
I am trying to edit this registry key via the command line - been searching around for ages but can't find anything.

Really stuck at the moment so any help would be appreciated a lot. I do not mind using PowerShell or anything that calls a third party tool - just want to change it via the command line.

The reason is that local Administrators have Read only rights by default. I want to change this to Full Control. I can do it in the GUI in 2 seconds but command line is another matter.

HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder
dsolimano
lara400

2 Answers


There is an excellent rundown of how to do it in PowerShell here.

Essentially, you can use Get-Acl and Set-Acl in PowerShell like you would for any other path.

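```powershell
# Read the key's current ACL
$acl = Get-Acl HKLM:\SOFTWARE\stuff
# Build an Allow rule granting FullControl to the account
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Domain\user","FullControl","Allow")
$acl.SetAccessRule($rule)
# Write the modified ACL back to the key
$acl | Set-Acl -Path HKLM:\SOFTWARE\stuff
```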
Jacob Krall
MDMarra
  • Thanks for that - the problem I face is that if I am an administrator and I want to change the permissions on a key that has Administrators as READ - it will say access denied... really annoying. I will try the PowerShell thing out and come back. System is also Read so can't use psexec to do it. – lara400 Nov 15 '11 at 15:48
  • @lara400 Then you need to take ownership of the key before you can assign `write` permissions. Nothing in the world will let someone with only `read` make modifications. That defeats the purpose of the `read` ACE. I suggest that you open a new question asking how to take ownership of a registry key in PowerShell. – MDMarra Nov 15 '11 at 15:52

Does RegIni.exe meet your needs? You can write a RegIni script that changes the permissions, and then call RegIni with the script as a parameter.

For example, if you wanted only administrators to have full access to that key, the script would look like this:

HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder [1]

Though presumably you would also want to grant the system access to the key, and perhaps read-only access to everyone else, in which case the security suffix would be

[1 8 17]

You can find the security suffix numbers in this table:

1  - Administrators Full Access
2  - Administrators Read Access
3  - Administrators Read and Write Access
4  - Administrators Read, Write and Delete Access
5  - Creator Full Access
6  - Creator Read and Write Access
7  - World Full Access
8  - World Read Access
9  - World Read and Write Access
10 - World Read, Write and Delete Access
11 - Power Users Full Access
12 - Power Users Read and Write Access
13 - Power Users Read, Write and Delete Access
14 - System Operators Full Access
15 - System Operators Read and Write Access
16 - System Operators Read, Write and Delete Access
17 - System Full Access
18 - System Read and Write Access
19 - System Read Access
20 - Administrators Read, Write and Execute Access
21 - Interactive User Full Access
22 - Interactive User Read and Write Access
23 - Interactive User Read, Write and Delete Access

And it goes without saying that you should have a good backup before playing with this for the first time, and maybe practice on a dummy registry key to avoid any unfortunate accidents.

Addison
dsolimano
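
Added example, not part of either answer: the Get-Acl/Set-Acl pattern from the first answer, run against a throwaway key as the second answer advises, with the security descriptor backed up as SDDL first and restored afterwards. The key name `HKCU:\Software\AclPracticeKey` is a constructed placeholder; the script does not take ownership, so it only works on keys where the caller may already change permissions.

```powershell
# Constructed practice key (placeholder name), not the CLSID key from the question.
$path = 'HKCU:\Software\AclPracticeKey'
New-Item -Path $path -Force | Out-Null

# 1. Back up the current security descriptor as SDDL before changing anything.
$before = (Get-Acl -Path $path).Sddl

# 2. Refer to BUILTIN\Administrators by its well-known SID so the script
#    does not depend on the localized group name.
$admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

# 3. Build the rule. ContainerInherit makes subkeys inherit the grant;
#    the three-argument form used in the answer applies to this key only.
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $admins,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $path
$acl.SetAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 4. Re-read the ACL and confirm the explicit (non-inherited) ACE is present.
$sidType  = [System.Security.Principal.SecurityIdentifier]
$explicit = (Get-Acl -Path $path).GetAccessRules($true, $false, $sidType) |
    Where-Object {
        $_.IdentityReference.Value -eq $admins.Value -and
        $_.AccessControlType -eq 'Allow' -and
        $_.RegistryRights -eq 'FullControl'
    }
if (-not $explicit) { throw "FullControl ACE for Administrators was not applied to $path" }
"Applied: $($explicit.IdentityReference) $($explicit.RegistryRights)"

# 5. Roll back: restore only the DACL from the SDDL backup, leaving the owner alone.
$restore = Get-Acl -Path $path
$restore.SetSecurityDescriptorSddlForm(
    $before, [System.Security.AccessControl.AccessControlSections]::Access)
Set-Acl -Path $path -AclObject $restore

# 6. Remove the practice key.
Remove-Item -Path $path -Recurse
```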