How to Remove Registry Audit Rules?

I am trying to remove registry auditing rules I've previously set, but it's not working and I have no idea what I'm missing/doing wrong.

Setting auditing rules on a registry key works fine:

$RegistryKey = 'HKCU:\Control Panel\Desktop'
$AuditIdentityReference = "Everyone"
$AuditRegistryRights = "SetValue,Delete"
$AuditInheritanceFlags = "ContainerInherit,ObjectInherit"
$AuditPropagationFlags = "None"
$AuditFlags = "success"
$AuditRule = New-Object System.Security.AccessControl.RegistryAuditRule ($AuditIdentityReference,$AuditRegistryRights,$AuditInheritanceFlags,$AuditPropagationFlags,$AuditFlags)
$ACL = Get-Acl $RegistryKey
$ACL.AddAuditRule($AuditRule)
$ACL | Set-Acl -Path $RegistryKey
Get-Acl $RegistryKey -Audit | Select Path -ExpandProperty Audit | fl *

My understanding is I need to build the $Rule I wish to remove and then use .RemoveAuditRule($Rule). But although the method returns 'true', the audit rule is still in place:

$RegistryKey = 'HKCU:\Control Panel\Desktop'
$AuditIdentityReference = "Everyone"
$AuditRegistryRights = "SetValue,Delete"
$AuditInheritanceFlags = "ContainerInherit,ObjectInherit"
$AuditPropagationFlags = "None"
$AuditFlags = "success"
$AuditRule = New-Object System.Security.AccessControl.RegistryAuditRule ($AuditIdentityReference,$AuditRegistryRights,$AuditInheritanceFlags,$AuditPropagationFlags,$AuditFlags)
$ACL = Get-Acl $RegistryKey
$ACL.RemoveAuditRule($AuditRule)
$ACL | Set-Acl -Path $RegistryKey
Get-Acl $RegistryKey -Audit | Select Path -ExpandProperty Audit | fl *

Doing something similar on the file system though works fine:

$Dir = 'C:\Testing'
$ACL = get-acl $Dir
$Rule = new-object System.Security.AccessControl.FileSystemAuditRule("Everyone","CreateDirectories,CreateFiles,Delete,DeleteSubdirectoriesAndFiles,Write,WriteData","ContainerInherit,ObjectInherit","None","Success,Failure")
$ACL.AddAuditRule($Rule)
$ACL | Set-Acl -Path $Dir
$ACL.RemoveAuditRule($Rule)
$ACL | Set-Acl -Path $Dir

When fetching the ACL you didn't include SACLs, so there was nothing to remove.

Change this:

$ACL = Get-Acl $RegistryKey
$ACL.RemoveAuditRule($AuditRule)
$ACL | Set-Acl -Path $RegistryKey

into this:

$ACL = Get-Acl $RegistryKey -Audit   # -Audit loads the SACL, so the audit rule exists in $ACL and can be matched
$ACL.RemoveAuditRule($AuditRule)
$ACL | Set-Acl -Path $RegistryKey

and the problem will disappear.
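As an added example (not code from the question or the answer), the following function wraps the removal step and verifies the stored SACL before and after, so a silent "nothing to remove" cannot go unnoticed. The function name Remove-RegistryAuditRule and its parameters are assumptions; reading or writing a SACL requires the SeSecurityPrivilege, so it must run from an elevated session.

```powershell
# Added example, not from the original post. The function name and parameters are hypothetical.
# Reading or writing a SACL needs SeSecurityPrivilege ("Manage auditing and security log"),
# so run this from an elevated PowerShell session.
function Remove-RegistryAuditRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [System.Security.AccessControl.RegistryRights] $Rights,
        [System.Security.AccessControl.InheritanceFlags] $Inheritance = 'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags] $Propagation = 'None',
        [System.Security.AccessControl.AuditFlags] $Flags = 'Success'
    )

    # -Audit is the essential part: without it Get-Acl returns a descriptor with no SACL
    # entries, so RemoveAuditRule has nothing to match even though it reports success.
    $acl = Get-Acl -Path $Path -Audit
    $ntAccount = [System.Security.Principal.NTAccount]
    $before = @($acl.GetAuditRules($true, $false, $ntAccount)).Count

    # Build a rule identical to the one that was added; RemoveAuditRule matches on
    # identity, rights, inheritance/propagation and audit flags.
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule `
        -ArgumentList @($Identity, $Rights, $Inheritance, $Propagation, $Flags)
    $acl.RemoveAuditRule($rule) | Out-Null
    $acl | Set-Acl -Path $Path

    # Re-read the SACL so the result reflects what is actually stored on the key,
    # not just the in-memory object that was modified.
    $after = @((Get-Acl -Path $Path -Audit).GetAuditRules($true, $false, $ntAccount)).Count

    [pscustomobject]@{
        Path                     = $Path
        ExplicitAuditRulesBefore = $before
        ExplicitAuditRulesAfter  = $after
        RuleRemoved              = ($after -lt $before)
    }
}

# Usage with the values from the question:
Remove-RegistryAuditRule -Path 'HKCU:\Control Panel\Desktop' -Identity 'Everyone' -Rights 'SetValue,Delete'
```

If RuleRemoved comes back false while ExplicitAuditRulesBefore is non-zero, the constructed rule did not match the stored entry exactly; compare it against the output of Get-Acl -Audit as shown in the question.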
