Script permissions in .reg file?

[Alejandro85]

I'm having a little problem with a few .reg files that hold some configurations I like to have. After applying them countless times by hand, I created a couple of files to just apply the same changes by double-clicking only. So far, so good.

Problem is, some of those reg scripts touch keys that are owned by the pesky "TrustedInstaller" (which I don't trust), so if a file tries to modify/delete one of those, it would just give an error, even with regedit running as administrator.
When doing changes by hand, I just take ownership, give administrator group full control and make the changes, but I'm seeking for a way to do the same on the same .reg file.

Thanks!

 

[UsernameIssues]

....When doing changes by hand, I just take ownership, give administrator group full control....

So now that part of your registry is less secure... unless you put the security settings back as they should be.

PowerShell can change the registry permissions, but you really should test inside a frozen virtual machine that you cannot harm.

 

[Alejandro85]

There is no difference in security if I give modify permissions to admin group only, as the same admin group can modify the permissions to get those anyway. Of course, if I want to delete a key, permissions no longer matter. But that's not my concern. I also have tested everything I'm scripting, in some cases keeping the reversion scripts too. Rest assured, I know what I'm doing

My problem is TrustedInstaller. By having keys owned and locked by it, administrators are effectively deprived the permission to administer the system, so importing .reg files no longer work sometimes, depending on what I touch.

You name PowerShell. Do you have any samples or references on how to do so and manage to import the keys? I know nearly nothing about it, but seems that it may be able to do what I want. Thanks!

 

[UsernameIssues]

There is no difference in security if I give modify permissions to admin group only, as the same admin group can modify the permissions to get those anyway....

That is one way to look at it. Another way is to think of your anti-virus tool's heuristic rules. Any program/script/tool that programmatically changes such permissions should be halted until the user gives permission to go forward. But now a malicious program only needs to query the permissions to know that it can do stuff to those keys.

I figure that there is a reason for the permissions being they way that they are. I too change them, but mostly I deny the ability to change stuff I don't want changed.

I don't know/use PowerShell. Others in the forum are quite good at it. Maybe someone will stop by and help you out.