RegistrySecurity 类
定义
重要
一些信息与预发行产品相关,相应产品在发行之前可能会进行重大修改。 对于此处提供的信息,Microsoft 不作任何明示或暗示的担保。
表示注册表项的Windows访问控制安全性。 此类不能被继承。
public ref class RegistrySecurity sealed : System::Security::AccessControl::NativeObjectSecuritypublic sealed class RegistrySecurity : System.Security.AccessControl.NativeObjectSecurity[System.Security.SecurityCritical]
public sealed class RegistrySecurity : System.Security.AccessControl.NativeObjectSecuritytype RegistrySecurity = class
inherit NativeObjectSecurity[<System.Security.SecurityCritical>]
type RegistrySecurity = class
inherit NativeObjectSecurityPublic NotInheritable Class RegistrySecurity
Inherits NativeObjectSecurity- 继承
- 属性
示例
本部分包含两个代码示例。 第一个示例显示添加和删除时兼容的规则合并方式,第二个示例显示继承和传播标志如何影响规则的添加和删除。
示例 1
下面的代码示例演示了该方法如何 RemoveAccessRule 从兼容规则中删除权限,以及该方法如何将 AddAccessRule 权限与兼容规则合并。
该示例创建一个 RegistrySecurity 对象并添加一个允许当前用户 RegistryRights.ReadKey 权限的规则。 然后,该示例创建一个规则,该规则授予用户 RegistryRights.SetValue,其继承和传播权限与第一个规则相同,并使用 RemoveAccessRule 该方法从 RegistrySecurity 对象中删除此新规则。 SetValue 是其组成部分 ReadKey,因此会将其从兼容规则中删除。 将显示对象中的 RegistrySecurity 规则,其中显示了其余组成部分 ReadKey。
然后,示例代码调用 AddAccessRule 方法,将右侧合并 SetValue 回对象中的 RegistrySecurity 规则中。
注释
此示例不将安全对象附加到对象 RegistryKey 。 本节中的第二个示例附加了一个安全对象,然后执行示例RegistryKey.GetAccessControl。RegistryKey.SetAccessControl
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Security;
using Microsoft.Win32;
public class Example
{
public static void Main()
{
string user = Environment.UserDomainName + "\\"
+ Environment.UserName;
// Create a security object that grants no access.
RegistrySecurity mSec = new RegistrySecurity();
// Add a rule that grants the current user ReadKey
// rights. ReadKey is a combination of four other
// rights. The rule is inherited by all
// contained subkeys.
RegistryAccessRule rule = new RegistryAccessRule(user,
RegistryRights.ReadKey,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow);
mSec.AddAccessRule(rule);
// Create a rule that allows the current user only the
// right to query the key/value pairs of a key, using
// the same inheritance and propagation flags as the
// first rule. QueryValues is a constituent of
// ReadKey, so when this rule is removed, using the
// RemoveAccessRule method, ReadKey is broken into
// its constituent parts.
rule = new RegistryAccessRule(user,
RegistryRights.QueryValues,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow);
mSec.RemoveAccessRule(rule);
// Display the rules in the security object.
ShowSecurity(mSec);
// Add the second rule back. It merges with the
// existing rule, so that the rule is now displayed
// as ReadKey.
mSec.AddAccessRule(rule);
// Display the rules in the security object.
ShowSecurity(mSec);
}
private static void ShowSecurity(RegistrySecurity security)
{
Console.WriteLine("\r\nCurrent access rules:\r\n");
foreach( RegistryAccessRule ar in security.GetAccessRules(true, true, typeof(NTAccount)) )
{
Console.WriteLine(" User: {0}", ar.IdentityReference);
Console.WriteLine(" Type: {0}", ar.AccessControlType);
Console.WriteLine(" Rights: {0}", ar.RegistryRights);
Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags);
Console.WriteLine(" Propagation: {0}", ar.PropagationFlags);
Console.WriteLine(" Inherited? {0}", ar.IsInherited);
Console.WriteLine();
}
}
}
/* This code example produces output similar to following:
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: EnumerateSubKeys, Notify, ReadPermissions
Inheritance: ContainerInherit
Propagation: None
Inherited? False
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? False
*/
Option Explicit
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports System.Security
Imports Microsoft.Win32
Public Class Example
Public Shared Sub Main()
Dim user As String = Environment.UserDomainName _
& "\" & Environment.UserName
' Create a security object that grants no access.
Dim mSec As New RegistrySecurity()
' Add a rule that grants the current user ReadKey
' rights. ReadKey is a combination of four other
' rights. The rule is inherited by all
' contained subkeys.
