[Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1216
  • Last Modified:

regdmp to export Registry key permissions?

So I'm trying to make a batch script that will modify some values in HKEY_CLASSES_ROOT\CLSID\
Problem is I need to script the modification of permissions on said keys before changing the value.

I'm told this can be done by dumping the permissions with regdmp with desired permissions, then importing via regini.
The problem is, regdmp is not giving me any thing regarding permissions on a key.

When I run the command:
regdmp \registry\machine\software\classes\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder
It just lists the sub types and their values. it doesn't list any kind of permission representation.
Am I missing a parameter here or is there a better way?
0
garryshape
Asked:
garryshape
  • 3
  • 3
2 Solutions
 
oBdACommented:
Use setacl.exe, http://helgeklein.com/setacl/
To give the user or group "Name" full permissions on this key, try this (but maybe create a key "HKLM\Software\Acme" for testing):
SetACL.exe -on "HKLM\Software\Classes\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder" -ot reg -actn ace -ace "n:DOMAIN\Name;p:full"

Open in new window

Note that if you're on a 64bit system, you should use the 64bit version of SetACL, especially if the key you want to change is the 'real' (64bit) "HKLM\Software"; a 32bit software (like regini!) on a 64bit system will only see the 32bit part, which is actually "HKLM\Software\Wow6432Node".
0
 
garryshapeAuthor Commented:
Thanks, I came across that but wasn't sure if it was legit.  
I am seeing some PowerShell options here with Get-ACL and Set-ACL I'm fiddling with too. It might work since I'm dealing with Windows 7 and SCCM Task Sequence supports powershell commands.
0
 
oBdACommented:
Yes, SetACL is legit.
And I love Powershell, but Set-ACL leaves something to be desired as far as intuitive usability (espacially in environments without access to MSDN) is concerned. In your case, it should be comparatively simple, assuming you want to give full control:
$Account = "SomeDomain\SomeName"
$Key = "HKLM:\Software\Classes\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder"
$ACL = Get-ACL -Path $Key
$RegistryAccessRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList $Account, "FullControl", "Allow"
$ACL.SetAccessRule($RegistryAccessRule)
Set-Acl -Path $Key -AclObject $ACL

Open in new window

0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
garryshapeAuthor Commented:
Ok great, ty, works great!
0
 
garryshapeAuthor Commented:
So for name would it be "NT AUTHORITY\SYSTEM" if I wanted to give the System account the access? SCCM 2012 OSD Task Sequence runs commands as System so that's why I ask.
0
 
oBdACommented:
Yes, either that, or just "SYSTEM".
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now