PowerShell Script to apply permissions for regsvr32 without being an Admin
Whilst it's possible to just grant full control of the HKCR key, that might result in granting more access than necessary. While researching how to do this, at one point I ended up hosing the permissions on HKCR, resulting in the need to reimage my machine. In order to come up with this script, I used the procmon tool, and filtered for registry permissions denied, then granted them in the script.
The following PowerShell script creates (non-inherited) permissions on just those keys that I've determined necessary for registration of DLLs (and thus OCXs). This allows a single account (in this case, a build server code builder account) to be granted access to register DLLs without being an administrator. Replace the first variable - $buildAcctUserName
- with the account to use when setting rules.
$buildAcctUserName = "AzureDevOpsBuilder"
# Create Rule for full control of keys that need to be added to/updated/deleted from
$user = New-Object System.Security.Principal.NTAccount("$($env:COMPUTERNAME)\$buildAcctUserName")
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
$user,
[System.Security.AccessControl.RegistryRights]"FullControl",
[System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit", <# ContainerInherit / None / ObjectInherit #>
[System.Security.AccessControl.PropagationFlags]::None,
[System.Security.AccessControl.AccessControlType]::Allow)
# Grant access to HKCR
$regHKCRHive=[Microsoft.Win32.RegistryHive]::ClassesRoot;
$regHKCRBaseKey=[Microsoft.Win32.RegistryKey]::OpenBaseKey($regHKCRHive,[Microsoft.Win32.RegistryView]::Default)
$regkey=$regHKCRBaseKey.OpenSubKey("", $true)
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)
# Grant access to HKLM\Software
$regHKLMHive=[Microsoft.Win32.RegistryHive]::LocalMachine
$regHKLMBaseKey=[Microsoft.Win32.RegistryKey]::OpenBaseKey($regHKLMHive,[Microsoft.Win32.RegistryView]::Default)
$regkey=$regHKLMBaseKey.OpenSubKey("SOFTWARE", $true)
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)
# Grant access to HKLM\Software\Wow6432Node
$regkey=$regHKLMBaseKey.OpenSubKey("SOFTWARE\Wow6432Node", $true)
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)
# Grant access to HKCR\Wow6432Node\CLSID
$regkey=$regHKCRBaseKey.OpenSubKey("Wow6432Node\CLSID", $true)
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)
# Grant access to HKCR\TypeLib
$regkey=$regHKCRBaseKey.OpenSubKey("TypeLib", $true)
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)
# Grant access to HKCR\Wow6432Node\Interface
$regkey=$regHKCRBaseKey.OpenSubKey("Wow6432Node\Interface", $true)
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)
# Grant access to HKCR\Interface
$regkey=$regHKCRBaseKey.OpenSubKey("Interface", $true)
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)
# Grant access to HKCR\AppID
$regkey=$regHKCRBaseKey.OpenSubKey("AppID", $true)
$acl = $regkey.GetAccessControl()
$acl.SetAccessRule($rule)
$regkey.SetAccessControl($acl)