aveyo

reg_own lean and mean snippet

Sep 27th, 2018 (edited)
  1. @title reg_own snippet usage - 2020.11.07
  2. :: AveYo: csc-less; support any hive; recursively add or delete rights and try to preserve owner; still 12 lines
  3. :: Changelog: abort early if key not found, print cmdline for examples. thanks pastebin for restoring this gem
  4. :: To those reporting it: this provides legitimate registry permission tasks to admins, similar to built-in regini
  5. @echo off & color 07
  6. echo Usage:
  7. echo call :reg_own "key" all[""=key-only] user[""=Administrators] owner[""=Original] access[""=Allow] perm[""=FullControl]
  8. echo;
  9. echo Denying permissions works fine for a specific key, but when doing it recursively you need to be smart about it,
  10. echo as you could get a "cart before the horses" situation, denying yourself making further permission changes to subkeys.
  11. echo Never use FullControl with deny permissions recursively. WriteKey will deny "Read Control" so dont use that either.
  12. echo Instead, deny write permissions explicitly: "SetValue,CreateSubkey,CreateLink,Delete,ChangePermissions,TakeOwnership"
  13. echo Also advised not to set deny permissions for Everyone sid, but use instead non-global individual users or groups
  14. echo;
  15.  
:::: Define TI sid (TrustedInstaller)
:::: (third token of the "SERVICE SID: S-1-5-80-..." line printed by sc.exe; the demo passes it as an owner argument)
for /f "tokens=3" %%a in ('sc.exe showsid TrustedInstaller') do set TI=%%a >nul
:::: Define USER sid before asking for elevation since it gets replaced for limited accounts
:::: (second token of the "SID: S-1-5-21-..." line from whoami; after the UAC prompt the elevated instance may run as a
::::  different account, so the SID is taken here and forwarded with "set USER=..." in the relaunch command below.
::::  The _ variable holds that relaunch command, "call this-script original-args", and reaches PowerShell as $env:_)
set _=call "%~f0" %* &if "%USER%"=="" for /f "tokens=2" %%u in ('whoami /user /fo list') do set USER=%%u
:::: Ask for elevation passing USER and any batch arguments - ps also enables debug privilege unlike vbs
:::: reg query HKU\S-1-5-19 is the elevation test (the LOCAL SERVICE hive, which only an unfiltered admin token can read):
:::: on failure the script relaunches itself through Start-Process -Verb RunAs and exits. cmd /d disables the user-writable
:::: AutoRun registry hook so it cannot run inside the elevated shell; powershell -nop likewise skips the user profile.
:::: NOTE(review): the original arguments are spliced verbatim into the elevated command line, so never invoke this script
:::: with arguments from an untrusted source (a stray ampersand in them would execute as admin).
reg query HKU\S-1-5-19>nul 2>nul||(powershell -nop -c start cmd -args '/d/x/q/rset USER=%USER%^&',$env:_ -verb runas &exit)
  22.  
:: lean xp+ color macros by AveYo:  %<%:af " hello "%>>%  &  %<%:cf " w\"or\"ld "%>%    for single \ / " use .%|%\  .%|%/  \"%|%\"
:: The two lines below define the <, >, >> and pipe variables used by the demo. Usage is shown above: a two-hex-digit
:: findstr /a colour attribute (background then foreground, like the color command) followed by the quoted text; >> keeps
:: the cursor on the line, > ends it. It works by writing a scratch file named c into the all-users profile folder and
:: printing through findstr /a; that file is not deleted by this script. NOTE(review): intricate quoting, left byte-identical.
for /f "delims=:" %%\ in ('echo/prompt $h$s$h:^|cmd/d') do set "|=%%\" &set ">>=\..\c nul &set/p \=%%\%%\%%\%%\%%\%%\%%\<nul&popd"
set "<=pushd "%allusersprofile%"&2>nul findstr /c:\ /a" &set ">=%>>%&echo;" &set "|=%!!|%" &set/p \=\<nul>"%allusersprofile%\c"
  26.  
  27. :: Setup a test key
  28. reg delete HKCU\TEMP\REG_OWN /f >nul 2>nul & reg add HKCU\TEMP\REG_OWN\DEL\ME /f >nul 2>nul
  29.  
  30. set VO=verbose-output :: now silent by default, only lists rights if VO is defined; to undefine: set "VO="
  31.  
