Author Posts

May 25, 2018 at 2:13 pm

Is there a way to reset permissions on a registry key to it's original permissions after a permission change? Kind of like reverting all changes. I can change permissions on users, but I just don't know how to revert the changes dynamically. Here's what I'm working with:

        $KeyPath="Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionsPending"
        $OrgACLOwner=Get-Acl -Path "HKLM:\$KeyPath"
        $Key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$KeyPath", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,`
        [System.Security.AccessControl.RegistryRights]::ReadKey)
        $Rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Administrators","FullControl","Allow")
        $Acl.SetAccessRule($Rule)
        $Key.SetAccessControl($Acl)
        $Key.Close

I know I could probably use this remove the permission I set:

        $Acl.RemoveAccessRule($Rule)
        $Key.SetAccessControl($Acl)

What if I set 10 special permissions and need to revert it? I know in batch you could use icacls /reset to reset permissions on files/folders. I'm just lookin for something similar. I did try $Acl.ResetAccessRule($Acl), but that didn't do anything.

May 25, 2018 at 2:21 pm

So, you're really in .NET more than PowerShell, but we can take a stab at it :).

There's no "revert to factory defaults," no, because the OS doesn't keep track of what those factory defaults were. The closest you could potentially come would be to apply a security template, but that's not granular – it's the whole thing or bust, and you'd have to find one that included whatever key(s) you've messed with.

ResetAccessRule doesn't "reset to factory defaults;" it accepts a new ACL and replaces everything with that new one. From the docs, "Removes all access control rules with the same user as the specified rule, regardless of AccessControlType, and then adds the specified rule." So you're still supply a new rule.

May 25, 2018 at 2:32 pm

As Don said, there's no magic 'revert to defaults' button. If the special permissions were set on a key that inherits all of its permissions, then you could look for ACEs that have the .IsInherited property set to $false and remove those since those would have been explicitly set (but just because it's explicitly set doesn't mean it doesn't actually belong). You could also user another computer's registry hive as a reference and steal the SDDL from that and apply it to the key you're looking to revert (see the SetSecurityDescriptorSddlForm() method) (be careful of local user/group SIDs here...normally ACEs the system sets are well known SIDs that are the same everywhere).

I'm sure you already know this, but I feel like I have to mention it anyway since I've suggested a few ways to modify registry permissions: be very careful with this. If you're looking to revert some permissions for some keys that belong to a single application that don't have an insane number of children, then have at it, as recovering from that isn't that big of a deal. The same goes for modifying a user's registry hive: recovering from a mistake just takes rebuilding it. But I wouldn't recommend trying to create a script to set loose on almost anything outside of those scenarios. There's way too much stuff you can mess up to the point where a complete reload is the easiest way to recover.