Hey guys! On Windows 11, is there a way to prevent modification of registry values (not keys) using batch scripts (cmd or PowerShell commands)? Thanks!!!
Sorry Dark Dino, but no. Registry permissions are set per key, not per value, so denying write applies to all values under a key; you can't have a protected value and unprotected values under the same key at the same time. Scripts only automate what you can already do via regedit. If unsure, don't mess with the registry; you can easily break your Windows installation.
That's part of the fun. You can't make a good ~~omelette~~ Windows without breaking a few ~~eggs~~ installations.
Forgot to give a script example of locking all values modification under a key: Code:
@(set '(=)||' <# lean and mean cmd / ps1 hybrid, can paste into powershell console #> @'
@echo off & set title=reg_own playground
title %title%
::# Demo flow: write a test value, add a Deny entry to the key ACL, show that the write now fails,
::# then remove the Deny entry again and delete the test value.

::# elevate with native shell by AveYo
::# The first line below registers a per-user runas verb for a made-up .Admin extension under
::# HKCU\Software\Classes. The second creates runas.Admin in the temp folder and starts it,
::# which relaunches this file - presumably with an elevation prompt.
::# fltmc fails without administrator rights, so the relaunch only happens when not yet elevated.
::# NOTE[review]: nothing further down removes the .Admin class entry or the temp file again.
>nul reg add hkcu\software\classes\.Admin\shell\runas\command /f /ve /d "cmd /x /d /r set \"f0=%%2\"& call \"%%2\" %%3"& set _= %*
>nul fltmc|| if "%f0%" neq "%~f0" (cd.>"%temp%\runas.Admin" & start "%~n0" /high "%temp%\runas.Admin" "%~f0" "%_:"=""%" & exit /b)

echo;
echo target key
echo set KEY=HKCU\Environment
set KEY=HKCU\Environment

echo;
echo test write access - should succeed
echo reg add %KEY% /f /v owned /d yes
reg add %KEY% /f /v owned /d yes

::# Well-known SIDs used below: S-1-2-0 = LOCAL, S-1-5-3 = BATCH, S-1-5-18 = Local System.
::# The Deny entry covers the whole key: registry ACLs are per key, so every value under it is affected.
::# HKCU\Environment holds the per-user environment variables, so those cannot be changed while locked.
::# If the script stops before the unlock step, the Deny entry stays in place.
::# NOTE[review]: this blocks ordinary writes only. An account that can take ownership or that holds
::# the privileges reg_own enables can undo it - the unlock step below is exactly that reversal.
echo;
echo lock key modification for all local accounts and set owner to batch
echo call :reg_own %KEY% -user S-1-2-0 -owner S-1-5-3 -acc Deny -perm "SetValue,Delete,ChangePermissions,TakeOwnership" -list
call :reg_own %KEY% -user S-1-2-0 -owner S-1-5-3 -acc Deny -perm "SetValue,Delete,ChangePermissions,TakeOwnership" -list

echo;
echo test write access again - should fail
echo reg add %KEY% /f /v owned /d no
reg add %KEY% /f /v owned /d no

echo;
echo unlock key for all local accounts and set owner back to system
echo call :reg_own %KEY% -recurse Delete -user S-1-2-0 -owner S-1-5-18 -list
call :reg_own %KEY% -recurse Delete -user S-1-2-0 -owner S-1-5-18 -list

echo;
echo remove test - should succeed
echo reg delete %KEY% /f /v owned
reg delete %KEY% /f /v owned

