问题
Are there any methods to change the Access Permissions for COM Security using a batch file? I need to write new values to "Edit Limits..." and "Edit Default..." in both "Access Permissions" and "Launch and Activation Permissions" using a batch script. I'm using Windows XP machines with Service Pack 2 and 3.
Thank you.
回答1:
I recently had the need to create a batch script to grant default Local Activation permissions so that I could run an out-of-process COM component on Windows Azure. After much research, I used a tool called RegFromApp (download link is near bottom of page) to see what changes were made in the Windows Registry when I granted the aforementioned permissions on a Windows Server 2008 R2 VM. Here are the steps I used to determine what changes to make to the registry...
- Entered
dcomcnfgin the Command Prompt to launch Component Services - Launched RegFromApp program
- In RegFromApp, selected the mmc.exe process and clicked OK to inspect what changes it would make to registry
- Back in Component Services, expanded Component Services item in left panel
- Expanded Computers item in left panel
- Right-clicked My Computer item in left panel and selected Properties from popup menu
- Selected COM Security tab
- In Launch and Activation Permissions box, clicked Edit Default button
- Clicked Add button
- Entered
IIS_IUSRSin empty box, clicked Check Names button and clicked OK button - Ticked Allow for Local Activation and clicked OK button
- Clicked Apply button then OK button
- Back in RegFromApp program, clicked Save As from the File menu to save registry
changes as
SetDCOMPermission.regfile
Having recorded the registry changes in a .reg file (i.e. the DefaultLaunchPermission value was modified in the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE] key), I wrote the following batch script to register my COM component and apply the changes to the registry by running my .reg file...
chcp 1252>NUL
OleAutomationFeasibilityModel.exe /regserver
regedit.exe /s SetDCOMPermission.reg
exit /b 0
I'm sure you could use a similar technique to record the necessary registry changes for what you're trying to achieve in a .reg file and run this file from a batch script.
Hope that helps!
回答2:
I'm not aware of any 3rd party tool that allows you to create ACL's programmatically. In the past I've only ever seen this done using custom tooling, e.g. VBScript & a C++ COM component or a native command line tool.
If you do want to go down this route then Keith Brown's Programming Windows Security is an excellent book on the topic, if a little old these days. It's what I used to work on just such a component some years ago.
来源:https://stackoverflow.com/questions/6741928/dcom-security-using-a-batch-file