Modify registry key ownership “access denied”

    • #212010
      Participant

      Hi,

      I’m trying to modify the registry key ownership of the following key:

      $path = 'AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'

      I’m using a local administrator account to try some ownership changes. If I use registry.exe to modify the ownership of the key from “TRUSTEDINSTALLER” to “BUILTIN\ADMINISTRATORS”, it works without problems!

      The problem is that I need to script it with PowerShell, but unfortunately I can’t get it to work … I’m getting an “access denied” with every method I try.

      f.ex. via dotnet:

      Or via psprovider + modifying the acl and set-acl … I keep getting an “access denied” …

      Does someone have an idea, how I can modify the $path key (see above) registry ownership from “TrustedInstaller” to “BUILTIN\ADMINISTRATORS” via powershell?

      Thanks a lot for any help!
      Kind regards,
      Didier

      • This topic was modified 6 months ago by grokkit. Reason: please format your code as per the forum posting instructions
    • #212475
      Senior Moderator

      Just to eliminate the obvious, are you running PowerShell as admin when you execute your script?

      Also there appears to be a typo in this line, but I think it’s just a missing open bracket:
      [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",System.Security.AccessControl.RegistryRights]::TakeOwnership)

      You may need to use OpenSubKey() with [RegistryKeyPermissionCheck]::ReadWriteSubTree as it’s used in this example in order to skip the security check and make the key writable.

    • #212934
      Participant

      Hi,

      Thank you very much for replying.

      Yes, I’m using a privileged powershell session as a local administrator.

      Sorry for the typo, yes there was a missing bracket.

      Unfortunately, both methods do not work … including your suggested method.

      PS C:\WINDOWS\system32> $path = 'AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'
      PS C:\WINDOWS\system32> [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",[System.Security.AccessControl.RegistryRights]::TakeOwnership)
      Exception calling "OpenSubKey" with "2" argument(s): "Requested registry access is not allowed."
      At line:1 char:1
      + [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",[System.Se …
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
      + FullyQualifiedErrorId : SecurityException

      PS C:\WINDOWS\system32> [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
      Exception calling "OpenSubKey" with "3" argument(s): "Requested registry access is not allowed."
      At line:1 char:1
      + [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",[Microsoft …
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
      + FullyQualifiedErrorId : SecurityException

      Or via get-acl/set-acl:

      $owner = 'BUILTIN\Administrators'
      New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
      $key = 'HKCR:AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'
      $originalRegistrySecurity = (Get-Acl $key)
      $newAcl = New-Object -TypeName System.Security.AccessControl.RegistrySecurity
      $newAcl.setOwner([System.Security.Principal.NTAccount]::new($owner))
      Set-Acl -Path $key -AclObject $newAcl

      Set-Acl : Requested registry access is not allowed.
      At line:1 char:1
      + Set-Acl -Path $key -AclObject $newAcl
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : PermissionDenied: (HKEY_CLASSES_RO…2-0E02075250C2}:String) [Set-Acl], SecurityException
      + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.SetAclCommand

      So it seems to me that it is currently not possible to do this via PowerShell, as Get-Acl and Set-Acl result in an “access denied” too ….

      Didier

      • This reply was modified 5 months, 4 weeks ago by didier04.
    • #213048
      Participant

      Hello,

      Thank you very much for replying.

      Yes it is an elevated administrator powershell session.

      $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
      Write-Output $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

      True

      All methods I tried fail with an access denied:

      $path = 'AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'

      1) method:

      [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",[System.Security.AccessControl.RegistryRights]::TakeOwnership)
      Exception calling "OpenSubKey" with "2" argument(s): "Requested registry access is not allowed."

      2) method:

      [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)

      Exception calling "OpenSubKey" with "3" argument(s): "Requested registry access is not allowed."

      3) method:

      $owner = 'BUILTIN\Administrators'
      New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
      $key = 'HKCR:AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'
      $originalRegistrySecurity = (Get-Acl $key)
      $newAcl = New-Object -TypeName System.Security.AccessControl.RegistrySecurity
      $newAcl.setOwner([System.Security.Principal.NTAccount]::new($owner))
      Set-Acl -Path $key -AclObject $newAcl

      Set-Acl : Requested registry access is not allowed.
      At line:1 char:1
      + Set-Acl -Path $key -AclObject $newAcl
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : PermissionDenied: (HKEY_CLASSES_RO…2-0E02075250C2}:String) [Set-Acl], SecurityException

      I honestly think that it isn’t possible to do this via powershell ….

      Any other ideas welcome.

      Regards,

      Didier

    • #234577
      Participant

      Sadly can’t help on this one yet – going bald trying to solve the exact same problem. Did you get any further with this problem?

    • #234697
      Participant

      This worked for me. The link posted by grokkit is interesting, but it appears the code is incomplete (sets variable $res after importing ntdll, but it is never used), so I’m sure there are more options by calling Windows APIs directly.

      Now once you’re set as the owner, you can pull the actual ACL and add permissions. (You may also be able to use [System.Security.AccessControl.RegistryRights]::ChangePermissions instead of TakeOwnership, I did not try)

      This does not cover inheritance or propagation, as it’s outside the scope of the question. Hopefully this helps.

  • The topic ‘Modify registry key ownership “access denied”’ is closed to new replies.