How to change COM security settings programmatically via C#?

Time: 2021-03-10 01:38:40

I need to change COM security permissions programmatically using .NET methods. I mean these settings:

How can I do this? Thanks!

2 solutions

#1


2  

As far as I know there is no API to do this. However COM and DCOM access control are set in the registry, mainly under the "incognito" OLE (because of historical reasons). At the same time .NET has standard classes to manipulate registry.

So here is what I should do when facing this task:

  • Launch a registry monitor, like Mark Russinovich's formerly SysInternals, now Microsoft

  • Set some COM setting interactively using the Windows UI, and monitor registry changes.

  • Optional but strongly recommended: after having some very well targeted search keywords (the registry keys), try to search in Google for doc/code, or, what is better, search in GitHub within the code

  • Implement my C# classes that manipulate the appropriate registry classes

#2


1  

I know this topic is old, but here is the solution I ended up using in case anyone needs it. As stated above, I could not find any API to do it and had to work directly on the registry key that stores the setting. The following keys should be edited:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission

The permissions are stored in binary form. You can try my code:

using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

static class ComACLRights
{
    public const int COM_RIGHTS_EXECUTE = 1;
    public const int COM_RIGHTS_EXECUTE_LOCAL = 2;
    public const int COM_RIGHTS_EXECUTE_REMOTE = 4;
    public const int COM_RIGHTS_ACTIVATE_LOCAL = 8;
    public const int COM_RIGHTS_ACTIVATE_REMOTE = 16;
}

class Program
{
    // Writes to HKEY_LOCAL_MACHINE, so the process must run elevated.
    static void Main(string[] args)
    {
        SetCOMSercurityAccess("testuser", "DefaultAccessPermission");
        SetCOMSercurityAccess("testuser", "DefaultLaunchPermission");
    }

    private static void SetCOMSercurityAccess(string username, string regKey)
    {
        //Get SID from username
        NTAccount f = new NTAccount(username);
        SecurityIdentifier sid = (SecurityIdentifier)f.Translate(typeof(SecurityIdentifier));

        //Read the registry value responsible for COM security
        var accessKey = Registry.GetValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole", regKey, null);

        RawSecurityDescriptor sd;

        if (accessKey == null)
        {
            //Value does not exist: start from an empty descriptor
            //(the ACL written below will then contain only this user's entry)
            sd = new RawSecurityDescriptor("");
        }
        else
        {
            //Read security settings
            sd = new RawSecurityDescriptor(accessKey as byte[], 0);
        }

        //A descriptor without a DACL returns null here, so create an empty ACL in that case
        var acl = sd.DiscretionaryAcl ?? new RawAcl(GenericAcl.AclRevision, 1);

        //Look for an existing allow entry for the user
        var found = false;
        foreach (GenericAce ace in acl)
        {
            //Skip ACE types other than CommonAce, and skip deny entries:
            //adding rights to a deny ACE would block the user instead of granting access
            var ca = ace as CommonAce;
            if (ca != null && ca.AceQualifier == AceQualifier.AccessAllowed && ca.SecurityIdentifier == sid)
            {
                //ensure local access is set
                ca.AccessMask |= ComACLRights.COM_RIGHTS_EXECUTE | ComACLRights.COM_RIGHTS_EXECUTE_LOCAL | ComACLRights.COM_RIGHTS_ACTIVATE_LOCAL;    //set local access.  Always set execute
                found = true;
                break;
            }
        }
        if (!found)
        {
            CommonAce ca = new CommonAce(
                AceFlags.None,
                AceQualifier.AccessAllowed,
                ComACLRights.COM_RIGHTS_EXECUTE | ComACLRights.COM_RIGHTS_EXECUTE_LOCAL | ComACLRights.COM_RIGHTS_ACTIVATE_LOCAL,
                sid,
                false,
                null);
            acl.InsertAce(acl.Count, ca);
        }
        //re-set the ACL
        sd.DiscretionaryAcl = acl;

        //Convert back to binary and save
        byte[] binaryform = new byte[sd.BinaryLength];
        sd.GetBinaryForm(binaryform, 0);
        Registry.SetValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole", regKey, binaryform, RegistryValueKind.Binary);
    }
}

This code is mostly inspired by this answer
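
A read-only check to run before and after an edit like the one in answer #2, added here as an example (not code from either answer): it decodes the same two registry values from their binary form and lists each ACE, marking allow entries that include the remote bits. The class name `ComAclAudit`, the helper names and the output format are assumptions of this example.

```csharp
// Read-only audit of the machine-wide COM default ACLs (Windows only; nothing is written).
using System;
using System.Collections.Generic;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

static class ComAclAudit   // hypothetical name, not part of the answer's code
{
    // Index i is bit (1 << i), matching the ComACLRights constants in the answer.
    static readonly string[] RightNames =
        { "EXECUTE", "EXECUTE_LOCAL", "EXECUTE_REMOTE", "ACTIVATE_LOCAL", "ACTIVATE_REMOTE" };
    const int RemoteBits = 4 | 16;   // COM_RIGHTS_EXECUTE_REMOTE | COM_RIGHTS_ACTIVATE_REMOTE

    static string Describe(int mask)
    {
        var names = new List<string>();
        for (int i = 0; i < RightNames.Length; i++)
            if ((mask & (1 << i)) != 0) names.Add(RightNames[i]);
        return names.Count == 0 ? "(none)" : string.Join("|", names);
    }

    static string Account(SecurityIdentifier sid)
    {
        // SIDs that no longer map to an account are shown in raw S-1-... form.
        try { return sid.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return sid.Value; }
    }

    static void Dump(string valueName)
    {
        var raw = Registry.GetValue(@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", valueName, null) as byte[];
        if (raw == null) { Console.WriteLine(valueName + ": not set"); return; }
        var sd = new RawSecurityDescriptor(raw, 0);
        Console.WriteLine(valueName + ": " + sd.GetSddlForm(AccessControlSections.All));
        if (sd.DiscretionaryAcl == null) return;
        foreach (GenericAce ace in sd.DiscretionaryAcl)
        {
            var ca = ace as CommonAce;
            if (ca == null) continue;   // ACE types this example does not decode
            bool remote = ca.AceQualifier == AceQualifier.AccessAllowed && (ca.AccessMask & RemoteBits) != 0;
            Console.WriteLine("  {0,-14} {1,-40} {2}{3}", ca.AceQualifier, Account(ca.SecurityIdentifier),
                Describe(ca.AccessMask), remote ? "  <-- grants remote rights" : "");
        }
    }

    static void Main() { Dump("DefaultAccessPermission"); Dump("DefaultLaunchPermission"); }
}
```

Saving the SDDL line it prints before making a change gives a readable record of the previous ACL to compare against afterwards.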
