Take Ownership of Registry Key & Assign Permissions Using Command-line

We’ve seen how to use the Registry Editor (regedit.exe) to change ownership of a registry key and subkeys. This article tells you how to change registry key ownership and grant permissions using the command-line.

Windows has the takeown.exe and icacls.exe console utilities to change file/folder ownership and permissions, but there are no such built-in tools for changing the registry key ownership using command-line. You’ll need a third-party tool named SetACL for the task.

SetACL: Command-line arguments

Before proceeding, let’s see the command-line syntax for changing file/registry ownership and permissions using SetACL.

SetACL -on objectname -ot objecttype -actn action
  • -on: Specify the path to the object SetACL should operate on (e.g., file, registry key, network share, service, or printer).
  • -ot: Specify the object type. To change ownership or permissions for a file or folder, use the object type file. For registry keys, use the object type reg
  • -actn: Specify the action as to what should SetACL do against the object specified. For taking ownership, set the action as setowner. To change permissions, set the action as ace.

(See SetACL documentation for the full list of objects, types, and supported actions.)

Take Ownership of Registry Key & Assign Permissions Using Command-line

To change registry key ownership and permissions using SetACL:

  1. Download SetACL, unzip the contents to a folder.
  2. Copy the appropriate version of setacl.exe (32-bit vs 64-bit) of the tool to a folder — e.g., d:\tools.
  3. Let’s say you want to change ownership of the registry branch HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160} and to grant the Administrators group full control permissions. Run these two commands from an admin Command Prompt window:
    SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}" -ot reg -actn setowner -ownr "n:Administrators"
    SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}" -ot reg -actn ace -ace "n:Administrators;p:full"
    take ownership registry command-line - setacl
    SetACL: Change Ownership of a Registry key & assign Full Permissions
    • The 1st command sets Administrators group as the owner of the key
    • The 2nd command assigns the Administrators group Full Control permissions for the key.

The Administrators group owns the key and its subkeys, and also has full control permissions, which you can check using the Registry Editor.

take ownership registry command-line - setacl administrators


Important: For changing the ownership and permissions for this key and subkeys, add the -rec Yes argument at the end. See illustration below for more information.




Error when changing registry key permissions?

SetACL reports the following error when attempting to change the permissions for a file/folder or a registry key for which you don’t have access to. To prevent this error, make sure you first take ownership of the key before changing its permissions.

SetACL finished with error(s):
SetACL error message: The call to SetNamedSecurityInfo () failed
Operating system error message: Access is denied.

Take Ownership & Assign Permissions Recursively (this key & subkeys)

To change ownership and grant full control permission (to Administrators) for the specified key along with its subkeys, include the -rec Yes switch at the end, as given below:

SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}" -ot reg -actn setowner -ownr "n:Administrators" -rec Yes
SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}" -ot reg -actn ace -ace "n:Administrators;p:full" -rec Yes

take ownership registry command-line - setacl trustedinstaller

Set TrustedInstaller as the owner

To set TrustedInstaller as the owner of the above registry key and assign it full control permissions recursively, use the same command-line syntax. You only need to change the account/group name. Here are the commands you need to run this time:

SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}" -ot reg -actn setowner -ownr "n:nt service\trustedinstaller" -rec Yes
SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}" -ot reg -actn ace -ace "n:"nt service\trustedinstaller";p:full" -rec Yes

After running the above command sets TrustedInstaller (NT SERVICE\TrustedInstaller) as the owner of the key and subkeys.

take ownership registry command-line - setacl trustedinstaller

Additional Information

  • Microsoft’s SubInACL: There is also another console tool named SubInACL released by Microsoft during the Windows XP-era. It’s part of the Windows XP/2003 Resource Kit Tools. SubInACL can be used to set ownership and permissions for files/folders and registry. However, as SubInACL has been discontinued by Microsoft and it defaults to 32-bit file and registry paths (on Windows 64-bit systems) which makes it unusable in 64-bit versions of Windows in some situations.
  • Microsoft’s Regini.exe: You have another built-in console tool named regini.exe which lets you change the registry permissions using a text-based file. However, regini.exe can’t change the ownership of a registry key. For more information on regini.exe, open a Command Prompt window and type regini.exe /?
  • Helge Klein’s SetACL is widely recommended tool and it certainly has filled the void left by SubInACL and also addresses the shortcomings of regini.exe. SetACL can do many more things than what’s discussed in this article.

See SetACL documentation for more details: SetACL Command Line-Version (SetACL.exe) – Syntax and Description.


One small request: If you liked this post, please share this?

One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
  • Pin it!
  • Share it to your favorite blog + Facebook, Reddit
  • Tweet it!
So thank you so much for your support, my reader. It won't take more than 10 seconds of your time. The share buttons are right below. :)

About the author

Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and he has been a Microsoft Most Valuable Professional (MVP) for 10 consecutive years from 2003 to 2012.

Leave a Comment