Безопасность реестра с спецсимволами.

amel27 · Отправлено: **11:41, 26-03-2009** | #2

гляньте тут: VBS/WSH/JS - [решено] Изменение разрешения на ветку реестра

thebas · Отправлено: **13:36, 26-03-2009** | #3

Прочитал статью заинсталил себе adsi sdk
Скопировал с сайта скрипт

Код:

 
'//////////////////////////////////////////////////////////////////////////
'/// Name:	RegPerm.vbs
'/// Version:	1.0
'/// Date:	09/01/02
'/// Purpose: 	displaying and setting permissions on the registry keys
'/// OS:	Windows 2000, XP
'/// Reqs:	ADsSecurity.dll (registered)
'/// Syntax:	cscript /nologo RegPerm.vbs ACTION=SET TARGET=Registry_Key _
'///			ACCOUNT=Domain\Account PERM=Read|Change|Full|NoAccess INH=YES|NO"
'///		where	ACTION is set to SHOW or SET (to display or set permissions)"
'///			TARGET is full path to registry key (computer name is optional)
'///			e.g. "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
'///			if computer name is omitted, local system is used
'///			ACCOUNT is user or group in DOMAIN\AccountName format
'///			PERM specifies type of permissions to be set
'///			INH determines permission inheritance (Yes or No)
'//////////////////////////////////////////////////////////////////////////

Option Explicit
'On Error Resume Next

'////////////////////////////////////////////////////
'/// Constant Declarations

'////////////////////////////////////////////////////
'/// Access Control Entry Inheritance Flags
'/// Allowed values for the IADsAccessControlEntry::AceFlags property.

const ADS_ACEFLAG_UNKNOWN                  	= &h1

'/// child objects will inherit ACE of current object
const ADS_ACEFLAG_INHERIT_ACE 			= &h2
'/// prevents ACE inherited by the object from further propagation
const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE 	= &h4
'/// indicates ACE used only for inheritance (it does not affect permissions    on object itself)
const ADS_ACEFLAG_INHERIT_ONLY_ACE 		= &h8
'/// indicates that ACE was inherited
const ADS_ACEFLAG_INHERITED_ACE 		= &h10
'/// indicates that inherit flags are valid (provides confirmation of valid settings)
const ADS_ACEFLAG_VALID_INHERIT_FLAGS 		= &h1f
'/// for auditing success in system audit ACE
const ADS_ACEFLAG_SUCCESSFUL_ACCESS 		= &h40
'/// for auditing failure in system audit ACE
const ADS_ACEFLAG_FAILED_ACCESS 		= &h80

'//////////////////////////////////////////////////
'/// Access Control Entry Type Values
'/// Allowed values for the IADsAccessContronEntry::AceType property.

const ADS_ACETYPE_ACCESS_ALLOWED           	= 0
const ADS_ACETYPE_ACCESS_DENIED            	= &h1
const ADS_ACETYPE_SYSTEM_AUDIT             	= &h2
const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT    	= &h5
const ADS_ACETYPE_ACCESS_DENIED_OBJECT    	= &h6
const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT     	= &h7

'//////////////////////////////////////////////////
'/// Registry Permission Type Values

Const KEY_QUERY_VALUE 		= &H0001
Const KEY_SET_VALUE 		= &H0002
Const KEY_CREATE_SUB_KEY 	= &H0004
Const KEY_ENUMERATE_SUB_KEYS 	= &H0008
Const KEY_NOTIFY 		= &H0010
Const KEY_CREATE_LINK 		= &H0020
Const DELETE 			= &H00010000
Const READ_CONTROL 		= &H00020000
Const WRITE_DAC 		= &H00040000
Const WRITE_OWNER 		= &H00080000

Dim KEY_READ		'access mask designating read access to registry key
Dim KEY_WRITE		'access mask designating write access to registry key
Dim KEY_ALL_ACCESS	'access mask designating full access to registry key

Dim iOffset		'used for display only (left justifying displayed values)
Dim sAction		'type of action to perform (show or set)
Dim sPermission		'permission type (read, change, full, or no access)
Dim sAccount		'user or group account for which permissions are set
Dim sTarget		'string representing path to target registry key
Dim sInh		'value representing inheritance behavior (1 yes, 0 no)

Dim oADSSecurity	'object representing ADsSecurity class
Dim oTargetSD		'object representing security descriptor of registry key
Dim oDACL		'object representing Discretionary Access Control List

