Script a changing of the owner on regkeys?

[MicrodigitUK]

I am having some problems with sophos so have needed to uninstall and reinstall it. Because Sophos can be a pain to uninstall on some workstation, Sophos tech support has supplied me with a script that un installs Sophos to apply on startup.

I am still having problems uninstalling with the script on a number of workstations. And I found that there seem to be some corrupt reg keys that it can’t delete.

When I manually load regedit and try to delete the keys I still can’t. I then checked the permissions and the owner of the reg keys did not exist. After adding a owner I could manually delete the corrupt keys.

Is there any way to script a changing of the owner on regkeys? I did look at regini.exe but that only changes permissions and not the owner.

[Lithium]

I've just looked into this to prevent NetSupport School and other programs changing the DCI key to disable DirectX

The way I went about it was to use the Security Tool snap-in, change the bits I wanted, then remove all the trash and deploy this to the machines using a batch file - worked very well.

Batch Files: SeCEdit - Security Configuration Editor

[srochford]

You can also use group policy to change permissions on a registry key - given that you want to delete the key, I'd just set the permissions to "everyone - full control"

subinacl and setacl can also do reg permission but the syntax is hard :-)

[PcDude]

Script to add Administrators group and SYSTEM account to all keys. NOTE: This is just adding!

Please make a full backup of the computer before using this script.

1. Download and install SubInACL - Download details: SubInACL (SubInACL.exe)

2. Create a file named reset.cmd in C:\Program Files\Windows Resource Kits\Tools folder.

3. Edit the reset.cmd file with the following content.

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f

4. Enter the following command into the Run... box under the Start Menu:

"C:\Program Files\Windows Resource Kits\Tools\reset.cmd"

5. After a few minutes by processing subinacl, the permission will be reset.
(Errors will pop up about keys that the script does not have permission to change, this is normal behaviour)




FYI:

"setowner=owner" will change the owner of the object e.g.
subinacl /subkeyreg HKEY_LOCAL_MACHINE /setowner=MyDomain\Administrators

[MicrodigitUK]

I have tried the "SECEDIT" method but on the owner tab the "Replace Owner on subcontainers and objects" tick box that is normally on the bottom if you go through advanced permeations on regedit is not available. This means that I still can’t change the owner on the corrupted reg keys using this method.

I then tried the "subinacl" method and it worked like a dream. Below is the actual command I used in the end.

Code:

"%programfiles%\Windows Resource Kits\Tools\subinacl" /subkeyreg HKEY_LOCAL_MACHINE\Software\sophos /setowner=Administrators /grant=everyone=f

Thanks everyone for the help.