Hi all.. Like many folk on here I have been messing about removing this, removing that from Win 10. This lead me to start using the "install_wim_tweaker" - Works well, not knocking it This got me to thinking how it works and I am slowly, very slowly.. NO. Even slower than that beginning to understand it. I like to do things manually then I know what's going on and I know nowt else is going on. I have a thread on the matter my little thread As always I want to do summet but don't really know what I have to do. I would like to learn how to amend reg keys via scripts. First though I am trying to wrap my head round taking full control of a reg key. been reading up on the net and well I find it a bit confusing. I found some info on "regini.exe" but when I write a little script I just get errors. I have this Picked up the codes from a site. the error I keep getting is It does not matter which reg key I point to or what combination of codes I put in, same error pops up. So I thought you clever lot on here could give me some pointers on where I am going wrong. by the way, 7-zip was the first reg key I saw. Not the one I am intending of amending.
Hi tnx, I found out that some registry hive keys are locked in windows 10 , but there is a way around that with a program called SetACL.exe (there are two versions one for x86 and one for x64 within the zip download from the website as listed below). The way i found out to use that was for example below: Code: x86 setaclx86.exe -on "hkcr\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell" -ot reg -actn setowner -ownr "n:Administrators" >nul setaclx86.exe -on "hkcr\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell" -ot reg -actn ace -ace "n:Administrators;p:full" >nul x64 setaclx64.exe -on "hkcr\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell" -ot reg -actn setowner -ownr "n:Administrators" >nul setaclx64.exe -on "hkcr\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell" -ot reg -actn ace -ace "n:Administrators;p:full" >nul In your example change the hkcr\blah blah in the setacl lines to "hklm\Software\7-Zip" https://helgeklein.com/setacl/ is the website for the program tells you more about what it does. https://helgeklein.com/download/# scroll down to SetACL (not the studio one) Administrators: Download the EXE version of SetACL 3.0.6 for 32-bit and 64-bit Windows., it is a free program. Disclaimer Note: Becareful as some of the registry keys are very fussy and can cause win 10 to crash and burn! Found that out by blindly unlocking all registry keys (when i was doing the Telemetry stuff lol). I renamed the SetACL.exe files for x86 and x64 as i was unsure if just the x86 one would do the x64 registry as well so i did both with a processor arch IF which cpu check type commands. My above example was so i could add links to registry editor etc to right click This PC as win10 locked that key, no idea why! Hope this helps you and others struggling with why win 10 is blocking registry changes. Mx
I have not had time to look into this further tonight. But I was thinking, maybe daft. If you load a reg hive, take control of the reg key then unmount the image and commit the changes will the reg key in the install.wim still have the my PC as full control. What if I put it in another PC. Would this mess things right up ? Does that make sense ?
Not sure, but i don't see why not as once you set the reg key unlocked via that setacl program and set its data it should stay as set even when committed , saved and unmounted. So later in a working pc environment the registry key should still be set unlocked and can be edited. Personally I have only tried the setacl bits via a script, -- setupcomplete for my installs. Edit : Have just tried mounting my win 10 install.wim and unlocking a few keys, edited then saved/commit/unmount and when i installed windows those keys was still unlocked so i could re-edit those keys. So yes , it seems to "stick" unlocked - Thanks i never thought of that way lol, saves me farting about with scripts as my edits are now set in the wim file It seems only win 10 on a fresh install has some registry areas locked, but if you do an upgrade from say win 7 with edits in-place those carry over to the upgrade and the keys are unlocked, very strange! As i said on my previous post becareful which hive keys are unlocked, the HKEY\USERS one is VERY VERY sensitive!! On win7/8.1 very few keys are locked by the system. I only found out about the 10 ones when i wondered why my context menu tweaks kept failing, so tried editing manually and got xxx key is locked - then tried the manual way of setting permissions - gave up as it was messy and failed. So read up on the net and found that setacl program , its so much easier. I know its far more powerful than what bit of it i use but for my use it does the job Sorry if this post looks odd, i hit preview and not submit so i left browser open to test the wim way, came back to edit and realised it had not posted! LOL
Cheers for that info. The key I want to change is the packages once the hive is loaded. Just got in from work and cant remember the whole keys name. Giving me full controll is easy manually and allows me to amend and delete specific keys. I suppose it cant be hard to to set the permisions back to default manually again, once my teaking is done. Never tried to be honest. I really wanted to do it without a third party app I have been messing with install_wim_tweaker but I like to do things manually. Will definatly check that app you mentioned though.
