Setting Registry Permissions without RegEdit

Last week a colleague of mine tried to configure registry permissions using C#’s RegistryKey.SetAccessControl().

It turns out this fails when the user owns the registry key but does not have the “Set Value” permission set in the ACL.

I tried repeating the experiment with PowerShell with the same result:

[Screenshot: BenoitPosh]

(Benoit Brisefer is my non-admin test user. I have others.)

In RegEdit Benoit could modify permissions on his key:

[Screenshot: BenoitWithFullControl]

And once “Full Control” (or simply “Set Value”) was set, the Set-Acl command would work.

This is a bit annoying since it is not clear how one should set “Set Value” if one doesn’t already have it, or why “Set Value” is required not to set a value but to modify the key’s security descriptor.

I tried it out in C and got the same results: opening a registry key and trying to set its security descriptor. Again, with “Set Value” set I could set permissions, and without “Set Value” I could not. This was using the RegOpenKeyEx() and RegSetKeySecurity() APIs.

But there is another C API SetNamedSecurityInfo() which does work!

I assume the first method does not work because it opens the registry key first and modifies its security descriptor via the open key (whatever that means) and then “Set Value” is required. Perhaps .NET does it the same way and this affects both C#’s RegistryKey class as well as PowerShell’s Set-Acl cmdlet.

The second method works.

Benoit can configure his own key’s permissions with RegEdit but also with SetNamedSecurityInfo(). Output is given in SDDL format.

The first RegACL call outputs the security descriptor with “Full Control”; the second and third show the security descriptor with “Set Value” and “Write DAC” respectively not set. Benoit does not have special privileges.

[Screenshot: BenoitFullControlNoSetValueNoWriteDACL]

And then Benoit can write the access control list giving him “Full Control” even when the key’s DACL is empty:

[Screenshot: BenoitSetsFullControl]
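The same sequence (empty the key’s DACL, then have the owner grant himself “Full Control”) as an added PowerShell example. This is not the RegACL/AclEdit code from the post; it calls SetNamedSecurityInfoW and GetNamedSecurityInfoW through P/Invoke so the whole thing runs from a PowerShell prompt without Set-Acl. The function names, the throwaway key HKCU\Software\RegAclDemo and the SDDL strings are constructed for this example.

```powershell
# Added example (not the post's RegACL/AclEdit code): set and read a registry key's DACL
# through SetNamedSecurityInfoW/GetNamedSecurityInfoW, the path the post found to work for
# a key owner who lacks "Set Value". Function names and the key RegAclDemo are constructed here.
Add-Type -Namespace Win32 -Name AclNative -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool ConvertStringSecurityDescriptorToSecurityDescriptorW(
    string sddl, uint revision, out IntPtr sd, out uint sdSize);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetSecurityDescriptorDacl(
    IntPtr sd, out bool present, out IntPtr dacl, out bool defaulted);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern uint SetNamedSecurityInfoW(string name, uint type, uint info,
    IntPtr owner, IntPtr group, IntPtr dacl, IntPtr sacl);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern uint GetNamedSecurityInfoW(string name, uint type, uint info,
    IntPtr owner, IntPtr group, IntPtr dacl, IntPtr sacl, out IntPtr sd);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool ConvertSecurityDescriptorToStringSecurityDescriptorW(
    IntPtr sd, uint revision, uint info, out IntPtr sddl, out uint len);
[DllImport("kernel32.dll")]
public static extern IntPtr LocalFree(IntPtr h);
'@

$SE_REGISTRY_KEY                     = [uint32]4           # SE_OBJECT_TYPE value for registry keys
$DACL_SECURITY_INFORMATION           = [uint32]0x4
$PROTECTED_DACL_SECURITY_INFORMATION = [uint32]0x80000000  # do not merge inheritable ACEs from the parent
$SDDL_REVISION_1                     = [uint32]1

function Set-RegistryKeyDacl {
    param(
        [Parameter(Mandatory)][string]$KeyName,  # SetNamedSecurityInfo syntax, e.g. 'CURRENT_USER\Software\RegAclDemo'
        [Parameter(Mandatory)][string]$Sddl,     # DACL part only, e.g. 'D:(A;;KA;;;<sid>)'; 'D:' is an empty DACL
        [switch]$Protected                       # write exactly this DACL instead of re-merging inherited ACEs
    )
    $sd = [IntPtr]::Zero; $size = [uint32]0
    if (-not [Win32.AclNative]::ConvertStringSecurityDescriptorToSecurityDescriptorW($Sddl, $SDDL_REVISION_1, [ref]$sd, [ref]$size)) {
        throw "Invalid SDDL '$Sddl' (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }
    try {
        $present = $false; $dacl = [IntPtr]::Zero; $defaulted = $false
        if (-not [Win32.AclNative]::GetSecurityDescriptorDacl($sd, [ref]$present, [ref]$dacl, [ref]$defaulted)) {
            throw "GetSecurityDescriptorDacl failed (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
        }
        $info = $DACL_SECURITY_INFORMATION
        if ($Protected) { $info = $info -bor $PROTECTED_DACL_SECURITY_INFORMATION }
        # Only the DACL is written; owner, group and SACL stay as they are.
        $rc = [Win32.AclNative]::SetNamedSecurityInfoW($KeyName, $SE_REGISTRY_KEY, $info,
                [IntPtr]::Zero, [IntPtr]::Zero, $dacl, [IntPtr]::Zero)
        if ($rc -ne 0) { throw "SetNamedSecurityInfo failed with Win32 error $rc" }
    }
    finally { [void][Win32.AclNative]::LocalFree($sd) }
}

function Get-RegistryKeyDaclSddl {
    param([Parameter(Mandatory)][string]$KeyName)
    # Reading the DACL needs only READ_CONTROL, which the owner always has, so this works even
    # on an empty DACL, where opening the key for KEY_READ (as Get-Acl does) may be denied.
    $sd = [IntPtr]::Zero
    $rc = [Win32.AclNative]::GetNamedSecurityInfoW($KeyName, $SE_REGISTRY_KEY, $DACL_SECURITY_INFORMATION,
            [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$sd)
    if ($rc -ne 0) { throw "GetNamedSecurityInfo failed with Win32 error $rc" }
    try {
        $str = [IntPtr]::Zero; $len = [uint32]0
        if (-not [Win32.AclNative]::ConvertSecurityDescriptorToStringSecurityDescriptorW($sd, $SDDL_REVISION_1, $DACL_SECURITY_INFORMATION, [ref]$str, [ref]$len)) {
            throw "ConvertSecurityDescriptorToStringSecurityDescriptor failed (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
        }
        try { [Runtime.InteropServices.Marshal]::PtrToStringUni($str) }
        finally { [void][Win32.AclNative]::LocalFree($str) }
    }
    finally { [void][Win32.AclNative]::LocalFree($sd) }
}

# Demo: the post's sequence on a throwaway key that the current user owns (keys under HKCU are owned by the user).
$path = 'HKCU:\Software\RegAclDemo'
$name = 'CURRENT_USER\Software\RegAclDemo'
$me   = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value   # current user's SID
New-Item -Path $path -Force | Out-Null
"Start:      " + (Get-RegistryKeyDaclSddl $name)
Set-RegistryKeyDacl -KeyName $name -Sddl 'D:' -Protected                # empty DACL: the owner has no ACE at all
"Empty DACL: " + (Get-RegistryKeyDaclSddl $name)
Set-RegistryKeyDacl -KeyName $name -Sddl "D:(A;;KA;;;$me)" -Protected   # owner grants himself Full Control (KA)
"Restored:   " + (Get-RegistryKeyDaclSddl $name)
Remove-Item -Path $path
```

The second Set-RegistryKeyDacl call is the step where Set-Acl fails for a non-admin user: the key’s DACL grants nothing, yet the call succeeds because Windows gives an object’s owner READ_CONTROL and WRITE_DAC implicitly, and SetNamedSecurityInfo only needs WRITE_DAC to replace the DACL. The -Protected switch matters for the demo: without PROTECTED_DACL_SECURITY_INFORMATION, SetNamedSecurityInfo merges the inheritable ACEs from HKCU\Software back in, so 'D:' would not leave the DACL empty.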

You can find my badly-tested and entirely non-error-checking code here:

https://github.com/ajbrehm/ABTokenTools/tree/master/RegACL

Use with care on a computer you don’t care about!

Update: This has since become part of AclEdit.exe in ABTokenTools.

But it remains an experimental tool.


 © Andrew Brehm 2016