Block registry values modification

Discussion in 'Windows 11' started by aedthuio, Sep 7, 2022.

  1. aedthuio

    aedthuio MDL Junior Member

    Aug 14, 2009
    Hey guys! ;)

    On Windows 11 is there a way to prevent registry values (not keys) modification using batch scripts (cmd or powershell commands)?

    Thanks!!!
     
  2. Dark Dinosaur

    Dark Dinosaur X Æ A-12

    Feb 2, 2011
    Sure.
    Using AveYo's script.
    Ask @AveYo ...
     
  3. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    Sorry Dark Dino, but no.
    Denying write applies to all values under a key; you can't have a protected value and unprotected values under the same key at the same time.
    Scripts only automate what you can already do via regedit.
    If unsure, don't mess with the registry, you can easily break your windows installation.
     
  4. Uhuru N’Uru

    Uhuru N’Uru MDL Novice

    Aug 12, 2022
    That's part of the fun.
    You can't make a good omelette Windows without breaking a few eggs installations.
     
  5. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    Forgot to give a script example of locking modification of all values under a key:
    Code:
    @(set '(=)||' <# lean and mean cmd / ps1 hybrid, can paste into powershell console #> @'
    
    :: reg_own playground - demo of denying value modification on a whole registry key.
    :: Hybrid layout: pasted into a PowerShell console, the line above opens a single-quoted
    :: here-string holding this entire batch text, and the closing wrapper line at the bottom
    :: writes it to a .bat in the TEMP folder and runs it. Run directly as a .bat, cmd simply
    :: executes the lines below and never reaches the ps1 wrapper, because every path ends in exit /b.
    @echo off & set title=reg_own playground
    title %title%
    
    ::# elevate with native shell by AveYo
    :: Registers a runas verb for a fake .Admin file class under HKCU, then, when not yet elevated -
    :: fltmc serves as the admin probe and fails without admin rights - and this is not already the
    :: relaunched instance, starts this script again through that verb with the original arguments
    :: and exits the unelevated instance.
    :: NOTE: the HKCU .Admin verb and the runas.Admin file in TEMP are not removed by this script.
    >nul reg add hkcu\software\classes\.Admin\shell\runas\command /f /ve /d "cmd /x /d /r set \"f0=%%2\"& call \"%%2\" %%3"& set _= %*
    >nul fltmc|| if "%f0%" neq "%~f0" (cd.>"%temp%\runas.Admin" & start "%~n0" /high "%temp%\runas.Admin" "%~f0" "%_:"=""%" & exit /b)
    
    echo;
    echo target key
    echo set KEY=HKCU\Environment
    :: The demo works on the current user's Environment key; point KEY elsewhere to test other keys.
    set KEY=HKCU\Environment
    
    echo;
    echo test write access - should succeed
    echo reg add %KEY% /f /v owned /d yes
    reg add %KEY% /f /v owned /d yes
    
    echo;
    echo lock key modification for all local accounts and set owner to batch
    echo call :reg_own %KEY% -user S-1-2-0 -owner S-1-5-3 -acc Deny -perm "SetValue,Delete,ChangePermissions,TakeOwnership" -list
    :: Deny SetValue, Delete, ChangePermissions and TakeOwnership to S-1-2-0 = LOCAL, i.e. every
    :: locally logged-on account, and make S-1-5-3 = BATCH the key owner. Registry ACLs are per key,
    :: so this covers every value under KEY; single values cannot be protected on their own.
    :: -list prints the resulting DACL.
    call :reg_own %KEY% -user S-1-2-0 -owner S-1-5-3 -acc Deny -perm "SetValue,Delete,ChangePermissions,TakeOwnership" -list
    
    echo;
    echo test write access again - should fail
    echo reg add %KEY% /f /v owned /d no
    reg add %KEY% /f /v owned /d no
    
    echo;
    echo unlock key for all local accounts and set owner back to system
    echo call :reg_own %KEY% -recurse Delete -user S-1-2-0 -owner S-1-5-18 -list
    :: -recurse Delete drops the S-1-2-0 rule from KEY and its subkeys and hands ownership back to
    :: S-1-5-18 = SYSTEM.
    call :reg_own %KEY% -recurse Delete -user S-1-2-0 -owner S-1-5-18 -list
    
    echo;
    echo remove test - should succeed
    echo reg delete %KEY% /f /v owned
    reg delete %KEY% /f /v owned
    
    :: Wait for one of the keys E, X, 1 or T before leaving, so the console output stays visible.
    choice /c EX1T
    exit /b
    