'//////////////////////////////////////////////////
'/// Set variables

'/// KEY_READ is a combination of KEY_QUERY_VALUE,
' 	KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, and READ_CONTROL access.
KEY_READ = KEY_QUERY_VALUE + KEY_ENUMERATE_SUB_KEYS + KEY_NOTIFY + READ_CONTROL

'/// KEY_WRITE is a combination of KEY_SET_VALUE and KEY_CREATE_SUB_KEY access.
KEY_WRITE = KEY_SET_VALUE + KEY_CREATE_SUB_KEY + READ_CONTROL

'/// KEY_FULL_ACCESS is a combination of KEY_QUERY_VALUE, KEY_SET_VALUE,
'	KEY_CREATE_SUB_KEY, KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY,	KEY_CREATE_LINK,
'	DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access.
KEY_ALL_ACCESS = KEY_QUERY_VALUE + KEY_SET_VALUE + KEY_CREATE_SUB_KEY + _
		KEY_ENUMERATE_SUB_KEYS + KEY_NOTIFY + KEY_CREATE_LINK + _
		DELETE + READ_CONTROL + WRITE_DAC + WRITE_OWNER

iOffset 		= 20

'//////////////////////////////////////////////////
'/// Retrieve script arguments

Call GetArguments(Wscript.Arguments, sAction, sTarget, sAccount, sPermission, sInh)

Set oADSSecurity 	= CreateObject("ADsSecurity")
Set oTargetSD		= oADsSecurity.GetSecurityDescriptor("RGY://" & sTarget)
Set oDACL		= oTargetSD.DiscretionaryACL

Select Case UCase(sAction)

	Case "SHOW"
			Call DisplayACLs()
	Case "SET"
			Call SetACLs(sAccount, sPermission, sInh)
	Case Else
			Call DisplayUsage("ERROR: Incorrect ACTION type")

End Select

Set oDACL		= Nothing
Set oTargetSD		= Nothing
Set oADsSecurity	= Nothing

Wscript.Quit


'///////////////////////////////////////////////////////////////////
'/// Name:	GetArguments
'/// Purpose:	Reading command line arguments
'/// Input:	oArgs		WScript.Arguments collection
'/// Output:	sAction		Action type (SET or SHOW)
'///		sTarget		Registry key
'///		sAccount	Account to set permissions for
'///		sPermission	Type of permissions to set
'///		sInh		Permission inheritance (1 yes, 0 no)
'///////////////////////////////////////////////////////////////////

Sub GetArguments(oArgs, sAction, sTarget, sAccount, sPermission, sInh)

Dim iCount

For iCount=0 To oArgs.Count - 1
	Select Case UCase(Split(WScript.Arguments(iCount), "=")(0))
		Case "ACTION" 	sAction 	= Split(WScript.Arguments(iCount), "=")(1)
		Case "TARGET"	sTarget 	= Split(WScript.Arguments(iCount), "=")(1)
		Case "ACCOUNT" 	sAccount	= Split(WScript.Arguments(iCount), "=")(1)
		Case "PERM" 	sPermission 	= Split(WScript.Arguments(iCount), "=")(1)
		Case "INH"	sInh		= Split(WScript.Arguments(iCount), "=")(1)
	End Select
Next

If sAction = "" or sTarget = "" or (sAction = "SET" and (sTarget = "" or sAccount = "")) Then
	Call DisplayUsage("ERROR: Missing argument(s)")
	WScript.Quit
End If

end sub

'///////////////////////////////////////////////////////////////////
'/// Name:	DisplayUsage
'/// Purpose:	Displaying usage of the script from the command line
'/// Input:	sHeader		Header for Message Box
'///////////////////////////////////////////////////////////////////

sub DisplayUsage(sHeader)

Dim sMsg

	sMsg = "To display permissions on a registry key, run:"
	sMsg = sMsg & VbCrLf & _
		"cscript //nologo RegPerms.vbs ACTION=SHOW TARGET=Registry_Key"
	sMsg = sMsg & VbCrLf & vbCrLf & "To set permissions on a registry key run:"
	sMsg = sMsg & VbCrLf & _
		"cscript //nologo RegPerms.vbs ACTION=SET TARGET=Registry_Key " & _
		"ACCOUNT=Domain\Account PERM=Read|Change|Full|NoAccess INH=YES|NO"
	sMsg = sMsg & VbCrLf & vbCrLf & "Where:"
	sMsg = sMsg & VbCrLf & String(7," ") & "ACTION is set to SHOW or SET (to display or set permissions, respectively)"
	sMsg = sMsg & VbCrLf & String(7," ") & "TARGET is full path to the registry key (computer name is optional)"
	sMsg = sMsg & VbCrLf & String(7," ") & "e.g. " & """Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"""
	sMsg = sMsg & VbCrLf & String(7," ") & "ACCOUNT is user or group account in the DOMAIN\AccountName format"
	sMsg = sMsg & VbCrLf & String(7," ") & "PERM specifies type of permissions to be set"
	sMsg = sMsg & VbCrLf & String(7," ") & "INH determines permission inheritance (Yes or No)"

