Last active
September 6, 2024 22:47
-
-
Save domhoward14/6cdbcc809baf4386bd15f93ee7401562 to your computer and use it in GitHub Desktop.
view windows registry 32 and 64 bit subkeys
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-64BitRegistrySubKeys { | |
| param ( | |
| [string]$RegistryPath | |
| ) | |
| # Open the 64-bit registry key | |
| $key = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64).OpenSubKey($RegistryPath) | |
| if ($key -eq $null) { | |
| Write-Host "Registry key not found: $RegistryPath" | |
| return | |
| } | |
| # Get all subkey names and display them | |
| $subKeyNames = $key.GetSubKeyNames() | |
| foreach ($subKeyName in $subKeyNames) { | |
| Write-Host "Subkey: $subKeyName" | |
| } | |
| } | |
| function Get-32BitRegistrySubKeys { | |
| param ( | |
| [string]$RegistryPath | |
| ) | |
| # Open the 32-bit registry key | |
| $key = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry32).OpenSubKey($RegistryPath) | |
| if ($key -eq $null) { | |
| Write-Host "Registry key not found: $RegistryPath" | |
| return | |
| } | |
| # Get all subkey names and display them | |
| $subKeyNames = $key.GetSubKeyNames() | |
| foreach ($subKeyName in $subKeyNames) { | |
| Write-Host "Subkey: $subKeyName" | |
| } | |
| } | |
| # Example usage, replace with your key path | |
| Get-32BitRegistrySubKeys "SOFTWARE\Microsoft\Windows Defender" | |
| # Example usage, replace with your key path | |
| Get-64BitRegistrySubKeys "SOFTWARE\Microsoft\Windows Defender" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Set-RegistryPermissionsWithInheritance { | |
| param ( | |
| [string]$RegistryPath | |
| ) | |
| # Try to open the registry key with FullControl access rights | |
| try { | |
| # Open the 64-bit registry key | |
| $key = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64).OpenSubKey( | |
| $RegistryPath, | |
| [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, | |
| [System.Security.AccessControl.RegistryRights]::FullControl | |
| ) | |
| if ($key -eq $null) { | |
| Write-Host "Registry key not found: $RegistryPath" | |
| return | |
| } | |
| # Get the current access control | |
| $acl = $key.GetAccessControl() | |
| # Add a new rule granting your user account full control with inheritance | |
| $user = [System.Security.Principal.NTAccount]"$env:USERDOMAIN\$env:USERNAME" | |
| $rule = New-Object System.Security.AccessControl.RegistryAccessRule( | |
| $user, | |
| "FullControl", | |
| [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit, | |
| [System.Security.AccessControl.PropagationFlags]::None, | |
| "Allow" | |
| ) | |
| # Add the access rule to the ACL | |
| $acl.AddAccessRule($rule) | |
| # Apply the updated ACL to the registry key | |
| $key.SetAccessControl($acl) | |
| Write-Host "Permissions updated with inheritance for $RegistryPath" | |
| } catch { | |
| Write-Host "Error: $_" -ForegroundColor Red | |
| } | |
| } | |
| # Example usage, replace with your key path | |
| Set-RegistryPermissionsWithInheritance "SOFTWARE\Microsoft\Windows Defender" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Set-RegistryPermissions { | |
| param( | |
| [string]$rootKey, | |
| [string]$keyPath, | |
| [System.Security.Principal.SecurityIdentifier]$sid = ([System.Security.Principal.WindowsIdentity]::GetCurrent().User), # Default to current user | |
| [bool]$recurse = $true | |
| ) | |
| switch ($rootKey) { | |
| 'HKCU', 'HKEY_CURRENT_USER' { $rootKey = 'CurrentUser' } | |
| 'HKLM', 'HKEY_LOCAL_MACHINE' { $rootKey = 'LocalMachine' } | |
| 'HKCR', 'HKEY_CLASSES_ROOT' { $rootKey = 'ClassesRoot' } | |
| 'HKCC', 'HKEY_CURRENT_CONFIG' { $rootKey = 'CurrentConfig' } | |
| 'HKU', 'HKEY_USERS' { $rootKey = 'Users' } | |
| } | |
| # Escalate privileges | |
| function Enable-Privileges { | |
| $import = '[DllImport("ntdll.dll")] public static extern int RtlAdjustPrivilege(ulong a, bool b, bool c, ref bool d);' | |
