使用NSIS安装程序向注册表项授予权限的有效方法是什么？ [英] What is an effective way to grant permissions to a registry key using an NSIS installer?

问题描述

我正在尝试使用NSIS中的 AccessControl插件来设置注册表项的权限。它不起作用。安装程序运行后，所有用户组将没有完全控制权限。

I am attempting to use the AccessControl plugin in NSIS to set the permissions on a registry key. It is not working. After the installer runs, the All Users group does not have Full Control.

我在下面创建了一个示例。这里有什么问题吗？是否有另一种机制可以完成同一件事？我也曾尝试使用Everyone组S-1-1-0的数字形式我还没有尝试使用所有人。

I've created a sample below. Is there anything wrong here? Is there another mechanism to accomplish the same thing? I've also attempted to use the numeric form of the Everyone group S-1-1-0 I have not tried using "Everyone" yet.

  ; Create the key for local machine settings (could be a 32 bit or 64 bit location)
  SetRegView 32
  WriteRegStr HKLM "SOFTWARE\MyApp" "x" "y"
  SetRegView 64
  WriteRegStr HKLM "SOFTWARE\MyApp" "x" "y"

  ; Give all authenticated users (BUILTIN\Users) full access on the registry key HKEY_LOCAL_MACHINE\Software\MyApp
  SetRegView 32
  AccessControl::GrantOnRegKey HKLM "SOFTWARE\MyApp" "BUILTIN\USERS" "FullAccess"
  SetRegView 64
  AccessControl::GrantOnRegKey HKLM "SOFTWARE\MyApp" "BUILTIN\USERS" "FullAccess"

起初，我没有理会这两个注册表视图。但是，经过实验之后，为了排除WOW6432Node的问题，我将命令加倍了。我希望没有必要。

At first, I did not bother with the two registry views. But after experimentation, in an attempt to rule out issues with WOW6432Node, I doubled the commands. I hope it is not necessary.

推荐答案

在插件中使用SID时，语法为（S -1 -....）：

When using a SID with the plugin the syntax is (S-1-....):

WriteRegStr HKCU "Software\test" hello world
AccessControl::GrantOnRegKey HKCU "Software\test" "(S-1-1-0)" "FullAccess" ; Everyone

您可以找到此处的SID列表。

您可以使用 AccessControl :: NameToSid 将名称转换为其SID，但这样做会在非英语系统上出现本地化问题：

You can use AccessControl::NameToSid to transform a name to its SID but doing this can have localization issues on non-English systems:

AccessControl::NameToSid "BUILTIN\USERS"
Pop $0
StrCmp $0 "error" +2
AccessControl::GrantOnRegKey HKCU "Software\test" "($0)" "FullAccess"

更改所有者时，还可以使用 Machine\Username 语法。

When changing the owner you can also use the Machine\Username syntax.

诸如（BU）之类的别名仅适用于unicode版本，并且还取决于Windows版本因此最好坚持使用SID。

Aliases like (BU) only work in the unicode version and also depend on the Windows version so it is better to just stick with SIDs.

这篇关于使用NSIS安装程序向注册表项授予权限的有效方法是什么？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！