  32. %<%:af " Allow FullControl from Administrators "%>>% & %<%:f0 " default, just this key "%>%
  33. echo call :reg_own "HKEY_CURRENT_USER\TEMP\REG_OWN"
  34. call :reg_own "HKEY_CURRENT_USER\TEMP\REG_OWN"
  35.  
  36. %<%:6f " Allow READ from Users "%>>% & %<%:f0 " recursive, disable inheritance "%>%
  37. echo call :reg_own "HKCU\TEMP\REG_OWN" all S-1-5-32-545 "" Allow "ReadPermissions, ReadKey"
  38. call :reg_own "HKCU\TEMP\REG_OWN" all S-1-5-32-545 "" Allow "ReadPermissions, ReadKey"
  39.  
  40. %<%:cf " Deny changes from %%USER%% and set owner to TrustedInstaller "%>>% & %<%:f0 " just this key "%>%
  41. echo call :reg_own "HKCU\TEMP\REG_OWN" "" %%USER%% %%TI%% Deny "SetValue,CreateSubkey,CreateLink,Delete,ChangePermissions,TakeOwnership"
  42. call :reg_own "HKCU\TEMP\REG_OWN" "" %USER% %TI% Deny "SetValue,CreateSubkey,CreateLink,Delete,ChangePermissions,TakeOwnership"
  43.  
  44. %<%:5f " Allow FullControl from %%USER%% and set owner to SYSTEM "%>>% & %<%:f0 " all subkeys "%>%
  45. echo call :reg_own "HKCU\TEMP\REG_OWN" all %%USER%% S-1-5-18 Allow FullControl
  46. call :reg_own "HKCU\TEMP\REG_OWN" all %USER% S-1-5-18 Allow FullControl
  47.  
  48. echo;
  49. %<%:0e " TO SIMPLY ADJUST VALUES THEN RESTORE PERMISSIONS I RECOMMEND THE FOLLOWING:"%>%
  50.  
  51. %<%:2f " Allow FullControl from Everyone "%>>% & %<%:f0 " recursive, preserve inheritance "%>%
  52. echo call :reg_own "HKEY_CURRENT_USER\TEMP\REG_OWN" preserve S-1-1-0
  53. call :reg_own "HKEY_CURRENT_USER\TEMP\REG_OWN" preserve S-1-1-0
  54.  
  55. %<%:0e " DO WHATEVER MODIFICATIONS NEEDED IN THE TARGET REGKEY:"%>%
  56. echo reg add "HKEY_CURRENT_USER\TEMP\REG_OWN" /v somevalue /d somedata /f
  57. reg add "HKEY_CURRENT_USER\TEMP\REG_OWN" /v somevalue /d somedata /f
  58.  
  59. echo;
  60. %<%:0e " FINALLY RESTORE PERMISSIONS:"%>%
  61.  
  62. %<%:9f " Remove non-inherited rules from Everyone "%>>% & %<%:f0 " recursive, remove + hide output "%>%
  63. echo set VO=^&call :reg_own "HKCU\TEMP\REG_OWN" none S-1-1-0
  64. set VO=&call :reg_own "HKCU\TEMP\REG_OWN" none S-1-1-0
  65.  
  66. echo;
  67. %<%:bf " Done! "%>%    &    %<%:00 ~%>%
  68. cmd/d/k
  69. exit
  70.  
  71. ::::::::::::::::::::::::::::::::::::::::::::::::
  72. :: Snippet to copy-paste in batch (cmd) scripts:
  73. ::::::::::::::::::::::::::::::::::::::::::::::::
  74.  
:: reg_own: take ownership of a registry key (optionally its whole subtree), replace the rules for one SID with a single
:: access rule, then hand ownership back. The PowerShell text between the two Own1 markers below is read back out of this
:: file and run with iex (csc-less, no temporary .ps1). Arguments, all optional except the key:
::   1 key     HIVE\path, e.g. "HKCU\Software\X" or "HKEY_CURRENT_USER\Software\X"
::   2 mode    "" = this key only; anything else recurses; all = also disable inheritance; none = also drop the SID's rules
::   3 user    SID the rule is for (default S-1-5-32-544, Administrators)
::   4 owner   SID to leave as owner (default: the owner found before the change if it could be read, else the user SID)
::   5 access  Allow (default) or Deny
::   6 perm    RegistryRights name(s), default FullControl
:: Needs an elevated token; it enables the SeSecurity, SeTakeOwnership, SeBackup and SeRestore privileges on the process.
