RegistrySecurity.SetAccessRule(RegistryAccessRule) Method


Removes all access control rules with the same user and AccessControlType (allow or deny) as the specified rule, and then adds the specified rule.

 void SetAccessRule(System::Security::AccessControl::RegistryAccessRule ^ rule);
public void SetAccessRule (System.Security.AccessControl.RegistryAccessRule rule);
override this.SetAccessRule : System.Security.AccessControl.RegistryAccessRule -> unit
Public Sub SetAccessRule (rule As RegistryAccessRule)



The RegistryAccessRule to add. The user and AccessControlType of this rule determine the rules to remove before this rule is added.




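The following code example shows that the SetAccessRule method removes all rules that match the user and AccessControlType of rule, ignoring rights and flags, and replaces them with rule.

The example creates a RegistrySecurity object and adds rules that allow and deny various rights for the current user, with different inheritance and propagation flags. The example then creates a new rule that allows the current user only to read the key, and uses the SetAccessRule method to remove the two rules that allow access and replace them with the new rule. The rule that denies access is not affected.


This example does not attach the security object to a RegistryKey object. See the RegistryKey.GetAccessControl method and the RegistryKey.SetAccessControl method.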

using System;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Security;
using Microsoft.Win32;

public class Example
{
    public static void Main()
    {
        string user = Environment.UserDomainName + "\\"
            + Environment.UserName;

        // Create a security object that grants no access.
        RegistrySecurity mSec = new RegistrySecurity();

        // Add a rule that grants the current user the right
        // to read and enumerate the name/value pairs in a key, 
        // to read its access and audit rules, to enumerate
        // its subkeys, to create subkeys, and to delete the key. 
        // The rule is inherited by all contained subkeys.
        RegistryAccessRule rule = new RegistryAccessRule(user, 
            RegistryRights.ReadKey | RegistryRights.WriteKey
                | RegistryRights.Delete, 
            InheritanceFlags.ContainerInherit, 
            PropagationFlags.None, 
            AccessControlType.Allow);
        mSec.AddAccessRule(rule);

        // Add a rule that allows the current user the right
        // to change permissions on a key. 
        // This rule is inherited by contained subkeys, but
        // propagation flags limit it to immediate child 
        // subkeys.
        rule = new RegistryAccessRule(user, 
            RegistryRights.ChangePermissions, 
            InheritanceFlags.ContainerInherit, 
            PropagationFlags.InheritOnly | PropagationFlags.NoPropagateInherit, 
            AccessControlType.Allow);
        mSec.AddAccessRule(rule);

        // Add a rule that denies the current user the right
        // to set the name/value pairs in a key. This rule
        // has no inheritance or propagation flags, so it 
        // affects only the key itself.
        rule = new RegistryAccessRule(user,
            RegistryRights.SetValue,
            AccessControlType.Deny);
        mSec.AddAccessRule(rule);

        // Display the rules in the security object.
        ShowSecurity(mSec);

        // Create a rule that allows the current user  
        // only read access to a key, with no inheritance 
        // or propagation flags. SetAccessRule removes
        // all the existing rules that allow access for
        // the current user, replacing them with this
        // rule. Rules that deny access do not match,
        // and so are not affected.
        rule = new RegistryAccessRule(user, 
            RegistryRights.ReadKey, 
            AccessControlType.Allow);
        mSec.SetAccessRule(rule);

        // Display the rules in the security object.
        ShowSecurity(mSec);
    }

    private static void ShowSecurity(RegistrySecurity security)
    {
        Console.WriteLine("\r\nCurrent access rules:\r\n");

        foreach( RegistryAccessRule ar in 
            security.GetAccessRules(true, true, typeof(NTAccount)) )
        {
            Console.WriteLine("        User: {0}", ar.IdentityReference);
            Console.WriteLine("        Type: {0}", ar.AccessControlType);
            Console.WriteLine("      Rights: {0}", ar.RegistryRights);
            Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags);
            Console.WriteLine(" Propagation: {0}", ar.PropagationFlags);
            Console.WriteLine("   Inherited? {0}", ar.IsInherited);
            Console.WriteLine();
        }
    }
}

/* This code example produces output similar to the following:

Current access rules:

        User: TestDomain\TestUser
        Type: Deny
      Rights: SetValue
 Inheritance: None
 Propagation: None
   Inherited? False

        User: TestDomain\TestUser
        Type: Allow
      Rights: SetValue, CreateSubKey, Delete, ReadKey
 Inheritance: ContainerInherit
 Propagation: None
   Inherited? False

        User: TestDomain\TestUser
        Type: Allow
      Rights: ChangePermissions
 Inheritance: ContainerInherit
 Propagation: NoPropagateInherit, InheritOnly
   Inherited? False

Current access rules:

        User: TestDomain\TestUser
        Type: Deny
      Rights: SetValue
 Inheritance: None
 Propagation: None
   Inherited? False

        User: TestDomain\TestUser
        Type: Allow
      Rights: ReadKey
 Inheritance: None
 Propagation: None
   Inherited? False
*/

Option Explicit
Imports System
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports System.Security
Imports Microsoft.Win32

Public Class Example

    Public Shared Sub Main()

        Dim user As String = Environment.UserDomainName _ 
            & "\" & Environment.UserName

        ' Create a security object that grants no access.
        Dim mSec As New RegistrySecurity()

        ' Add a rule that grants the current user the right
        ' to read and enumerate the name/value pairs in a key, 
        ' to read its access and audit rules, to enumerate
        ' its subkeys, to create subkeys, and to delete the key. 
        ' The rule is inherited by all contained subkeys.
        Dim rule As New RegistryAccessRule(user, _
            RegistryRights.ReadKey Or RegistryRights.WriteKey _
                Or RegistryRights.Delete, _
            InheritanceFlags.ContainerInherit, _
            PropagationFlags.None, _
            AccessControlType.Allow)
        mSec.AddAccessRule(rule)

        ' Add a rule that allows the current user the right
        ' to change permissions on a key. 
        ' This rule is inherited by contained subkeys, but
        ' propagation flags limit it to immediate child 
        ' subkeys.
        rule = New RegistryAccessRule(user, _
            RegistryRights.ChangePermissions, _
            InheritanceFlags.ContainerInherit, _
            PropagationFlags.InheritOnly Or PropagationFlags.NoPropagateInherit, _
            AccessControlType.Allow)
        mSec.AddAccessRule(rule)

        ' Add a rule that denies the current user the right
        ' to set the name/value pairs in a key. This rule
        ' has no inheritance or propagation flags, so it 
        ' affects only the key itself.
        rule = New RegistryAccessRule(user, _
            RegistryRights.SetValue, _
            AccessControlType.Deny)
        mSec.AddAccessRule(rule)

        ' Display the rules in the security object.
        ShowSecurity(mSec)

        ' Create a rule that allows the current user  
        ' only read access to a key, with no inheritance 
        ' or propagation flags. SetAccessRule removes
        ' all the existing rules that allow access for
        ' the current user, replacing them with this
        ' rule. Rules that deny access do not match,
        ' and so are not affected.
        rule = New RegistryAccessRule(user, _
            RegistryRights.ReadKey, _
            AccessControlType.Allow)
        mSec.SetAccessRule(rule)

        ' Display the rules in the security object.
        ShowSecurity(mSec)

    End Sub 

    Private Shared Sub ShowSecurity(ByVal security As RegistrySecurity)
        Console.WriteLine(vbCrLf & "Current access rules:" & vbCrLf)

        For Each ar As RegistryAccessRule In _
            security.GetAccessRules(True, True, GetType(NTAccount))

            Console.WriteLine("        User: {0}", ar.IdentityReference)
            Console.WriteLine("        Type: {0}", ar.AccessControlType)
            Console.WriteLine("      Rights: {0}", ar.RegistryRights)
            Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags)
            Console.WriteLine(" Propagation: {0}", ar.PropagationFlags)
            Console.WriteLine("   Inherited? {0}", ar.IsInherited)
            Console.WriteLine()
        Next

    End Sub
End Class 

'This code example produces output similar to the following:
'Current access rules:
'        User: TestDomain\TestUser
'        Type: Deny
'      Rights: SetValue
' Inheritance: None
' Propagation: None
'   Inherited? False
'        User: TestDomain\TestUser
'        Type: Allow
'      Rights: SetValue, CreateSubKey, Delete, ReadKey
' Inheritance: ContainerInherit
' Propagation: None
'   Inherited? False
'        User: TestDomain\TestUser
'        Type: Allow
'      Rights: ChangePermissions
' Inheritance: ContainerInherit
' Propagation: NoPropagateInherit, InheritOnly
'   Inherited? False
'Current access rules:
'        User: TestDomain\TestUser
'        Type: Deny
'      Rights: SetValue
' Inheritance: None
' Propagation: None
'   Inherited? False
'        User: TestDomain\TestUser
'        Type: Allow
'      Rights: ReadKey
' Inheritance: None
' Propagation: None
'   Inherited? False


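If the specified rule has Allow, the effect of this method is to remove all Allow rules for the specified user, replacing them with the specified rule. If the specified rule has Deny, all Deny rules for the specified user are replaced with the specified rule.

If there are no rules whose user and AccessControlType match the specified rule, rule is added.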
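
The two cases described in the remarks above (a Deny rule, and a rule with no match), shown as an added example that is not part of the original documentation sample. It assumes the well-known SIDs for BUILTIN\Users and Everyone as sample identities so that no account-name lookup is needed; the class name and the Count and Show helpers are hypothetical.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;

public class SetAccessRuleRemarksDemo
{
    public static void Main()
    {
        // Constructed sample identities: well-known SIDs, no domain lookup required.
        var users = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
        var everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
        var sec = new RegistrySecurity();

        // One Allow rule and two Deny rules (different inheritance flags) for Users.
        sec.AddAccessRule(new RegistryAccessRule(users, RegistryRights.ReadKey, AccessControlType.Allow));
        sec.AddAccessRule(new RegistryAccessRule(users, RegistryRights.SetValue, AccessControlType.Deny));
        sec.AddAccessRule(new RegistryAccessRule(users, RegistryRights.CreateSubKey,
            InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Deny));
        int denyBefore = Count(sec, users, AccessControlType.Deny);

        // Deny case: every Deny rule for Users is replaced; the Allow rule does not match.
        sec.SetAccessRule(new RegistryAccessRule(users, RegistryRights.Delete, AccessControlType.Deny));
        Console.WriteLine("Users Deny rules: {0} -> {1}", denyBefore, Count(sec, users, AccessControlType.Deny));
        Console.WriteLine("Users Allow rules kept: {0}", Count(sec, users, AccessControlType.Allow));

        // No-match case: Everyone has no rules yet, so the rule is simply added.
        sec.SetAccessRule(new RegistryAccessRule(everyone, RegistryRights.ReadKey, AccessControlType.Allow));
        Console.WriteLine("Everyone Allow rules: {0}", Count(sec, everyone, AccessControlType.Allow));
        Show(sec);
    }

    // Number of rules of the given type that name the given SID.
    private static int Count(RegistrySecurity sec, SecurityIdentifier sid, AccessControlType type)
    {
        int n = 0;
        foreach (RegistryAccessRule ar in sec.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            if (ar.IdentityReference.Equals(sid) && ar.AccessControlType == type) n++;
        return n;
    }

    private static void Show(RegistrySecurity sec)
    {
        foreach (RegistryAccessRule ar in sec.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            Console.WriteLine("  {0,-12} {1,-5} {2} (inherit: {3})",
                ar.IdentityReference, ar.AccessControlType, ar.RegistryRights, ar.InheritanceFlags);
    }
}
```

Counting rules per identity and type before and after the call is a quick way to confirm in a review or a test that a replacement left no stale grant or denial behind.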