| $ntdll = Add-Type -Member $import -Name NtDll -PassThru | |
| $privileges = @{ SeTakeOwnership = 9; SeBackup = 17; SeRestore = 18 } | |
| foreach ($i in $privileges.Values) { | |
| $null = $ntdll::RtlAdjustPrivilege($i, $true, $false, [ref]$false) | |
| } | |
| } | |
| Enable-Privileges # Elevate required privileges | |
| function Change-KeyOwnershipAndPermissions { | |
| param($regKeyPath, $sid, $recurse, $level = 0) | |
| try { | |
| # Open the registry key with permission to take ownership | |
| $regKey = [Microsoft.Win32.Registry]::$rootKey.OpenSubKey($regKeyPath, 'ReadWriteSubTree', 'TakeOwnership') | |
| if ($null -eq $regKey) { | |
| Write-Host "Key not found: $regKeyPath" -ForegroundColor Yellow | |
| return | |
| } | |
| # Step 1: Take Ownership | |
| $acl = $regKey.GetAccessControl() | |
| $acl.SetOwner($sid) | |
| $regKey.SetAccessControl($acl) | |
| # Step 2: Set permissions and inheritance | |
| if ($level -eq 0) { | |
| $rule = New-Object System.Security.AccessControl.RegistryAccessRule($sid, 'FullControl', 'ContainerInherit', 'None', 'Allow') | |
| $acl.AddAccessRule($rule) | |
| $regKey.SetAccessControl($acl) | |
| Write-Host "Ownership and permissions set for $regKeyPath" -ForegroundColor Green | |
| } | |
| # Step 3: Recursively apply permissions to subkeys | |
| if ($recurse) { | |
| $subKeys = $regKey.GetSubKeyNames() | |
| foreach ($subKey in $subKeys) { | |
| Change-KeyOwnershipAndPermissions "$regKeyPath\$subKey" $sid $recurse ($level + 1) | |
| } | |
| } | |
| } catch { | |
| Write-Host "Failed to set ownership or permissions for $regKeyPath: $_" -ForegroundColor Red | |
| } | |
| } | |
| # Start processing the registry key | |
| Change-KeyOwnershipAndPermissions $keyPath $sid $recurse | |
| } | |
| # Usage example | |
| Set-RegistryPermissions "HKLM" "SOFTWARE\Microsoft\Windows Defender" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function TakeOwnership-RegistryKey { | |
| param ( | |
| [string]$RegistryPath, | |
| [string]$UserAccount = "Phil" # Explicitly specify the user account | |
| ) | |
| # Open the 64-bit registry key | |
| try { | |
| $key = [Microsoft.Win32.RegistryKey]::OpenBaseKey( | |
| [Microsoft.Win32.RegistryHive]::LocalMachine, | |
| [Microsoft.Win32.RegistryView]::Registry64 | |
| ).OpenSubKey($RegistryPath, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership) | |
| if ($key -eq $null) { | |
| Write-Host "Registry key not found: $RegistryPath" | |
| return | |
| } | |
| # Get access control and set ownership to the specified user account | |
| $acl = $key.GetAccessControl() | |
| $owner = [System.Security.Principal.NTAccount]$UserAccount | |
| $acl.SetOwner($owner) | |
| Write-Host "Current ACL for key '$RegistryPath':" | |
| Write-Host $acl | Format-List | |
| Write-Host "Current owner of key '$RegistryPath': $owner" | |
| # Apply the new ownership | |
| $key.SetAccessControl($acl) | |
| Write-Host "Ownership of registry key '$RegistryPath' has been taken by $UserAccount" | |
| } catch { | |
| Write-Host "Error: $_" -ForegroundColor Red | |
| } | |
| } | |
| # Example usage: | |
| TakeOwnership-RegistryKey "SOFTWARE\Microsoft\Windows Defender" "Phil" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Take-Permissions { | |
| # Required Admin privileges | |
| param( | |
| $rootKey, | |
| $key, | |
| [System.Security.Principal.SecurityIdentifier]$sid = 'S-1-5-32-545', | |
| $recurse = $true | |
| ) | |
| switch -regex ($rootKey) { | |
| 'HKCU|HKEY_CURRENT_USER' { $rootKey = 'CurrentUser' } | |
| 'HKLM|HKEY_LOCAL_MACHINE' { $rootKey = 'LocalMachine' } | |
| 'HKCR|HKEY_CLASSES_ROOT' { $rootKey = 'ClassesRoot' } | |
| 'HKCC|HKEY_CURRENT_CONFIG' { $rootKey = 'CurrentConfig' } | |
| 'HKU|HKEY_USERS' { $rootKey = 'Users' } | |
| } | |
| ### Step 1 - escalate current process's privilege | |
| # Get SeTakeOwnership, SeBackup, and SeRestore privileges | |