    :: reg_own - set the owner of a registry key and add, replace or remove one access rule on it.
    :: cmd side usage: call :reg_own KEY [-recurse Inherit, Replace or Delete] [-user SID]
    ::                 [-owner SID] [-acc Allow or Deny] [-perm RegistryRights] [-list]
    :: The line after the label saves this script's path and the call arguments in env vars named 0
    :: and 1, then starts powershell -nop, which reads this .bat back and runs only the text between
    :: the label line and the signature comment that ends this section. Read by PowerShell, that same
    :: line is just Set-Variable on a throwaway name followed by a comment, so it does nothing there.
    :: The PowerShell function is then invoked with the arguments found after the stop-parsing token
    :: on the process command line.
    :reg_own: [USAGE] call :reg_own "HKCU\Key" -recurse [Inherit|Replace|Delete] -user S-1-5-32-545 -owner '' -acc Allow -perm ReadKey
    set ^ #=&set "0=%~f0"&set 1=%*& powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split':reg_own\: .*')[1]);# --%% %*&exit /b
    # Defaults: -user S-1-5-32-544 = Administrators, -owner '' = keep the key's current owner,
    # -acc Allow, -perm FullControl. -list returns the final DACL of the top key.
    function reg_own { param ( $key, $recurse='', $user='S-1-5-32-544', $owner='', $acc='Allow', $perm='FullControl', [switch]$list )
      # Enable the privileges needed to read and replace owners and DACLs on keys the caller does not
      # own, through reflection on a non-public static helper of System.Diagnostics.Process
      # (GetM`ember is GetMember spelled with a backtick escape; 42 is presumably the BindingFlags
      # value for a non-public static lookup - verify before relying on it). 524288 = 0x80000 =
      # RegistryRights.TakeOwnership.
      $D1=[uri].module.gettype('System.Diagnostics.Process')."GetM`ember"('SetPrivilege',42)[0]; $u=$user; $o=$owner; $p=524288
      'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$D1.Invoke($null, @("$_",2))}
      # Split "HIVE\sub\key" into hive and path and open the hive root through the Registry: provider.
      # $in is 0 for -recurse Inherit and 1 otherwise; it becomes the isProtected flag further down.
      $reg=$key-split':?\\',2; $key=$reg-join'\'; $HK=gi -lit Registry::$($reg[0]) -force; $re=$recurse; $in=(1,0)[$re-eq'Inherit']
      # Empty -owner means "keep the current owner". $w holds three SIDs: Everyone, user, owner.
      $own=$o-eq''; if($own){$o=$u}; $sid=[Security.Principal.SecurityIdentifier]; $w='S-1-1-0',$u,$o |% {new-object $sid($_)}
      # Two ContainerInherit rules: Everyone is allowed TakeOwnership so ownership can always be
      # reclaimed later, and the requested user gets $perm as $acc (Allow or Deny).
      $r=($w[0],$p,1,0,0),($w[1],$perm,1,0,$acc) |% {new-object Security.AccessControl.RegistryAccessRule($_)}; function _own($k,$l) {
      # Open the key for TakeOwnership, read its owner section (falling back to the hive root's) and
      # temporarily make Everyone the owner so the DACL can be rewritten regardless of the old ACL.
      $t=$HK.OpenSubKey($k,2,'TakeOwnership'); if($t) { try {$n=$t.GetAccessControl(4)} catch {$n=$HK.GetAccessControl(4)}
      $u=$n.GetOwner($sid); if($own-and $u) {$w[2]=$u}; $n.SetOwner($w[0]); $t.SetAccessControl($n); $d=$HK.GetAccessControl(2)
      # Apply the hive root's DACL plus the Everyone rule as a temporary working ACL on the key, then
      # recurse into all subkeys when -recurse was given ($b keeps the key's original DACL).
      $c=$HK.OpenSubKey($k,2,'ChangePermissions'); $b=$c.GetAccessControl(2); $d.RemoveAccessRuleAll($r[1]); $d.ResetAccessRule($r[0])
      $c.SetAccessControl($d); if($re-ne'') {$sk=$HK.OpenSubKey($k).GetSubKeyNames(); foreach($i in $sk) {_own "$k\$i" $false}}
      # On the original DACL: for Replace and Delete disable inheritance but keep inherited rules as
      # explicit ones (isProtected=1, preserveInheritance=1); for Inherit leave inheritance on. Then
      # reset the user rule and, for Delete, remove it again.
      if($re-ne'') {$b.SetAccessRuleProtection($in,1)}; $b.ResetAccessRule($r[1]); if($re-eq'Delete') {$b.RemoveAccessRuleAll($r[1])}
      # Write the final DACL, restore the intended owner, and return the DACL when -list was given.
      $c.SetAccessControl($b); $b,$n |% {$_.SetOwner($w[2])}; $t.SetAccessControl($n)}; if($l) {return $b|fl} }; _own $reg[1] $list
    }; iex "reg_own $(([environment]::get_CommandLine()-split'-[-]%+ ?')[1])" # :reg_own: lean & mean snippet by AveYo, 2022.01.15
    
    :: reg_var - read one registry value into an environment variable.
    :: Usage: call :reg_var "HKCU\Key" ValueName VarName [extra switch passed through to reg query]
    :: Not used by the playground above, kept as a helper. reg query prints name, type and data on
    :: one line; tokens=2* puts the type in the first for variable and the rest of the line, the
    :: data, in the second. Multi-string data is joined with the separator given by /se. When the
    :: value is missing, reg query fails silently and the target variable is left untouched.
    :reg_var: [USAGE] call :reg_var "HKCU\Volatile Environment" Value variable
    (for /f "tokens=2*" %%R in ('reg query "%~1" /v "%~2" /se "|" %4 2^>nul') do set "%~3=%%S") & exit /b
    
    '@); $0 = "$env:temp\_$env:title.bat"; ${(=)||} | out-file $0 -encoding default -force; & $0
    # ps1 side of the hybrid: the here-string closed above is held by a variable literally named
    # (=)||; it is written with -encoding default (the system ANSI code page in Windows PowerShell)
    # to TEMP\_<title>.bat and then executed. $env:title is only set inside the batch, so in a fresh
    # console the file name is presumably just _.bat. This runs only when pasted into PowerShell;
    # cmd never reaches this line because the sections above all end in exit /b.
    # press enter
    
    
     
  6. Dark Dinosaur

    Dark Dinosaur X Æ A-12

    Feb 2, 2011
    But before you do that, make sure to have a backup ;)
     