	Call MsgBox(sMsg, vbOKOnly, sHeader)

end sub

'///////////////////////////////////////////////////////////////////
'/// Name:	SetACLs
'/// Purpose:	Setting Access Control List entry
'/// Input:	sAccount	Account to set permissions for
'///		sPermission	Type of permissions to set
'///		sInh		Permission inheritance (yes or no)
'///////////////////////////////////////////////////////////////////

Sub SetACLs(sAccount, sPermission, sInh)

Dim oACE

	For Each oACE in oDACL
        	If UCase(oACE.Trustee) = UCase(sAccount) Then
                	oDACL.RemoveACE oACE
		End if
	Next

	oTargetSD.DiscretionaryACL = oDACL
	oADsSecurity.SetSecurityDescriptor oTargetSD

	Set oACE = CreateObject("AccessControlEntry")
	oACE.Trustee = sAccount

	Select Case UCase(sPermission)
        	Case "FULL"
        		oACE.AccessMask = KEY_ALL_ACCESS
			oACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
		Case "CHANGE"
			oACE.AccessMask = KEY_WRITE
			oACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
        	Case "READ"
			oACE.AccessMask = KEY_READ
			oACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
		Case "NOACCESS"
        		oACE.AccessMask = KEY_ALL_ACCESS
			oACE.AceType = ADS_ACETYPE_ACCESS_DENIED
		Case ""
			Exit Sub
		Case Else
			DisplayUsage("ERROR: Incorrect Permission Type")
	End Select

	If UCase(sInh) = "YES" Then
		oACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
	Else
		oACE.AceFlags = ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE
	End If

	oDACL.AddAce oACE

	Call ReorderDACL(oDACL)

	oTargetSD.DiscretionaryACL = oDACL
	oADsSecurity.SetSecurityDescriptor oTargetSD

End Sub

'///////////////////////////////////////////////////////////////////
'/// Name:	ReorderDACL
'/// Purpose:	reordering the ACLs (per Q269159)
'/// 		ACEs need to be ordered, since AddAce method does not take care of it.
'/// 		For Windows 2000 and later, ACEs should be arranged into two main groups
'///		 - non-inherited
'///		 - inherited.
'/// 		Non-inherited ACEs should be listed first, followed by the inherited ones.
'///		Within each group, ACEs are arranged in the following fashion:
'/// 		 - access-denied ACEs that apply to the object itself
'/// 		 - access-denied ACEs that apply to subobjects of the object
'///		 - access-allowed ACEs that apply to the object itself
'///		 - access-allowed ACEs that apply to subobjects of the object
'///		Since the script does not affect inherited ACEs (but instead, it sets
'///		permission directly on target object), they do not have to be rearranged.
'///		Only non-inherited ACEs are rearranged.
'/// Input:	oOrgDACL	object representing discretionary access list for registry key
'///////////////////////////////////////////////////////////////////

Sub ReorderDACL(oDACL)

Dim oNewDACL			'object used to temporarily store DACL (during ordering)
Dim oInheritedDACL		'object representing list of all Inherited ACEs
Dim oDenyDACL			'object representing list of non-Inherited Deny ACEs
Dim oDenyObjDACL		'object representing list of non-Inherited Deny Object ACEs
Dim oAllowDACL			'object representing list of non-Inherited Allow ACEs
Dim oAllowObjDACL		'object representing list of non-Inherited Allow Object ACEs

Dim oACE			'object representing ACE (used for enumeration)

'//////////////////////////////////////////////////
'/// Create Access Control List objects

Set oNewDACL = CreateObject("AccessControlList")
Set oInheritedDACL = CreateObject("AccessControlList")
Set oAllowDACL = CreateObject("AccessControlList")
Set oDenyDACL = CreateObject("AccessControlList")
Set oDenyObjDACL = CreateObject("AccessControlList")
Set oAllowObjDACL = CreateObject("AccessControlList")

'//////////////////////////////////////////////////
'/// Add individual ACEs into each of the lists
'/// based on the ACE Flags and ACE Type values

For Each oACE In oDACL
	If ((oACE.AceFlags AND ADS_ACEFLAG_INHERITED_ACE) = ADS_ACEFLAG_INHERITED_ACE) Then

