2

I ran into a bizarre issue when I upgraded some machines to Windows 10 where incorrect permissions on RuntimeBroker caused problems. I found a solution online that recommended changing permissions (first in the registry, then in DCOM configuration), and I'm trying to write a PowerShell script to automate the process.

I'm trying to execute the following PowerShell script, which should (in theory) do what I need to do. However, at the last command (Set-Acl) I get a SecurityException saying "Requested registry access is not allowed."

$path = "Registry::HKEY_CLASSES_ROOT\AppID\{9CA88EE3-ACB7-47c8-AFC4-AB702511C276}";
$account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList 'Administrators';
$acl = Get-Acl -Path $path;
$acl.SetOwner($account);
Set-Acl -Path $path -AclObject $acl;

Presently the owner of that Registry Key is NT SERVICE\TrustedInstaller, and I'm trying to change it to Administrators. I am already running PowerShell with Administrative privileges but that obviously doesn't seem sufficient... my guess is that I'm running into a bit of a chicken and egg problem here.

If I manually edit the permissions of that key using regedit, I'm allowed to do that without problems. What is it that regedit is doing differently from my script here? How can I accomplish this programmatically?

UPDATE: Per briantist's suggestion, I tried running these commands as SYSTEM using psexec. I saved the PowerShell commands posted above into a file on my desktop called chowner.ps1 and then ran the following command:

PsExec64.exe -accepteula -d -i -s powershell -ExecutionPolicy Bypass -File C:\Users\User\Desktop\chowner.ps1

Unfortunately, I still get the same SecurityException message. I believe the reason is because not even SYSTEM has access rights to this particular Registry key; remember that TrustedInstaller owns it.

soapergem

2 Answers

2

You could use Helge Klein's excellent SetACL CLI tool: https://helgeklein.com/setacl/.

SetACL.exe -on "hkcr\AppID\{9CA88EE3-ACB7-47c8-AFC4-AB702511C276}" -ot reg -actn setowner -ownr "n:S-1-5-32-544"

That one would do the trick I think. Must be run with elevated permissions.

Gomibushi
0

You should run your code as SYSTEM, a.k.a. Local System.

To do that, you can use psexec from SysInternals, or you could run the code as a scheduled task that is set to run as SYSTEM. That should allow you to change any permissions.

briantist
  • Ok, I just spent a lot of time trying to get it working with psexec, but I still end up with exactly the same error message (SecurityException: Requested registry access is not allowed). With psexec I'm running as SYSTEM. – soapergem Jul 19 '16 at 19:49
  • @SoaperGEM hm that's surprising. I suppose as SYSTEM you could try to impersonate Trusted Installer, but I don't know of an easy way to accomplish that. – briantist Jul 19 '16 at 19:55
  • @SoaperGEM or what if instead of trying to change the owner first, see if you can add full control permissions, and then try to change the owner? – briantist Jul 19 '16 at 19:57
  • I can try it, but since both actions funnel through the same command (Set-Acl) I would immediately suspect I'll run into the same issue. – soapergem Jul 19 '16 at 19:58
  • @SoaperGEM possibly, but SYSTEM is specially privileged, or at least should be; I figured it would be worth a try. – briantist Jul 19 '16 at 19:59
  • Confirmed: same error – soapergem Jul 19 '16 at 20:06