How to write in a registry key owned by TrustedInstaller


Problem description

In order to install a new property page into the Active Directory SnapIn, I need to write into the following registry key of W2K8 R2 (as documented by Microsoft)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\{E355E538-1C2E-11D0-8C37-00C04FD8FE93}\NodeTypes

This key is owned by a special user called TrustedInstaller. I found a lot of things on the net around that.

At the moment, here is the way it works, doing the following (the user is a member of the Administrators group):

  1. I give the user the privilege to take ownership.
  2. The user takes ownership.
  3. The user writes the registry.
  4. The user gives ownership to the Administrators group.

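My project is fully written in C# and there are two things that I don't like in the way I am doing it.

  • I use InteropServices to call the Win32 API AdjustTokenPrivileges. Does anyone know a pure C# way of doing this?

  • At the end, TrustedInstaller is no longer the owner of the key, and I am not able to give ownership back to it. It keeps full control, but I don't want my snap-in installation to be classified as damaging my server.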

So my question is: am I missing something? Is there a documented way to modify such a key, which is documented as modifiable?

There is an existing Stack Overflow question about that; the answer says that TrustedInstaller ownership means the key is part of system installation and not application installation. For me, if Microsoft documents how to modify a key, it's application installation.

Thanks in advance.

Recommended answer

So I found one of my problems.

When you want to take ownership of a resource you have to enable the SeTakeOwnershipPrivilege; this allows you to change the owner SID. But the new owner SID must be in the caller's token, plus, that SID must have the attribute SE_GROUP_OWNER. So in my case I was not able to change the owner SID back to S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 (TrustedInstaller). I was only able to take ownership, or to give ownership to the group "Administrators". I discovered that there is a kind of workaround whereby you can assign any arbitrary user as the owner, even if its SID is not in the token. The SeRestorePrivilege privilege is granted to administrators and backup operators, but NOT enabled by default. Enabling it allowed me to give back ownership to TrustedInstaller.

So it works doing the following (the user is a member of the Administrators group):

  1. I give the user the privilege to take ownership and enable the restore privilege.
  2. The user takes ownership.
  3. The user writes the registry.
  4. The user gives ownership back to the previous owner, TrustedInstaller.

I use InteropServices to call the Win32 AdjustTokenPrivileges API, and it seems to be the only way to do it in C#.

I will soon post on my blog a small tool that allows giving back ownership to TrustedInstaller.

Edited: Sorry for the delay, I just forgot it; you can find the code on Gist.
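The last step of the answer (enable both privileges, then hand the key back to TrustedInstaller), as an added example that is not the author's Gist tool or code from the original post. The class name `RestoreOwner`, the command-line argument (a subkey path under HKLM) and the 64-bit registry view are assumptions; it must run elevated as a member of the Administrators group.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

static class RestoreOwner   // hypothetical name
{
    // TOKEN_PRIVILEGES holding exactly one LUID_AND_ATTRIBUTES entry.
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, int access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out long luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TokPriv1Luid state, int len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);

    static void Enable(string privilege)
    {
        const int TOKEN_QUERY = 0x8, TOKEN_ADJUST_PRIVILEGES = 0x20, SE_PRIVILEGE_ENABLED = 0x2;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, out IntPtr token)) throw new Win32Exception();
        try
        {
            var tp = new TokPriv1Luid { Count = 1, Attr = SE_PRIVILEGE_ENABLED };
            if (!LookupPrivilegeValue(null, privilege, out tp.Luid)) throw new Win32Exception();
            // The call returns true even if the token lacks the privilege; last error is then 1300 (ERROR_NOT_ALL_ASSIGNED).
            bool ok = AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
            int error = Marshal.GetLastWin32Error();
            if (!ok || error != 0) throw new Win32Exception(error);
        }
        finally { CloseHandle(token); }
    }

    static void Main(string[] args)   // args[0]: subkey path under HKLM (assumption)
    {
        Enable("SeTakeOwnershipPrivilege");   // lets the key be opened with WRITE_OWNER
        Enable("SeRestorePrivilege");         // lets the owner be a SID that is not in the token
        var owner = new SecurityIdentifier("S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"); // TrustedInstaller SID quoted in the answer
        using (var hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
        using (var key = hklm.OpenSubKey(args[0], RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership))
        {
            if (key == null) throw new ArgumentException("Key not found: " + args[0]);
            var security = new RegistrySecurity();
            security.SetOwner(owner);         // only the owner is set on this descriptor
            key.SetAccessControl(security);
        }
    }
}
```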