Your welcome I also prefer to do things manually, but sometimes as we know, things don't always go as planned lol. For scripting use the app does what is needed quick and easy. Useful app to have in the technical toolbox For safety i guess it would be wise to unlock a hive key that is locked, do the tweaks, then reset back to original permissions as Win10 can be very flaky especially on the HKLM\USERS area, also some in HK LocalMachine section is sensitive.
Well this is pretty exciting stuff. ( or is that just being sad ) Been testing the setacl.exe out and it works a real treat. I downloaded the .exe from that link you put up. Took the x64 one a copied into my DISM dir. wrote this code It worked really well. Then tested out an unhide package reg file I have made and the re-hide code It works so smoothly. then I tested resetting the permission to default manually and trying those two reg files. Error, insufficient privileges. What's needed now is to find out if that setacl can restore permissions..
Nice one , i not read how to reset default yet lol, I must read the website instructions Yes it works a treat, there must be a way to find out original permissions, store that in a variable then do what you need to edit, then reset back to the original permissions... I saw within the examples on the website about using variables and vbscript , got a bit too technical for me lol
It's funny really cause once the reg hive is loaded it only takes a min to navigate to the exact key I want then change the permissions. Then of course once you run regedit again it automatically opens at the last key you were at. So it could be easier to do it manually. BUT WHERE IS THE FUN IN THAT
just been thinking, and I wont have time to test tonight. I check my REG KEY and the permissions by default is "TrustedInstaller" I wonder if we just change the "Administrators" to "TrustedInstaller" then run the script again. wonder if that would work ??? EDIT Tested and nope that does not work... It seems to add another owner, and does not release the control of the administrators.
a little update on this just in case anybody is watching this. I have been messing about testing removing packages, writing various little scripts. All working well and I find myself feeling pretty happy. Summet was bugging me though at setting full control to ALL of the packages by using the SetACL.exe. Still gunna use this .exe, not dissing it what so ever. Initially I had this code Worked well. Then I have been refining my scripts to remove packages and doing it one set at a time. i.e One Drive as one REG Key where as Defender as seven REG Keys. So I thought I would just set the permissions on the packages I want to remove and not all them of them. Just tested it out on One Drive and it worked a treat.. so I changed it to So the remaining packages permission is un altered thus not making any problems for a fresh install.
Been messing with stuff including the install_wim_tweaker and the SetACL tools. I wanted to learn how to restore the permissions back to default. On the Setacl site it mentions on how to make a backup of the permissions on the chosen file or reg key. You then take control, make your amendments then restore the permissions. It does this and makes a file and I knew I had seen this file before and it is the file the tweaker makes while it does it's thing. So i am guessing the tweaker employs the setacl.exe to help things along. Find that interesting. Not got the restoring permissions locked down as yet, more play time is needed.
