


In order to install a new property page into the Active Directory SnapIn, I need to write into the following registry key of W2K8 R2 (as documented by Microsoft):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\{E355E538-1C2E-11D0-8C37-00C04FD8FE93}\NodeTypes


This key is owned by a special user called TrustedInstaller. I found a lot of things on the NET around that.


At the moment, here is the way it works (the user is a member of the Administrators group):

  1. I give the user the privilege to take ownership.
  2. The user takes ownership.
  3. The user writes the registry.
  4. The user gives ownership to the Administrators group.


My project is fully written in C#, and there are two things that I don't like about the way I'm doing it.

  • I use InteropServices to call the Win32 API AdjustTokenPrivileges. Does anyone know a way to do this in pure C#?

  • At the end, TrustedInstaller is no longer the owner of the key, and I can't give the ownership back to him. He keeps full control, but I don't want my server to be classified as damaged after my snap-in is installed.


So my question is: am I missing something? Is there a documented way to modify such a key, which is documented as modifiable?


There is an existing Stack Overflow question about that; the answer says that TrustedInstaller ownership means the key is part of the system installation and not an application installation. For me, if Microsoft documents how to modify a key, it's application installation.




So I found one of my problems.

When you want to take ownership of a resource, you have to enable the SeTakeOwnershipPrivilege; this allows you to change the owner SID. But the new owner SID must be in the caller's token, plus that SID must have the attribute SE_GROUP_OWNER. So in my case I was not able to change the owner SID back to S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 (TrustedInstaller). I was just able to take ownership, or to give ownership to the group "Administrators". I discovered that there is a kind of work-around whereby you can assign any arbitrary user as the owner, even if its SID is not in the token. The SeRestorePrivilege privilege is granted to administrators and backup operators, but NOT enabled by default. Enabling it allowed me to give back ownership to TrustedInstaller.


So it works by doing the following (the user is a member of the Administrators group):

  1. I give the user the privilege to take ownership and enable the restore privilege.
  2. The user takes ownership.
  3. The user writes the registry.
  4. The user gives ownership back to the previous owner, TrustedInstaller.

I use InteropServices to call the Win32 AdjustTokenPrivileges API, and it seems to be the only way to do it in C#.


I will soon post on my blog a small tool that allows giving back ownership to TrustedInstaller.


Edited: Sorry for the delay, I just forgot it. You can find the code on Gist.
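The four-step procedure from the answer, written out in C# as an added example; it is not the poster's Gist tool and not a Microsoft sample. It assumes the key path given in the question with its spaces read as backslashes, uses the TrustedInstaller SID quoted in the answer, and adds one step the answer does not spell out: taking ownership only gives the owner READ_CONTROL and WRITE_DAC implicitly, so a temporary SetValue ACE is added for the current user before the write and removed again afterwards, leaving the DACL and the owner as they were. Everything goes through `AdjustTokenPrivileges` via `DllImport`, which is the same P/Invoke route the answer describes.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

// Enables a named privilege on the current process token (P/Invoke, as the answer describes).
static class TokenPrivilege
{
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public uint Count; public LUID Luid; public uint Attr; }

    const uint SE_PRIVILEGE_ENABLED = 0x2, TOKEN_ADJUST_PRIVILEGES = 0x20, TOKEN_QUERY = 0x8;
    const int ERROR_NOT_ALL_ASSIGNED = 1300;

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state,
                                             uint bufLen, IntPtr prev, IntPtr retLen);

    public static void Enable(string name)
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            throw new Win32Exception();
        try
        {
            LUID luid;
            if (!LookupPrivilegeValue(null, name, out luid)) throw new Win32Exception();
            var tp = new TOKEN_PRIVILEGES { Count = 1, Luid = luid, Attr = SE_PRIVILEGE_ENABLED };
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
                throw new Win32Exception();
            // AdjustTokenPrivileges returns TRUE even when the token does not hold the privilege;
            // only the last-error value reveals that nothing was enabled (e.g. a non-elevated token).
            if (Marshal.GetLastWin32Error() == ERROR_NOT_ALL_ASSIGNED)
                throw new Win32Exception(ERROR_NOT_ALL_ASSIGNED, name + " is not held by this token");
        }
        finally { CloseHandle(token); }
    }
}

static class TrustedInstallerKey
{
    // SID quoted in the answer above (NT SERVICE\TrustedInstaller).
    static readonly SecurityIdentifier TrustedInstaller =
        new SecurityIdentifier("S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464");

    // Open an HKLM subkey with exactly the access one step needs, run the step, close the handle.
    static void WithKey(string subKey, RegistryRights rights, Action<RegistryKey> step)
    {
        using (var key = Registry.LocalMachine.OpenSubKey(subKey, RegistryKeyPermissionCheck.ReadWriteSubTree, rights))
        {
            if (key == null) throw new InvalidOperationException("key not found: " + subKey);
            step(key);
        }
    }

    public static void WriteValue(string subKey, string valueName, string data)
    {
        SecurityIdentifier me = WindowsIdentity.GetCurrent().User;
        var tempRule = new RegistryAccessRule(me, RegistryRights.SetValue, AccessControlType.Allow);

        // Step 1: enable both privileges. SeRestorePrivilege is what lets us hand ownership back.
        TokenPrivilege.Enable("SeTakeOwnershipPrivilege");
        TokenPrivilege.Enable("SeRestorePrivilege");

        // Step 2: take ownership. SeTakeOwnershipPrivilege grants WRITE_OWNER whatever the DACL says.
        WithKey(subKey, RegistryRights.TakeOwnership,
            k => { var s = new RegistrySecurity(); s.SetOwner(me); k.SetAccessControl(s); });

        // Step 3: as owner we hold READ_CONTROL and WRITE_DAC implicitly, but not KEY_SET_VALUE,
        // so grant ourselves SetValue temporarily (assumption: the answer does not mention this), write, then revoke.
        WithKey(subKey, RegistryRights.ReadPermissions | RegistryRights.ChangePermissions,
            k => { var s = k.GetAccessControl(); s.AddAccessRule(tempRule); k.SetAccessControl(s); });
        WithKey(subKey, RegistryRights.SetValue,
            k => k.SetValue(valueName, data, RegistryValueKind.String));
        WithKey(subKey, RegistryRights.ReadPermissions | RegistryRights.ChangePermissions,
            k => { var s = k.GetAccessControl(); s.RemoveAccessRule(tempRule); k.SetAccessControl(s); });

        // Step 4: give ownership back. Without SeRestorePrivilege the new owner would have to be a
        // SE_GROUP_OWNER SID present in our token, which TrustedInstaller is not.
        WithKey(subKey, RegistryRights.TakeOwnership,
            k => { var s = new RegistrySecurity(); s.SetOwner(TrustedInstaller); k.SetAccessControl(s); });
    }

    static void Main(string[] args)
    {
        // Example from the question (backslashes assumed):
        //   SOFTWARE\Microsoft\MMC\SnapIns\{E355E538-1C2E-11D0-8C37-00C04FD8FE93}\NodeTypes
        if (args.Length != 3)
        {
            Console.Error.WriteLine("usage (elevated): TrustedInstallerKey <subkey under HKLM> <valueName> <data>");
            return;
        }
        WriteValue(args[0], args[1], args[2]);
        Console.WriteLine("value written; owner restored to " + TrustedInstaller.Value);
    }
}
```

Each step opens its own handle with only the access that step needs, so a failure in the middle (for example `ERROR_NOT_ALL_ASSIGNED` from a non-elevated token) stops before anything is changed, and the ACE added in step 3 is removed before ownership is returned, so the key ends up with the same owner and DACL it started with.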