	'//////////////////////////////////////////////////
	'/// as explained, no sorting is needed for Inherited ACEs, they are simply
	'/// added to the list and retrieved at the end of the sub in the same order

		oInheritedDACL.AddAce oACE

	Else

	'//////////////////////////////////////////////////
	'/// non-Inherited ACEs need to be placed in their respective list to be re-ordered

		Select Case oACE.AceType
			Case ADS_ACETYPE_ACCESS_ALLOWED
				oAllowDACL.AddAce oACE
			Case ADS_ACETYPE_ACCESS_DENIED
				oDenyDACL.AddAce oACE
			Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
				oAllowObjDACL.AddAce oACE
			Case ADS_ACETYPE_ACCESS_DENIED_OBJECT
				oDenyObjDACL.AddAce oACE

		End Select
	End If
Next

'//////////////////////////////////////////////////
'/// Recreate the Access Control List following the appropriate order
'/// - non-Inherited Deny ACEs
'/// - non-Inherited Allow ACEs
'/// - Inherited ACEs

For Each oACE In oDenyDACL
	 oNewDACL.AddAce oACE
Next
For Each oACE In oDenyObjDACL
	 oNewDACL.AddAce oACE
Next
For Each oACE In oAllowDACL
	  oNewDACL.AddAce oACE
Next
For Each oACE In oAllowObjDACL
	  oNewDACL.AddAce oACE
Next
For Each oACE In oInheritedDACL
	  oNewDACL.AddAce oACE
Next

Set oInheritedDACL = Nothing
Set oDenyDACL = Nothing
Set oAllowDACL = Nothing
Set oDenyObjDACL = Nothing
Set oAllowObjDACL = Nothing

'//////////////////////////////////////////////////
'/// Set appropriate DACL revision level

oNewDACL.AclRevision = oDACL.AclRevision

'//////////////////////////////////////////////////
'/// Reset the original DACL
Set oDACL = Nothing
Set oDACL = oNewDACL

end Sub

'///////////////////////////////////////////////////////////////////
'/// Name:	DisplayACLs
'/// Purpose:	Displaying Access Control List entries
'///////////////////////////////////////////////////////////////////

Sub DisplayACLs()

Dim oACE		'object representing individual ACE
Dim sMsg, sAccessMask	'strings containing message to be displayed
Dim hAccessMask		'number representing Access Mask value

	WScript.Echo "Permissions on " & sTarget

	For Each oACE in oDACL
		sMsg = vbCrLf & "Trustee:" & String(iOffset - Len("Trustee:"), Chr(32)) & _
				oACE.Trustee & vbCrLf
		sMsg = sMsg & "ACE Type:" & String(iOffset - Len("ACE Type:"), Chr(32))
		Select Case oACE.AceType
			Case ADS_ACETYPE_ACCESS_ALLOWED
				'Implicit Allow ACE
				sMsg = sMsg & "ACCESS_ALLOWED"
			Case ADS_ACETYPE_ACCESS_DENIED
				'Implicit Deny ACE
				sMsg = sMsg & "ACCESS_DENIED"
			Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
				'Object Allowed ACE
				sMsg = sMsg & "ACCESS_ALLOWED_OBJECT"
			Case ADS_ACETYPE_ACCESS_DENIED_OBJECT
				'Object Deny ACE
				sMsg = sMsg & "ACCESS_DENIED_OBJECT"
		End Select
		Wscript.Echo sMsg