Dim rule As New RegistryAccessRule(user, _
RegistryRights.ReadKey, _
InheritanceFlags.ContainerInherit, _
PropagationFlags.None, _
AccessControlType.Allow)
mSec.AddAccessRule(rule)
' Create a rule that allows the current user only the
' right to query the key/value pairs of a key, using
' the same inheritance and propagation flags as the
' first rule. QueryValues is a constituent of
' ReadKey, so when this rule is removed, using the
' RemoveAccessRule method, ReadKey is broken into
' its constituent parts.
rule = New RegistryAccessRule(user, _
RegistryRights.QueryValues, _
InheritanceFlags.ContainerInherit, _
PropagationFlags.None, _
AccessControlType.Allow)
mSec.RemoveAccessRule(rule)
' Display the rules in the security object.
ShowSecurity(mSec)
' Add the second rule back. It merges with the
' existing rule, so that the rule is now displayed
' as ReadKey.
mSec.AddAccessRule(rule)
' Display the rules in the security object.
ShowSecurity(mSec)
End Sub
Private Shared Sub ShowSecurity(ByVal security As RegistrySecurity)
Console.WriteLine(vbCrLf & "Current access rules:" & vbCrLf)
For Each ar As RegistryAccessRule In _
security.GetAccessRules(True, True, GetType(NTAccount))
Console.WriteLine(" User: {0}", ar.IdentityReference)
Console.WriteLine(" Type: {0}", ar.AccessControlType)
Console.WriteLine(" Rights: {0}", ar.RegistryRights)
Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags)
Console.WriteLine(" Propagation: {0}", ar.PropagationFlags)
Console.WriteLine(" Inherited? {0}", ar.IsInherited)
Console.WriteLine()
Next
End Sub
End Class
'This code example produces output similar to following:
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: EnumerateSubKeys, Notify, ReadPermissions
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? False
'
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? False
'
示例 2
下面的代码示例演示了具有继承和传播的访问规则。 该示例创建一个对象,然后创建并添加两个 RegistrySecurity 具有 ContainerInherit 标志的规则。 第一个规则没有传播标志,而第二个规则具有 NoPropagateInherit 和 InheritOnly。
程序在对象中 RegistrySecurity 显示规则,然后使用 RegistrySecurity 该对象创建子项。 该程序创建子子项和孙子子项,然后显示每个子项的安全性。 最后,程序删除测试密钥。
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Security;
using Microsoft.Win32;
public class Example
{
public static void Main()
{
const string TestKey = "TestKey3927";
RegistryKey cu = Registry.CurrentUser;
string user = Environment.UserDomainName +
"\\" + Environment.UserName;
// Create a security object that grants no access.
RegistrySecurity mSec = new RegistrySecurity();
// Add a rule that grants the current user the right
// to read and enumerate the name/value pairs in a key,
// to read its access and audit rules, to enumerate
// its subkeys, to create subkeys, and to delete the key.
// The rule is inherited by all contained subkeys.
//
RegistryAccessRule rule = new RegistryAccessRule(user,
RegistryRights.ReadKey | RegistryRights.WriteKey
| RegistryRights.Delete,
InheritanceFlags.ContainerInherit,
PropagationFlags.None,
AccessControlType.Allow
);
mSec.AddAccessRule(rule);
// Add a rule that allows the current user the right
// right to set the name/value pairs in a key.
// This rule is inherited by contained subkeys, but
// propagation flags limit it to immediate child
// subkeys.
rule = new RegistryAccessRule(user,
RegistryRights.ChangePermissions,
InheritanceFlags.ContainerInherit,
PropagationFlags.InheritOnly |
PropagationFlags.NoPropagateInherit,
AccessControlType.Allow);
mSec.AddAccessRule(rule);
// Display the rules in the security object.
ShowSecurity(mSec);
// Create the test key using the security object.
//
RegistryKey rk = cu.CreateSubKey(TestKey,
RegistryKeyPermissionCheck.ReadWriteSubTree, mSec);
// Create a child subkey and a grandchild subkey,
// without security.
