
Hi, everyone has to change an ACL once in a while. This time it was in the registry. Let’s start.

Check if the PSdrive exists:

Get-PSDrive

Name           Used (GB)     Free (GB) Provider      Root
----           ---------     --------- --------      ----
A                                      FileSystem    A:\
Alias                                  Alias
C                  61.19        138.71 FileSystem    C:\
cert                                   Certificate   \
D                                      FileSystem    D:\
Env                                    Environment
Function                               Function
HKCU                                   Registry      HKEY_CURRENT_USER
HKLM                                   Registry      HKEY_LOCAL_MACHINE
Variable                               Variable
WSMan                                  WSMan

In my case I also had to change a key in the HKEY_CLASSES_ROOT. So I created a new drive:

#Be aware that in this example I need to change something under the * key. You cannot browse to that in PowerShell…
#So you need to create your PSDrive rooted in there
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT\*\ -Name HKCR

I do not want the BUILTIN\Users group to have access to certain keys. Here is how to change that:

#define the path
$path = 'HKCR:\shellex\ContextMenuHandlers\{4D421DA5-E86F-4CA8-9167-63379A6FA00B}'

#breaks inheritance ($true,$true = protect the key from inheritance and keep the inherited rules as explicit copies)
$acl = (Get-Item $path).GetAccessControl('Access')
$acl.SetAccessRuleProtection($true,$true)
set-acl $path -AclObject $acl

#removes all access rules based on 'BUILTIN\Users'
$acl = (Get-Item $path).GetAccessControl('Access')
$acl.Access |where {$_.IdentityReference -eq 'BUILTIN\Users'} |%{$acl.RemoveAccessRule($_)}
set-acl $path -AclObject $acl

#optional, add a new group
#$acl = Get-Acl $path
#$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Global Groupname","ReadKey","Allow")
#$acl.SetAccessRule($rule)
#set-acl $path -AclObject $acl

https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.registryrights(v=vs.110).aspx

Sander
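
The same procedure wrapped into a function that saves the DACL first and verifies the result afterwards. This is an added example, not part of the original post; it assumes an elevated session and the HKCR: drive created above, and the names Remove-UsersAccess, Restore-KeyDacl and $BackupFile are hypothetical.

```powershell
# Added example, not the author's code. Assumes an elevated session and the
# HKCR: drive from the post. Function names and $BackupFile are hypothetical.
function Remove-UsersAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$BackupFile = (Join-Path $env:TEMP 'key-dacl-backup.sddl')
    )
    # Well-known SID of BUILTIN\Users; the display name is localized, the SID is not
    $users = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'

    # Save the current DACL as SDDL before touching anything, for rollback
    $acl = (Get-Item -LiteralPath $Path).GetAccessControl('Access')
    $acl.GetSecurityDescriptorSddlForm('Access') | Set-Content -LiteralPath $BackupFile

    # Break inheritance, keeping inherited rules as explicit copies, and write it
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Re-read: the copied rules only exist after the write. Then drop every
    # rule (allow and deny) held by BUILTIN\Users.
    $acl = (Get-Item -LiteralPath $Path).GetAccessControl('Access')
    $acl.PurgeAccessRules($users)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Verify from a fresh read, translating identities to SIDs for the comparison
    $after = (Get-Item -LiteralPath $Path).GetAccessControl('Access')
    $left  = @($after.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
               Where-Object { $_.IdentityReference.Value -eq $users.Value })
    if ($left.Count -gt 0) {
        throw "BUILTIN\Users still has $($left.Count) rule(s) on $Path; backup is in $BackupFile"
    }
    # Return what remains so the result can be reviewed or logged
    $after.Access | Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

# Rollback for the same key: load the saved SDDL into the DACL and write it back
function Restore-KeyDacl {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$BackupFile)
    $acl = (Get-Item -LiteralPath $Path).GetAccessControl('Access')
    $acl.SetSecurityDescriptorSddlForm((Get-Content -LiteralPath $BackupFile -Raw).Trim(), 'Access')
    Set-Acl -LiteralPath $Path -AclObject $acl
}
```

Call it as Remove-UsersAccess -Path $path with the $path defined in the post. Matching on the SID instead of the name 'BUILTIN\Users' keeps the check working on non-English Windows installations.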