		sAccessMask = ""
		hAccessMask = 0

		If (oACE.AccessMask AND KEY_QUERY_VALUE) Then
			sAccessMask = String(iOffset, Chr(32)) & "KEY_QUERY_VALUE" & vbCrLf
			hAccessMask = hAccessMask + KEY_QUERY_VALUE
		End If
		If (oACE.AccessMask AND KEY_SET_VALUE) Then
			sAccessMask = sAccessMask & String(iOffset, Chr(32)) & "KEY_SET_VALUE" & vbCrLf
			hAccessMask = hAccessMask + KEY_SET_VALUE
		End If
		If (oACE.AccessMask AND KEY_CREATE_SUB_KEY) Then
			sAccessMask = sAccessMask & String(iOffset, Chr(32)) & "KEY_CREATE_SUB_KEY" & vbCrLf
			hAccessMask = hAccessMask + KEY_CREATE_SUB_KEY
		End If
		If (oACE.AccessMask AND KEY_ENUMERATE_SUB_KEYS) Then
			sAccessMask = sAccessMask & String(iOffset, Chr(32)) & "KEY_ENUMERATE_SUB_KEYS" & vbCrLf
			hAccessMask = hAccessMask + KEY_ENUMERATE_SUB_KEYS
		End If
		If (oACE.AccessMask AND KEY_NOTIFY) Then
			sAccessMask = sAccessMask & String(iOffset, Chr(32)) & "FILE_WRITE_EA" & vbCrLf
			hAccessMask = hAccessMask + KEY_NOTIFY
		End If
		If (oACE.AccessMask AND KEY_CREATE_LINK) Then
			sAccessMask = sAccessMask & String(iOffset, Chr(32)) & "KEY_CREATE_LINK" & vbCrLf
			hAccessMask = hAccessMask + KEY_CREATE_LINK
		End If
		If (oACE.AccessMask AND DELETE) Then
			sAccessMask = sAccessMask & String(iOffset, Chr(32)) & "DELETE" & vbCrLf
			hAccessMask = hAccessMask + DELETE
		End If
		If (oACE.AccessMask AND READ_CONTROL) Then
			sAccessMask = sAccessMask & String(iOffset, Chr(32)) & "READ_CONTROL" & vbCrLf
			hAccessMask = hAccessMask + READ_CONTROL
		End If
		If (oACE.AccessMask AND WRITE_DAC) Then
			sAccessMask = sAccessMask & String(iOffset, Chr(32)) & "WRITE_DAC" & vbCrLf
			hAccessMask = hAccessMask + WRITE_DAC
		End If
		If (oACE.AccessMask AND WRITE_OWNER) Then
			sAccessMask = sAccessMask & String(iOffset, Chr(32)) & "WRITE_OWNER" & vbCrLf
			hAccessMask = hAccessMask + WRITE_OWNER
		End If

		sMsg = "ACE Permissions:" & String(iOffset - Len("ACE Permissions:"), Chr(32))
		Select Case hAccessMask
			Case KEY_ALL_ACCESS 	Wscript.Echo sMsg & "FULL CONTROL"
			Case KEY_WRITE 	Wscript.Echo sMsg & "WRITE"
			Case KEY_READ 	Wscript.Echo sMsg & "READ"
			Case Else	WScript.Echo sMsg & oACE.AccessMask
					WScript.Echo sAccessMask
		End Select

		sMsg = "ACE Flags:" & String(iOffset - Len("ACE Flags:"), Chr(32))
		If (oACE.AceFlags AND ADS_ACEFLAG_INHERIT_ACE) Then
			WScript.Echo sMsg & "ADS_ACEFLAG_INHERIT_ACE"
		End If
		If (oACE.AceFlags AND ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE) Then
			WScript.Echo sMsg & "ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE"
		End If
		If (oACE.AceFlags AND ADS_ACEFLAG_INHERIT_ONLY_ACE) Then
			WScript.Echo sMsg & "ADS_ACEFLAG_INHERIT_ONLY_ACE"
		End If
		If (oACE.AceFlags AND ADS_ACEFLAG_INHERITED_ACE) Then
			WScript.Echo sMsg & "ADS_ACEFLAG_INHERITED_ACE"
		End If
		If (oACE.AceFlags AND ADS_ACEFLAG_VALID_INHERIT_FLAGS) Then
			WScript.Echo sMsg & "ADS_ACEFLAG_VALID_INHERIT_FLAGS"
		End If
		If (oACE.AceFlags AND ADS_ACEFLAG_SUCCESSFUL_ACCESS) Then
			WScript.Echo sMsg & "ADS_ACEFLAG_SUCCESSFUL_ACCESS"
		End If
		If (oACE.AceFlags AND ADS_ACEFLAG_FAILED_ACCESS) Then
			WScript.Echo sMsg & "ADS_ACEFLAG_FAILED_ACCESS"
		End If
		If (oACE.AceFlags AND ADS_ACEFLAG_UNKNOWN) Then
			WScript.Echo sMsg & "ADS_ACEFLAG_UNKNOWN"
		End If
	Next
End Sub

cscript /nologo RegPerm.vbs ACTION=SHOW TARGET="HKEY_LOCAL_MACHINE\SOFTWARE\7-Zip"
Отрабатывает отлично.

cscript /nologo RegPerm.vbs ACTION=SET TARGET="HKEY_LOCAL_MACHINE\SOFTWARE\7-Zip" ACCOUNT="CORP\Domain Users" PERM=FULL INH=NO
Запись ACL не работает

пробовал разные группы в том числе и BUILTIN\Users.

Кто ни будь может мне помочь с этой проблемой?