Take Ownership of RegKey and All SubKeys

jenewa2508 · April 9, 2024, 1:20am

How do I take ownership of a registry key and ALL its subkeys. I have this but its not working for subkeys. Can anyone please help ?

$regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\RandomKey",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::TakeOwnership)
$regACL = $regKey.GetAccessControl()
$regACL.SetOwner([System.Security.Principal.NTAccount]"Administrators")
$regKey.SetAccessControl($regACL)

neemobeer · April 9, 2024, 2:03pm

I may be wrong, but I don’t think there is a built-in way to recursively do this. You would need to grab all the sub keys and in a for loop set the owner on each key.

tonyd · April 9, 2024, 3:13pm

Although this link is file system related, you may be able to apply the same principles to the Registry??

jenewa2508 · April 9, 2024, 8:05pm

@neemobeer How do I grab all subkeys and loop them recursively. Can you please provide an example?
@tonyd Thankyou very much for your link but I do not know how to translate that for registry keys. Can you please help me out ?

neemobeer · April 9, 2024, 8:14pm

You can use the following cmdlet.
Get-ChildItem

jenewa2508 · April 9, 2024, 9:32pm

This what I got so far. It does not work and it does not show any error so I don't know what's wrong. The script just ran and that's it. I don't know how to go from here

$allsubkeys = Get-ChildItem 'HKLM:\System\RandomKey' -Recurse
foreach ($value in $allsubkeys) {
$regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\RandomKey",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::TakeOwnership)
$regACL = $regKey.GetAccessControl()
$regACL.SetOwner([System.Security.Principal.NTAccount]"Administrators")
$regKey.SetAccessControl($regACL)  }

tonyd · April 9, 2024, 10:53pm

You have still hard coded the path, what happens if you change to:


OpenSubKey($value

jenewa2508 · April 9, 2024, 11:17pm

It says this error

You cannot call a method on a null-valued expression.
At line:5 char:1
+ $regACL = $regKey.GetAccessControl()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
You cannot call a method on a null-valued expression.
At line:7 char:1
+ $regKey.SetAccessControl($regACL)  }
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

tonyd · April 9, 2024, 11:32pm

So … I dug in a little bit as I have used OpenSubKey in the past and it seems to like a different Syntax for the KeyPath. It seems to like

 "SOFTWARE\\RandomKey"

versus the path returned from Get-Childitem which is:

 "HKEY_LOCAL_MACHINE\SOFTWARE\RandomKey"

Based on that theory, I put this together. It aint pretty, but it seems to work. It is also hard coded for the HKEY which I dont like, but you can play around if you need to use something other than HKLM.

$regPath = 'HKLM:\SOFTWARE\RandomKey'
$objReg = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Default')

$allSubKeys = Get-ChildItem -Path $regPath -Recurse

$allSubKeys | foreach-Object {
	if($_.PSIsContainer) {
		$var = $($($_.Name.Replace('HKEY_LOCAL_MACHINE\', '')).Replace('\', '\\'))
		Write-Output "Changing key: $var"
		$subKeyFound = $objReg.OpenSubKey($var, $true)
		$regACl = $subKeyFound.GetAccessControl()
		$regACL.SetOwner([System.Security.Principal.NTAccount]"Administrators")
		$subKeyFound.SetAccessControl($regACL)
	}
}

jenewa2508 · April 9, 2024, 11:42pm

Thankyou for your script. This script is great ! May I ask how to include the main registry key because it changed ownership for all other subkeys except the main one

tonyd · April 9, 2024, 11:54pm

Try this (not TESTED) … in a hurry, will touch back tomorrow.

$regPath = 'HKLM:\SOFTWARE\RandomKey'
$objReg = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Default')

$allSubKeys = Get-ChildItem -Path $regPath -Recurse
$allSubKeys += Get-Item -Path $regPath

$allSubKeys | foreach-Object {
	if($_.PSIsContainer) {
		$var = $($($_.Name.Replace('HKEY_LOCAL_MACHINE\', '')).Replace('\', '\\'))
		Write-Output "Changing key: $var"
		$subKeyFound = $objReg.OpenSubKey($var, $true)
		$regACl = $subKeyFound.GetAccessControl()
		$regACL.SetOwner([System.Security.Principal.NTAccount]"Administrators")
		$subKeyFound.SetAccessControl($regACL)
	}
}

jenewa2508 · April 10, 2024, 2:43am

Hi, Thankyou for your script. I am trying to Disable-Inheritance for main key and all subkeys recursively, but I just don’t know where to fit this in, in addition to your latest script.

SetAccessRuleProtection($true,$false)

tonyd · April 10, 2024, 1:38pm

You would add that method, and any other methods before you actually write the permissions with the SetAccessControl Method

Add this before SetAccessControl:

$regACL.SetAccessRuleProtection($true,$false)

jenewa2508 · April 10, 2024, 10:19pm

Thankyou for that heads-up !! May I ask how to change ownership back to SYSTEM. I tried the following 2 ways, but it gives that error.

$regACL.SetOwner([System.Security.Principal.NTAccount]"System")
$regACL.SetOwner([System.Security.Principal.NTAccount]"NT Authority\System")

Exception calling "SetAccessControl" with "1" argument(s): "The security identifier is not allowed to be the owner of this object."
At line:15 char:3
+         $subKeyFound.SetAccessControl($regACL)
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException

tonyd · April 10, 2024, 11:25pm

I would manually view and or adjust the permissions on the key from the registry editor. That might give you some clues. Looks like a permission issue to me.

jenewa2508 · April 11, 2024, 12:55am

Hello, I tried to find clues on other untouched registry keys, but I can not find other names besides “NT AUTHORITY\SYSTEM” (its not case sensitive too sooo…yup…I don’t know what’s going on)

Olaf · April 11, 2024, 6:24am

Just a wild guess … instead of

you could try “<COMPUTERNAME>\SYSTEM”

(while COMPUTERNAME refers to the system you run this code on)

jenewa2508 · April 11, 2024, 5:05pm

It shows this error. I tried actual COMPUTERNAME and “$env:computername\SYSTEM”

Exception calling "SetOwner" with "1" argument(s): "Some or all identity references could not be translated."

tonyd · April 11, 2024, 5:11pm

Based on your error message, I would conclude the identifier you chose is not the issue, as I would expect the error to be more specific on that criteria if that was the real issue. Try googling that entire string, some interesting answers and some pointing to “Inheratance” which you asked about breaking earlier in this thread.

neemobeer · April 11, 2024, 6:13pm

I think it might be a bug. I tested changing the owner on both a file and a reg key. I could set the owner on the file to both BUILTIN\Administrators and SYSTEM. I could only set a reg key to Administrators. I think there is a windows security policy bug somewhere.

Also both “NT AUTHORITY\SYSTEM” and “SYSTEM” should work

Topic		Replies	Views
Change Registry Key PowerShell Help	10	155	April 15, 2024
Modify registry key ownership "access denied" PowerShell Help	5	834	June 10, 2020
Replace owner on subcontainers and objects PowerShell Help	0	235	June 3, 2020
Must Run Script 2x to Take Effect? PowerShell Help	4	54	April 19, 2024
Setting permissions on Registry Key PowerShell Help	4	215	July 7, 2020

Take Ownership of RegKey and All SubKeys

Related Topics