Modify registry key ownership "access denied"

Hi,

I’m trying to modify the registry key ownership of the following key:

$path = ‘AppID{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}’

I’m using a local administrator account to try some ownership changes. If I’m using registry.exe to modify the ownership of the key from “TRUSTEDINSTALLER” TO “BUILTIN\ADMINISTRATORS”, it works without problems!

The problem is, that I need to script it with powershell, but unfortunately I can’t get it to work … I’m getting an “access denied” with ever method I’m trying.

f.ex. via dotnet:

[Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",System.Security.AccessControl.RegistryRights]::TakeOwnership)
Exception calling "OpenSubKey" with "2" argument(s): "Requested registry access is not allowed."

Or via psprovider + modifying the acl and set-acl … I keep getting an “access denied” …

Does someone have an idea, how I can modify the $path key (see above) registry ownership from “TrustedInstaller” to “BUILTIN\ADMINISTRATORS” via powershell?

Thanks a lot for any help!
Kind regards,
Didier

Just to eliminate the obvious, are you running PowerShell as admin when you execute your script?

Also there appears to be a typo in this line, but I think it’s just a missing open bracket:
[Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",System.Security.AccessControl.RegistryRights]::TakeOwnership)

You may need to use OpenSubKey() with [RegistryKeyPermissionCheck]::ReadWriteSubTree as it’s used in this example in order to skip the security check and make the key writable.

Hi,

Thank you very much for replying.

Yes, I’m using a privileged powershell session as a local administrator.

Sorry for the typo, yes there was a missing bracket.

Unfortunately, both methods do not work … including your suggested method.

PS C:\WINDOWS\system32> $path = ‘AppID{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}’
PS C:\WINDOWS\system32> [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",[System.Security.AccessControl.RegistryRights]::TakeOwnership)
Exception calling “OpenSubKey” with “2” argument(s): “Requested registry access is not allowed.”
At line:1 char:1

  • [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",[System.Se …
  • CategoryInfo : NotSpecified: (:slight_smile: [], MethodInvocationException
  • FullyQualifiedErrorId : SecurityException

PS C:\WINDOWS\system32> [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
Exception calling “OpenSubKey” with “3” argument(s): “Requested registry access is not allowed.”
At line:1 char:1

  • [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$path",[Microsoft …
  • CategoryInfo : NotSpecified: (:slight_smile: [], MethodInvocationException
  • FullyQualifiedErrorId : SecurityException

Or via get-acl/set-acl:

$owner = ‘BUILTIN\Administrators’
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
$key = ‘HKCR:AppID{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}’
$originalRegistrySecurity = (Get-Acl $key)
$newAcl = New-Object -TypeName System.Security.AccessControl.RegistrySecurity
$newAcl.setOwner([System.Security.Principal.NTAccount]::new($owner))
Set-Acl -Path $key -AclObject $newAcl

Set-Acl : Requested registry access is not allowed.
At line:1 char:1

  • Set-Acl -Path $key -AclObject $newAcl
  • CategoryInfo : PermissionDenied: (HKEY_CLASSES_RO…2-0E02075250C2}:String) [Set-Acl], SecurityExceptio
    n
  • FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.SetAclCommand

 

So it seems to me that is currently not possible to do this via powershell as a (get-acl or set-acl) do result in an “access denied” method too …

Didier

Hello,

Thank you very much for replaying.

Yes it is an elevated administrator powershell session.

$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
Write-Output $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

True

All methods, I tried, fail with an access denied:

$path = ‘AppID{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}’

  1. method:

Exception calling “OpenSubKey” with “2” argument(s): “Requested registry access is not allowed.”

  1. method:

Microsoft.Win32.Registry::ClassesRoot.OpenSubKey("$path", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)

Exception calling “OpenSubKey” with “3” argument(s): “Requested registry access is not allowed.”

  1. method:

$owner = ‘BUILTIN\Administrators’
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
$key = ‘HKCR:AppID{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}’
$originalRegistrySecurity = (Get-Acl $key)
$newAcl = New-Object -TypeName System.Security.AccessControl.RegistrySecurity
$newAcl.setOwner([System.Security.Principal.NTAccount]::new($owner))
Set-Acl -Path $key -AclObject $newAcl
Set-Acl : Requested registry access is not allowed.
At line:1 char:1

  • Set-Acl -Path $key -AclObject $newAcl
  • CategoryInfo : PermissionDenied: (HKEY_CLASSES_RO…2-0E02075250C2}:String) [Set-Acl], SecurityException

I honestly think that it isn’t possible to do this via powershell …

Any other ideas welcome.

Regards,

Didier

Sadly cant help on this one yet - going bald trying to solve the exact same problem. Did you ge any further with this problem?

This worked for me. The link posted by grokkit is interesting, but it appears the code is incomplete (set’s variable $res after importing ntdll, but is never used) so I’m sure there are more options by calling windows APIs directly.

$path = 'AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'
$regkey = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($path,
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    [System.Security.AccessControl.RegistryRights]::takeownership)
$acl = New-Object System.Security.AccessControl.RegistrySecurity
$acl.SetOwner([System.Security.Principal.NTAccount]"Domain\User")
$regkey.SetAccessControl($acl)

Now once you’re set as the owner, you can pull the actual ACL and add permissions. (You may also be able to use [System.Security.AccessControl.RegistryRights]::ChangePermissions instead of TakeOwnership, I did not try)

$acl = $regkey.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Domain\User","FullControl","Allow")
$acl.AddAccessRule($rule)
$regkey.SetAccessControl($acl)
$regkey.Close()

This does not cover inheritance or propagation, as it’s outside the scope of the question. Hopefully this helps.