Help me with this tweak please

Discussion in 'Scripting' started by Ultra Male, Feb 15, 2019.

  1. Ultra Male

    Ultra Male MDL Expert

    May 30, 2014
    1,320
    678
    60
    So this tweak removes the "Move to OneDrive" context menu. When I apply the reg tweak, it removes that key and I do not see the Move to OneDrive context menu but upon reboot, it comes back.

    Is there a better way of doing this? like maybe leaving the key but revoking all permissions from all users so OneDrive is not able to recreate it again but still have it not being active/working so I don't get that context menu?

    Here is the key:

    Code:
    Windows Registry Editor Version 5.00
    
    [-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ FileSyncEx]
    [​IMG]
     
  2. boyonthebus

    boyonthebus MDL Senior Member

    Sep 16, 2018
    365
    186
    10
    You could create a task in task scheduler. I use it to get rid of Access file in new right-click. It would pop-up all the time. You could also give yourself ownership over ContextMenuHandlers and set permissions to read only. I am not sure how it would affect other programs you install.
     
  3. Ultra Male

    Ultra Male MDL Expert

    May 30, 2014
    1,320
    678
    60
    #3 Ultra Male, Feb 15, 2019
    Last edited: Feb 15, 2019
    (OP)
    Ok this worked, the guide was updated to include the permissions part:
    https://www.tenforums.com/tutorials/127208-add-remove-move-onedrive-context-menu-windows-10-a.html

    Now can someone help me create a batch file to do add the Everyone group to the following reg keys and give them a DENY permission?

    Code:
    Windows Registry Editor Version 5.00
    
    [-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ FileSyncEx]
    [-HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\ FileSyncEx]
    [-HKEY_CLASSES_ROOT\IE.AssocFile.URL\shellex\ContextMenuHandlers\ FileSyncEx]
    [-HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx]
     
  4. Ultra Male

    Ultra Male MDL Expert

    May 30, 2014
    1,320
    678
    60
    anyone?
     
  5. boyonthebus

    boyonthebus MDL Senior Member

    Sep 16, 2018
    365
    186
    10
    Do you have subinacl.exe ?
     
  6. Ultra Male

    Ultra Male MDL Expert

    May 30, 2014
    1,320
    678
    60
    dunno what's that even
     
  7. boyonthebus

    boyonthebus MDL Senior Member

    Sep 16, 2018
    365
    186
    10
    It is a MS file which edits reg permissions. I am trying it out. I have used it before, but not in your context. If I find a solution I will let you know. Meanwhile just do it manually.
     
  8. Krager

    Krager MDL Senior Member

    Jan 9, 2017
    395
    225
    10
    I've been using the following for batch processing permissions on registry entries; https://helgeklein.com/setacl/ Works on both files and registry entries, kind of one stop shop.
     
  9. Ultra Male

    Ultra Male MDL Expert

    May 30, 2014
    1,320
    678
    60
    Can someone not create a script for me .BAT to do this I have 0 knowledge about scripting

    I want to make these keys owned by the EVERYONE Group, then give them a DENY access to read/write

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ FileSyncEx]
    [HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\ FileSyncEx]
    [HKEY_CLASSES_ROOT\IE.AssocFile.URL\shellex\ContextMenuHandlers\ FileSyncEx]
    [HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx]
     
  10. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    256
    422
    10
    Since it seems a "one time" process why not do it manually if you can't make a script ?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  11. Ultra Male