Nice .. i found this thread! ^^ All i want is to hide some folders of the windows explorer. One Drive & Removable Drives are successfully hidden ... all i want now is to hide Network & HomeGroup where i need permission in the registry. Code: REM Remove 'HomeGroup' from Explorer REM First x86 SET "HomeGroupRegKey=HKCR\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\ShellFolder" SETACL -on "%HomeGroupRegKey%" -ot reg -actn SETowner -ownr n:Administrators SETACL -on "%HomeGroupRegKey%" -ot reg -actn ace -ace "n:Administrators;p:full" REG ADD "%HomeGroupRegKey%" /t REG_DWORD /f /v Attributes /d 0xb094010c & :: Removes 'HomeGroup' x86 Node :: REG ADD "%HomeGroupRegKey%" /t REG_DWORD /f /v Attributes /d 0xb084010c & :: Adds 'HomeGroup' x86 Node REM Second for x64 SET "HomeGroupRegKey=%HomeGroupRegKey:~0,5%Wow6432Node%HomeGroupRegKey:~4,61%" SETACL -on "%HomeGroupRegKey%" -ot reg -actn SETowner -ownr n:Administrators SETACL -on "%HomeGroupRegKey%" -ot reg -actn ace -ace "n:Administrators;p:full" REG ADD "%HomeGroupRegKey%" /t REG_DWORD /f /v Attributes /d 0xb094010c & :: Removes 'HomeGroup' x64 Node :: REG ADD "%HomeGroupRegKey%" /t REG_DWORD /f /v Attributes /d 0xb084010c & :: Adds 'HomeGroup' x64 Node REM Remove 'NetWork' from Explorer REM First x86 SET "NetWorkRegKey=HKCR\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder" SETACL -on "%NetWorkRegKey%" -ot reg -actn SETowner -ownr n:Administrators SETACL -on "%NetWorkRegKey%" -ot reg -actn ace -ace "n:Administrators;p:full" REG ADD "%NetWorkRegKey%" /t REG_DWORD /f /v Attributes /d 0xb0940064 & :: Removes 'NetWork' x86 Node :: REG ADD "%NetWorkRegKey%" /t REG_DWORD /f /v Attributes /d 0xb0040064 & :: Adds 'NetWork' x86 Node REM Second x64 SET "NetWorkRegKey=%NetWorkRegKey:~0,5%Wow6432Node%NetWorkRegKey:~4,61%" SETACL -on "%NetWorkRegKey%" -ot reg -actn SETowner -ownr n:Administrators SETACL -on "%NetWorkRegKey%" -ot reg -actn ace -ace "n:Administrators;p:full" REG ADD "%NetWorkRegKey%" /t REG_DWORD /f /v Attributes /d 0xb0940064 & :: Removes 'NetWork' x64 Node :: REG ADD "%NetWorkRegKey%" /t REG_DWORD /f /v Attributes /d 0xb0040064 & :: Adds 'NetWork' x64 Node SETACL Setowner will be executed without any errors but it failed to set the permissions. I read something about that in Windows 10 are some RegKeys restricted and not allowed to be modified or something? .. Code: Processing ACL of: <classes_root\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\ShellFolder> SetACL finished successfully. Processing ACL of: <classes_root\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\ShellFolder> SetACL finished with error(s): SetACL error message: The call to SetNamedSecurityInfo () failed Operating system error message: Access denied [...]
@Mythril I have just been looking at your problem. Using SETAcl i tried to take control of that key. No luck. Then I set it to point directly at the ShellFolder key. but using the full key And I managed to alter the reg. Maybe try this for yourself ?
Thank you for looking .. but it stucked at the same point. I figured it finally out how to change the owner & permissions manually .. nevermind xD Only after I change the owner & permission via regedit.exe it will be executed fine by SETACL. After refusing it manually via regedit.exe, SETACL fails afterwards to set the permissions. Neither HKCR or HKEY_CLASSES_ROOT. It won't matter via %var% or directly. It will be only modified by doing it manually. That can't be the way how SETACL works? Normally it should be set every rights via scripts, or it didn't? Hmm... EDIT: ARG ... I could bite my ass of off my body >.< I didn't considered the language! On Windows 10 with english language the admin should be spelled Administrators. On a machine with a german Windows 10 it will be called Administratoren. Why it is has to be complicated between all the languages. Now works everything and fine in the script..