Changing permissions on a registry key

**Wheelgunr** · 12-09-2008 07:53 PM

Hi. I need to find out how to change permissions on a registry key for a specific software package. It requires the following to have FULL Control:

HKLM\SOFTWARE
Administrators (%localmachine%\administrators)
SYSTEM
Users (%localmachine%\Users)

If Reg.exe can be used, that would be great. If it needs to be a VB file, I'd need the entire script.

Thanks!

**maniac** · 12-09-2008 08:17 PM

You should be able to achieve this using regini.exe

How to Use Regini.exe to Set Permissions on Registry Keys
How to change registry values or permissions from a command line or a script

I think you can call this from machine startup script by sticking the exe on the netlogon share, or using the -m option you can do the changes remotely. I've never tried it, but the MS knowledgebase articles should help you use it.

Incidently those articles refer to windows 2000 and NT4, I've no idea if the same tool is included or will work with XP/server 2003 but it's the best I can find for what you want to do.

Mike.

**meastaugh1** · 12-09-2008 11:14 PM

Is group policy not an option?

**box_l** · 15-09-2008 07:33 PM

i have used this for an old RM app that needed user access to its own keys

save this as .vbs and call from your login script

Code:

'  VBScript.

'  

set WshShell = CreateObject("WScript.Shell")

' IN THE NEXT LINE (starting WshShell.Run..)


WshShell.Run "runas /user:administrator@domain.sch.uk ""\\server\netlogon\reg\setacl_r_snapshot.bat"""

WScript.Sleep 1000

' IN THE NEXT LINE (starting WshShell.SendKeys..)

'a) Enter an administrator password and leave the "~"

WshShell.Sendkeys "passwordhere~"

WScript.Quit()

save this as .bat

Code:

'edu-tech solutions Nov 2007

' install registry key

regedit /s \\2100-fs01\NETLOGON\reg\rm.reg

' set permissions on key
call "\\server\NETLOGON\reg\SetACL.exe" -on "HKEY_LOCAL_MACHINE\SOFTWARE\InterActual Technologies" -ot reg -actn ace -ace "n:domain.sch.uk\Domain Users;p:full"
call "\\server\NETLOGON\reg\SetACL.exe" -on "HKEY_LOCAL_MACHINE\SOFTWARE\Research Machines" -ot reg -actn ace -ace "n:domain.sch.uk\Domain Users;p:full"

and make sure that setacl.exe is in the same folder.

replace domain, server iand password in the scripts with the appropriate info

a bit messy i know, but it works.

hope this helps.

BoX

**srochford** · 15-09-2008 09:00 PM

By far the easiest way to do this is with group policy.

If you can't use group policy then run the batch file used by @Box but as a machine startup script rather than a login script . That way you don't need to use the admin password (which I really wouldn't recommend; the login script, complete with password, can be read by any of your users)

**box_l** · 16-09-2008 11:42 PM

agreed, in its current form.

i do use microsofts script encoder to obfuscate it enough that most people will not even attempt to read/decode it.

it also gets removed from its location when not in use.

BoX

**Wheelgunr** · 18-09-2008 02:14 PM

Thanks to everyone for their replies. My AD guy set up a GPO to set the permissions needed.

Thread: Changing permissions on a registry key

LinkBack

Thread Tools

Search Thread

Changing permissions on a registry key

Thanks

Thread Information

Users Browsing this Thread

Similar Threads

logoff script to delete registry key

Error 1406: Setup cannot write the value to the registry key

Getting a batch file to react to a registry key

Deleted a registry key - help!

Script To Change A Registry Key

Posting Permissions