Searching for Windows registry entries by permissions

0

I recently went through and changed some registry entries so that only I had ownership and access. I suspect one or more of the changes resulted in a software installation failing. The installation program indicated it could not write a certain entry, but only identified the value to be written, not the location in the registry.

Unfortunately I made the mistake of not keeping track of which ones I changed.

Is there some way to search through the registry to identify entries based on their permission? In my case, I would be trying to find entries owned only by me.

user415851

Posted 2016-09-25T17:29:36.990

Reputation: 3

Use System Restore to go back to before you made these changes? – Mokubai – 2016-09-25T17:53:47.340

Thanks for the suggestion. Unfortunately because of the time frame over which the (rather numerous) edits were made, this would not be practical for me. – user415851 – 2016-09-26T22:40:17.620

Answers

0

PowerShell can probably help. It'd be best if you could at least narrow things down to a few keys you were playing with, because searching from the root of the registry hive is probably going to produce so much noise that it'll not be much better than searching through the registry manually.

This will get all the keys where your username is set as the owner:

```powershell
Get-ChildItem HKLM:\ -Recurse -ErrorAction SilentlyContinue | ? { $_.PSIsContainer -and (Get-Acl $_.PSPath).Owner -like '*username.here*' } | % { $_.Name }
```

(note that the asterisks are there intentionally as wild cards - you could also use -eq 'COMPUTERNAME\username' if you're confident you know the exact user name)


And, this will get all the keys that have non-inherited permissions:

```powershell
Get-ChildItem HKLM:\ -Recurse -ErrorAction SilentlyContinue | ? { $_.PSIsContainer -and ((Get-Acl $_.PSPath).access | ? { ! $_.IsInherited }) } | % { $_.Name }
```

David Woodward

Posted 2016-09-25T17:29:36.990

Reputation: 1 094

Thanks very, very much. This is most helpful. However, I seem to be encountering some errors with both in PowerShell. For the first, it seems to hang (or is busy processing) for quite some time, then the following message appears (see next comment). – user415851 – 2016-09-26T22:42:37.880

```
Get-Acl : The registry key at the specified path does not exist.
At line:1 char:97
+ Get-ChildItem HKLM:\ -Recurse -ErrorAction SilentlyContinue | ? { $_.PSIsContainer -and (Get-Acl <<<< $_.PSPath).Owner -eq 'DOMAIN\user' } | % { $_.Name }
    + CategoryInfo : NotSpecified: (:) [Get-Acl], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.GetAclCommand
```

– user415851 – 2016-09-26T22:44:13.920

It's in red. 'DOMAIN\user' was substituted with a valid domain and user. After the message appeared, it continued along for a while, then after a few minutes returned the command prompt. I should perhaps mention that I omitted the quotation mark at the very end.

The second returned the following error message, after initially starting to display some entries, right up until HKEY_LOCAL_MACHINE\SOFTWARE\Classes.... – user415851 – 2016-09-26T22:48:36.517

```
HKEY_LOCAL_MACHINE\SOFTWARE\Classes
Get-Acl : The registry key at the specified path does not exist.
At line:1 char:98
+ Get-ChildItem HKLM:\ -Recurse -ErrorAction SilentlyContinue | ? { $_.PSIsContainer -and ((Get-Acl <<<< $_.PSPath).access | ? { ! $_.IsInherited }) } | % { $_.Name }
    + CategoryInfo : NotSpecified: (:) [Get-Acl], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.GetAclCommand
```

– user415851 – 2016-09-26T22:49:11.827

It then continued processing (or hung). That was about 4 hours ago - I've just let it keep going, but so far no further entries have been displayed... – user415851 – 2016-09-26T22:52:35.197

You were right to leave out the last quote. It was just a typo (corrected now). As for the errors, maybe you should try setting the user name to SYSTEM or whatever you know the owner to be and see if it returns faster just to verify that the PowerShell commands are working. I think I had a few error messages on my system similar to that too (not at my system now) and I suspect the issue is you don't have access to view the permissions on some key being recursed into. Perhaps adding a second -ErrorAction SilentlyContinue to the Get-Acl command would catch that. – David Woodward – 2016-09-27T00:59:28.213
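A more defensive version of the two one-liners in the answer above, as an added example that is not part of the original answer or its comments: it reads each key's ACL once, records keys whose ACL cannot be read instead of printing an error mid-scan, and reports keys that are owned by, or carry non-inherited permissions for, one account. It assumes Windows PowerShell 3.0 or later; `Find-RegistryKeyByOwner` and the `HKLM:\SOFTWARE\ExampleVendor` path are hypothetical names.

```powershell
# Added example, not from the original answer. Assumes Windows PowerShell 3.0+
# (Get-Acl -LiteralPath, [pscustomobject]). The function name is hypothetical.
function Find-RegistryKeyByOwner {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Root,
        # Account to look for, in DOMAIN\user or COMPUTERNAME\user form.
        [string]$Account = "$env:USERDOMAIN\$env:USERNAME"
    )
    & {
        Get-Item -LiteralPath $Root    # the root key itself
        Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue
    } | ForEach-Object {
        $key = $_
        try {
            # -LiteralPath: key names are never expanded as wildcards.
            # -ErrorAction Stop: a failed read goes to the catch block and is
            # reported as a row instead of a red error lost in the output.
            $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop
        }
        catch {
            [pscustomobject]@{
                Key = $key.Name; Owner = $null; ExplicitRights = $null
                Error = $_.Exception.Message
            }
            return    # continue with the next key
        }
        # Non-inherited ACEs naming the account, i.e. set directly on this key.
        $explicit = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -eq $Account
        })
        if ($acl.Owner -eq $Account -or $explicit.Count -gt 0) {
            [pscustomobject]@{
                Key            = $key.Name
                Owner          = $acl.Owner
                ExplicitRights = ($explicit | ForEach-Object { $_.RegistryRights }) -join '; '
                Error          = $null
            }
        }
    }
}

# Usage (placeholder path): scan one subtree, not the whole hive, and keep the result.
# Find-RegistryKeyByOwner -Root 'HKLM:\SOFTWARE\ExampleVendor' |
#     Export-Csv -NoTypeInformation -Path .\acl-scan.csv
```

Rows with a non-empty `Error` column are keys whose ACL could not be read; review those separately, since they are excluded from the owner and permission match.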

0

You can use Process Monitor (https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx) to log the actions of your failing installer. You can create a filter which would record only the Registry operations which result in an Access Denied failure.

kreemoweet

Posted 2016-09-25T17:29:36.990

Reputation: 3 884