There is a registry key on Win Server 2008 R2,
HKCR:\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
whose owner is not Administrator. It is TrustedInstaller. Now, to make a remote
DCOM/WMI connection work, I need to give Administrator permission to have
Full Control over this key and ownership as well. As this needs to be done on
several machines, I was hoping I could do this using PowerShell. I followed
these:
Controlling Registry ACL Permissions with Powershell
Change the owner of directories with powershell
but I still get this error:
    Exception calling "OpenSubKey" with "3" argument(s):
    "Requested registry access is not allowed."
The code I am trying to run is simple:
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey(
        "CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}",
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership
    )
    echo $key
Any ideas on how to change ownership of this key? I believe once the ownership
is changed to Administrator, I will be able to change permissions using Set-Acl.
I was able to achieve this in PowerShell using the following script:
    # Checking OS Version and changing Registry Key permissions accordingly. We do need
    # to change reg-key ownership for Win Server 2008, but in 2008 R2, owner of one of
    # the required keys is TrustedInstaller instead of Administrator. Thus we need to
    # change the owner back to Admin in order to make any changes to that key.
    echo "Checking Operating System Version..."
    $cv = (gi "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion")
    $wv = $cv.GetValue("ProductName")
    echo "$wv"
    # Mounting HKey_ClassesRoot Registry key as a drive - Silent
    New-PSDrive -name HKCR -PSProvider Registry -root HKEY_CLASSES_ROOT | Out-Null
    $acl = Get-Acl "HKCR:\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}"
    $owner = $acl.Owner
    # Case 48188: Because Windows has server version like Windows Web Server 2008 R2, we
    # cannot validate the version name using "Windows Server 2008 R2". We will only
    # check if the name contains "Server 2008 R2".
    if($wv.Contains("Server 2008 R2") -and !$owner.Contains("Administrators"))
    {
        echo "Setting Administrators Group privileges in Windows Registry..."
        # enable-privilege is not a built-in cmdlet. A helper with that name must
        # already be defined in the session and must return $true on success.
        $boolResult = enable-privilege SeTakeOwnershipPrivilege
        if(-not $boolResult)
        {
            echo "Privileges could not be elevated. Changing ownership of the registry"
            echo "key would fail. Please change ownership of key"
            echo "HKCR\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6} to Administrators"
            echo "Group manually."
            return
        }
        $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey(
            "CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}",
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
            [System.Security.AccessControl.RegistryRights]::takeownership
        )
        # You must get a blank acl for the key b/c you do not currently have access
        $acl = $key.GetAccessControl(
            [System.Security.AccessControl.AccessControlSections]::None
        )
        $owner = [System.Security.Principal.NTAccount]"Administrators"
        $acl.SetOwner($owner)
        $key.SetAccessControl($acl)
        # After you have set owner you need to get the acl with the perms so you can
        # modify it.
        $acl = $key.GetAccessControl()
        $person = [System.Security.Principal.NTAccount]"Administrators"
        $access = [System.Security.AccessControl.RegistryRights]"FullControl"
        $inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit"
        $propagation = [System.Security.AccessControl.PropagationFlags]"None"
        $type = [System.Security.AccessControl.AccessControlType]"Allow"
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $person,$access,$inheritance,$propagation,$type
        )
        $acl.SetAccessRule($rule)
        $key.SetAccessControl($acl)
        $key.Close()
        echo "Administrators Group ownership privileges set."
    }
I ran into a similar problem previously. Instead of trying to take ownership of the key, I changed the permission of it so that it is readable by everyone (8). This can be done using 'regini'. I have a wrapper function that can change the permission of the provided key.
Example: Fix-RegistryPermission -server 'localhost' -key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum" -permissions '[1 8 17]'
For more info, run 'regini' in a command prompt for the permission settings.
    function Fix-RegistryPermission {
        param (
            [string] $server,
            [string] $key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum",
            [string] $permissions = "[1 8 17]"
        )
        $("{0} {1}" -f $key, $permissions) | Out-File $("{0}\regini_input.txt" -f $Env:Temp);
        & "regini" -m \\$server $("{0}\regini_input.txt" -f $Env:Temp);
        sleep 3;
        Remove-Item $("{0}\regini_input.txt" -f $Env:Temp);
    }