Registry Permissions

Registry keys may have security and access permissions set to protect keys from modification - security settings can be applied at an individual key level. The permissions use an Access Control Model (see here) with Access Control Lists (ACLs).

Key permissions can cause issues when attempting to modify a Windows Preinstallation Environment by writing to the registry. As an example, the following key is required in Windows 10 based WinPE for Drag and Drop support -

Attempting to manually add a value to this key resulted in the following error (Windows 8.1 Host OS) -

Attempting to import a .reg file to modify this key resulted in the following error (note that the protected key is not referenced in the error message) -

It's possible to use OfflineReg to change registry keys, as this program will bypass any security permissions in the registry hive. Alternatively, SetACL can be used to change permissions - at a root or subkey level.

SetACL

SetACL (available here) is a freeware utility and can be used to manage security descriptors - including registry key permissions.

The following example usage has been adapted from settings in the excellent LiveSystem Pro builder project. In this example, HKLM\_WinPE_SOFTWARE is a mounted Windows Preinstallation Environment SOFTWARE hive -

The above commands will change the security settings on all registry keys and subkeys in the HKLM\_WinPE_SOFTWARE path. Ownership and full permissions for the S-1-5-32-544 account will be granted after running these commands. Please note that S-1-5-32-544 is the built-in Administrators account.

Alternative to SetACL

Changing security permissions on all keys in a registry hive can be a time-consuming process. Whilst on a test system the WinPE SOFTWARE hive was processed in only 11.19 seconds, the SOFTWARE hive from a full Windows system (extracted from install.wim) took significantly longer to process - 52.25 seconds on the same test system.

The following procedure is a possible alternative to SetACL.

  1. Mount a registry hive. E.g.
  2. Export to a .reg file. E.g. -
  3. Unload the mounted Software hive. E.g. -
  4. Create a new (empty) registry hive. E.g. -
  5. Load/mount the new (empty) registry hive created in step 4, ensuring that the same keypath used in step 1 is reused. E.g. -
  6. Import the .reg file created in step 2. E.g. -
  7. Unload the mounted Software hive. E.g. -
  8. Replace the original registry hive with the new hive.

The above process can be automated with command-line tools and a batch file. To give a comparison of the differences in processing times, it took 8.31 seconds longer using SetACL when processing a WinPE SOFTWARE hive (11.19 seconds for SetACL compared with 2.88 seconds exporting and importing to a new hive).
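
One way to script steps 1 to 8 with the built-in reg.exe, as an added example that is not the original author's batch file. The hive path, working folder and the temporary seed key `HKLM\SOFTWARE\_EmptyHiveSeed` are assumptions, as is the method used for step 4 (saving an empty key with `reg save` to obtain an empty hive file).

```batch
@echo off
setlocal
rem Added example, not from the original page. Paths and SEED key are assumptions.
rem Run from an elevated prompt: reg load/unload/save need administrator rights.
set "HIVE=C:\WinPE\mount\Windows\System32\config\SOFTWARE"
set "WORK=%TEMP%\hive_rebuild"
set "KEY=HKLM\_WinPE_SOFTWARE"
set "SEED=HKLM\SOFTWARE\_EmptyHiveSeed"

if not exist "%HIVE%" (echo Hive not found: %HIVE% & exit /b 1)
if not exist "%WORK%" mkdir "%WORK%"

rem Steps 1-3: mount the hive, export it to a .reg file, unload it.
reg load "%KEY%" "%HIVE%" || exit /b 1
reg export "%KEY%" "%WORK%\software.reg" /y
if errorlevel 1 (reg unload "%KEY%" & exit /b 1)
reg unload "%KEY%" || exit /b 1

rem Step 4: create an empty hive by saving an empty, temporary key.
reg add "%SEED%" /f || exit /b 1
reg save "%SEED%" "%WORK%\SOFTWARE.new" /y
set "RC=%errorlevel%"
reg delete "%SEED%" /f
if not "%RC%"=="0" exit /b 1

rem Steps 5-7: mount the empty hive at the SAME key path (the .reg file
rem contains full key paths), import the export, then unload.
reg load "%KEY%" "%WORK%\SOFTWARE.new" || exit /b 1
reg import "%WORK%\software.reg"
if errorlevel 1 (reg unload "%KEY%" & exit /b 1)
reg unload "%KEY%" || exit /b 1

rem Step 8: keep the original as a backup, then put the new hive in place.
copy /y "%HIVE%" "%HIVE%.bak" >nul || exit /b 1
copy /y "%WORK%\SOFTWARE.new" "%HIVE%" >nul || exit /b 1
echo Rebuilt %HIVE% (original kept as %HIVE%.bak)
```

A .reg file carries no security descriptors, so every imported key inherits its permissions from the root of the new hive and the original per-key owners and ACLs are not preserved.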

The larger the hive being processed, the more significant the difference in processing times. As an example, a full SOFTWARE hive extracted from install.wim took 52.25 seconds to process using SetACL, compared with 8.39 seconds exporting and importing to a new hive - a difference of over 43 seconds.

Document date - 17th February 2018