
重要
在调用 RegistryKey.SetAccessControl 方法将RegistrySecurity更改的安全对象分配给注册表项之前,对对象所做的更改不会影响注册表项的访问级别。
若要将访问控制安全性从一个注册表项复制到另一个注册表项,请使用 RegistryKey.GetAccessControl 方法获取表示第一个 RegistrySecurity 注册表项的访问和审核规则的对象,然后使用 RegistryKey.SetAccessControl 方法将这些规则分配给第二个注册表项。 还可以使用 采用对象参数的 或 RegistryKey.CreateSubKey 方法将规则分配给第二个RegistrySecurity注册表项RegistryKey.OpenSubKey。
投资安全描述符定义语言 (SDDL) 的用户可以使用 SetSecurityDescriptorSddlForm 方法来设置注册表项的访问规则,并使用 GetSecurityDescriptorSddlForm 方法获取表示 SDDL 格式的访问规则的字符串。 对于新开发,不建议这样做。
构造函数
| RegistrySecurity() |
使用默认值初始化 RegistrySecurity 类的新实例。 |
