I may be wrong, but I don't think there is a built-in way to recursively do this. You would need to grab all the subkeys and, in a for loop, set the owner on each key.
@neemobeer How do I grab all subkeys and loop through them recursively? Can you please provide an example? @tonyd Thank you very much for your link, but I do not know how to translate that for registry keys. Can you please help me out?
This is what I got so far. It does not work and it does not show any error, so I don't know what's wrong. The script just ran and that's it. I don't know how to go from here.
$allsubkeys = Get-ChildItem 'HKLM:\System\RandomKey' -Recurse
foreach ($value in $allsubkeys) {
    # $value.Name looks like "HKEY_LOCAL_MACHINE\SYSTEM\RandomKey\Sub"; OpenSubKey wants the path relative to the hive,
    # and it must be the current subkey, not the fixed parent, or the loop rewrites the same key every time
    $relativePath = $value.Name -replace '^HKEY_LOCAL_MACHINE\\', ''
    # ReadPermissions is needed so GetAccessControl can read the existing descriptor before the owner is changed
    $rights = [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor [System.Security.AccessControl.RegistryRights]::TakeOwnership
    $regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($relativePath, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
    $regACL = $regKey.GetAccessControl()
    $regACL.SetOwner([System.Security.Principal.NTAccount]"Administrators")
    $regKey.SetAccessControl($regACL)
    $regKey.Close()
}
So … I dug in a little bit, as I have used OpenSubKey in the past, and it seems to like a different syntax for the key path. It seems to like
"SOFTWARE\\RandomKey"
versus the path returned from Get-ChildItem, which is:
"HKEY_LOCAL_MACHINE\SOFTWARE\RandomKey"
Based on that theory, I put this together. It ain't pretty, but it seems to work. It is also hard-coded for the HKEY, which I don't like, but you can play around if you need to use something other than HKLM.
Thank you for your script. This script is great! May I ask how to include the main registry key, because it changed ownership for all other subkeys except the main one?
Hi, thank you for your script. I am trying to disable inheritance for the main key and all subkeys recursively, but I just don't know where to fit this in, in addition to your latest script.
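Added example, not code from anyone in this thread: a function that does what the posts above describe end to end. It enumerates the main key first and then every subkey, converts the HKEY_LOCAL_MACHINE\... names that Get-ChildItem returns into the hive-relative form OpenSubKey expects, takes ownership, and (optionally) breaks inheritance on each key in a second pass, because a key can normally only have its DACL rewritten once the caller owns it. The function name, the Hive parameter and the hive table are my assumptions; 'SOFTWARE\RandomKey' is the placeholder key used in the thread. The default owner is BUILTIN\Administrators because Windows only lets a caller assign ownership to its own SID or to a group carrying the owner flag in its token (Administrators, in an elevated session) unless SeRestorePrivilege is enabled; any key that cannot be opened or changed is reported instead of aborting the run.

```powershell
# Added example (not from this thread). Run from an elevated PowerShell.
function Set-RegistryTreeOwner {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU', 'HKU', 'HKCR')][string]$Hive,
        [Parameter(Mandatory)][string]$KeyPath,        # hive-relative, e.g. 'SOFTWARE\RandomKey'
        [string]$Owner = 'BUILTIN\Administrators',
        [switch]$DisableInheritance
    )
    # Assumed mapping from PowerShell drive names to .NET hive objects
    $hiveMap = @{
        HKLM = [Microsoft.Win32.Registry]::LocalMachine
        HKCU = [Microsoft.Win32.Registry]::CurrentUser
        HKU  = [Microsoft.Win32.Registry]::Users
        HKCR = [Microsoft.Win32.Registry]::ClassesRoot
    }
    $root         = $hiveMap[$Hive]
    $ownerAccount = [System.Security.Principal.NTAccount]$Owner

    # Main key first, then every subkey. Get-ChildItem names look like
    # "HKEY_LOCAL_MACHINE\SOFTWARE\RandomKey\Sub"; strip the hive prefix because
    # OpenSubKey wants a hive-relative path.
    $paths = @($KeyPath) + @(
        Get-ChildItem -Path "${Hive}:\$KeyPath" -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Name -replace '^[^\\]+\\', '' }
    )

    $ownerRights = [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
                   [System.Security.AccessControl.RegistryRights]::TakeOwnership
    $daclRights  = [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
                   [System.Security.AccessControl.RegistryRights]::ChangePermissions

    foreach ($path in $paths) {
        $display = "$Hive\$path"
        if (-not $PSCmdlet.ShouldProcess($display, "Set owner to $Owner")) { continue }
        $key = $null
        try {
            # Pass 1: take ownership. The handle only needs READ_CONTROL + WRITE_OWNER.
            $key = $root.OpenSubKey($path, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $ownerRights)
            if (-not $key) { throw "key not found" }
            $acl = $key.GetAccessControl()
            $acl.SetOwner($ownerAccount)
            $key.SetAccessControl($acl)
            $key.Close(); $key = $null

            if ($DisableInheritance) {
                # Pass 2: now that we own the key, reopen with WRITE_DAC and stop
                # inheriting. $true,$true keeps the inherited rules as explicit copies,
                # so effective access does not change when the link to the parent is cut.
                $key = $root.OpenSubKey($path, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $daclRights)
                $acl = $key.GetAccessControl()
                $acl.SetAccessRuleProtection($true, $true)
                $key.SetAccessControl($acl)
            }
            [pscustomobject]@{ Key = $display; Result = 'OK' }
        }
        catch {
            # MethodInvocationException wraps the real .NET error; report the innermost message
            [pscustomobject]@{ Key = $display; Result = $_.Exception.GetBaseException().Message }
        }
        finally {
            if ($key) { $key.Close() }
        }
    }
}

# Usage with the placeholder key from the thread; drop -WhatIf to apply the change:
Set-RegistryTreeOwner -Hive HKLM -KeyPath 'SOFTWARE\RandomKey' -DisableInheritance -WhatIf
```

Running it with -WhatIf first lists every key the function would touch, which is a cheap way to confirm the enumeration (including the main key) before anything is changed. Subkeys that Get-ChildItem cannot enumerate because the caller has no access to their parent are simply not listed; rerunning after the parent has a new owner picks them up.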
Exception calling "SetAccessControl" with "1" argument(s): "The security identifier is not allowed to be the owner of this object."
At line:15 char:3
+ $subKeyFound.SetAccessControl($regACL)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : InvalidOperationException
I would manually view and or adjust the permissions on the key from the registry editor. That might give you some clues. Looks like a permission issue to me.
Hello, I tried to find clues on other untouched registry keys, but I cannot find other names besides "NT AUTHORITY\SYSTEM" (it's not case sensitive too sooo…yup…I don't know what's going on)
Based on your error message, I would conclude the identifier you chose is not the issue, as I would expect the error to be more specific on that criteria if that was the real issue. Try googling that entire string; some interesting answers, and some pointing to "Inheritance", which you asked about breaking earlier in this thread.
I think it might be a bug. I tested changing the owner on both a file and a reg key. I could set the owner on the file to both BUILTIN\Administrators and SYSTEM. I could only set a reg key to Administrators. I think there is a Windows security policy bug somewhere.
Also both “NT AUTHORITY\SYSTEM” and “SYSTEM” should work