RegistrySecurity Class
Definition
Important
Some information relates to prerelease product that may be substantially modified before it is released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Represents the Windows access control security for a registry key. This class cannot be inherited.
public ref class RegistrySecurity sealed : System::Security::AccessControl::NativeObjectSecurity
public sealed class RegistrySecurity : System.Security.AccessControl.NativeObjectSecurity
[System.Security.SecurityCritical]
public sealed class RegistrySecurity : System.Security.AccessControl.NativeObjectSecurity
type RegistrySecurity = class
inherit NativeObjectSecurity
[<System.Security.SecurityCritical>]
type RegistrySecurity = class
inherit NativeObjectSecurity
Public NotInheritable Class RegistrySecurity
Inherits NativeObjectSecurity
- Inheritance: Object → ObjectSecurity → CommonObjectSecurity → NativeObjectSecurity → RegistrySecurity
- Attributes: SecurityCriticalAttribute
Examples
This section contains two code examples. The first example shows how compatible rules are merged when rules are added and removed, and the second example shows how inheritance and propagation flags affect added and removed rules.
Example 1
The following code example demonstrates how the RemoveAccessRule method removes rights from a compatible rule, and how the AddAccessRule method merges rights with a compatible rule.
The example creates a RegistrySecurity object and adds a rule that grants the current user ReadKey rights. It then creates a rule that grants the user QueryValues rights, with the same inheritance and propagation flags as the first rule, and uses the RemoveAccessRule method to remove this new rule from the RegistrySecurity object. QueryValues is a constituent of ReadKey, so it is removed from the compatible rule. The rules in the RegistrySecurity object are displayed, showing the remaining constituents of ReadKey (EnumerateSubKeys, Notify, ReadPermissions).
The example code then calls the AddAccessRule method to merge the QueryValues right back into the rule in the RegistrySecurity object, and the rule is displayed as ReadKey again.
Note
This example does not attach the security object to a RegistryKey object. The second example in this section attaches a security object, as do the examples in RegistryKey.GetAccessControl and RegistryKey.SetAccessControl.
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Security;
using Microsoft.Win32;
public class Example
{
public static void Main()
{
string user = Environment.UserDomainName + "\\"
+ Environment.UserName;
// Create a security object that grants no access.
RegistrySecurity mSec = new RegistrySecurity();
// Add a rule that grants the current user ReadKey
// rights. ReadKey is a combination of four other
// rights. The rule is inherited by all
// contained subkeys.
RegistryAccessRule rule = new RegistryAccessRule(user,
RegistryRights.ReadKey,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow);
mSec.AddAccessRule(rule);
// Create a rule that allows the current user only the
// right to query the key/value pairs of a key, using
// the same inheritance and propagation flags as the
// first rule. QueryValues is a constituent of
// ReadKey, so when this rule is removed, using the
// RemoveAccessRule method, ReadKey is broken into
// its constituent parts.
rule = new RegistryAccessRule(user,
RegistryRights.QueryValues,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow);
mSec.RemoveAccessRule(rule);
// Display the rules in the security object.
ShowSecurity(mSec);
// Add the second rule back. It merges with the
// existing rule, so that the rule is now displayed
// as ReadKey.
mSec.AddAccessRule(rule);
// Display the rules in the security object.
ShowSecurity(mSec);
}
private static void ShowSecurity(RegistrySecurity security)
{
Console.WriteLine("\r\nCurrent access rules:\r\n");
foreach( RegistryAccessRule ar in security.GetAccessRules(true, true, typeof(NTAccount)) )
{
Console.WriteLine(" User: {0}", ar.IdentityReference);
Console.WriteLine(" Type: {0}", ar.AccessControlType);
Console.WriteLine(" Rights: {0}", ar.RegistryRights);
Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags);
Console.WriteLine(" Propagation: {0}", ar.PropagationFlags);
Console.WriteLine(" Inherited? {0}", ar.IsInherited);
Console.WriteLine();
}
}
}
/* This code example produces output similar to following:
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: EnumerateSubKeys, Notify, ReadPermissions
Inheritance: ContainerInherit
Propagation: None
Inherited? False
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? False
*/
Option Explicit
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports System.Security
Imports Microsoft.Win32
Public Class Example
Public Shared Sub Main()
Dim user As String = Environment.UserDomainName _
& "\" & Environment.UserName
' Create a security object that grants no access.
Dim mSec As New RegistrySecurity()
' Add a rule that grants the current user ReadKey
' rights. ReadKey is a combination of four other
' rights. The rule is inherited by all
' contained subkeys.
Dim rule As New RegistryAccessRule(user, _
RegistryRights.ReadKey, _
InheritanceFlags.ContainerInherit, _
PropagationFlags.None, _
AccessControlType.Allow)
mSec.AddAccessRule(rule)
' Create a rule that allows the current user only the
' right to query the key/value pairs of a key, using
' the same inheritance and propagation flags as the
' first rule. QueryValues is a constituent of
' ReadKey, so when this rule is removed, using the
' RemoveAccessRule method, ReadKey is broken into
' its constituent parts.
rule = New RegistryAccessRule(user, _
RegistryRights.QueryValues, _
InheritanceFlags.ContainerInherit, _
PropagationFlags.None, _
AccessControlType.Allow)
mSec.RemoveAccessRule(rule)
' Display the rules in the security object.
ShowSecurity(mSec)
' Add the second rule back. It merges with the
' existing rule, so that the rule is now displayed
' as ReadKey.
mSec.AddAccessRule(rule)
' Display the rules in the security object.
ShowSecurity(mSec)
End Sub
Private Shared Sub ShowSecurity(ByVal security As RegistrySecurity)
Console.WriteLine(vbCrLf & "Current access rules:" & vbCrLf)
For Each ar As RegistryAccessRule In _
security.GetAccessRules(True, True, GetType(NTAccount))
Console.WriteLine(" User: {0}", ar.IdentityReference)
Console.WriteLine(" Type: {0}", ar.AccessControlType)
Console.WriteLine(" Rights: {0}", ar.RegistryRights)
Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags)
Console.WriteLine(" Propagation: {0}", ar.PropagationFlags)
Console.WriteLine(" Inherited? {0}", ar.IsInherited)
Console.WriteLine()
Next
End Sub
End Class
'This code example produces output similar to following:
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: EnumerateSubKeys, Notify, ReadPermissions
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? False
'
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? False
'
Example 2
The following code example demonstrates inherited and propagated access rules. The example creates a RegistrySecurity object, then creates and adds two rules that have the ContainerInherit flag. The first rule has no propagation flags, while the second has NoPropagateInherit and InheritOnly.
The program displays the rules in the RegistrySecurity object, then uses the RegistrySecurity object to create a subkey. The program creates a child subkey and a grandchild subkey, and then displays the security for each subkey. Finally, the program deletes the test key. In the output, note that the ChangePermissions rule reaches ChildKey (with its inheritance flags consumed by NoPropagateInherit) but never reaches GrandChildKey.
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Security;
using Microsoft.Win32;
public class Example
{
public static void Main()
{
const string TestKey = "TestKey3927";
RegistryKey cu = Registry.CurrentUser;
string user = Environment.UserDomainName +
"\\" + Environment.UserName;
// Create a security object that grants no access.
RegistrySecurity mSec = new RegistrySecurity();
// Add a rule that grants the current user the right
// to read and enumerate the name/value pairs in a key,
// to read its access rules, to enumerate its subkeys,
// to set values, to create subkeys, and to delete the
// key (ReadKey | WriteKey | Delete). The rule is
// inherited by all contained subkeys.
//
RegistryAccessRule rule = new RegistryAccessRule(user,
RegistryRights.ReadKey | RegistryRights.WriteKey
| RegistryRights.Delete,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow
);
mSec.AddAccessRule(rule);
// Add a rule that grants the current user the right to
// change the key's permissions (ChangePermissions).
// ContainerInherit makes the rule inheritable by subkeys;
// InheritOnly means it does not apply to this key itself,
// and NoPropagateInherit stops it at the immediate child
// subkeys, so the grandchild does not receive it.
rule = new RegistryAccessRule(user,
RegistryRights.ChangePermissions,
InheritanceFlags.ContainerInherit,
PropagationFlags.InheritOnly |
PropagationFlags.NoPropagateInherit,
AccessControlType.Allow);
mSec.AddAccessRule(rule);
// Display the rules in the security object.
ShowSecurity(mSec);
// Create the test key using the security object.
//
RegistryKey rk = cu.CreateSubKey(TestKey,
RegistryKeyPermissionCheck.ReadWriteSubTree, mSec);
// Create a child subkey and a grandchild subkey,
// without security.
RegistryKey rkChild = rk.CreateSubKey("ChildKey",
RegistryKeyPermissionCheck.ReadWriteSubTree);
RegistryKey rkGrandChild =
rkChild.CreateSubKey("GrandChildKey",
RegistryKeyPermissionCheck.ReadWriteSubTree);
Show(rk);
Show(rkChild);
Show(rkGrandChild);
rkGrandChild.Close();
rkChild.Close();
rk.Close();
cu.DeleteSubKeyTree(TestKey);
}
private static void Show(RegistryKey rk)
{
Console.WriteLine(rk.Name);
ShowSecurity(rk.GetAccessControl());
}
private static void ShowSecurity(RegistrySecurity security)
{
Console.WriteLine("\r\nCurrent access rules:\r\n");
foreach( RegistryAccessRule ar in security.GetAccessRules(true, true, typeof(NTAccount)) )
{
Console.WriteLine(" User: {0}", ar.IdentityReference);
Console.WriteLine(" Type: {0}", ar.AccessControlType);
Console.WriteLine(" Rights: {0}", ar.RegistryRights);
Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags);
Console.WriteLine(" Propagation: {0}", ar.PropagationFlags);
Console.WriteLine(" Inherited? {0}", ar.IsInherited);
Console.WriteLine();
}
}
}
/* This code example produces output similar to following:
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: SetValue, CreateSubKey, Delete, ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? False
User: TestDomain\TestUser
Type: Allow
Rights: ChangePermissions
Inheritance: ContainerInherit
Propagation: NoPropagateInherit, InheritOnly
Inherited? False
HKEY_CURRENT_USER\TestKey3927
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: SetValue, CreateSubKey, Delete, ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? False
User: TestDomain\TestUser
Type: Allow
Rights: ChangePermissions
Inheritance: ContainerInherit
Propagation: NoPropagateInherit, InheritOnly
Inherited? False
HKEY_CURRENT_USER\TestKey3927\ChildKey
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: SetValue, CreateSubKey, Delete, ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? True
User: TestDomain\TestUser
Type: Allow
Rights: ChangePermissions
Inheritance: None
Propagation: None
Inherited? True
HKEY_CURRENT_USER\TestKey3927\ChildKey\GrandChildKey
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: SetValue, CreateSubKey, Delete, ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? True
*/
Option Explicit
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports System.Security
Imports Microsoft.Win32
Public Class Example
Public Shared Sub Main()
Const TestKey As String = "TestKey3927"
Dim cu As RegistryKey = Registry.CurrentUser
Dim user As String = Environment.UserDomainName _
& "\" & Environment.UserName
' Create a security object that grants no access.
Dim mSec As New RegistrySecurity()
' Add a rule that grants the current user the right
' to read and enumerate the name/value pairs in a key,
' to read its access rules, to enumerate its subkeys,
' to set values, to create subkeys, and to delete the
' key (ReadKey Or WriteKey Or Delete). The rule is
' inherited by all contained subkeys.
'
Dim rule As New RegistryAccessRule(user, _
RegistryRights.ReadKey Or RegistryRights.WriteKey _
Or RegistryRights.Delete, _
InheritanceFlags.ContainerInherit, _
PropagationFlags.None, _
AccessControlType.Allow)
mSec.AddAccessRule(rule)
' Add a rule that grants the current user the right to
' change the key's permissions (ChangePermissions).
' ContainerInherit makes the rule inheritable by subkeys;
' InheritOnly means it does not apply to this key itself,
' and NoPropagateInherit stops it at the immediate child
' subkeys, so the grandchild does not receive it.
rule = New RegistryAccessRule(user, _
RegistryRights.ChangePermissions, _
InheritanceFlags.ContainerInherit, _
PropagationFlags.InheritOnly Or PropagationFlags.NoPropagateInherit, _
AccessControlType.Allow)
mSec.AddAccessRule(rule)
' Display the rules in the security object.
ShowSecurity(mSec)
' Create the test key using the security object.
'
Dim rk As RegistryKey = cu.CreateSubKey(TestKey, _
RegistryKeyPermissionCheck.ReadWriteSubTree, _
mSec)
' Create a child subkey and a grandchild subkey,
' without security.
Dim rkChild As RegistryKey= rk.CreateSubKey("ChildKey", _
RegistryKeyPermissionCheck.ReadWriteSubTree)
Dim rkGrandChild As RegistryKey = _
rkChild.CreateSubKey("GrandChildKey", _
RegistryKeyPermissionCheck.ReadWriteSubTree)
Show(rk)
Show(rkChild)
Show(rkGrandChild)
rkGrandChild.Close()
rkChild.Close()
rk.Close()
cu.DeleteSubKeyTree(TestKey)
End Sub
Private Shared Sub Show(ByVal rk As RegistryKey)
Console.WriteLine(rk.Name)
ShowSecurity(rk.GetAccessControl())
End Sub
Private Shared Sub ShowSecurity(ByVal security As RegistrySecurity)
Console.WriteLine(vbCrLf & "Current access rules:" & vbCrLf)
For Each ar As RegistryAccessRule In _
security.GetAccessRules(True, True, GetType(NTAccount))
Console.WriteLine(" User: {0}", ar.IdentityReference)
Console.WriteLine(" Type: {0}", ar.AccessControlType)
Console.WriteLine(" Rights: {0}", ar.RegistryRights)
Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags)
Console.WriteLine(" Propagation: {0}", ar.PropagationFlags)
Console.WriteLine(" Inherited? {0}", ar.IsInherited)
Console.WriteLine()
Next
End Sub
End Class
'This code example produces output similar to following:
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: SetValue, CreateSubKey, Delete, ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? False
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: ChangePermissions
' Inheritance: ContainerInherit
' Propagation: NoPropagateInherit, InheritOnly
' Inherited? False
'
'HKEY_CURRENT_USER\TestKey3927
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: SetValue, CreateSubKey, Delete, ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? False
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: ChangePermissions
' Inheritance: ContainerInherit
' Propagation: NoPropagateInherit, InheritOnly
' Inherited? False
'
'HKEY_CURRENT_USER\TestKey3927\ChildKey
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: SetValue, CreateSubKey, Delete, ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? True
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: ChangePermissions
' Inheritance: None
' Propagation: None
' Inherited? True
'
'HKEY_CURRENT_USER\TestKey3927\ChildKey\GrandChildKey
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: SetValue, CreateSubKey, Delete, ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? True
Remarks
A RegistrySecurity object specifies the access rights for a registry key and specifies how access attempts are audited. Access rights for a registry key are expressed as rules, with each access rule represented by a RegistryAccessRule object. Each audit rule is represented by a RegistryAuditRule object.
This mirrors the underlying Windows security system, in which each securable object has at most one discretionary access control list (DACL) that controls access to the securable object, and at most one system access control list (SACL) that specifies which access attempts are audited. The DACL and SACL are ordered lists of access control entries (ACEs) that specify access and auditing for users and groups. A RegistryAccessRule or RegistryAuditRule object might represent more than one ACE.
Note
Windows access control security can be applied only to registry keys. It cannot be applied to the individual key/value pairs stored in a key.
The RegistrySecurity, RegistryAccessRule, and RegistryAuditRule classes hide the implementation details of ACLs and ACEs. They allow you to ignore the seventeen different ACE types and the complexity of correctly maintaining inheritance and propagation of access rights. These objects are also designed to prevent the following common access control errors:
- Creating a security descriptor with a null DACL. A null reference to a DACL allows any user to add access rules to an object, potentially creating a denial-of-service attack. A new RegistrySecurity object always starts with an empty DACL, which denies all access for all users.
- Violating the canonical ordering of ACEs. If the ACE list in the DACL is not kept in canonical order, users might inadvertently be given access to the securable object. For example, denied access rights must always appear before allowed access rights. RegistrySecurity objects maintain the correct order internally.
- Manipulating security descriptor flags, which should be under resource manager control only.
- Creating invalid combinations of ACE flags.
- Manipulating inherited ACEs. Inheritance and propagation are handled by the resource manager, in response to the changes you make to access and audit rules.
- Inserting meaningless ACEs into ACLs.
The only capabilities that are not supported by the .NET security objects are risky activities that most application developers should avoid, such as:
- Low-level tasks that are normally performed by the resource manager.
- Adding or removing access control entries in ways that do not maintain the canonical ordering.
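The two errors at the top of that list, a null DACL and a mis-ordered DACL, are worth seeing side by side with what RegistrySecurity produces. The following C# program is an added example and is not part of the original page; it uses the well-known SIDs Everyone and BUILTIN\Users as stand-ins for real principals, and the Audit helper is a hypothetical review routine written for this example. It shows that a fresh RegistrySecurity carries a present-but-empty DACL, that adding an Allow rule before a Deny rule still yields Deny-first order, and then reproduces both mistakes with the low-level Raw* types so the audit routine has something to flag.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

public class DaclInvariants
{
    public static void Main()
    {
        // Well-known SIDs so the example runs on any Windows machine regardless
        // of domain or user name (stand-ins, not principals from the page).
        var users    = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
        var everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);

        // 1. A new RegistrySecurity carries an EMPTY DACL, not a NULL DACL.
        //    Empty DACL: present, zero ACEs, nobody has access.
        //    Null DACL:  absent, which Windows treats as Everyone: Full Control.
        var sec = new RegistrySecurity();
        var fresh = new RawSecurityDescriptor(sec.GetSecurityDescriptorBinaryForm(), 0);
        Console.WriteLine("New RegistrySecurity      -> {0}", Audit(fresh));

        // 2. Canonical order is maintained for you. Add the Allow first and the
        //    Deny second; GetAccessRules still lists the Deny ACE before the Allow
        //    ACE because the object reorders on insertion.
        sec.AddAccessRule(new RegistryAccessRule(users, RegistryRights.ReadKey,
            InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow));
        sec.AddAccessRule(new RegistryAccessRule(everyone,
            RegistryRights.Delete | RegistryRights.ChangePermissions,
            InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Deny));
        foreach (RegistryAccessRule r in sec.GetAccessRules(true, true, typeof(NTAccount)))
            Console.WriteLine("  {0,-5} {1,-16} {2}", r.AccessControlType, r.IdentityReference, r.RegistryRights);
        Console.WriteLine("Populated RegistrySecurity -> {0}",
            Audit(new RawSecurityDescriptor(sec.GetSecurityDescriptorBinaryForm(), 0)));

        // 3a. The mistake RegistrySecurity never makes: an SDDL string with owner
        //     and group but no D: section describes a descriptor with a null DACL.
        var nullDacl = new RawSecurityDescriptor("O:BAG:BA");
        Console.WriteLine("SDDL 'O:BAG:BA'           -> {0}", Audit(nullDacl));

        // 3b. A hand-built DACL with Allow before Deny is non-canonical. Access
        //     checks walk the ACEs in order, so a Users member asking for Delete is
        //     granted by the Everyone Allow before the Deny below it is reached.
        var acl = new RawAcl(GenericAcl.AclRevision, 2);
        acl.InsertAce(0, new CommonAce(AceFlags.ContainerInherit, AceQualifier.AccessAllowed,
            (int)RegistryRights.FullControl, everyone, false, null));
        acl.InsertAce(1, new CommonAce(AceFlags.ContainerInherit, AceQualifier.AccessDenied,
            (int)RegistryRights.Delete, users, false, null));
        var badOrder = new RawSecurityDescriptor(ControlFlags.DiscretionaryAclPresent, null, null, null, acl);
        Console.WriteLine("Allow-before-Deny DACL    -> {0}", Audit(badOrder));
    }

    // Hypothetical review helper: classifies a descriptor's DACL as missing,
    // empty, canonical, or mis-ordered. isContainer = true because registry keys
    // contain subkeys; isDS = false because this is not a directory object.
    public static string Audit(RawSecurityDescriptor sd)
    {
        if (sd.DiscretionaryAcl == null)
            return "NULL DACL (Everyone: Full Control) - reject";
        if (sd.DiscretionaryAcl.Count == 0)
            return "empty DACL (no access for anyone)";
        var common = new CommonSecurityDescriptor(true, false, sd);
        return common.IsDiscretionaryAclCanonical
            ? sd.DiscretionaryAcl.Count + " ACE(s), canonical order"
            : sd.DiscretionaryAcl.Count + " ACE(s), NOT canonical - Deny entries may be bypassed";
    }
}
```

The same Audit routine can be pointed at any key's descriptor by passing `new RawSecurityDescriptor(key.GetAccessControl().GetSecurityDescriptorBinaryForm(), 0)`, which is a cheap way to sweep an application's keys for DACLs that were written by tooling that bypassed these classes.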
To modify Windows access control security for a registry key, use the RegistryKey.GetAccessControl method to get a RegistrySecurity object. Modify the security object by adding and removing rules, and then use the RegistryKey.SetAccessControl method to reattach it.
Important
Changes you make to a RegistrySecurity object do not affect the access levels of the registry key until you call the RegistryKey.SetAccessControl method to assign the altered security object to the registry key.
To copy access control security from one registry key to another, use the RegistryKey.GetAccessControl method to get a RegistrySecurity object representing the access and audit rules for the first key, and then use the RegistryKey.SetAccessControl method to assign those rules to the second key. You can also assign the rules to the second key when you create it, by using the RegistryKey.CreateSubKey overload that takes a RegistrySecurity parameter.
Users who have invested in the Security Descriptor Definition Language (SDDL) can use the SetSecurityDescriptorSddlForm method to set the access rules for a registry key, and the GetSecurityDescriptorSddlForm method to obtain a string that represents the access rules in SDDL format. This is not recommended for new development.
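The get / modify / reattach procedure, the copy-to-a-second-key step, and the SDDL export above fit in one short program. The following C# code is an added example, not code from the original page; it creates two hypothetical keys named ExampleAppSettings and ExampleAppSettingsCopy under HKEY_CURRENT_USER (deleted at the end), runs as an ordinary user, and targets .NET Framework or .NET on Windows with the Microsoft.Win32.Registry package (the `using System.Security.AccessControl;` directive brings in the GetAccessControl, SetAccessControl and CreateSubKey extension methods on .NET). It hardens the key by breaking inheritance and granting the current user full control and BUILTIN\Users read-only access, and demonstrates two practitioner details the prose leaves implicit: a second GetAccessControl before SetAccessControl still shows the old rules, and SetAccessControl needs a handle opened with ChangePermissions (WRITE_DAC), which a plain writable handle (KEY_READ | KEY_WRITE) does not carry.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

public class HardenAppKey
{
    // Hypothetical key names under HKEY_CURRENT_USER; both are deleted at the end.
    const string AppKey  = "ExampleAppSettings";
    const string CopyKey = "ExampleAppSettingsCopy";

    public static void Main()
    {
        RegistryKey cu = Registry.CurrentUser;

        // Create the key, then reopen it with exactly the rights the procedure
        // needs: ReadKey covers GetAccessControl (READ_CONTROL) and ChangePermissions
        // (WRITE_DAC) is what SetAccessControl requires. KEY_WRITE alone does not
        // include WRITE_DAC, so a handle from OpenSubKey(name, true) is not enough.
        cu.CreateSubKey(AppKey).Close();
        using (RegistryKey app = cu.OpenSubKey(AppKey, RegistryKeyPermissionCheck.ReadWriteSubTree,
                   RegistryRights.ReadKey | RegistryRights.ChangePermissions))
        {
            Console.WriteLine("Inherited DACL as created:");
            Show(app.GetAccessControl());

            // Step 1: GetAccessControl returns a detached RegistrySecurity snapshot.
            RegistrySecurity sec = app.GetAccessControl();

            // Step 2: edit the snapshot. Stop inheriting from HKCU and discard the
            // inherited ACEs (isProtected = true, preserveInheritance = false), then
            // add explicit rules. Grant yourself a rule BEFORE applying: a protected
            // descriptor with no rules is an empty DACL and locks everyone out.
            sec.SetAccessRuleProtection(true, false);
            SecurityIdentifier me    = WindowsIdentity.GetCurrent().User;
            SecurityIdentifier users = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
            sec.AddAccessRule(new RegistryAccessRule(me, RegistryRights.FullControl,
                InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow));
            sec.AddAccessRule(new RegistryAccessRule(users, RegistryRights.ReadKey,
                InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow));

            // Nothing has reached the key yet: re-reading still shows the inherited rules.
            Console.WriteLine("Re-read before SetAccessControl (unchanged):");
            Show(app.GetAccessControl());

            // Step 3: reattach the edited descriptor to the key.
            app.SetAccessControl(sec);
            RegistrySecurity applied = app.GetAccessControl();
            Console.WriteLine("Re-read after SetAccessControl:");
            Show(applied);

            // Copy, route 1: pass the RegistrySecurity read back from the first key to
            // the CreateSubKey overload that accepts one. Because that descriptor is
            // protected, the copy does not pick up HKCU's inherited ACEs.
            using (RegistryKey copy = cu.CreateSubKey(CopyKey,
                       RegistryKeyPermissionCheck.ReadWriteSubTree, applied))
            {
                Console.WriteLine("Copy created with the first key's RegistrySecurity:");
                Show(copy.GetAccessControl());
            }

            // Copy, route 2 (SDDL, for existing tooling only): export the access
            // section as a string, which is also the form to log or diff against a
            // baseline, and load it into a fresh object.
            string sddl = applied.GetSecurityDescriptorSddlForm(AccessControlSections.Access);
            Console.WriteLine("SDDL access section: {0}", sddl);
            var fromSddl = new RegistrySecurity();
            fromSddl.SetSecurityDescriptorSddlForm(sddl, AccessControlSections.Access);
            Console.WriteLine("Rules reloaded from SDDL:");
            Show(fromSddl);
        }

        cu.DeleteSubKeyTree(AppKey);
        cu.DeleteSubKeyTree(CopyKey);
    }

    static void Show(RegistrySecurity sec)
    {
        foreach (RegistryAccessRule r in sec.GetAccessRules(true, true, typeof(NTAccount)))
            Console.WriteLine("  {0,-5} {1,-28} {2,-14} inherited={3}",
                r.AccessControlType, r.IdentityReference, r.RegistryRights, r.IsInherited);
        Console.WriteLine();
    }
}
```

Removing inherited rules is the step that most often goes wrong in production: if the only explicit rule you add names a service account rather than the account running the installer, the installer itself can no longer open the key to undo the change. Reading the descriptor back after SetAccessControl, as this example does, is the cheapest check that the rules you intended are the rules the key now has.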
Constructors
RegistrySecurity() | Initializes a new instance of the RegistrySecurity class with default values. |