[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Set "deny" permission to a registry key via command line

Posted on 2016-11-28
17
Medium Priority
?
237 Views
Last Modified: 2017-01-17
Using a single console command line, we need to deny SYSTEM account access to a specific registry key.

Subinacl worked for that without issues on past operating systems, but it doesn't seem to behave properly with Windows 10 x64, and other sources are reporting the same.

SetACL doesn't seem to know anything about denying permissions on registry, or I couldn't find the proper syntax for it.

How you guys would recommend us to achieve this?
0
Comment
Question by:technet
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 8
17 Comments
 
LVL 56

Expert Comment

by:McKnife
ID: 41904712
Why use the command line and not GPOs? Or is the key in HKCU?
1
 

Author Comment

by:technet
ID: 41904731
GPO is not an option. Surprisingly, doesn't seem to exist a CLI tool to accomplish this on W10, so even a powershell script would make us happy.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41904791
Could you help me helping you by answering these 2 questions, please? So just that I understand it.
Where's the key, and why not use GPO registry permission deployment?
1
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 

Author Comment

by:technet
ID: 41904799
Sure. Thanks for taking this issue into attention, McKnife.

Key is at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion;

No GPOs because machines targeted for this are not part of a domain. Deployment of this change should be as straightforward as possible, wiht no GUI;
0
 
LVL 56

Accepted Solution

by:
McKnife earned 2000 total points
ID: 41904895
subinacl.exe /subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\3ware /deny=system=f

Open in new window

works here as expected. Try it on an elevated command prompt.
1
 

Author Comment

by:technet
ID: 41904949
Almost there, McKnife! Works but not on the key that we need to change. Even running as nt authority\system (!).
On your system you can deny system account on a subkey of the key that I've provided?
What could be stopping us?
0
 

Author Comment

by:technet
ID: 41904952
When I try to take key's ownership , I receive an "access denied".
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 41904968
Why do you need to deny system? System is the top of the heap for ownership. you would have to explicitly ALLOW a n account before removing system otherwise NOTHING can change it.
0
 

Author Comment

by:technet
ID: 41905012
I know, it's not an easy task on W10. Administrators group has full control by default, but they aren't the owner.

Can't change owner of those keys using:
subinacl /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /setowner=administrators /grant=administrators=f

Changing owner using elevated regedit GUI still doesn't allow subinacl to /deny=system=f.

What changed from Windows 7 to disallow this change, and how overcome it?
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41905013
it works. It will not work on all subkeys, maybe. Please tell me on what subkeys it doesn't work for you.
1
 
LVL 56

Expert Comment

by:McKnife
ID: 41905015
show th output of your command.
1
 

Author Comment

by:technet
ID: 41905035
Output says that permissions were changed, but it doesn't happen.

For practical effects, I'm considering as a good approach McKnife's solution.

Thank you all!
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41905267
Give me one example of a subkey that does not work, please.
1
 

Author Comment

by:technet
ID: 41905522
Winlogon is one of them that didn't worked on our machines.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41906567
It works as long as you use an account that may change permissions. The administrator account does not have full access to all subkeys of winlogon - that's why it fails without first doing these 3:
1 take ownership of the regkey and all of the subkeys you are going to modify
2 give yourself full permissions
3 change permissions for others
1
 

Author Comment

by:technet
ID: 41906616
I wasn't able to change those permissions even running CMD under system credentials. This worked perfectly with XP and 7.

Could you please show the commands needed for that which worked on your setup?

As always, thank you, McKnife.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41906852
I have to admit that I hardly find the time to look for the syntax to automate all this: registry taking ownership and disabling inheritance. BUt I can assure you that I did not see a difference to win7, yet. When a key is not modifiable although you should have permissions to do it, it might be that it is protected. Some keys are protected by filter drivers, for example the keys for windows defender cannot be modified by a script because Microsoft wants to keep malware from doing that.

I might find the time later, will make a calendar entry.
1

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article summaries thoughts and ideas from two years of sustained use. It provides good reasoning to make the jump to Windows 10.
Windows 10 Creator Update has just been released and I have it working very well on my laptop. Read below for issues, fixes and ideas.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question