RegistryKey rkChild = rk.CreateSubKey("ChildKey",
RegistryKeyPermissionCheck.ReadWriteSubTree);
RegistryKey rkGrandChild =
rkChild.CreateSubKey("GrandChildKey",
RegistryKeyPermissionCheck.ReadWriteSubTree);
Show(rk);
Show(rkChild);
Show(rkGrandChild);
rkGrandChild.Close();
rkChild.Close();
rk.Close();
cu.DeleteSubKeyTree(TestKey);
}
private static void Show(RegistryKey rk)
{
Console.WriteLine(rk.Name);
ShowSecurity(rk.GetAccessControl());
}
private static void ShowSecurity(RegistrySecurity security)
{
Console.WriteLine("\r\nCurrent access rules:\r\n");
foreach( RegistryAccessRule ar in security.GetAccessRules(true, true, typeof(NTAccount)) )
{
Console.WriteLine(" User: {0}", ar.IdentityReference);
Console.WriteLine(" Type: {0}", ar.AccessControlType);
Console.WriteLine(" Rights: {0}", ar.RegistryRights);
Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags);
Console.WriteLine(" Propagation: {0}", ar.PropagationFlags);
Console.WriteLine(" Inherited? {0}", ar.IsInherited);
Console.WriteLine();
}
}
}
/* This code example produces output similar to following:
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: SetValue, CreateSubKey, Delete, ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? False
User: TestDomain\TestUser
Type: Allow
Rights: ChangePermissions
Inheritance: ContainerInherit
Propagation: NoPropagateInherit, InheritOnly
Inherited? False
HKEY_CURRENT_USER\TestKey3927
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: SetValue, CreateSubKey, Delete, ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? False
User: TestDomain\TestUser
Type: Allow
Rights: ChangePermissions
Inheritance: ContainerInherit
Propagation: NoPropagateInherit, InheritOnly
Inherited? False
HKEY_CURRENT_USER\TestKey3927\ChildKey
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: SetValue, CreateSubKey, Delete, ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? True
User: TestDomain\TestUser
Type: Allow
Rights: ChangePermissions
Inheritance: None
Propagation: None
Inherited? True
HKEY_CURRENT_USER\TestKey3927\ChildKey\GrandChildKey
Current access rules:
User: TestDomain\TestUser
Type: Allow
Rights: SetValue, CreateSubKey, Delete, ReadKey
Inheritance: ContainerInherit
Propagation: None
Inherited? True
*/
Option Explicit
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports System.Security
Imports Microsoft.Win32
Public Class Example
Public Shared Sub Main()
Const TestKey As String = "TestKey3927"
Dim cu As RegistryKey = Registry.CurrentUser
Dim user As String = Environment.UserDomainName _
& "\" & Environment.UserName
' Create a security object that grants no access.
Dim mSec As New RegistrySecurity()
' Add a rule that grants the current user the right
' to read and enumerate the name/value pairs in a key,
' to read its access and audit rules, to enumerate
' its subkeys, to create subkeys, and to delete the key.
' The rule is inherited by all contained subkeys.
'
Dim rule As New RegistryAccessRule(user, _
RegistryRights.ReadKey Or RegistryRights.WriteKey _
Or RegistryRights.Delete, _
InheritanceFlags.ContainerInherit, _
PropagationFlags.None, _
AccessControlType.Allow)
mSec.AddAccessRule(rule)
' Add a rule that allows the current user the right
' right to set the name/value pairs in a key.
' This rule is inherited by contained subkeys, but
' propagation flags limit it to immediate child
' subkeys.
rule = New RegistryAccessRule(user, _
RegistryRights.ChangePermissions, _
InheritanceFlags.ContainerInherit, _
PropagationFlags.InheritOnly Or PropagationFlags.NoPropagateInherit, _
AccessControlType.Allow)
mSec.AddAccessRule(rule)
' Display the rules in the security object.
ShowSecurity(mSec)
' Create the test key using the security object.
'
Dim rk As RegistryKey = cu.CreateSubKey(TestKey, _
RegistryKeyPermissionCheck.ReadWriteSubTree, _
mSec)
' Create a child subkey and a grandchild subkey,
' without security.
