Change registry-permission in Windows 2008 R2 via CMD


Hey guys,

I have a problem setting up a reg-key in Windows 2008 R2.

I'm talking about the following key:

[HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}]
"LocalizedString"

In Windows 2003 and 2008 (NOT R2!) it's no problem changing the key-value to "%ComputerName%", but in Windows 2008 R2 the local Administrator has no permission to edit the key, rename it, delete it or change the permission!

I can manually take the ownership of the key via "regedit" and then edit the value, but I have to do it via batch / CMD!

In Windows 2003 there is the command "REGINI" to change permissions via commandline, but how to do this in Windows 2008 R2?

Hope anyone has gotten rid of this problem and can give me a solution for that.

Thank you

Edited by HØLLØW


Umm, regini? :)

And just to clarify: Cluberti is not asking what regini is, he is saying that regini is included in W2K8-R2.

Edited by MrJinje

Sorry, my mistake :blink:

I tested it with the following:

HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} [1]

That's not working! Administrator has just read-access!

Is there a way to change the owner of the key via commandline? Because then it's working fine :yes:

Edited by HØLLØW

Hmmm -- seems regini can change perms, but not take any ownership (and has some limitations on HKCR as well). At this point, I'd recommend SetAcl to overcome this particular limitation - it's 32- and 64-bit and quite small.


Taking ownership of a registry key (along with everything else) can also be done from PowerShell, which is built in to W2K8-R2:

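# Read the key's current ACL
$acl = Get-Acl HKCU:\Software\Testkey
# Echo the current owner
$acl.Owner
$me = [System.Security.Principal.NTAccount]"$env:userdomain\$env:username"
$acl.SetOwner($me)
# Write the modified ACL back to the key; SetOwner alone only changes the in-memory object
Set-Acl -Path HKCU:\Software\Testkey -AclObject $acl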

I think you can skip the $acl.Owner line; all that does is echo the current owner as part of the example.

Edited by MrJinje
Hi there,

I tested it today on my test-environment and it worked fine with "SetACL".

Very nice tool :thumbup

Thank you guys

Edited by HØLLØW

  • 1 month later...

Taking ownership of a registry key (along with everything else) can also be done from Powershell, which is built-in to W2K8-R2

$acl = Get-Acl HKCU:\Software\Testkey
$acl.Owner
$me = [System.Security.Principal.NTAccount]"$env:userdomain\$env:username"
$acl.SetOwner($me)

I think you can skip the $acl.owner line, all that does is echo the current owner as part of the example.

The only problem with this is if the owner of a key is TrustedInstaller, and you lack "write" rights to a key - PowerShell tries to open the key as writable (to change the owner), which of course will fail. In this scenario, the only way I've found to get the above to work at all is to run PowerShell with psexec as a user that *does* have write access (this is usually SYSTEM), and then it works. I've resorted to using subinacl/SetAcl for this instead from script.
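
The read-only situation described in this thread can be confirmed without requesting write access. The following is an added example, not part of any post above: it opens the key with read-permissions rights only and reports the owner and what the key's DACL grants BUILTIN\Administrators. The function name `Get-RegKeySecuritySummary` and the output property names are hypothetical.

```powershell
# Added example, not from the thread. Get-RegKeySecuritySummary is a hypothetical name.
function Get-RegKeySecuritySummary {
    param([Parameter(Mandatory = $true)][string]$SubKey)  # path below HKEY_CLASSES_ROOT

    # Request READ_CONTROL only, so the open succeeds where the caller has read access.
    $check = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree
    $want  = [System.Security.AccessControl.RegistryRights]::ReadPermissions
    $key   = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($SubKey, $check, $want)
    if ($null -eq $key) { throw "Key not found: HKCR\$SubKey" }
    try {
        $sections = [System.Security.AccessControl.AccessControlSections]'Owner, Access'
        $sd = $key.GetAccessControl($sections)
    }
    finally { $key.Close() }

    # Resolve the owner SID to an account name where possible.
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $ownerSid = $sd.GetOwner($sidType)
    try   { $owner = $ownerSid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $owner = $ownerSid.Value }

    # OR together what Allow ACEs on this key grant to BUILTIN\Administrators.
    # Simplification: deny ACEs and the caller's other groups are not evaluated.
    $granted = 0
    foreach ($ace in $sd.GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Value -ne 'S-1-5-32-544') { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ([int]$ace.PropagationFlags -band 2) { continue }  # 2 = InheritOnly (subkeys only)
        $granted = $granted -bor [int]$ace.RegistryRights
    }

    $r = [System.Security.AccessControl.RegistryRights]
    New-Object PSObject -Property @{
        Key                 = "HKCR\$SubKey"
        Owner               = $owner
        AdminsSetValue      = [bool]($granted -band [int]$r::SetValue)
        AdminsChangePerms   = [bool]($granted -band [int]$r::ChangePermissions)
        AdminsTakeOwnership = [bool]($granted -band [int]$r::TakeOwnership)
    }
}

# The key discussed in this thread:
Get-RegKeySecuritySummary 'CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}'
```

If all three flags come back False, the key's DACL gives Administrators no write path, which matches the behaviour reported for Windows 2008 R2 in this thread. Recording this output before and after an ownership change also documents exactly what was altered on the key.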


  • 2 months later...

Hi Hollow, can you post how you solved this? I'm having the same problem but I'm not able to solve it using SetACL.

Thanks!

