Changing owner of HKCR\CLSID\* key to Administrator on Windows Server 2008 R2
【Posted】: 2011-10-14 19:34:24
【Question】: There is a registry key on Win Server 2008 R2,
HKCR:\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
whose owner is not Administrator. It is TrustedInstaller. Now, to make remote DCOM/WMI connections work, I need to give Administrator full control of this key, and ownership as well. Since this needs to be done on several machines, I was hoping I could do it using PowerShell. I followed these
Controlling Registry ACL Permissions with Powershell
Change the owner of directories with powershell
but I still get this error
使用“3”参数调用“OpenSubKey”的异常: “不允许请求的注册表访问。”
The code I am trying to run is simple
# Try to open the key, requesting only the TakeOwnership right
$key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey(
    "CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}",
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    [System.Security.AccessControl.RegistryRights]::TakeOwnership
)
echo $key
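Any ideas on how to change the ownership of this key? I believe that once the ownership is changed to Administrator, I will be able to change the permissions using Set-Acl.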
【Comments】:
What happens if you use [Microsoft.Win32.RegistryKeyPermissionCheck]::Default instead of ReadWriteSubTree?
【Answer 1】: I was able to achieve this in PowerShell using the following script
# Checking OS Version and changing Registry Key permissions accordingly. We do need
# to change reg-key ownership for Win Server 2008, but in 2008 R2, owner of one of
# the required keys is TrustedInstaller instead of Administrator. Thus we need to
# change the owner back to Admin in order to make any changes to that key.
echo "Checking Operating System Version..."
$cv = (gi "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion")
$wv = $cv.GetValue("ProductName")
echo "$wv"
# Mounting HKey_ClassesRoot Registry key as a drive - Silent
New-PSDrive -name HKCR -PSProvider Registry -root HKEY_CLASSES_ROOT | Out-Null
$acl = Get-Acl "HKCR:\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}"
$owner = $acl.Owner
# Case 48188: Because Windows has server version like Windows Web Server 2008 R2, we
# cannot validate the version name using "Windows Server 2008 R2". We will only
# check if the name contains "Server 2008 R2".
if($wv.Contains("Server 2008 R2") -and !$owner.Contains("Administrators"))
{
    echo "Setting Administrators Group privileges in Windows Registry..."
    # enable-privilege is not defined in this script. It has to be defined
    # beforehand and return $true once the privilege is enabled on the process token.
    $boolResult = enable-privilege SeTakeOwnershipPrivilege
    if(-not $boolResult)
    {
        echo "Privileges could not be elevated. Changing ownership of the registry"
        echo "key would fail. Please change ownership of key"
        echo "HKCR\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6} to Administrators"
        echo "Group manually."
        return
    }
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey(
        "CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}",
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::takeownership
    )
    # You must get a blank acl for the key b/c you do not currently have access
    $acl = $key.GetAccessControl(
        [System.Security.AccessControl.AccessControlSections]::None
    )
    $owner = [System.Security.Principal.NTAccount]"Administrators"
    $acl.SetOwner($owner)
    $key.SetAccessControl($acl)
    # After you have set owner you need to get the acl with the perms so you can
    # modify it.
    $acl = $key.GetAccessControl()
    $person = [System.Security.Principal.NTAccount]"Administrators"
    $access = [System.Security.AccessControl.RegistryRights]"FullControl"
    $inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit"
    $propagation = [System.Security.AccessControl.PropagationFlags]"None"
    $type = [System.Security.AccessControl.AccessControlType]"Allow"
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $person,$access,$inheritance,$propagation,$type
    )
    $acl.SetAccessRule($rule)
    $key.SetAccessControl($acl)
    $key.Close()
    echo "Administrators Group ownership privileges set."
}
【Comments】:
You forgot to mention in the code the function that enable-privilege SeTakeOwnershipPrivilege comes from.
【Answer 2】:
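I ran into a similar problem before. Instead of trying to take ownership of the key, I changed its permissions so that everyone can read it (8). This can be done using "regini". I have a wrapper function that changes the permissions of the supplied key.
Example: Fix-RegistryPermission -server 'localhost' -key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum" -permissions '[1 8 17]'
For more information on the permission settings, run "regini" at a command prompt.
function Fix-RegistryPermission
{
    param (
        [string] $server,
        [string] $key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum",
        [string] $permissions = "[1 8 17]"
    )
    # Write "<key> <permissions>" to a temporary regini input file
    $("{0} {1}" -f $key, $permissions) | Out-File $("{0}\regini_input.txt" -f $Env:Temp);
    # Apply the permissions on the target machine
    & "regini" -m \\$server $("{0}\regini_input.txt" -f $Env:Temp);
    sleep 3;
    Remove-Item $("{0}\regini_input.txt" -f $Env:Temp);
}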