choice /c EX1T
exit /b

::# Batch entry point of reg_own: the line after the label reads this file back in, cuts out the
::# PowerShell text between the two reg_own marker lines and runs it with the caller arguments.
::# Keep the label line and the set line adjacent, and do not repeat the marker text in comments,
::# because the split pattern would match it.
:reg_own: [USAGE] call :reg_own "HKCU\Key" -recurse [Inherit|Replace|Delete] -user S-1-5-32-545 -owner '' -acc Allow -perm ReadKey
set ^ #=&set "0=%~f0"&set 1=%*& powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split':reg_own\: .*')[1]);# --%% %*&exit /b
function reg_own { param ( $key, $recurse='', $user='S-1-5-32-544', $owner='', $acc='Allow', $perm='FullControl', [switch]$list )
  # Sets the owner and one access rule on registry key $key. With -recurse the subkeys are walked too;
  # -list prints the resulting access rules.
  #   $user / $owner : SID strings. Default $user is S-1-5-32-544 (built-in Administrators).
  #   $acc / $perm   : Allow or Deny, and a RegistryRights list. Defaults are Allow / FullControl.
  #   $owner ''      : keep the owner the key already has (see $own below).
  #
  # Look up the non-public static SetPrivilege method of System.Diagnostics.Process by reflection
  # (42 = DeclaredOnly + Static + NonPublic) and call it once per privilege name.
  # presumably the second argument 2 means "enabled" - confirm.
  # The backtick in the method-name string is a no-op escape, so a plain-text search for the
  # method name does not match this line.
  # 524288 = RegistryRights.TakeOwnership.
  $D1=[uri].module.gettype('System.Diagnostics.Process')."GetM`ember"('SetPrivilege',42)[0]; $u=$user; $o=$owner; $p=524288
  'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$D1.Invoke($null, @("$_",2))}
  # Split "HIVE\sub\key" into hive and subkey path; $HK is the opened hive root.
  # $in is 0 only for -recurse Inherit, otherwise 1; it is passed to SetAccessRuleProtection further down.
  $reg=$key-split':?\\',2; $key=$reg-join'\'; $HK=gi -lit Registry::$($reg[0]) -force; $re=$recurse; $in=(1,0)[$re-eq'Inherit']
  # $w = SIDs for Everyone (S-1-1-0), the target user, and the final owner.
  $own=$o-eq''; if($own){$o=$u}; $sid=[Security.Principal.SecurityIdentifier]; $w='S-1-1-0',$u,$o |% {new-object $sid($_)}
  # $r[0] = Allow Everyone TakeOwnership (used while working), $r[1] = the rule the caller asked for.
  $r=($w[0],$p,1,0,0),($w[1],$perm,1,0,$acc) |% {new-object Security.AccessControl.RegistryAccessRule($_)};
  # _own: apply the change to subkey path $k under $HK; $l = print the access rules when done.
  function _own($k,$l) {
    # Open the key asking only for the TakeOwnership right; nothing happens if that fails.
    # GetAccessControl(4) reads the owner section, GetAccessControl(2) the access-rule section.
    $t=$HK.OpenSubKey($k,2,'TakeOwnership'); if($t) { try {$n=$t.GetAccessControl(4)} catch {$n=$HK.GetAccessControl(4)}
    # Remember the current owner when none was requested, then make Everyone the owner for now.
    # NOTE(review): if the function stops between here and the final SetOwner, the key appears to be
    # left owned by Everyone with the working ACL applied - confirm before using on keys that matter.
    $u=$n.GetOwner($sid); if($own-and $u) {$w[2]=$u}; $n.SetOwner($w[0]); $t.SetAccessControl($n); $d=$HK.GetAccessControl(2)
    # $b = the key's own access rules (restored with the change below); $d = hive-root rules used in the meantime.
    $c=$HK.OpenSubKey($k,2,'ChangePermissions'); $b=$c.GetAccessControl(2); $d.RemoveAccessRuleAll($r[1]); $d.ResetAccessRule($r[0])
    # Recurse into every subkey when -recurse was given.
    $c.SetAccessControl($d); if($re-ne'') {$sk=$HK.OpenSubKey($k).GetSubKeyNames(); foreach($i in $sk) {_own "$k\$i" $false}}
    # Apply the requested rule; -recurse Delete removes that rule again instead of leaving it in place.
    if($re-ne'') {$b.SetAccessRuleProtection($in,1)}; $b.ResetAccessRule($r[1]); if($re-eq'Delete') {$b.RemoveAccessRuleAll($r[1])}
    # Write the rules back and hand ownership to the final owner.
    $c.SetAccessControl($b); $b,$n |% {$_.SetOwner($w[2])}; $t.SetAccessControl($n)}; if($l) {return $b|fl} }; _own $reg[1] $list
}; iex "reg_own $(([environment]::get_CommandLine()-split'-[-]%+ ?')[1])" # :reg_own: lean & mean snippet by AveYo, 2022.01.15

::# reg_var is not called anywhere in this listing. Per its usage line it takes a key, a value name
::# and a variable name, and sets the variable from the output of reg query.
:reg_var: [USAGE] call :reg_var "HKCU\Volatile Environment" Value variable
(for /f "tokens=2*" %%R in ('reg query "%~1" /v "%~2" /se "|" %4 2^>nul') do set "%~3=%%S") & exit /b

'@); $0 = "$env:temp\_$env:title.bat"; ${(=)||} | out-file $0 -encoding default -force; & $0
# press enter