Powershell – How to change owner of a Registry Key to which I don’t have access

Tags: permissions, powershell, windows-registry

I ran into a bizarre issue when I upgraded some machines to Windows 10 where incorrect permissions on RuntimeBroker caused problems. I found a solution online that recommended changing permissions (first in the registry, then in DCOM configuration), and I'm trying to write a Powershell script to automate the process.

I'm trying to execute the following Powershell script, which should (in theory) do what I need to do. However, at the last command (Set-Acl) I get a SecurityException saying "Requested registry access is not allowed."

$path = "Registry::HKEY_CLASSES_ROOT\AppID\{9CA88EE3-ACB7-47c8-AFC4-AB702511C276}";
$account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList 'Administrators';
$acl = Get-Acl -Path $path;
$acl.SetOwner($account);
Set-Acl -Path $path -AclObject $acl;

Presently the owner of that Registry Key is NT SERVICE\TrustedInstaller, and I'm trying to change it to Administrators. I am already running Powershell with Administrative privileges but that obviously doesn't seem sufficient… my guess is that I'm running into a bit of a chicken and egg problem here.

If I manually edit the permissions of that key using regedit, I'm allowed to do that without problems. What is it that regedit is doing differently from my script here? How can I accomplish this programmatically?

UPDATE: Per briantist's suggestion, I tried running these commands as SYSTEM using psexec. I saved the Powershell commands posted above into a file on my desktop called chowner.ps1 and then ran the following command:

PsExec64.exe -accepteula -d -i -s powershell -ExecutionPolicy Bypass -File C:\Users\User\Desktop\chowner.ps1

Unfortunately, I still get the same SecurityException message. I believe the reason is because not even SYSTEM has access rights to this particular Registry key; remember that TrustedInstaller owns it.

Best Answer

You could use Helge Klein's excellent Set-ACL CLI tool: https://helgeklein.com/setacl/.

SetACL.exe -on "hkcr\AppID\{9CA88EE3-ACB7-47c8-AFC4-AB702511C276}" -ot reg -actn setowner -ownr "n:S-1-5-32-544"

That one would do the trick I think. Must be run with elevated permissions.