堆栈内存溢出
  简体   繁体   English

如何删除注册表审核规则?

[英]How to Remove Registry Audit Rules?

 原文  2015-09-15 11:52:15       powershell/ registry/ acl

问题描述

I am trying to remove registry auditing rules I've previously set, but it's not working and I have no idea what I'm missing/doing wrong.我正在尝试删除我之前设置的注册表审核规则,但它不起作用,我不知道我遗漏了什么/做错了什么。

Setting auditing rules on a registry key works fine:在注册表项上设置审计规则工作正常:

$RegistryKey = 'HKCU:\Control Panel\Desktop'
$AuditIdentityReference = "Everyone"
$AuditRegistryRights = "SetValue,Delete"
$AuditInheritanceFlags = "ContainerInherit,ObjectInherit"
$AuditPropagationFlags = "None"
$AuditFlags = "success"
$AuditRule = New-Object System.Security.AccessControl.RegistryAuditRule ($AuditIdentityReference,$AuditRegistryRights,$AuditInheritanceFlags,$AuditPropagationFlags,$AuditFlags)
$ACL = Get-Acl $RegistryKey
$ACL.AddAuditRule($AuditRule)
$ACL | Set-Acl -Path $RegistryKey
Get-Acl $RegistryKey -Audit | Select Path -ExpandProperty Audit | fl *

My understanding is I need to build the $Rule I wish to remove and then use .RemoveAuditRule($Rule) .我的理解是我需要构建我希望删除的$Rule然后使用.RemoveAuditRule($Rule) But although the method returns 'true', the audit rule is still in place:但是尽管该方法返回了 'true',审计规则仍然存在:

$RegistryKey = 'HKCU\Control Panel\Desktop'
$AuditIdentityReference = "Everyone"
$AuditRegistryRights = "SetValue,Delete"
$AuditInheritanceFlags = "ContainerInherit,ObjectInherit"
$AuditPropagationFlags = "None"
$AuditFlags = "success"
$AuditRule = New-Object System.Security.AccessControl.RegistryAuditRule ($AuditIdentityReference,$AuditRegistryRights,$AuditInheritanceFlags,$AuditPropagationFlags,$AuditFlags)
$ACL = Get-Acl $RegistryKey
$ACL.RemoveAuditRule($AuditRule)
$ACL | Set-Acl -Path $RegistryKey
Get-Acl $RegistryKey -Audit | Select Path -ExpandProperty Audit | fl *

Doing something similar on the file system though works fine:在文件系统上做类似的事情虽然工作正常:

$Dir = 'C:\Testing'
$ACL = get-acl $Dir
$Rule = new-object System.Security.AccessControl.FileSystemAuditRule("Everyone","CreateDirectories,CreateFiles,Delete,DeleteSubdirectoriesAndFiles,Write,WriteData","ContainerInherit,ObjectInherit","None","Success,Failure")
$ACL.AddAuditRule($Rule)
$ACL | Set-Acl -Path $Dir
$ACL.RemoveAuditRule($Rule)
$ACL | Set-Acl -Path $Dir

1 个解决方案

解决方案1
 1 已采纳  2015-09-15 18:00:12

When fetching the ACL you didn't include SACLs, so there was nothing to remove.在获取 ACL 时,您没有包含 SACL,因此没有什么可删除的。

Change this:改变这个:

$ACL = Get-Acl $RegistryKey
$ACL.RemoveAuditRule($AuditRule)
$ACL | Set-Acl -Path $RegistryKey

into this:进入这个:

$ACL = Get-Acl $RegistryKey -Audit
$ACL.RemoveAuditRule($AuditRule)
$ACL | Set-Acl -Path $RegistryKey

and the problem will disappear.问题就会消失。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何使用powershell中的注册表项上的getauditrules()获取acl对象中的审计规则? - how to get audit rule in acl object with getauditrules() on registry key in powershell? Windows命令显示注册表项的高级审核设置 - Windows command to display advanced audit settings of Registry Keys Powershell命令查找注册表项高级审核设置(权限) - Powershell command to find registry key advanced audit settings (permissions) 如何在Powershell中从“ FTP授权规则”中删除/删除规则? - How could I remove/delete the rules from “FTP Authorization Rules” in Powershell? Powershell - 删除(默认)注册表项? - Powershell - Remove (Default) registry key? 如何使用PowerShell从远程计算机上删除注册表项? - How do I use PowerShell to remove registry keys from a remote computer? PowerShell - 如何在注册表文件路径中间使用正则表达式来执行删除项操作? - PowerShell - How can I use regex in the middle of registry file path to perform remove-item operation? Windows 审核策略/注册表键命令检查仅适用于域控制器 - Windows Audit Policy/Registry Key Command Check To Only Apply On Domain Controllers 如何使用批处理文件更改注册表权限以从导航窗格中删除网络 - How to use batch file to change permissions of registry to remove network from navigation pane 使用命令 Remove-InboxRule 删除规则 - Remove rules with command Remove-InboxRule
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM