regdmp to export Registry key permissions?

garryshape
garryshape used Ask the Experts™
on
So I'm trying to make a batch script that will modify some values in HKEY_CLASSES_ROOT\CLSID\
Problem is I need to script the modification of permissions on said keys before changing the value.

I'm told this can be done by dumping the permissions with regdmp with desired permissions, then importing via regini.
The problem is, regdmp is not giving me any thing regarding permissions on a key.

When I run the command:
regdmp \registry\machine\software\classes\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder
It just lists the sub types and their values. it doesn't list any kind of permission representation.
Am I missing a parameter here or is there a better way?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Most Valuable Expert 2018
Distinguished Expert 2018
Commented:
Use setacl.exe, http://helgeklein.com/setacl/
To give the user or group "Name" full permissions on this key, try this (but maybe create a key "HKLM\Software\Acme" for testing):
SetACL.exe -on "HKLM\Software\Classes\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder" -ot reg -actn ace -ace "n:DOMAIN\Name;p:full"

Open in new window

Note that if you're on a 64bit system, you should use the 64bit version of SetACL, especially if the key you want to change is the 'real' (64bit) "HKLM\Software"; a 32bit software (like regini!) on a 64bit system will only see the 32bit part, which is actually "HKLM\Software\Wow6432Node".

Author

Commented:
Thanks, I came across that but wasn't sure if it was legit.  
I am seeing some PowerShell options here with Get-ACL and Set-ACL I'm fiddling with too. It might work since I'm dealing with Windows 7 and SCCM Task Sequence supports powershell commands.
Most Valuable Expert 2018
Distinguished Expert 2018
Commented:
Yes, SetACL is legit.
And I love Powershell, but Set-ACL leaves something to be desired as far as intuitive usability (espacially in environments without access to MSDN) is concerned. In your case, it should be comparatively simple, assuming you want to give full control:
$Account = "SomeDomain\SomeName"
$Key = "HKLM:\Software\Classes\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder"
$ACL = Get-ACL -Path $Key
$RegistryAccessRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList $Account, "FullControl", "Allow"
$ACL.SetAccessRule($RegistryAccessRule)
Set-Acl -Path $Key -AclObject $ACL

Open in new window

Fundamentals of JavaScript

Learn the fundamentals of the popular programming language JavaScript so that you can explore the realm of web development.

Author

Commented:
Ok great, ty, works great!

Author

Commented:
So for name would it be "NT AUTHORITY\SYSTEM" if I wanted to give the System account the access? SCCM 2012 OSD Task Sequence runs commands as System so that's why I ask.
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
Yes, either that, or just "SYSTEM".

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial