Remove a 'Deny' rule (permission) from the

Posted 2019-04-10 05:27

Question:

I am working on File Associations. I have identified that there is a key called UserChoice in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\[ext].

I have been able to read from and write to the UserChoice key provided that I create it and that it has not already been created by Windows. However, if the UserChoice key has already been created by Windows, then I need to run as Administrator to get access to the key. My ultimate goal is to delete the UserChoice key.

I have noted that Windows places a Deny rule on the UserChoice key which is preventing me from deleting that key. If I can succeed in removing that rule, I believe that I'll be able to delete the UserChoice key. Here is the code that I have tried:

public static void ShowSecurity(RegistryKey regKeyRoot, string user) {
    RegistrySecurity security = regKeyRoot.GetAccessControl(AccessControlSections.All);

    foreach (RegistryAccessRule ar in
        security.GetAccessRules(true, true, typeof(NTAccount))) {

        if (ar.IdentityReference.Value.Contains(user) &&
                ar.AccessControlType.ToString().ToLower() == "deny") {

            security.RemoveAccessRuleSpecific(ar);
            regKeyRoot.SetAccessControl(security);
        }
    }
}

When Windows creates the UserChoice key it adds a security rule for the current user of Type Deny; permission: Special. This rule is not inherited and applies to the UserChoice key only.

With some messing about and running as Administrator I am able to access that RegistryAccessRule. However even running as Administrator, I cannot remove this rule. I have read somewhere in my research that there is not a programmatic way to do it. I can remove this rule via RegEdit. I can also remove the UserChoice key using File Types Manager from NirSoft. So I assume there is some way to do this.

Summary: Is there a way that I can remove the Deny rule so that I can delete the UserChoice key?

Answer 1:

Your code example and the revisions suggested in the answer by @ali led me to a solution for overcoming the security setting that Windows places on the UserChoice key, which enabled me to delete that key.

My solution presumes that the UserChoice key is present in the HKEY_CURRENT_USER (HKCU) hive. If that is the case, the user owns the UserChoice key and therefore has the necessary privileges to change the security settings on that key and ultimately delete it. (This means that the user does not need to be a member of the Administrators group.)

The extensionKey parameter of this method is the parent key of the UserChoice key.

static void DeleteUserChoiceKey(RegistryKey extensionKey)
{
    const string userChoiceKeyName = "UserChoice";

    using (RegistryKey userChoiceKey =
        extensionKey.OpenSubKey(userChoiceKeyName,
            RegistryKeyPermissionCheck.ReadWriteSubTree,
            RegistryRights.ChangePermissions))
    {
        if (userChoiceKey == null) { return; }
        string userName = WindowsIdentity.GetCurrent().Name;
        RegistrySecurity security = userChoiceKey.GetAccessControl();

        AuthorizationRuleCollection accRules =
            security.GetAccessRules(true, true, typeof(NTAccount));

        foreach (RegistryAccessRule ar in accRules)
        {
            if (ar.IdentityReference.Value == userName &&
                ar.AccessControlType == AccessControlType.Deny)
            {
                security.RemoveAccessRuleSpecific(ar); // remove the 'Deny' permission
            }
        }

        userChoiceKey.SetAccessControl(security); // restore all original permissions
                                                  // *except* for the 'Deny' permission
    }

    extensionKey.DeleteSubKeyTree(userChoiceKeyName, true);
}
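
To see exactly what the Deny rule described in the question covers before changing anything, the following added example (not code from the question or from any answer) prints the owner and every ACE of a UserChoice key and marks Deny entries for the current user, matching by SID rather than by account-name string. The class name `UserChoiceAclDump` and the `.txt` default are assumptions for illustration; it is Windows-only.

```csharp
// Added example: read-only dump of the ACL on a UserChoice key.
using System;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

static class UserChoiceAclDump // hypothetical name
{
    const string FileExts =
        @"Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts";

    static int Main(string[] args)
    {
        // ".txt" is only a sample default; pass the extension to inspect.
        string ext = args.Length > 0 ? args[0] : ".txt";
        string path = FileExts + "\\" + ext + "\\UserChoice";

        // ReadPermissions (READ_CONTROL) is enough to read the owner and DACL.
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(
            path, RegistryKeyPermissionCheck.Default, RegistryRights.ReadPermissions))
        {
            if (key == null)
            {
                Console.WriteLine("No UserChoice key for " + ext);
                return 1;
            }

            SecurityIdentifier me = WindowsIdentity.GetCurrent().User;
            RegistrySecurity sec = key.GetAccessControl(
                AccessControlSections.Access | AccessControlSections.Owner);
            Console.WriteLine("Owner: " + sec.GetOwner(typeof(SecurityIdentifier)));

            // Requesting SecurityIdentifier avoids name translation and allows
            // an exact identity comparison instead of a substring match.
            foreach (RegistryAccessRule ace in
                sec.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            {
                bool userDeny = ace.AccessControlType == AccessControlType.Deny
                                && ace.IdentityReference.Equals(me);
                Console.WriteLine("{0,-5} {1,-46} {2} inherited={3}{4}",
                    ace.AccessControlType, ace.IdentityReference,
                    ace.RegistryRights, ace.IsInherited,
                    userDeny ? "  <-- deny ACE for current user" : "");
            }
        }
        return 0;
    }
}
```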


Answer 2:

A quick thought. Does it work if you take ownership of the regKey before changing the rules on it?



Answer 3:

public static void ShowSecurity(RegistryKey regKeyRoot, string user)
{
    regKeyRoot.OpenSubKey("", RegistryKeyPermissionCheck.ReadWriteSubTree,
        RegistryRights.ChangePermissions);

    RegistrySecurity security = regKeyRoot.GetAccessControl(AccessControlSections.All);

    security.SetGroup(new NTAccount("Administrators"));
    security.SetOwner(new NTAccount("ali")); // Your account name
    security.SetAccessRuleProtection(true, false);
    regKeyRoot.SetAccessControl(security);

    //---------

    foreach (RegistryAccessRule ar in security.GetAccessRules(true, true, typeof(NTAccount)))
    {
        if (ar.IdentityReference.Value.Contains(user) && ar.AccessControlType == AccessControlType.Deny)
            security.RemoveAccessRuleSpecific(ar);
    }

    regKeyRoot.SetAccessControl(security);
}