Modify registry key ownership "access denied"

Hi,

I’m trying to modify the registry key ownership of the following key:

$path = 'AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'

I'm using a local administrator account to try some ownership changes. If I'm using registry.exe to modify the ownership of the key from "TRUSTEDINSTALLER" to "BUILTIN\ADMINISTRATORS", it works without problems!

The problem is that I need to script it with PowerShell, but unfortunately I can't get it to work ... I'm getting an "access denied" with every method I'm trying.

e.g. via .NET:

[Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",System.Security.AccessControl.RegistryRights]::TakeOwnership)
Exception calling "OpenSubKey" with "2" argument(s): "Requested registry access is not allowed."

Or via the PS provider + modifying the ACL and Set-Acl ... I keep getting an "access denied" ...

Does someone have an idea how I can modify the registry ownership of the $path key (see above) from "TrustedInstaller" to "BUILTIN\ADMINISTRATORS" via PowerShell?

Thanks a lot for any help!
Kind regards,
Didier

Just to eliminate the obvious, are you running PowerShell as admin when you execute your script?

Also there appears to be a typo in this line, but I think it’s just a missing open bracket:
[Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey(“$path”,System.Security.AccessControl.RegistryRights]::TakeOwnership)

You may need to use OpenSubKey() with [RegistryKeyPermissionCheck]::ReadWriteSubTree as it’s used in this example in order to skip the security check and make the key writable.

Hi,

Thank you very much for replying.

Yes, I'm using a privileged PowerShell session as a local administrator.

Sorry for the typo, yes, there was a missing bracket.

Unfortunately, both methods do not work ... including your suggested method.

PS C:\WINDOWS\system32> $path = 'AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'
PS C:\WINDOWS\system32> [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",[System.Security.AccessControl.RegistryRights]::TakeOwnership)
Exception calling "OpenSubKey" with "2" argument(s): "Requested registry access is not allowed."
At line:1 char:1
+ [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",[System.Se …
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : SecurityException

PS C:\WINDOWS\system32> [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::TakeOwnership)
Exception calling "OpenSubKey" with "3" argument(s): "Requested registry access is not allowed."
At line:1 char:1
+ [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",[Microsoft …
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : SecurityException

Or via Get-Acl/Set-Acl:

$owner = 'BUILTIN\Administrators'
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
$key = 'HKCR:\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'
$originalRegistrySecurity = (Get-Acl $key)
$newAcl = New-Object -TypeName System.Security.AccessControl.RegistrySecurity
$newAcl.SetOwner([System.Security.Principal.NTAccount]::new($owner))
Set-Acl -Path $key -AclObject $newAcl

Set-Acl : Requested registry access is not allowed.
At line:1 char:1
+ Set-Acl -Path $key -AclObject $newAcl
    + CategoryInfo          : PermissionDenied: (HKEY_CLASSES_RO…2-0E02075250C2}:String) [Set-Acl], SecurityException
    + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.SetAclCommand

So it seems to me that it is currently not possible to do this via PowerShell, as Get-Acl/Set-Acl result in an "access denied" too ...

Didier

Hello,

Thank you very much for replying.

Yes, it is an elevated administrator PowerShell session.

$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
Write-Output $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

True

All methods I tried fail with an access denied:

$path = 'AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'

  1. method:

Exception calling "OpenSubKey" with "2" argument(s): "Requested registry access is not allowed."

  2. method:

[Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::TakeOwnership)

Exception calling "OpenSubKey" with "3" argument(s): "Requested registry access is not allowed."

  3. method:

$owner = 'BUILTIN\Administrators'
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
$key = 'HKCR:\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'
$originalRegistrySecurity = (Get-Acl $key)
$newAcl = New-Object -TypeName System.Security.AccessControl.RegistrySecurity
$newAcl.SetOwner([System.Security.Principal.NTAccount]::new($owner))
Set-Acl -Path $key -AclObject $newAcl
Set-Acl : Requested registry access is not allowed.
At line:1 char:1
+ Set-Acl -Path $key -AclObject $newAcl
    + CategoryInfo          : PermissionDenied: (HKEY_CLASSES_RO…2-0E02075250C2}:String) [Set-Acl], SecurityException

I honestly think that it isn't possible to do this via PowerShell ...

Any other ideas welcome.

Regards,

Didier

Sadly can't help on this one yet - going bald trying to solve the exact same problem. Did you get any further with this problem?

This worked for me. The link posted by grokkit is interesting, but it appears the code is incomplete (sets variable $res after importing ntdll, but it is never used), so I'm sure there are more options by calling Windows APIs directly.

$path = 'AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'
# Request only WRITE_OWNER (TakeOwnership); requesting rights the current DACL does not grant fails the open.
$regkey = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($path,
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    [System.Security.AccessControl.RegistryRights]::TakeOwnership)
# A fresh RegistrySecurity with only the owner set writes just the owner section of the descriptor.
$acl = New-Object System.Security.AccessControl.RegistrySecurity
$acl.SetOwner([System.Security.Principal.NTAccount]"Domain\User")   # "Domain\User" is a placeholder principal
$regkey.SetAccessControl($acl)

Now once you're set as the owner, you can pull the actual ACL and add permissions. (You may also be able to use [System.Security.AccessControl.RegistryRights]::ChangePermissions instead of TakeOwnership; I did not try.)

# As owner, read the real ACL, append a FullControl rule for the principal, write it back and release the key.
$acl = $regkey.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Domain\User","FullControl","Allow")
$acl.AddAccessRule($rule)
$regkey.SetAccessControl($acl)
$regkey.Close()

This does not cover inheritance or propagation, as it's outside the scope of the question. Hopefully this helps.
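An added example, not code from the thread, that fills in the part the answers leave implicit: WRITE_OWNER is granted either by the key's DACL or by SeTakeOwnershipPrivilege, which an elevated Administrators token holds but keeps disabled until the process enables it, so the script enables it (and SeRestorePrivilege) first, takes ownership, grants the rule, and then hands the key back to its original owner so TrustedInstaller's servicing ownership is not left changed. It assumes an elevated Windows PowerShell 5.1 session, the thread's key path, and a constructed function name Grant-RegistryKeyAccess; the key is reopened between steps because a handle's access mask is fixed when it is opened.

```powershell
Add-Type -TypeDefinition @'
using System; using System.Runtime.InteropServices;
public static class TokenPriv {
    // TOKEN_PRIVILEGES with one entry: count, 8-byte LUID, attributes (Pack=4 keeps the Win32 layout)
    [StructLayout(LayoutKind.Sequential, Pack=4)] struct TP { public int Count; public long Luid; public int Attr; }
    [DllImport("advapi32.dll", SetLastError=true)] static extern bool OpenProcessToken(IntPtr h, int acc, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError=true)] static extern bool LookupPrivilegeValue(string s, string n, out long luid);
    [DllImport("advapi32.dll", SetLastError=true)] static extern bool AdjustTokenPrivileges(IntPtr t, bool d, ref TP tp, int l, IntPtr p, IntPtr r);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    // Enable a privilege the token already holds; an elevated admin token has SeTakeOwnershipPrivilege, but disabled.
    public static bool Enable(string name) {
        IntPtr tok; TP tp = new TP(); tp.Count = 1; tp.Attr = 2;                    // SE_PRIVILEGE_ENABLED
        if (!OpenProcessToken(GetCurrentProcess(), 0x28, out tok)) return false;    // ADJUST_PRIVILEGES | QUERY
        if (!LookupPrivilegeValue(null, name, out tp.Luid)) return false;
        AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        return Marshal.GetLastWin32Error() == 0;   // 1300 (ERROR_NOT_ALL_ASSIGNED) = privilege not held at all
    }
}
'@
function Grant-RegistryKeyAccess {   # constructed name; assumes an elevated PowerShell session
    param([string]$SubKey, [string]$Principal = 'BUILTIN\Administrators')
    foreach ($p in 'SeTakeOwnershipPrivilege', 'SeRestorePrivilege') {
        if (-not [TokenPriv]::Enable($p)) { throw "Cannot enable $p; is this session elevated?" }
    }
    $hive   = [Microsoft.Win32.Registry]::ClassesRoot
    $rights = [System.Security.AccessControl.RegistryRights]
    $check  = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
    # 1. READ_CONTROL is enough to record the current owner (normally NT SERVICE\TrustedInstaller).
    $key = $hive.OpenSubKey($SubKey, $check, $rights::ReadPermissions)
    if (-not $key) { throw "Key not found: $SubKey" }
    $originalOwner = $key.GetAccessControl().GetOwner([System.Security.Principal.NTAccount])
    $key.Close()
    # 2. WRITE_OWNER only: a descriptor carrying nothing but the new owner writes only that section.
    $key = $hive.OpenSubKey($SubKey, $check, $rights::TakeOwnership)
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner([System.Security.Principal.NTAccount]$Principal)
    $key.SetAccessControl($sec); $key.Close()
    # 3. Reopen: as owner we are now granted READ_CONTROL and WRITE_DAC; WRITE_OWNER comes from the privilege.
    $key = $hive.OpenSubKey($SubKey, $check, $rights::ReadPermissions -bor $rights::ChangePermissions -bor $rights::TakeOwnership)
    $acl = $key.GetAccessControl()
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new($Principal, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    $acl.SetOwner($originalOwner)   # hand the key back; SeRestorePrivilege allows setting a non-self owner
    $key.SetAccessControl($acl); $key.Close()
    return $originalOwner.Value
}
Grant-RegistryKeyAccess 'AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'
```

If Enable returns $false for SeTakeOwnershipPrivilege in a session that is already elevated, the privilege has been removed from the account by policy and no PowerShell method will obtain WRITE_OWNER on a key whose DACL does not grant it.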