[solved] take full ownership of a reg key and all sub keys to allow deletion?

You need to login to view this posts content.

 

Thanks, i managed to get there in the end

came across this ps script; (you just put the registry location at the bottom)

Code:

$global:user="Administrators"
$global:rights = "FullControl"
$global:propagationFlag="none"
$global:inheritanceFlag = "ContainerInherit"
$global:rule="Allow"
$global:disableInheritance=$true
$global:preserverInheritanceIfDisabled=$true
$global:prefix="Registry::"

Function Enable-Privilege {
  param($Privilege)
  
  #this hack is working and called from the function TakeOwnership-Object
  
  $Definition = @'
using System;
using System.Runtime.InteropServices;
public class AdjPriv {
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
    ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr rele);
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
  [DllImport("advapi32.dll", SetLastError = true)]
  internal static extern bool LookupPrivilegeValue(string host, string name,
    ref long pluid);
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  internal struct TokPriv1Luid {
    public int Count;
    public long Luid;
    public int Attr;
  }
  internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
  internal const int TOKEN_QUERY = 0x00000008;
  internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
  public static bool EnablePrivilege(long processHandle, string privilege) {
    bool retVal;
    TokPriv1Luid tp;
    IntPtr hproc = new IntPtr(processHandle);
    IntPtr htok = IntPtr.Zero;
    retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
      ref htok);
    tp.Count = 1;
    tp.Luid = 0;
    tp.Attr = SE_PRIVILEGE_ENABLED;
    retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
    retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero,
      IntPtr.Zero);
    return retVal;
  }
}
'@
  $ProcessHandle = (Get-Process -id $pid).Handle
  $type = Add-Type $definition -PassThru
  $type[0]::EnablePrivilege($processHandle, $Privilege)
}

Function TakeOwnership-Object($keyPath, $owner) {

#This function is working and take the ownership

($keyHive,$keyPath) = $keyPath.split('\',2)

do {} until (Enable-Privilege SeTakeOwnershipPrivilege)
If ($keyHive -eq "HKEY_CLASSES_ROOT") {
    $objKey2 = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$keyPath",'ReadWriteSubTree', 'TakeOwnership')
} elseIf ($keyHive -eq "HKEY_USERS") {
    $objKey2 = [Microsoft.Win32.Registry]::Users.OpenSubKey("$keyPath",'ReadWriteSubTree', 'TakeOwnership')
} elseIf ($keyHive -eq "HKEY_LOCAL_MACHINE") {
    $objKey2 = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$keyPath",'ReadWriteSubTree', 'TakeOwnership')
} elseIf ($keyHive -eq "HKEY_CURRENT_CONFIG") {
    $objKey2 = [Microsoft.Win32.Registry]::CurrentConfig.OpenSubKey("$keyPath",'ReadWriteSubTree', 'TakeOwnership')
}
$objOwner2 = New-Object System.Security.Principal.NTAccount("$owner")

$objAcl2 = $objKey2.GetAccessControl()
$objAcl2.SetOwner($objOwner2)
$objKey2.SetAccessControl($objAcl2)
$objKey2.Close()
}

Function Add-RuleItem($keyPath, $user, $rights, $propagationFlag, $inheritanceFlag, $rule) {

#This function is working and change permissions

($keyHive,$keyPath) = $keyPath.split('\',2)

do {} until (Enable-Privilege SeTakeOwnershipPrivilege)
If ($keyHive -eq "HKEY_CLASSES_ROOT") {
    $objKey2 = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("$keyPath",'ReadWriteSubTree', 'ChangePermissions')
} elseIf ($keyHive -eq "HKEY_USERS") {
    $objKey2 = [Microsoft.Win32.Registry]::Users.OpenSubKey("$keyPath",'ReadWriteSubTree', 'ChangePermissions')
} elseIf ($keyHive -eq "HKEY_LOCAL_MACHINE") {
    $objKey2 = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$keyPath",'ReadWriteSubTree', 'ChangePermissions')
} elseIf ($keyHive -eq "HKEY_CURRENT_CONFIG") {
    $objKey2 = [Microsoft.Win32.Registry]::CurrentConfig.OpenSubKey("$keyPath",'ReadWriteSubTree', 'ChangePermissions')
}
$objRule = New-Object System.Security.AccessControl.RegistryAccessRule ($user,$rights,$inheritanceFlag,$propagationFlag,$rule)

$objAcl2 = $objKey2.GetAccessControl()
$objAcl2.SetAccessRule($objRule)
$objKey2.SetAccessControl($objAcl2)
$objKey2.Close()
}

Function ChangeInheritance-Object($keyPath, $disableInheritance, $preserverInheritanceIfDisabled) {

#This function changes inheritance settings --- can bug ---

$keyPath = $global:prefix+$keyPath
#Value is Registry::HKEY_CLASSES_ROOT\DesktopBackground\Shell\Personalize

$objACL = Get-ACL $keyPath
$objACL.SetAccessRuleProtection($disableInheritance, $preserverInheritanceIfDisabled)
Set-ACL $keyPath $objACL
#Get the ACL and add the inheritance changes. Save modified ACL
}

Function Act-Object($key) {
    Write-Host "Changing permissions on $($key)..." -ForegroundColor Green
#Combine all actions on the current key
    TakeOwnership-Object $key $global:user
    Add-RuleItem $key $global:user $global:rights $global:propagationFlag $global:inheritanceFlag $global:rule
    ChangeInheritance-Object $key $global:disableInheritance $global:preserverInheritanceIfDisabled
}

Function GlobalAct-Object($keyPath) {
cls
foreach ($key in $(Get-ChildItem -Path $($global:prefix+$keyPath) -recurse)) {
#Browse each subkey and act on it
    Act-Object $key.Name $global:user
}
Act-Object $keyPath $global:user #Act on the parent key
}

GlobalAct-Object("HKEY_CLASSES_ROOT\somekey")

 

i already tried that, it doesn't take FULL ownership of a key and all subkeys, you still get access denied on many keys, the ps script does the job perfectly.

 

did you not see the script i posted? the matter is resolved, i search countless sites and tried various apps but nothing did what i wanted it to do.

 

You need to login to view this posts content.

 

try the ps script i posted, you can also batch execute multiple scripts if you google that.