| $import = '[DllImport("ntdll.dll")] public static extern int RtlAdjustPrivilege(ulong a, bool b, bool c, ref bool d);' | |
| $ntdll = Add-Type -Member $import -Name NtDll -PassThru | |
| $privileges = @{ SeTakeOwnership = 9; SeBackup = 17; SeRestore = 18 } | |
| foreach ($i in $privileges.Values) { | |
| $null = $ntdll::RtlAdjustPrivilege($i, 1, 0, [ref]0) | |
| } | |
| function Take-KeyPermissions { | |
| param($rootKey, $key, $sid, $recurse, $recurseLevel = 0) | |
| ### Step 2 - Take ownership of the key (only works for current key) | |
| $regKey = [Microsoft.Win32.Registry]::$rootKey.OpenSubKey($key, 'ReadWriteSubTree', 'TakeOwnership') | |
| $acl = New-Object System.Security.AccessControl.RegistrySecurity | |
| $acl.SetOwner($sid) | |
| $regKey.SetAccessControl($acl) | |
| ### Step 3 - Enable inheritance of permissions (not ownership) for the current key | |
| $acl.SetAccessRuleProtection($false, $false) | |
| $regKey.SetAccessControl($acl) | |
| ### Step 4 - For top-level key, change permissions and propagate to subkeys | |
| if ($recurseLevel -eq 0) { | |
| $regKey = $regKey.OpenSubKey('', 'ReadWriteSubTree', 'ChangePermissions') | |
| $rule = New-Object System.Security.AccessControl.RegistryAccessRule($sid, 'FullControl', 'ContainerInherit', 'None', 'Allow') | |
| $acl.ResetAccessRule($rule) | |
| $regKey.SetAccessControl($acl) | |
| } | |
| ### Step 5 - Recursively repeat for subkeys | |
| if ($recurse) { | |
| foreach($subKey in $regKey.OpenSubKey('').GetSubKeyNames()) { | |
| Take-KeyPermissions $rootKey ($key + '\' + $subKey) $sid $recurse ($recurseLevel + 1) | |
| } | |
| } | |
| } | |
| Take-KeyPermissions $rootKey $key $sid $recurse | |
| } | |
| # Example usage: granting full control to BUILTIN\Users for the Windows Defender key | |
| Take-Permissions "HKLM" "SOFTWARE\Microsoft\Windows Defender" | |
| # Taking ownership and giving BUILTIN\Users full control of the key and all its subkeys | |
| Take-Permissions "HKLM" "SOFTWARE\Microsoft\Windows Defender" | |
| # Giving the "Everyone" group full control over the key and all its subkeys | |
| Take-Permissions "HKLM" "SOFTWARE\Microsoft\Windows Defender" "S-1-1-0" | |
| # Giving the "Everyone" group full control of only the top-level key | |
| Take-Permissions "HKLM" "SOFTWARE\Microsoft\Windows Defender" "S-1-1-0" $false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function TakeOwnership-RegistryKey { | |
| param ( | |
| [string]$RegistryPath | |
| ) | |
| # Open the 64-bit registry key | |
| try { | |
| $key = [Microsoft.Win32.RegistryKey]::OpenBaseKey( | |
| [Microsoft.Win32.RegistryHive]::LocalMachine, | |
| [Microsoft.Win32.RegistryView]::Registry64 | |
| ).OpenSubKey($RegistryPath, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership) | |
| if ($key -eq $null) { | |
| Write-Host "Registry key not found: $RegistryPath" | |
| return | |
| } | |
| # Get access control and set ownership to the current user | |
| $acl = $key.GetAccessControl() | |
| $owner = [System.Security.Principal.NTAccount]"$env:USERDOMAIN\$env:USERNAME" | |
| $acl.SetOwner($owner) | |
| Write-Host "Current ACL for key '$RegistryPath':" | |
| Write-Host $acl | Format-List | |
| Write-Host "Attempting to change ownership to: $owner" | |
| # Apply the new ownership | |
| $key.SetAccessControl($acl) | |
| Write-Host "Ownership of registry key '$RegistryPath' has been taken by $env:USERNAME" | |
| } catch { | |
| Write-Host "Error: $_" -ForegroundColor Red | |
| } | |
| } | |
| # Call the function to take ownership of the key in the 64-bit registry view | |
| TakeOwnership-RegistryKey "SOFTWARE\Microsoft\Windows Defender" |
to add logging
<CommandLine>powershell.exe -ExecutionPolicy Bypass -NoProfile -File E:\setup.ps1 > C:\setup-script-log.txt 2>&1</CommandLine>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
may need to do this prior to running tasks