How do I take ownership of a registry key and delete it?

  • Question

  • The task is to mass-delete the registry key HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells on many machines. The owner of this key is TrustedInstaller, so to begin with I am trying to take ownership of it.

    I threw together a little PS script:

    # Read the key's current security descriptor through the registry provider
    $acl = Get-Acl "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells"
    $person = [System.Security.Principal.NTAccount]"BUILTIN\Administrators"
    $access = [System.Security.AccessControl.RegistryRights]"FullControl"
    $inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
    $propagation = [System.Security.AccessControl.PropagationFlags]"None"
    $type = [System.Security.AccessControl.AccessControlType]"Allow"
    # Build an inheritable Full Control ACE for Administrators; nothing here touches the owner
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($person,$access,$inheritance,$propagation,$type)
    $acl.AddAccessRule($rule)
    # Set-Acl writes the DACL back to the path carried by the ACL object; that needs WRITE_DAC on the key
    $acl | Set-Acl

    The script fails with the error: Set-Acl : Requested registry access is not allowed.

    In other words, I cannot take ownership of this registry key. If I change the owner by hand, everything works fine. What am I doing wrong?

    15 July 2019, 6:38

Answers

  • Thanks for the help. Solved with a plain batch file :)

    rem SetACL.exe (Helge Klein's tool) must be on the PATH. setowner is applied per key here, so the subkey is handled explicitly
    SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells" -ot reg -actn setowner -ownr "n:Administrators"
    SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells" -ot reg -actn ace -ace "n:Administrators;p:full"
    SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells" -ot reg -actn setowner -ownr "n:Administrators"
    SetACL.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells" -ot reg -actn ace -ace "n:Administrators;p:full"
    rem With Administrators owning both keys and holding Full Control, the whole tree can be removed
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells" /f

    • Marked as answer by Dshumov 15 July 2019, 10:05
    15 July 2019, 9:35

All replies

  • Unfortunately, that doesn't help....
    15 July 2019, 7:23
  • Trying this variant:

    # Open the key asking only for ChangePermissions (WRITE_DAC). OpenSubKey returns $null rather than
    # throwing when the name cannot be opened for any reason other than access denied, so $key must be
    # checked before use; the leading backslash in the subkey name is the likely reason it is $null here.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells',[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::ChangePermissions)
    $key |Format-List
    $acl = $key.GetAccessControl()
    # Full Control for a domain user; again this only edits the DACL, the owner is left as it is
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule ("nasta\shdma","FullControl","Allow")
    $acl.SetAccessRule($rule)
    $key.SetAccessControl($acl)

    From here. But that doesn't work either.... Errors:

    You cannot call a method on a null-valued expression.
    At line:3 char:1
    + $acl = $key.GetAccessControl()
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull
     
    You cannot call a method on a null-valued expression.
    At line:6 char:1
    + $key.SetAccessControl($acl)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull

    15 July 2019, 8:18
  • This script adds permissions but does not change the owner. The link I gave you above contains the very script that changes the owner (Enable Privilege). Have you tried it? What was the result?
    15 July 2019, 8:34
  • I tried it. Here are the errors:

    You cannot call a method on a null-valued expression.
    At line:35 char:9
    +         $regKey.SetAccessControl($acl)
    +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull
     
    You cannot call a method on a null-valued expression.
    At line:39 char:9
    +         $regKey.SetAccessControl($acl)
    +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull
     
    You cannot call a method on a null-valued expression.
    At line:52 char:32
    +             foreach($subKey in $regKey.OpenSubKey('').GetSubKeyNames()) {
    +                                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull
     

    15 July 2019, 8:39
  • That's the wrong script.

    Try this one, and with elevated privileges (as administrator). It should only change the owner:

    Function Enable-Privilege {
        param($Privilege)
        $Definition = @'
      using System;
      using System.Runtime.InteropServices;
      public class AdjPriv {
        [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
        internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
          ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr rele);
        [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
        internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
        [DllImport("advapi32.dll", SetLastError = true)]
        internal static extern bool LookupPrivilegeValue(string host, string name,
          ref long pluid);
        // TOKEN_PRIVILEGES with a single entry: PrivilegeCount, LUID, Attributes
        [StructLayout(LayoutKind.Sequential, Pack = 1)]
        internal struct TokPriv1Luid {
          public int Count;
          public long Luid;
          public int Attr;
        }
        internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
        internal const int TOKEN_QUERY = 0x00000008;
        internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
        internal const int ERROR_NOT_ALL_ASSIGNED = 1300;
        public static bool EnablePrivilege(long processHandle, string privilege) {
          bool retVal;
          TokPriv1Luid tp;
          IntPtr hproc = new IntPtr(processHandle);
          IntPtr htok = IntPtr.Zero;
          retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
            ref htok);
          if (!retVal) return false;
          tp.Count = 1;
          tp.Luid = 0;
          tp.Attr = SE_PRIVILEGE_ENABLED;
          retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
          if (!retVal) return false;
          retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero,
            IntPtr.Zero);
          // AdjustTokenPrivileges returns true even when the token does not hold the
          // privilege; ERROR_NOT_ALL_ASSIGNED in the last-error value is the real signal
          return retVal && Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        }
      }
    '@
        $ProcessHandle = (Get-Process -id $pid).Handle
        $type = Add-Type $definition -PassThru
        $type[0]::EnablePrivilege($processHandle, $Privilege)
      }

      # A do {} until (...) loop here would never terminate if the privilege is missing from the token
      if (-not (Enable-Privilege SeTakeOwnershipPrivilege)) {
        throw 'Could not enable SeTakeOwnershipPrivilege; run this from an elevated prompt'
      }
      # No leading backslash in the subkey name; OpenSubKey returns $null when the key cannot be opened
      $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells',
        'ReadWriteSubTree', 'TakeOwnership')
      if (-not $key) { throw 'Key not found' }
      $owner = [Security.Principal.NTAccount]'Administrators'
      $acl = $key.GetAccessControl()
      $acl.SetOwner($owner)
      $key.SetAccessControl($acl)

    and only after that try to add the permissions.

    15 July 2019, 8:51
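As an added example, not code from the thread and not SetACL: the same three steps (take ownership, grant Administrators Full Control, delete) as one PowerShell script. It goes a bit beyond the posts above in that it walks every subkey (the batch answer handles AvailableShells by hand), writes only the owner section of the security descriptor in the first step so that WRITE_OWNER is the only access it needs, and exports the key before touching it. It assumes an elevated Windows PowerShell 5.1 or later session running as a member of Administrators; the key path is the one from the question, and the names TokenPriv and Grant-RegKeyControl are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not code from the thread). Takes ownership of a TrustedInstaller-owned key
# and every subkey, grants BUILTIN\Administrators Full Control, then deletes the tree.
# Assumptions: elevated session, account is a member of Administrators (so the token holds
# SeTakeOwnershipPrivilege, disabled until enabled). TokenPriv / Grant-RegKeyControl are
# names chosen for this example; the key path is the one from the question.

$Definition = @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string host, string name, out long luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    // DWORD PrivilegeCount, LUID (8 bytes), DWORD Attributes; Pack = 1 keeps the LUID at offset 4.
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TOKEN_PRIVILEGES { public uint Count; public long Luid; public uint Attr; }
    const uint SE_PRIVILEGE_ENABLED = 0x2, TOKEN_QUERY = 0x8, TOKEN_ADJUST_PRIVILEGES = 0x20;
    const int ERROR_NOT_ALL_ASSIGNED = 1300;
    public static bool Enable(string privilege) {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            return false;
        try {
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.Count = 1; tp.Attr = SE_PRIVILEGE_ENABLED;
            if (!LookupPrivilegeValue(null, privilege, out tp.Luid)) return false;
            // AdjustTokenPrivileges returns TRUE even when the token does not hold the
            // privilege; only the last-error value (ERROR_NOT_ALL_ASSIGNED) tells the truth.
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
            return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        } finally { CloseHandle(token); }
    }
}
'@
if (-not ('TokenPriv' -as [type])) { Add-Type -TypeDefinition $Definition }
if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) {
    throw 'SeTakeOwnershipPrivilege is not in this token; run elevated as an administrator.'
}

$HKLM   = [Microsoft.Win32.Registry]::LocalMachine
$Admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
$Check  = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
$R      = [System.Security.AccessControl.RegistryRights]

function Grant-RegKeyControl {
    param([string]$SubKey)   # relative to HKLM, no leading backslash
    # Step 1: WRITE_OWNER is the only access SeTakeOwnershipPrivilege buys, so open with
    # TakeOwnership alone and write nothing but the owner section of the security descriptor.
    $key = $HKLM.OpenSubKey($SubKey, $Check, $R::TakeOwnership)
    if (-not $key) { throw "Key not found: HKLM\$SubKey" }   # OpenSubKey returns $null, not an exception
    $sd = New-Object System.Security.AccessControl.RegistrySecurity
    $sd.SetOwner($Admins)
    $key.SetAccessControl($sd)      # only the Owner section was modified, so only it is persisted
    $key.Close()
    # Step 2: the owner implicitly holds READ_CONTROL and WRITE_DAC, so reopen with just those
    # and add an explicit Full Control ACE (non-inheritable: every subkey is visited below anyway).
    $key = $HKLM.OpenSubKey($SubKey, $Check, ($R::ChangePermissions -bor $R::ReadPermissions))
    $sd  = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($Admins, 'FullControl', 'Allow')
    $sd.AddAccessRule($rule)
    $key.SetAccessControl($sd)
    $key.Close()
    # Step 3: Administrators can now read the key, so recurse into the subkeys.
    $key = $HKLM.OpenSubKey($SubKey, $false)
    foreach ($name in $key.GetSubKeyNames()) { Grant-RegKeyControl "$SubKey\$name" }
    $key.Close()
}

$Target = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells'
$Backup = Join-Path $env:TEMP 'AlternateShells.reg'

# Keep a copy of what is about to be deleted, and refuse to continue if the export fails.
& reg.exe export "HKLM\$Target" $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed ($LASTEXITCODE); nothing was changed." }

Write-Host "Owner before: $((Get-Acl "HKLM:\$Target" -ErrorAction SilentlyContinue).Owner)"
Grant-RegKeyControl $Target
Write-Host "Owner after:  $((Get-Acl "HKLM:\$Target").Owner)"

$HKLM.DeleteSubKeyTree($Target, $true)   # needs DELETE on every key, which Full Control grants
Write-Host "Deleted HKLM\$Target (backup: $Backup)"
```

Run it as a whole from an elevated prompt. Enabling SeTakeOwnershipPrivilege only buys WRITE_OWNER; the implicit READ_CONTROL and WRITE_DAC that the new owner receives are what make the second step possible, and the explicit per-key ACE avoids depending on inheritance propagating into subkeys that Administrators could not yet write.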