Registry Permissions
Example:
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SOFTWARE\Wow6432Node",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::ChangePermissions)
$acl = $key.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule (".\USERS","FullControl",@("ObjectInherit","ContainerInherit"),"None","Allow")
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)
This opens the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node with the right to change its permissions, then adds an access control entry (ACE) that gives ".\USERS" (the built-in local Users group) "FullControl" over the key and every subkey beneath it. FullControl is every registry right (read, write, delete, change permissions, take ownership), not just read/write. Wow6432Node is where 32-bit applications keep their machine-wide settings, so granting standard users full control over the whole tree lets any local user rewrite those settings; in practice a change like this should be scoped to the one subkey that needs it and limited to the rights actually required.
Breakdown:
$key =
$key is the variable that will hold the opened RegistryKey object.
[Microsoft.Win32.Registry]::
Indicates this will involve the registry. [Microsoft.Win32.Registry] is the .NET Registry class, and the :: operator accesses one of its static members.
LocalMachine.OpenSubKey("SOFTWARE\Wow6432Node",
Targets a registry item, path for registry key. *Note: The ( is left open.
[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
The ReadWriteSubTree value of the Microsoft.Win32.RegistryKeyPermissionCheck enum. It says the key and its subtree are being opened for read and write and that the per-operation access checks made in the Default mode are skipped (the check is done once, at open time). It does not overwrite anything on its own.
[System.Security.AccessControl.RegistryRights]::ChangePermissions)
Targets the System.Security.AccessControl namespace (hierarchy), RegistryRights property, ChangePermissions member. *) closes the parenthesis left open from before. This is what the code will replace within this targeted member.
So far the code has only opened the key with a handle that is allowed to change its permissions; nothing in the registry has been modified yet.
$acl = $key.GetAccessControl()
The next line reads the key's current security descriptor into $acl as a RegistrySecurity object: its owner, group and ACL (Windows Access Control List, here the DACL). Changes are made to this in-memory copy and written back to the key later.
$rule = New-Object System.Security.AccessControl.RegistryAccessRule (
Sets a variable, $rule, to a new RegistryAccessRule object from the System.Security.AccessControl namespace. A RegistryAccessRule is one entry of an ACL (an ACE); the constructor arguments follow.
".\USERS","FullControl",
The identity the rule applies to (.\USERS, the built-in local Users group) and the rights granted (FullControl, every registry right).
@("ObjectInherit","ContainerInherit"),"None"
InheritanceFlags and PropagationFlags. ContainerInherit makes the ACE inherited by subkeys; ObjectInherit would apply it to non-container children, of which registry keys have none, so ContainerInherit is the flag that matters. PropagationFlags "None" places no restriction on propagation: the ACE applies to this key and is inherited by every subkey below it (NoPropagateInherit would stop after one level, InheritOnly would skip the key itself).
,"Allow")
AccessControlType: whether the rule allows or denies the listed rights.
$acl.SetAccessRule($rule)
Adds $rule to the in-memory ACL held in $acl. SetAccessRule first removes any existing non-inherited rules for the same identity and type (Allow) and then adds this one; AddAccessRule would merge the new rights with the existing rules instead.
$key.SetAccessControl($acl)
Writes the modified ACL in $acl back to the key held in $key. This is the step that actually changes the registry, and it is the one that requires the ChangePermissions right requested when the key was opened.
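The same sequence wrapped as a reusable function, added here as an example and not part of the original page. It requests ReadPermissions together with ChangePermissions so the DACL can be read and replaced on the same handle, defaults to ReadKey rather than FullControl, can revert the rule it added, and is demonstrated on a constructed key under HKCU so nothing under HKLM is weakened. The function names, the demo key HKCU:\Software\AclDemo and the BUILTIN\Users identity are assumptions; changing a key under HKLM would need an elevated session.

```powershell
# Added example (not from the original page): grant, inspect and revert one registry ACE.
# Assumed: Windows PowerShell; the demo key and identity below are constructed for the run.

function Grant-RegistryRule {
    param(
        [Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$Hive,      # e.g. [Microsoft.Win32.Registry]::CurrentUser
        [Parameter(Mandatory)][string]$SubKey,                          # path below the hive, e.g. 'Software\AclDemo'
        [Parameter(Mandatory)][string]$Identity,                        # e.g. 'BUILTIN\Users'
        [System.Security.AccessControl.RegistryRights]$Rights = 'ReadKey',
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow',
        [switch]$Revoke                                                 # remove the rule instead of setting it
    )
    # READ_CONTROL (ReadPermissions) is what reading the DACL needs; WRITE_DAC (ChangePermissions)
    # is what replacing it needs. Request both on the one handle.
    $wanted = [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
              [System.Security.AccessControl.RegistryRights]::ChangePermissions
    $key = $Hive.OpenSubKey($SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $wanted)
    if ($null -eq $key) { throw "Key not found: $SubKey" }
    try {
        $acl = $key.GetAccessControl()
        # Registry keys only contain other keys, so ContainerInherit alone is enough.
        # PropagationFlags None: the ACE applies here and is inherited by every subkey below.
        $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
                           -ArgumentList $Identity, $Rights, 'ContainerInherit', 'None', $Type
        if ($Revoke) {
            $null = $acl.RemoveAccessRule($rule)   # strips exactly the rights in $rule from the matching explicit ACE
        } else {
            $acl.SetAccessRule($rule)              # replaces existing explicit rules for $Identity/$Type
        }
        $key.SetAccessControl($acl)                # the only line that modifies the registry
    } finally {
        $key.Close()
    }
}

function Show-RegistryRules {
    param([Parameter(Mandatory)][string]$Path)   # provider path, e.g. 'HKCU:\Software\AclDemo'
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, RegistryRights, InheritanceFlags, PropagationFlags,
                      AccessControlType, IsInherited
}

# Usage on a constructed demo key (the current user owns HKCU, so no elevation is needed).
$null = New-Item -Path 'HKCU:\Software\AclDemo' -Force
$hive = [Microsoft.Win32.Registry]::CurrentUser
Grant-RegistryRule -Hive $hive -SubKey 'Software\AclDemo' -Identity 'BUILTIN\Users' -Rights ReadKey
Show-RegistryRules -Path 'HKCU:\Software\AclDemo'
# Revert the rule and remove the demo key.
Grant-RegistryRule -Hive $hive -SubKey 'Software\AclDemo' -Identity 'BUILTIN\Users' -Rights ReadKey -Revoke
Remove-Item -Path 'HKCU:\Software\AclDemo' -Recurse
```

Show-RegistryRules lists the IsInherited column as well, which is how to tell an ACE defined on the key itself (what SetAccessRule adds) from one flowing down from a parent; RemoveAccessRule only touches explicit entries, so an inherited grant has to be corrected at the key where it is defined.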
Results:
Targeted registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node
Is updated with the access control entry below.
IdentityReference: ".\USERS" (the built-in local Users group)
RegistryRights: "FullControl" (all registry rights: read, write, delete, change permissions, take ownership)
InheritanceFlags: "ObjectInherit","ContainerInherit" (inherited by all subkeys; ObjectInherit has no effect on registry keys)
PropagationFlags: "None" (no restriction: the entry applies to this key and propagates to every subkey below it)
AccessControlType: "Allow" (the rights are granted, not denied)
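An ACE like the one above is also what a reviewer of a host should be looking for: an explicit grant of write-capable rights to a low-privilege group somewhere under HKLM. The audit function below is an added example, not from the original page; it walks a registry tree with the registry provider and reports every Allow entry whose identity is one of the low-privilege principals and whose rights include any of SetValue, CreateSubKey, Delete, ChangePermissions or TakeOwnership (FullControl contains all of them). The function name, the default root and the principal list are assumptions; keys the caller cannot read are skipped.

```powershell
# Added example (not from the original page): find registry keys whose DACL grants
# write-capable rights to low-privilege principals. Assumed: Windows PowerShell, run as
# a user who can read the DACLs of the keys under $Root (elevation reads more of HKLM).

# Rights that let a principal change data, add subkeys or alter the DACL itself.
$writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::Delete -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership

# Principals that any standard local user belongs to (assumed list; extend as needed).
$lowPrivileged = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Find-WeakRegistryAcl {
    param(
        [string]$Root = 'HKLM:\SOFTWARE\Wow6432Node',   # provider path of the tree to audit
        [switch]$IncludeInherited                       # by default report an ACE only where it is defined
    )
    # The root itself plus every reachable subkey; unreadable keys are skipped, not fatal.
    $keys = @(Get-Item -Path $Root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        $acl = Get-Acl -Path $k.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }
            if ($lowPrivileged -notcontains $ace.IdentityReference.Value) { continue }
            # Any overlap with the write mask is enough to flag the entry.
            if (([int]$ace.RegistryRights -band [int]$writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Key         = $k.Name
                Identity    = $ace.IdentityReference.Value
                Rights      = $ace.RegistryRights
                Inheritance = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
                Inherited   = $ace.IsInherited
            }
        }
    }
}

# Usage: the FullControl grant to .\USERS on Wow6432Node shown above would appear as one row
# for that key; with -IncludeInherited every subkey that inherited it is listed as well.
Find-WeakRegistryAcl | Format-Table -AutoSize
```

Reporting only non-inherited entries by default keeps the output to the keys where a grant was actually made, which is where it has to be fixed; the -IncludeInherited switch shows the blast radius of that grant across the subtree.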