Changing/querying registry permissions

(imported topic written by sgreenwall91)

What is the proper syntax for modifying permissions on registry keys? Also, to set the relevance for the action, what is the syntax for querying existing permissions on keys?

(imported comment written by sgreenwall91)

I think I figured out the evaluation portion of this (checks to see if “Users” has full rights):

effective access mode for "Users" of dacls of security descriptors of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing" of registry != 983103

Still working on the changing portion…

(imported comment written by jessewk)

I’ve used the open source setacl tool available here to change permissions in the past:

Works really great and very flexible. It should be able to handle any permissions problem you throw at it.

If you have trouble getting your action working with setacl, post what you’ve got so far and let us take a look.

(imported comment written by sgreenwall91)

Ended up using “Subinacl.exe” (can be used to change file or registry permissions). This is the action script (after the download and extraction, of course):

wait __Download\subinacl\subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing" /GRANT=USERS=F

wait __Download\subinacl\subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\Store" /GRANT=USERS=F

The full relevance looks like this:

(name of operating system = "WinNT" OR name of operating system = "Win2000" OR name of operating system = "WinXP" OR name of operating system = "Win2003") AND TRUE AND ((exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing" of registry and effective access mode for "Users" of dacls of security descriptors of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing" of registry != 983103) or (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\Store" of registry and effective access mode for "Users" of dacls of security descriptors of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing\Store" of registry != 983103))
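
Added example, not part of the original thread: the value 983103 in the relevance above is 0xF003F, the registry full-control mask (KEY_ALL_ACCESS, `RegistryRights.FullControl` in .NET). The PowerShell below audits the same two keys on a single machine. The function name `Get-UsersKeyAccess` is hypothetical, `BUILTIN\Users` is assumed to be the group the thread calls "Users", and only ACEs that name that group directly are counted, which is narrower than an effective-access computation.

```powershell
# Added example (not from the thread): report the rights granted directly to
# BUILTIN\Users on the two keys discussed above, and flag full control.
$FullControl = [int][System.Security.AccessControl.RegistryRights]::FullControl  # 983103 = 0xF003F
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-UsersKeyAccess {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Identity = 'BUILTIN\Users'   # assumed name of the "Users" group
    )
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Key = $Path; Exists = $false; Mask = $null; HasFullControl = $false }
    }
    $allow = 0
    $deny  = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        # Inherit-only ACEs apply to subkeys, not to this key itself.
        if (([int]$ace.PropagationFlags -band $InheritOnly) -ne 0) { continue }
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
            $allow = $allow -bor [int]$ace.RegistryRights
        } else {
            $deny = $deny -bor [int]$ace.RegistryRights
        }
    }
    # Simplification: any deny bit for the group removes the matching allow bit.
    $mask = $allow -band (-bnot $deny)
    [pscustomobject]@{
        Key            = $Path
        Exists         = $true
        Mask           = '0x{0:X}' -f $mask
        HasFullControl = (($mask -band $FullControl) -eq $FullControl)
    }
}

# The two key paths from the thread, in PowerShell registry-provider form.
'HKLM:\SOFTWARE\Microsoft\MSLicensing',
'HKLM:\SOFTWARE\Microsoft\MSLicensing\Store' |
    ForEach-Object { Get-UsersKeyAccess -Path $_ }
```

Run before and after the action, the `HasFullControl` column shows whether the grant took effect, and the same function can be pointed at other HKLM keys to find places where ordinary users hold full control.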