Dim rkChild As RegistryKey= rk.CreateSubKey("ChildKey", _
RegistryKeyPermissionCheck.ReadWriteSubTree)
Dim rkGrandChild As RegistryKey = _
rkChild.CreateSubKey("GrandChildKey", _
RegistryKeyPermissionCheck.ReadWriteSubTree)
Show(rk)
Show(rkChild)
Show(rkGrandChild)
rkGrandChild.Close()
rkChild.Close()
rk.Close()
cu.DeleteSubKeyTree(TestKey)
End Sub
Private Shared Sub Show(ByVal rk As RegistryKey)
Console.WriteLine(rk.Name)
ShowSecurity(rk.GetAccessControl())
End Sub
Private Shared Sub ShowSecurity(ByVal security As RegistrySecurity)
Console.WriteLine(vbCrLf & "Current access rules:" & vbCrLf)
For Each ar As RegistryAccessRule In _
security.GetAccessRules(True, True, GetType(NTAccount))
Console.WriteLine(" User: {0}", ar.IdentityReference)
Console.WriteLine(" Type: {0}", ar.AccessControlType)
Console.WriteLine(" Rights: {0}", ar.RegistryRights)
Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags)
Console.WriteLine(" Propagation: {0}", ar.PropagationFlags)
Console.WriteLine(" Inherited? {0}", ar.IsInherited)
Console.WriteLine()
Next
End Sub
End Class
'This code example produces output similar to following:
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: SetValue, CreateSubKey, Delete, ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? False
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: ChangePermissions
' Inheritance: ContainerInherit
' Propagation: NoPropagateInherit, InheritOnly
' Inherited? False
'
'HKEY_CURRENT_USER\TestKey3927
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: SetValue, CreateSubKey, Delete, ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? False
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: ChangePermissions
' Inheritance: ContainerInherit
' Propagation: NoPropagateInherit, InheritOnly
' Inherited? False
'
'HKEY_CURRENT_USER\TestKey3927\ChildKey
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: SetValue, CreateSubKey, Delete, ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? True
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: ChangePermissions
' Inheritance: None
' Propagation: None
' Inherited? True
'
'HKEY_CURRENT_USER\TestKey3927\ChildKey\GrandChildKey
'
'Current access rules:
'
' User: TestDomain\TestUser
' Type: Allow
' Rights: SetValue, CreateSubKey, Delete, ReadKey
' Inheritance: ContainerInherit
' Propagation: None
' Inherited? True
注解
对象 RegistrySecurity 指定注册表项的访问权限,并指定如何审核访问尝试。 对注册表项的访问权限以规则表示,每个访问规则都由对象 RegistryAccessRule 表示。 每个审核规则都由一个 RegistryAuditRule 对象表示。
这反映了基础 Windows 安全系统,其中每个安全对象最多具有一个可自由访问控制列表(DACL),用于控制对受保护对象的访问,以及最多一个系统访问控制列表(SACL),用于指定审核哪些访问尝试。 DACL 和 SACL 是访问控制条目(ACE)的有序列表,用于为用户和组指定访问和审核。 A RegistryAccessRule 或 RegistryAuditRule 对象可能表示多个 ACE。
注释
Windows访问控制安全性只能应用于注册表项。 它不能应用于存储在密钥中的单个键/值对。
和RegistrySecurityRegistryAccessRuleRegistryAuditRule类隐藏 ACL 和 ACE 的实现详细信息。 它们允许你忽略十七种不同的 ACE 类型以及正确维护访问权限继承和传播的复杂性。 这些对象还旨在防止以下常见访问控制错误:
使用 null DACL 创建安全描述符。 对 DACL 的空引用允许任何用户向对象添加访问规则,从而可能创建拒绝服务攻击。 新 RegistrySecurity 对象始终以空 DACL 开头,拒绝所有用户的所有访问。
违反 ACE 规范排序。 如果 DACL 中的 ACE 列表未按规范顺序保留,则用户可能会无意中获得对受保护对象的访问。 例如,拒绝的访问权限必须始终显示在允许的访问权限之前。 RegistrySecurity 对象在内部保持正确的顺序。
作安全描述符标志,该标志应仅在资源管理器控制下。
创建 ACE 标志的无效组合。
作继承的 ACE。 继承和传播由资源管理器处理,以响应对访问和审核规则所做的更改。
将无意义的 ACE 插入 ACL。
.NET 安全对象不支持的唯一功能是大多数应用程序开发人员应避免的危险活动,如下所示:
通常由资源管理器执行的低级别任务。
以不维护规范顺序的方式添加或删除访问控制条目。
若要修改注册表项的Windows访问控制安全性,请使用 RegistryKey.GetAccessControl 方法获取 RegistrySecurity 对象。 通过添加和删除规则来修改安全对象,然后使用 RegistryKey.SetAccessControl 该方法重新附加它。
Important
对 RegistrySecurity 对象的更改不会影响注册表项的访问级别,直到调用 RegistryKey.SetAccessControl 方法将更改的安全对象分配给注册表项。
若要将访问控制安全性从一个注册表项复制到另一个注册表项,请使用 RegistryKey.GetAccessControl 该方法获取表示第一 RegistrySecurity 个注册表项的访问和审核规则的对象,然后使用 RegistryKey.SetAccessControl 该方法将这些规则分配给第二个注册表项。 还可以使用采用 RegistryKey.OpenSubKey 对象参数的或 RegistryKey.CreateSubKey 方法将规则分配给第二个 RegistrySecurity 注册表项。
对安全描述符定义语言(SDDL)进行投资的用户可以使用 SetSecurityDescriptorSddlForm 该方法设置注册表项的访问规则,以及 GetSecurityDescriptorSddlForm 获取表示 SDDL 格式访问规则的字符串的方法。 不建议对新开发执行此作。
构造函数
| 名称 | 说明 |
|---|---|
| RegistrySecurity() |
使用默认值初始化类的新实例 RegistrySecurity 。 |
