Modifying registry key permission from CMD line

Very simple question:

I need to incorporate into my logon script batch file for Win 7 x64 Domain Computers that changes permissions and then deletes a particular Registry Key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\{Key name here}

Probably best to give EVERYONE Full Control, and then delete.

Can anyone help?
hhnetworksAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

chekov666Commented:
Hi,

with the following command you can change permissions:
CACLS files /e /p {USERNAME}:{PERMISSION}

with the following command you can delete the Registry Key:
reg delete HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\{Key name here}

greetings
Markus
0
hhnetworksAuthor Commented:
CACLS if for files...not Registry Keys. I need to change permissions on the Key to take ownership, then delete the key.
0
chekov666Commented:
sorry I missed that. For Permissions on Registry Keys u need this:

SubiNACL
http://www.laurierhodes.info/?q=node/39

But as i know the logonscript runs with user permissions, so it could be u get an no access on the HKLM-Path
0
The 7 Worst Nightmares of a Sysadmin

Fear not! To defend your business’ IT systems we’re going to shine a light on the seven most sinister terrors that haunt sysadmins. That way you can be sure there’s nothing in your stack waiting to go bump in the night.

hhnetworksAuthor Commented:
I appreciate your responses.

 On my test workstation from a command prompt though, for both subiNACL or SetACL  I get "... is not recognized as an internal or external command...."

I was hoping to use REGINI, but I cant get the syntax right. I keep getting "Failed to Load..." error message when specifying the key
0
chekov666Commented:
ok, as i understand regini syntax u have to use an scriptfile with it.

"PathToRegin\regini.exe" scriptfile

scriptfile content your Keys and Permissions:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\{Key name here} [10]


---------
Numbers of Permission in the brackets with spaces between them

              1  - Administrators Full Access
              2  - Administrators Read Access
              3  - Administrators Read and Write Access
              4  - Administrators Read, Write and Delete Access
              5  - Creator Full Access
              6  - Creator Read and Write Access
              7  - World Full Access
              8  - World Read Access
              9  - World Read and Write Access
              10 - World Read, Write and Delete Access
              11 - Power Users Full Access
              12 - Power Users Read and Write Access
              13 - Power Users Read, Write and Delete Access
              14 - System Operators Full Access
              15 - System Operators Read and Write Access
              16 - System Operators Read, Write and Delete Access
              17 - System Full Access
              18 - System Read and Write Access
              19 - System Read Access
              20 - Administrators Read, Write and Execute Access
              21 - Interactive User Full Access
              22 - Interactive User Read and Write Access
              23 - Interactive User Read, Write and Delete Access
0
NVITEnd-user supportCommented:
One way to avoid this is to run your script via Computer Startup and Shutdown Scripts. The script runs under the Local System account of the workstation: https://technet.microsoft.com/en-us/magazine/dd630947.aspx
0
McKnifeCommented:
Right. No logon script, it lacks permissions to change permissions.
Startup script or group policy preferences.
0
hhnetworksAuthor Commented:
Thanks for everyone's help.

I'd be happy to run this as a Startup Script...what I need help with is the exact syntax. My client workstations are not understanding the 'subiNACLS' or 'SetACL' commands....these are just basic Win 7 x64 workstations.

The Reg Key is:
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\bla bla"

Current permissions are: (see screenshot attached)
0
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
Having a startup or GPO script also removes the need for permission changes. Executing the reg delete its sufficient. Make sure to enclose the complete reg path in double quotes (because of the spaces).
0
hhnetworksAuthor Commented:
Olemo, I will try this out and advise soon
0
hhnetworksAuthor Commented:
Just updating everyone on this: Running the REG DELETE in a Startup Script has not worked for this particular Key, and Im sure it's because the current owner and the only one with Full Control is "Trusted Installer".

My System Admin has been trying various Powershell and various other scripts to try to accomplish this, but we havent got it yet.
0
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
Don't get that - the WinLogon key is not restricted to Trusted Installer. Is your particular key restricted that way? Would be very uncommon.
0
hhnetworksAuthor Commented:
The full key Im trying to delete is:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]

This is a workaround to another issue for another question I have posted at:
http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_28668343.html
0
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
Ah, a GPO. Yes, that sounds plausible. In that case obtaining privs or acting as the owner is required indeed.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
hhnetworksAuthor Commented:
Olemo,

Thanks for your contributions on this. Due to the fact that my other question (link above) has been finally resolved by Microsoft, there is no longer a need for us to pursue this.

Unfortunately, using vbs, powershell, Startup scripts etc, we were never able to programmatically find a way to capture ownership of that particular registry key.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 7

From novice to tech pro — start learning today.