Modify registry key ownership “access denied”


    • #212010
      Participant

      Hi,

      I’m trying to modify the registry key ownership of the following key:

      $path = 'AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'

      I’m using a local administrator account to try some ownership changes. If I’m using registry.exe to modify the ownership of the key from “TRUSTEDINSTALLER” TO “BUILTIN\ADMINISTRATORS”, it works without problems!

      The problem is that I need to script it with PowerShell, but unfortunately I can’t get it to work … I’m getting an “access denied” with every method I’m trying.

      For example, via .NET:

      [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",System.Security.AccessControl.RegistryRights]::TakeOwnership)
      Exception calling "OpenSubKey" with "2" argument(s): "Requested registry access is not allowed."

      Or via psprovider + modifying the acl and set-acl … I keep getting an “access denied” …

      Does someone have an idea, how I can modify the $path key (see above) registry ownership from “TrustedInstaller” to “BUILTIN\ADMINISTRATORS” via powershell?

      Thanks a lot for any help!
      Kind regards,
      Didier

      • This topic was modified 2 months ago by grokkit. Reason: please format your code as per the forum posting instructions
    • #212475
      Senior Moderator

      Just to eliminate the obvious, are you running PowerShell as admin when you execute your script?

      Also there appears to be a typo in this line, but I think it’s just a missing open bracket:
      [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",System.Security.AccessControl.RegistryRights]::TakeOwnership)

      You may need to use OpenSubKey() with [RegistryKeyPermissionCheck]::ReadWriteSubTree as it’s used in this example in order to skip the security check and make the key writable.

    • #212934
      Participant

      Hi,

      Thank you very much for replying.

      Yes, I’m using a privileged powershell session as a local administrator.

      Sorry for the typo, yes there was a missing bracket.

      Unfortunately, both methods do not work … including your suggested method.

      PS C:\WINDOWS\system32> $path = 'AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'
      PS C:\WINDOWS\system32> [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",[System.Security.AccessControl.RegistryRights]::TakeOwnership)
      Exception calling "OpenSubKey" with "2" argument(s): "Requested registry access is not allowed."
      At line:1 char:1
      + [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",[System.Se …
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
      + FullyQualifiedErrorId : SecurityException

      PS C:\WINDOWS\system32> [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
      Exception calling "OpenSubKey" with "3" argument(s): "Requested registry access is not allowed."
      At line:1 char:1
      + [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",[Microsoft …
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
      + FullyQualifiedErrorId : SecurityException

      Or via get-acl/set-acl:

      $owner = 'BUILTIN\Administrators'
      New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
      $key = 'HKCR:AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'
      $originalRegistrySecurity = (Get-Acl $key)
      $newAcl = New-Object -TypeName System.Security.AccessControl.RegistrySecurity
      $newAcl.setOwner([System.Security.Principal.NTAccount]::new($owner))
      Set-Acl -Path $key -AclObject $newAcl

      Set-Acl : Requested registry access is not allowed.
      At line:1 char:1
      + Set-Acl -Path $key -AclObject $newAcl
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : PermissionDenied: (HKEY_CLASSES_RO…2-0E02075250C2}:String) [Set-Acl], SecurityException
      + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.SetAclCommand

      So it seems to me that it is currently not possible to do this via PowerShell, as Get-Acl or Set-Acl also result in an “access denied” ….

      Didier

      • This reply was modified 2 months ago by didier04.
    • #213048
      Participant

      Hello,

      Thank you very much for replying.

      Yes it is an elevated administrator powershell session.

      $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
      Write-Output $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

      True

      All methods I tried fail with an access denied:

      $path = 'AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'

      1) method:

      [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",[System.Security.AccessControl.RegistryRights]::TakeOwnership)
      Exception calling "OpenSubKey" with "2" argument(s): "Requested registry access is not allowed."

      2) method:

      [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)

      Exception calling "OpenSubKey" with "3" argument(s): "Requested registry access is not allowed."

      3) method:

      $owner = 'BUILTIN\Administrators'
      New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
      $key = 'HKCR:AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'
      $originalRegistrySecurity = (Get-Acl $key)
      $newAcl = New-Object -TypeName System.Security.AccessControl.RegistrySecurity
      $newAcl.setOwner([System.Security.Principal.NTAccount]::new($owner))
      Set-Acl -Path $key -AclObject $newAcl
      Set-Acl : Requested registry access is not allowed.
      At line:1 char:1
      + Set-Acl -Path $key -AclObject $newAcl
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : PermissionDenied: (HKEY_CLASSES_RO…2-0E02075250C2}:String) [Set-Acl], SecurityException

      I honestly think that it isn’t possible to do this via powershell ….

      Any other ideas welcome.

      Regards,

      Didier
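
Added example, not part of any post in this thread: the attempts above are denied because an elevated administrator token holds SeTakeOwnershipPrivilege only in a disabled state, and neither OpenSubKey nor Set-Acl enables it. The sketch below enables the privilege through P/Invoke and then sets the owner; the Example.TokenPriv type and its Enable method are names invented for this example.

```powershell
# Added example, not code from the thread. Run in an elevated session.
$path  = 'AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'   # key from the thread
$owner = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'

# P/Invoke helper; the Example.TokenPriv name and Enable() are this example's own.
Add-Type -Namespace Example -Name TokenPriv -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, int access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LookupPrivilegeValue(string host, string name, ref long luid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
    ref TokPriv1Luid newState, int length, IntPtr previous, IntPtr returnLength);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);

public static void Enable(string privilege) {
    IntPtr token;
    // 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
    if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, 0x28, out token))
        throw new System.ComponentModel.Win32Exception();
    try {
        TokPriv1Luid tp = new TokPriv1Luid();
        tp.Count = 1;
        tp.Attr = 2;   // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, privilege, ref tp.Luid))
            throw new System.ComponentModel.Win32Exception();
        // The call succeeds even when the token lacks the privilege
        // (ERROR_NOT_ALL_ASSIGNED), so the last error is checked as well.
        if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
            || Marshal.GetLastWin32Error() != 0)
            throw new System.ComponentModel.Win32Exception();
    } finally { CloseHandle(token); }
}
'@
[Example.TokenPriv]::Enable('SeTakeOwnershipPrivilege')

# With the privilege enabled, WRITE_OWNER is granted whatever the key's DACL says.
$key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($path,
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    [System.Security.AccessControl.RegistryRights]::TakeOwnership)
$acl = New-Object System.Security.AccessControl.RegistrySecurity   # only the owner is written
$acl.SetOwner($owner)
$key.SetAccessControl($acl)
$key.Close()
(Get-Acl "Registry::HKEY_CLASSES_ROOT\$path").Owner   # verify the new owner
```

Handing the key back to NT SERVICE\TrustedInstaller afterwards means setting an owner other than the caller or its groups, which additionally requires SeRestorePrivilege to be enabled the same way.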