    Ultra Male MDL Expert

    May 30, 2014
    1,320
    678
    60
  12. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    256
    422
    10
    #12 Thomas Dubreuil, Feb 16, 2019
    Last edited: Feb 16, 2019
    To "automate" the process you would need to have SetACL in windows directory...(and Nsudo to restore key in case)
    then would be something like this:
    OneDriveBlock.bat
    Code:
    @echo off
    %windir%\system32\whoami.exe /USER | find /i "S-1-5-18" 1>nul && (
    goto :START
    ) || (
    NSudoG -U:T -P:E "%~dpnx0"& exit /b >NUL 2>&1
    )
    :START
    SetACL -on "HKCR\*\shellex\ContextMenuHandlers\ FileSyncEx" -ot reg -actn setprot -op "dacl:p_nc" -actn clear -clr "dacl" -actn setowner -ownr "n:Everyone" >NUL 2>&1
    SetACL -on "HKCR\Directory\Background\shellex\ContextMenuHandlers\ FileSyncEx" -ot reg -actn setprot -op "dacl:p_nc" -actn clear -clr "dacl" -actn setowner -ownr "n:Everyone" >NUL 2>&1
    SetACL -on "HKCR\IE.AssocFile.URL\shellex\ContextMenuHandlers\ FileSyncEx" -ot reg -actn setprot -op "dacl:p_nc" -actn clear -clr "dacl" -actn setowner -ownr "n:Everyone" >NUL 2>&1
    SetACL -on "HKCR\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx" -ot reg -actn setprot -op "dacl:p_nc" -actn clear -clr "dacl" -actn setowner -ownr "n:Everyone" >NUL 2>&1
    exit /b
    
    OneDriveRestore.bat
    Code:
    @echo off
    %windir%\system32\whoami.exe /USER | find /i "S-1-5-18" 1>nul && (
    goto :START
    ) || (
    NSudoG -U:T -P:E "%~dpnx0"& exit /b >NUL 2>&1
    )
    :START
    SetACL -on "HKCR\*\shellex\ContextMenuHandlers\ FileSyncEx" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl" >NUL 2>&1
    SetACL -on "HKCR\Directory\Background\shellex\ContextMenuHandlers\ FileSyncEx" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl" >NUL 2>&1
    SetACL -on "HKCR\IE.AssocFile.URL\shellex\ContextMenuHandlers\ FileSyncEx" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl" >NUL 2>&1
    SetACL -on "HKCR\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl" >NUL 2>&1
    exit /b
    
    Note for everyone and for info:
    As shown in the SetACL command, it will 1st disable inheritence to then be able to clear authorizations and set ownership.
    Quite logical...but people often forget that part and claim SetACL doesn't work, so I just added this note as a reminder.

    SetACL syntax : https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/

    Ps: you might like to have a look at my "personalization project" for windows, contains also lots of reg tweaks (and more) you might find some useful... ;)
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  13. Ultra Male

    Ultra Male MDL Expert

    May 30, 2014
    1,320
    678
    60
    Thanks a lot man!

    About your note at the end about disabling inheritance, you mean I need to disable inheritance from those 4 folders before I run the batch file?
     
  14. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    256
    422
    10
    No, no sorry if wasn't clear, it's all good like this.
    It was just an added info about the syntax I used...because I see often people claiming setacl doesn't work, and it's just because they forget the "disable inheritence part" in their setacl command.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  15. Ultra Male

    Ultra Male MDL Expert

    May 30, 2014
    1,320
    678
    60
    Thanks a lot man! you are a champ!
     
  16. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    256
    422
    10
    I edited the "Note" to avoid confusion.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  17. Krager

    Krager MDL Senior Member

    Jan 9, 2017
    395
    225
    10
    On mine I only strip DACL permissions and enable inheritance. That's always the problem with stubborn registry entries, they've disabled inheritance, parent always allows admin write access. Here's an an example;
    Code:
    SetACL -on "HKCR\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}" -ot reg -actn setowner -ownr "n:Administrators" -rec yes >nul
    SetACL -on "HKCR\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}" -ot reg -actn setprot -op "dacl:np" -actn clear -clr "dacl" -actn rstchldrn -rst "dacl" >nul
    
    One note, there is a -silent switch you can use on the end to make the commands completely quiet. I use >nul because I still want to see the stderr, just not the stdout.