Take Ownership of RegKey and All SubKeys

How do I take ownership of a registry key and ALL its subkeys. I have this but its not working for subkeys. Can anyone please help ?

$regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\RandomKey",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::TakeOwnership)
$regACL = $regKey.GetAccessControl()
$regACL.SetOwner([System.Security.Principal.NTAccount]"Administrators")
$regKey.SetAccessControl($regACL)

I may be wrong, but I don’t think there is a built-in way to recursively do this. You would need to grab all the sub keys and in a for loop set the owner on each key.

Although this link is file system related, you may be able to apply the same principles to the Registry??

1 Like

@neemobeer How do I grab all subkeys and loop them recursively. Can you please provide an example?
@tonyd Thankyou very much for your link but I do not know how to translate that for registry keys. Can you please help me out ?

You can use the following cmdlet.
Get-ChildItem

This what I got so far. It does not work and it does not show any error so I don't know what's wrong. The script just ran and that's it. I don't know how to go from here

$allsubkeys = Get-ChildItem 'HKLM:\System\RandomKey' -Recurse
foreach ($value in $allsubkeys) {
$regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SYSTEM\RandomKey",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::TakeOwnership)
$regACL = $regKey.GetAccessControl()
$regACL.SetOwner([System.Security.Principal.NTAccount]"Administrators")
$regKey.SetAccessControl($regACL)  }

You have still hard coded the path, what happens if you change to:


OpenSubKey($value



2 Likes

It says this error

You cannot call a method on a null-valued expression.
At line:5 char:1
+ $regACL = $regKey.GetAccessControl()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull
 
You cannot call a method on a null-valued expression.
At line:7 char:1
+ $regKey.SetAccessControl($regACL)  }
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

So … I dug in a little bit as I have used OpenSubKey in the past and it seems to like a different Syntax for the KeyPath. It seems to like

 "SOFTWARE\\RandomKey" 

versus the path returned from Get-Childitem which is:

 "HKEY_LOCAL_MACHINE\SOFTWARE\RandomKey"

Based on that theory, I put this together. It aint pretty, but it seems to work. It is also hard coded for the HKEY which I dont like, but you can play around if you need to use something other than HKLM.

$regPath = 'HKLM:\SOFTWARE\RandomKey'
$objReg = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Default')

$allSubKeys = Get-ChildItem -Path $regPath -Recurse

$allSubKeys | foreach-Object {
	if($_.PSIsContainer) {
		$var = $($($_.Name.Replace('HKEY_LOCAL_MACHINE\', '')).Replace('\', '\\'))
		Write-Output "Changing key: $var"
		$subKeyFound = $objReg.OpenSubKey($var, $true)
		$regACl = $subKeyFound.GetAccessControl()
		$regACL.SetOwner([System.Security.Principal.NTAccount]"Administrators")
		$subKeyFound.SetAccessControl($regACL)
	}
}
1 Like

Thankyou for your script. This script is great ! May I ask how to include the main registry key because it changed ownership for all other subkeys except the main one

Try this (not TESTED) … in a hurry, will touch back tomorrow.

$regPath = 'HKLM:\SOFTWARE\RandomKey'
$objReg = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Default')

$allSubKeys = Get-ChildItem -Path $regPath -Recurse
$allSubKeys += Get-Item -Path $regPath

$allSubKeys | foreach-Object {
	if($_.PSIsContainer) {
		$var = $($($_.Name.Replace('HKEY_LOCAL_MACHINE\', '')).Replace('\', '\\'))
		Write-Output "Changing key: $var"
		$subKeyFound = $objReg.OpenSubKey($var, $true)
		$regACl = $subKeyFound.GetAccessControl()
		$regACL.SetOwner([System.Security.Principal.NTAccount]"Administrators")
		$subKeyFound.SetAccessControl($regACL)
	}
}
1 Like

Hi, Thankyou for your script. I am trying to Disable-Inheritance for main key and all subkeys recursively, but I just don’t know where to fit this in, in addition to your latest script.

SetAccessRuleProtection($true,$false)

You would add that method, and any other methods before you actually write the permissions with the SetAccessControl Method

Add this before SetAccessControl:

$regACL.SetAccessRuleProtection($true,$false)
1 Like

Thankyou for that heads-up !! May I ask how to change ownership back to SYSTEM. I tried the following 2 ways, but it gives that error.

$regACL.SetOwner([System.Security.Principal.NTAccount]"System")
$regACL.SetOwner([System.Security.Principal.NTAccount]"NT Authority\System")
Exception calling "SetAccessControl" with "1" argument(s): "The security identifier is not allowed to be the owner of this object."
At line:15 char:3
+         $subKeyFound.SetAccessControl($regACL)
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException

I would manually view and or adjust the permissions on the key from the registry editor. That might give you some clues. Looks like a permission issue to me.

Hello, I tried to find clues on other untouched registry keys, but I can not find other names besides “NT AUTHORITY\SYSTEM” (its not case sensitive too sooo…yup…I don’t know what’s going on)

Just a wild guess … instead of

you could try “<COMPUTERNAME>\SYSTEM

(while COMPUTERNAME refers to the system you run this code on)

It shows this error. I tried actual COMPUTERNAME and “$env:computername\SYSTEM”

Exception calling "SetOwner" with "1" argument(s): "Some or all identity references could not be translated."

Based on your error message, I would conclude the identifier you chose is not the issue, as I would expect the error to be more specific on that criteria if that was the real issue. Try googling that entire string, some interesting answers and some pointing to “Inheratance” which you asked about breaking earlier in this thread.

1 Like

I think it might be a bug. I tested changing the owner on both a file and a reg key. I could set the owner on the file to both BUILTIN\Administrators and SYSTEM. I could only set a reg key to Administrators. I think there is a windows security policy bug somewhere.

Also both “NT AUTHORITY\SYSTEM” and “SYSTEM” should work