We’ve seen how to use the Registry Editor (regedit.exe) to change ownership of a registry key and subkeys. This article tells you how to change registry key ownership and grant permissions using the command-line.
Windows has the takeown.exe and icacls.exe console utilities to change file/folder ownership and permissions, but there are no such built-in tools for changing the registry key ownership using command-line. You’ll need a third-party tool named SetACL for the task.
SetACL: Command-line arguments
Before proceeding, let’s see the command-line syntax for changing file/registry ownership and permissions using SetACL.
    SetACL -on objectname -ot objecttype -actn action

- -on: Specify the path to the object SetACL should operate on (e.g., file, registry key, network share, service, or printer).
- -ot: Specify the object type. To change ownership or permissions for a file or folder, use the object type file. For registry keys, use the object type reg.
- -actn: Specify the action SetACL should perform on the specified object. For taking ownership, set the action to setowner. To change permissions, set the action to ace.
(See SetACL documentation for the full list of objects, types, and supported actions.)
Take Ownership of Registry Key & Assign Permissions Using Command-line
To change registry key ownership and permissions using SetACL:
- Download SetACL, unzip the contents to a folder.
- Copy the appropriate version of setacl.exe (32-bit vs 64-bit) to a folder, e.g., d:\tools.
- Let’s say you want to change ownership of the registry branch HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160} and grant the Administrators group full control permissions. Run these two commands from an admin Command Prompt window:

    SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}" -ot reg -actn setowner -ownr "n:Administrators"
    SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}" -ot reg -actn ace -ace "n:Administrators;p:full"
- The 1st command sets the Administrators group as the owner of the key.
- The 2nd command assigns the Administrators group Full Control permissions for the key.

The Administrators group owns the key and its subkeys, and also has full control permissions, which you can check using the Registry Editor.
Important: To change the ownership and permissions for this key and its subkeys, add the -rec Yes argument at the end. See illustration below for more information.
Error when changing registry key permissions?
SetACL reports the following error when you attempt to change the permissions for a file/folder or a registry key to which you don’t have access. To prevent this error, make sure you first take ownership of the key before changing its permissions.

    SetACL finished with error(s):
    SetACL error message: The call to SetNamedSecurityInfo () failed
    Operating system error message: Access is denied.
Take Ownership & Assign Permissions Recursively (this key & subkeys)
To change ownership and grant full control permission (to Administrators) for the specified key along with its subkeys, include the -rec Yes switch at the end, as given below:

    SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}" -ot reg -actn setowner -ownr "n:Administrators" -rec Yes
    SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}" -ot reg -actn ace -ace "n:Administrators;p:full" -rec Yes
Set TrustedInstaller as the owner
To set TrustedInstaller as the owner of the above registry key and assign it full control permissions recursively, use the same command-line syntax. You only need to change the account/group name. Here are the commands you need to run this time:

    SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}" -ot reg -actn setowner -ownr "n:nt service\trustedinstaller" -rec Yes
    SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}" -ot reg -actn ace -ace "n:nt service\trustedinstaller;p:full" -rec Yes

Running the above commands sets TrustedInstaller (NT SERVICE\TrustedInstaller) as the owner of the key and its subkeys.
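To check what the recursive commands above actually changed, and to keep a record of the original owner for handing the key back, the following PowerShell sketch reads the owner and security descriptor of the key and every subkey with the built-in Get-Acl cmdlet. It is an added example, not part of the original article or of SetACL; the function names and the backup file location are hypothetical, and it assumes English account names and that the caller can read the key's security descriptor.

```powershell
# Added example: audit owner/ACL of the article's key and its subkeys via Get-Acl.
$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}'
$BackupFile = Join-Path $env:TEMP 'regkey-acl-before.csv'   # hypothetical backup location

function Get-RegKeySecurity {
    param([Parameter(Mandatory)][string]$Path)
    # The key itself plus all subkeys, so the effect of "-rec Yes" can be checked.
    $keys = @(Get-Item -LiteralPath $Path -ErrorAction Stop) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        try {
            $acl = Get-Acl -LiteralPath $k.PSPath -ErrorAction Stop
            $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
            [pscustomobject]@{
                Key      = $k.Name
                Owner    = $acl.Owner
                OwnerSid = $sid.Value
                Sddl     = $acl.Sddl   # complete security descriptor, kept for rollback
            }
        } catch {
            # Report keys whose descriptor cannot be read instead of skipping them.
            [pscustomobject]@{ Key = $k.Name; Owner = '<unreadable>'; OwnerSid = $null; Sddl = $null }
        }
    }
}

function Find-RegKeyOwnerMismatch {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$ExpectedOwner)
    # Compare by SID so "Administrators" and "BUILTIN\Administrators" are treated alike.
    $account = New-Object System.Security.Principal.NTAccount($ExpectedOwner)
    $wantSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    Get-RegKeySecurity -Path $Path | Where-Object { $_.OwnerSid -ne $wantSid }
}

# 1. Before running SetACL: record the current owners and descriptors.
#      Get-RegKeySecurity -Path $KeyPath | Export-Csv -NoTypeInformation -Path $BackupFile
# 2. After "setowner ... -rec Yes": any row returned still has a different owner.
#      Find-RegKeyOwnerMismatch -Path $KeyPath -ExpectedOwner 'Administrators'
# 3. After handing the key back: confirm TrustedInstaller owns every key again.
#      Find-RegKeyOwnerMismatch -Path $KeyPath -ExpectedOwner 'NT SERVICE\TrustedInstaller'
```

An empty result from step 2 or 3 means every key in the branch has the expected owner; the CSV from step 1 shows which owner each key had before the change.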
Additional Information
- Microsoft’s SubInACL: There is also another console tool named SubInACL, released by Microsoft during the Windows XP era. It’s part of the Windows XP/2003 Resource Kit Tools. SubInACL can be used to set ownership and permissions for files/folders and the registry. However, SubInACL has been discontinued by Microsoft, and it defaults to 32-bit file and registry paths (on Windows 64-bit systems), which makes it unusable in 64-bit versions of Windows in some situations.
- Microsoft’s Regini.exe: You have another built-in console tool named regini.exe, which lets you change registry permissions using a text-based file. However, regini.exe can’t change the ownership of a registry key. For more information on regini.exe, open a Command Prompt window and type regini.exe /?
- Helge Klein’s SetACL is a widely recommended tool. It has filled the void left by SubInACL and also addresses the shortcomings of regini.exe. SetACL can do many more things than what’s discussed in this article.
See SetACL documentation for more details: SetACL Command Line-Version (SetACL.exe) – Syntax and Description.