我正在尝试删除我之前设置的注册表审核规则,但它不起作用,而且我不知道我遗漏了什么/做错了什么。
在注册表项上设置审核规则效果很好:
$RegistryKey = 'HKCU:\Control Panel\Desktop'
$AuditIdentityReference = "Everyone"
$AuditRegistryRights = "SetValue,Delete"
$AuditInheritanceFlags = "ContainerInherit,ObjectInherit"
$AuditPropagationFlags = "None"
$AuditFlags = "success"
$AuditRule = New-Object System.Security.AccessControl.RegistryAuditRule ($AuditIdentityReference,$AuditRegistryRights,$AuditInheritanceFlags,$AuditPropagationFlags,$AuditFlags)
$ACL = Get-Acl $RegistryKey
$ACL.AddAuditRule($AuditRule)
$ACL | Set-Acl -Path $RegistryKey
Get-Acl $RegistryKey -Audit | Select Path -ExpandProperty Audit | fl *
我的理解是我需要构建我希望删除的 $Rule,然后使用 .RemoveAuditRule($Rule)。但是尽管该方法返回“true”,审计规则仍然存在:
$RegistryKey = 'HKCU\Control Panel\Desktop'
$AuditIdentityReference = "Everyone"
$AuditRegistryRights = "SetValue,Delete"
$AuditInheritanceFlags = "ContainerInherit,ObjectInherit"
$AuditPropagationFlags = "None"
$AuditFlags = "success"
$AuditRule = New-Object System.Security.AccessControl.RegistryAuditRule ($AuditIdentityReference,$AuditRegistryRights,$AuditInheritanceFlags,$AuditPropagationFlags,$AuditFlags)
$ACL = Get-Acl $RegistryKey
$ACL.RemoveAuditRule($AuditRule)
$ACL | Set-Acl -Path $RegistryKey
Get-Acl $RegistryKey -Audit | Select Path -ExpandProperty Audit | fl *
在文件系统上做类似的事情虽然工作正常:
$Dir = 'C:\Testing'
$ACL = get-acl $Dir
$Rule = new-object System.Security.AccessControl.FileSystemAuditRule("Everyone","CreateDirectories,CreateFiles,Delete,DeleteSubdirectoriesAndFiles,Write,WriteData","ContainerInherit,ObjectInherit","None","Success,Failure")
$ACL.AddAuditRule($Rule)
$ACL | Set-Acl -Path $Dir
$ACL.RemoveAuditRule($Rule)
$ACL | Set-Acl -Path $Dir
最佳答案
在获取 ACL 时,您没有包含 SACL,因此无需删除任何内容。
改变这个:
$ACL = Get-Acl $RegistryKey
$ACL.RemoveAuditRule($AuditRule)
$ACL | Set-Acl -Path $RegistryKey进入这个:
$ACL = Get-Acl $RegistryKey <b>-Audit</b>
$ACL.RemoveAuditRule($AuditRule)
$ACL | Set-Acl -Path $RegistryKey问题就会消失。
关于powershell - 如何删除注册表审核规则?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/32585386/