[英]How to Remove Registry Audit Rules?
I am trying to remove registry auditing rules I've previously set, but it's not working and I have no idea what I'm missing/doing wrong.我正在尝试删除我之前设置的注册表审核规则,但它不起作用,我不知道我遗漏了什么/做错了什么。
Setting auditing rules on a registry key works fine:在注册表项上设置审计规则工作正常:
$RegistryKey = 'HKCU:\Control Panel\Desktop'
$AuditIdentityReference = "Everyone"
$AuditRegistryRights = "SetValue,Delete"
$AuditInheritanceFlags = "ContainerInherit,ObjectInherit"
$AuditPropagationFlags = "None"
$AuditFlags = "success"
$AuditRule = New-Object System.Security.AccessControl.RegistryAuditRule ($AuditIdentityReference,$AuditRegistryRights,$AuditInheritanceFlags,$AuditPropagationFlags,$AuditFlags)
$ACL = Get-Acl $RegistryKey
$ACL.AddAuditRule($AuditRule)
$ACL | Set-Acl -Path $RegistryKey
Get-Acl $RegistryKey -Audit | Select Path -ExpandProperty Audit | fl *
My understanding is I need to build the $Rule
I wish to remove and then use .RemoveAuditRule($Rule)
.我的理解是我需要构建我希望删除的
$Rule
然后使用.RemoveAuditRule($Rule)
。 But although the method returns 'true', the audit rule is still in place:但是尽管该方法返回了 'true',审计规则仍然存在:
$RegistryKey = 'HKCU\Control Panel\Desktop'
$AuditIdentityReference = "Everyone"
$AuditRegistryRights = "SetValue,Delete"
$AuditInheritanceFlags = "ContainerInherit,ObjectInherit"
$AuditPropagationFlags = "None"
$AuditFlags = "success"
$AuditRule = New-Object System.Security.AccessControl.RegistryAuditRule ($AuditIdentityReference,$AuditRegistryRights,$AuditInheritanceFlags,$AuditPropagationFlags,$AuditFlags)
$ACL = Get-Acl $RegistryKey
$ACL.RemoveAuditRule($AuditRule)
$ACL | Set-Acl -Path $RegistryKey
Get-Acl $RegistryKey -Audit | Select Path -ExpandProperty Audit | fl *
Doing something similar on the file system though works fine:在文件系统上做类似的事情虽然工作正常:
$Dir = 'C:\Testing'
$ACL = get-acl $Dir
$Rule = new-object System.Security.AccessControl.FileSystemAuditRule("Everyone","CreateDirectories,CreateFiles,Delete,DeleteSubdirectoriesAndFiles,Write,WriteData","ContainerInherit,ObjectInherit","None","Success,Failure")
$ACL.AddAuditRule($Rule)
$ACL | Set-Acl -Path $Dir
$ACL.RemoveAuditRule($Rule)
$ACL | Set-Acl -Path $Dir
When fetching the ACL you didn't include SACLs, so there was nothing to remove.在获取 ACL 时,您没有包含 SACL,因此没有什么可删除的。
Change this:改变这个:
$ACL = Get-Acl $RegistryKey
$ACL.RemoveAuditRule($AuditRule)
$ACL | Set-Acl -Path $RegistryKey
into this:进入这个:
$ACL = Get-Acl $RegistryKey
-Audit
$ACL.RemoveAuditRule($AuditRule)
$ACL | Set-Acl -Path $RegistryKey
and the problem will disappear.问题就会消失。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.