powershell - 在 Windows Server 2008 R2 上将 HKCR\CLSID\* key 的所有者更改为管理员

Question

Win Server 2008 R2 上有一个注册表项，

HKCR:\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

其所有者不是管理员。它是 TrustedInstaller。现在制作 Remote DCOM/WMI 连接正常，我需要授予管理员权限才能拥有 完全控制此 key 和所有权。因为这需要在 几台机器，我希望我可以使用 Powershell 来做到这一点。我跟着 这些

Controlling Registry ACL Permissions with Powershell

Change the owner of directories with powershell

但是我还是报错

Exception calling "OpenSubKey" with "3" argument(s):
"Requested registry access is not allowed."

The code I am trying to run is simple

$key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey(
  "CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}",
  [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
  [System.Security.AccessControl.RegistryRights]::TakeOwnership
)
echo $key

关于如何更改此 key 的所有权的任何想法？我相信一旦拥有 更改为管理员，我将能够使用 Set-Acl 更改权限。

Answer 1

我能够使用以下脚本在 powershell 中实现这一点

# Checking OS Version and changing Registry Key permissions accordingly. We do need
# to change reg-key ownership for Win Server 2008, but in 2008 R2, owner of one of
# the required keys is TrustedInstaller instead of Administrator. Thus we need to
# change the owner back to Admin in order to make any changes to that key.
echo "Checking Operating System Version..."
$cv = (gi "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion")
$wv = $cv.GetValue("ProductName")
echo "$wv"
# Mounting HKey_ClassesRoot Registry key as a drive - Silent
New-PSDrive -name HKCR -PSProvider Registry -root HKEY_CLASSES_ROOT | Out-Null
$acl = Get-Acl "HKCR:\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}"
$owner = $acl.Owner
# Case 48188: Because Windows has server version like Windows Web Server 2008 R2, we
# cannot validate the version name using "Windows Server 2008 R2". We will only
# check if the name contains "Server 2008 R2".
if($wv.Contains("Server 2008 R2") -and !$owner.Contains("Administrators"))
{
  echo "Setting Administrators Group privileges in Windows Registry..."
  $boolResult = enable-privilege SeTakeOwnershipPrivilege
    if(-not $boolResult)
    {
      echo "Privileges could not be elevated. Changing ownership of the registry"
      echo "key would fail. Please change ownership of key"
      echo "HKCR\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6} to Administrators"
      echo "Group manually."
      return
    }
  $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey(
    "CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}",
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    [System.Security.AccessControl.RegistryRights]::takeownership
  )
  # You must get a blank acl for the key b/c you do not currently have access
  $acl = $key.GetAccessControl(
    [System.Security.AccessControl.AccessControlSections]::None
  )
  $owner = [System.Security.Principal.NTAccount]"Administrators"
  $acl.SetOwner($owner)
  $key.SetAccessControl($acl)

  # After you have set owner you need to get the acl with the perms so you can
  # modify it.
  $acl = $key.GetAccessControl()
  $person = [System.Security.Principal.NTAccount]"Administrators"
  $access = [System.Security.AccessControl.RegistryRights]"FullControl"
  $inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit"
  $propagation = [System.Security.AccessControl.PropagationFlags]"None"
  $type = [System.Security.AccessControl.AccessControlType]"Allow"

  $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $person,$access,$inheritance,$propagation,$type
  )
  $acl.SetAccessRule($rule)
  $key.SetAccessControl($acl)

  $key.Close()
  echo "Administrators Group ownership privileges set."
}