Identify Windows Registry Keys based on Owner?

Is there a method or utility I could use to enumerate a list of Registry keys currently configured with a particular owner - which I specify?  It would be preferable to be able to specify the desired owner by SID, but I am open to alternative methods/suggestions.

I am dealing with migrating a user from a (crashed) domain onto a local workgroup, and in this case, there is only the local copy of the user's profile (including the user's registry hive) available - no domain controller.   I have successfully copied this locally-cached domain profile onto a new profile structure (new user), but one small challenge remains.

I updated the security on the registry to provide full access to the new user, and that has worked perfectly for the majority of the software on the computer.  However, I noticed two programs which were not quite behaving 100%.  I determined that, in both cases, the Owner appeared to be the old/domain user (an unresolvable SID).  I changed the owner to be the new user, and that resolved the issues.

My concern is, there are probably a few other similar cases in the registry which are waiting to eventually make their presence known.  Rather than deal with this on an ongoing and per-complaint basis, I would rather proactively search the registry to identify any remaining keys which are flagged with the now-non-existent (domain-user) owner.  Once I have identified them, updating the ownership will be a snap.

Thanks in advance for any insight.

"I always try to respect the registry as much as possible." - that's the right attitude! For security reasons, it should stay that way, so let's look for an alternative. I think subinacl should be the right tool to substitute permissions on registry keys:
Some example for the syntax:
Why wouldn't you just take ownership at the very top and select to change ownership on subkeys and objects as well? That will reset anything to the new owner.
SingsBass (Author) commented:
Thanks for your quick response, @McKnife.

I briefly thought about that, actually ... but I ruled it out (at least for the time being) as a "good" option, unless it ends up being the only option :-).  Perhaps I was being too picky/paranoid (?).

I always try to respect the registry as much as possible.  It seems that the majority of the User keys are owned by the Administrators group, so I figured it would be a good idea to leave it that way. Since only a minuscule percentage (I tripped over a 3rd key, since I posted my question) seem to be owned by a specific user, I thought the ideal goal would be to see if I could determine all such "exceptional" keys, and then update them by changing the ownership from the old/bad user, to the new/good user.

This way, the registry should end up being in the same condition it would have been, if everything else had happened "normally" (i.e., if a user had been set up from scratch).  At least, it sounds good in theory, yes?  :-)

I am certainly willing to entertain the idea of just loading the user hive, taking ownership at the top/root, and selecting the option to apply the changes to all subkeys ... if that is what it is going to take.

Do you have any first-hand experience actually doing this?  Any good or bad experiences to report?

R@f@r P@NC3R (Virtualization Specialist) commented:

You could share the screen printer, to help you better.

I remain attentive to your comments.
SingsBass (Author) commented:

Thank you very much!  

I had totally forgotten about the SubInACL tool.  I used it a couple of times years (and years) ago ... and, truthfully, I don't think I even realized (then) that it could be used for object ownership.

I am really glad I pursued your suggestion - SubInACL found 1,000's of registry entries with ownership issues, and a few with permission issues (which had previously got by my manual methods).  Although many of the ownership/permission issues would have been benign, I guarantee (from spot checking) that a number of them would eventually have reared their ugly heads.  So doing this preventatively was definitely the right call.

Not only did I get reacquainted with SubInACL, but I discovered a new (to me) and very powerful feature - the /replace action.  Wow!  That was killer.  It did exactly what I needed, all in one fell swoop.  I was able to specify the old/domain account by SID, and have SubInACL replace any occurrence of it (ownership and/or permissions) with the new/local account.  Brilliant!  

And, for good measure, I also used it at the file level on the user profile, and it fixed up a couple of latent issues there, too.  Everything that I have tested now functions 100% as expected for the migrated user.

It is too bad that the utility was apparently never updated to support 64bit platforms (i.e. Win7, etc.) - but luckily for me, I was dealing with an XP system which supports some legacy tools/processes ... so SubInACL hit a bulls-eye for me!  :-)

Thanks again, @McKnife, for an excellent, excellent suggestion and support experience.  <big thumbs-up>
SingsBass (Author) commented:
I was doing some user migration on a WinXP system, and needed a convenient way to identify the ownership of registry keys.  @McKnife suggested I look at a Resource Kit utility called SubInACL.  

Not only did this utility solve the specific challenge I initially posted about, but it turned out to be so much more useful.  It accomplished, in minutes, security modifications which would have taken me days of manual tedium (not to mention how error-prone that would have been).

SubInACL was a great solution!
You are very welcome.

And my compliments on your summary - very few people take the time to do that although it is pretty helpful for people that find this thread in the archive looking for a solution.
Question has a verified solution.
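
An added example, not part of the original thread: a report-only PowerShell scan that lists every key in a loaded user hive where a given SID is the owner or holds an explicit ACE, so the scope of the cleanup can be reviewed before anything is changed. The mount point `HKEY_USERS\MigratedUser` and the SID are constructed placeholders, and the helper name `Get-SidReferences` is hypothetical.

```powershell
# Report-only scan: lists keys where a given SID is owner or has an explicit ACE.
# Nothing is modified. Both values below are constructed placeholders.
$Root   = 'Registry::HKEY_USERS\MigratedUser'   # assumed mount point of the loaded hive
$OldSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed SID

$sidType = [System.Security.Principal.SecurityIdentifier]
$target  = (New-Object System.Security.Principal.SecurityIdentifier($OldSid)).Value

function Get-SidReferences {
    param($Key)   # Microsoft.Win32.RegistryKey returned by the registry provider
    try {
        $acl = $Key.GetAccessControl()   # owner, group and DACL
    } catch {
        # Report unreadable keys instead of silently skipping them
        Write-Warning "Cannot read security on $($Key.Name): $($_.Exception.Message)"
        return
    }
    # Ask for the owner as a SID so unresolvable accounts still compare correctly
    $owner   = $acl.GetOwner($sidType)
    $isOwner = ($owner -ne $null) -and ($owner.Value -eq $target)
    # Explicit ACEs only; inherited ones are corrected at the parent key
    $aces = @($acl.GetAccessRules($true, $false, $sidType) |
              Where-Object { $_.IdentityReference.Value -eq $target })
    if ($isOwner -or $aces.Count -gt 0) {
        New-Object PSObject -Property @{
            Key = $Key.Name; IsOwner = $isOwner; ExplicitAces = $aces.Count
        }
    }
}

# The root key itself plus every subkey; enumeration failures are collected in $denied
$keys = @(Get-Item -Path $Root) +
        @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue -ErrorVariable denied)
$hits = @($keys | ForEach-Object { Get-SidReferences $_ })

$hits | Sort-Object Key | Format-Table Key, IsOwner, ExplicitAces -AutoSize
Write-Host ("{0} keys reference {1}; {2} keys could not be enumerated." -f `
    $hits.Count, $target, $denied.Count)
```

Run it from an elevated session after loading the hive; keys that cannot be enumerated are counted separately because they may also carry the old SID.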