Change Registry Key

Hi, I'm trying to change the access of a registry key and its subkeys to READ only for Administrators, while keeping everything else. A new rule is created with only READ access for Administrators, but the original FullControl one is still there. How can I just change the FullControl to Read, to make things easier? Can anyone please help?

$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\MyKey",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::ChangePermissions)
$acl = $key.GetAccessControl()
$person = [System.Security.Principal.NTAccount]"Administrators"
$access = [System.Security.AccessControl.RegistryRights]"ReadKey"
$inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$propagation = [System.Security.AccessControl.PropagationFlags]"NoPropagateInherit"
$type = [System.Security.AccessControl.AccessControlType]"Allow"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule($person,$access,$inheritance,$propagation,$type)

$acl.SetAccessRuleProtection($True,$False)

$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)

jenewa2508,
Welcome to the forum. :wave:t3:

Did you get this code from an AI? :smirk:

I’d recommend using the PowerShell cmdlet

And you may pay special attention to the example 5.

Regardless of that …

When you post code, sample data, console output or error messages please format it as code using the preformatted text button ( </> ). Simply place your cursor on an empty line, click the button and paste your code.

Thanks in advance

How to format code in PowerShell.org <---- Click :point_up_2:t4: :wink:

( !! Sometimes the preformatted text button hides behind the settings gear symbol. :wink: )

I do not know how to change for registry key.

Have you tried to search for it?

I used this search pattern …

https://www.google.com/search?q=Powershell+change+acl+for+registry+key

and this is one of the first hits:

Yes, I have searched other sites for information too, but they talk about different stuff. There are not enough examples to show in the tutorials, too. It is hard to understand.

In PowerShell you can navigate the registry like a file system. Try this:

cd HKLM:\System
Get-ChildItem

You should see MyKey there. You can then use Get-ItemProperty and Set-ItemProperty to view and modify registry keys.

Once you find the item you need to modify the ACLs for, you can use Get-ACL and Set-Acl to do that.


It's not that. I successfully disabled inheritance for registry key, but when I try to just change Administrators permissions to READ only, it creates a whole one, while the original is still there. If you try the script above on a random registry key, you’ll see what I mean. I don’t know what’s missing or wrong.

If it applies to a different scope (this folder vs all folders/files) then it will be a different entry.


This is not about folders, it's about registry key. And my script has applied to “This Key and Subkeys”. If you run my script, you will see the error I'm referring to.

Ahh my apologies, the example is about ACLs, not folders. I wasn’t aware there was an error. I thought you said “but when I try to just change Administrators permissions to READ only, it creates a whole one, while the original is still there.” Can you clarify the error for me?

How do I use these 2 commands on main registry key and recurse through its subkeys?

$acl.SetAccessRuleProtection($True,$False)
$acl.SetAccessRule($rule)
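
One way to do what the last post asks, using the Get-Acl and Set-Acl cmdlets suggested earlier in the thread. This is an added example, not code from any participant. It assumes an elevated session, uses the asker's placeholder key `SYSTEM\MyKey`, and introduces a hypothetical helper named `Set-AdminReadOnly`; unlike the original script it keeps the other principals' inherited entries and applies the Read rule with `ContainerInherit` only.

```powershell
# Added example (not from the thread). 'HKLM:\SYSTEM\MyKey' is the asker's
# placeholder key; Set-AdminReadOnly is a hypothetical helper name.
# Run elevated, and try it on a scratch key first.
$admins = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'   # BUILTIN\Administrators

function Set-AdminReadOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    # Step 1: stop inheriting, but keep a copy of the inherited entries
    # ($true, $true) so every other principal keeps its current access.
    $acl = Get-Acl -Path $Path
    if (-not $acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($true, $true)
        if ($PSCmdlet.ShouldProcess($Path, 'Disable inheritance, keep entries')) {
            Set-Acl -Path $Path -AclObject $acl
        }
    }

    # Step 2: re-read after the write (rule edits only touch explicit entries),
    # drop every explicit Administrators entry (Allow and Deny), add one Read rule.
    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules($admins)
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $admins,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, 'Set Administrators to ReadKey')) {
        Set-Acl -Path $Path -AclObject $acl
    }
}

$root = 'HKLM:\SYSTEM\MyKey'
# Collect the key and all of its subkeys before changing anything.
$targets = @($root) + @(Get-ChildItem -Path $root -Recurse | ForEach-Object PSPath)
foreach ($t in $targets) { Set-AdminReadOnly -Path $t -WhatIf }   # drop -WhatIf to apply

# Verify: list the entries Administrators ends up with on each key, matched by SID.
foreach ($t in $targets) {
    (Get-Acl -Path $t).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $admins } |
        Select-Object @{ n = 'Key'; e = { $t } }, RegistryRights, AccessControlType, IsInherited
}
```

After a real run, the verification loop should show a single `ReadKey` Allow entry with `IsInherited` false for each key; any remaining `FullControl` row for the same SID points at a key the script could not write to.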