:: NOTE(review): the arguments are spliced into the powershell command line inside single quotes, so a value containing a
:: single quote breaks out of the string and is executed as PowerShell (as admin). Pass script-controlled values only.
:reg_own #key [optional] all user owner access permission  :        call :reg_own "HKCU\My" "" S-1-5-32-545 "" Allow FullControl
powershell -nop -c $A='%~1','%~2','%~3','%~4','%~5','%~6';iex(([io.file]::ReadAllText('%~f0')-split':Own1\:.*')[1])&exit/b:Own1:
# --- everything from here to the closing Own1 marker is the text the iex above executes ---
# SetPrivilege is a non-public static helper in System.Diagnostics.Process, fetched by reflection (42 = NonPublic|Static|DeclaredOnly).
# NOTE(review): undocumented internal, may disappear in a future .NET; the backtick-split method name looks like deliberate
# string obfuscation (likely to keep heuristic scanners quiet), so expect security tooling to flag this file.
$D1=[uri].module.gettype('System.Diagnostics.Process')."GetM`ethods"(42) |where {$_.Name -eq 'SetPrivilege'} #`:no-ev-warn
# enable the four privileges on this process token (2 presumably = SE_PRIVILEGE_ENABLED); there is no guard if $D1 came back empty
'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege'|foreach {$D1.Invoke($null, @("$_",2))}
# A = key, mode, user, owner, access, perm (from the batch args); split "HIVE\rest" once and open the hive via the Registry provider
$path=$A[0]; $rk=$path-split'\\',2; $HK=gi -lit Registry::$($rk[0]) -fo; $s=$A[1]; $sps=[Security.Principal.SecurityIdentifier]
# "" picks the default via ($value,default)[!$value]; w[0] = user SID, w[1] = owner SID; old = preserve whatever owner is found
$u=($A[2],'S-1-5-32-544')[!$A[2]];$o=($A[3],$u)[!$A[3]];$w=$u,$o |% {new-object $sps($_)}; $old=!$A[3];$own=!$old; $y=$s-eq'all'
# the rule to apply: 1 = InheritanceFlags.ContainerInherit, 0 = PropagationFlags.None, so it is also inherited by subkeys
$rar=new-object Security.AccessControl.RegistryAccessRule( $w[0], ($A[5],'FullControl')[!$A[5]], 1, 0, ($A[4],'Allow')[!$A[4]] )
# Own1: per-key worker. A missing key leaves $t null and nothing happens (the "abort early"). 0/4 = AccessControlSections
# None/Owner; if the owner section cannot be read, give up on restoring it ($old=0) and the key stays owned by the user SID.
$x=$s-eq'none';function Own1($k){$t=$HK.OpenSubKey($k,2,'TakeOwnership');if($t){0,4|%{try{$o=$t.GetAccessControl($_)}catch{$old=0}
# remember the current owner, make the user SID the owner so the DACL can be edited, then reopen with ChangePermissions
};if($old){$own=1;$w[1]=$o.GetOwner($sps)};$o.SetOwner($w[0]);$t.SetAccessControl($o); $c=$HK.OpenSubKey($k,2,'ChangePermissions')
# 2 = Access section. all: stop inheriting but keep the inherited entries as explicit ones. ResetAccessRule drops every
# existing rule for that SID and adds ours; none: RemoveAccessRuleAll then strips the rule(s) of that SID and type again
$p=$c.GetAccessControl(2);if($y){$p.SetAccessRuleProtection(1,1)};$p.ResetAccessRule($rar);if($x){$p.RemoveAccessRuleAll($rar)}
# write the DACL, hand ownership to the requested/previous owner, and recurse into subkeys whenever a mode was given at all
$c.SetAccessControl($p);if($own){$o.SetOwner($w[1]);$t.SetAccessControl($o)};if($s){$subkeys=$HK.OpenSubKey($k).GetSubKeyNames()
foreach($n in $subkeys){Own1 "$k\$n"}}}};Own1 $rk[1];if($env:VO){get-acl Registry::$path|fl} #:Own1: lean & mean snippet by AveYo
::-_-::
  88.  
  89. ####################################################################
  90. # Snippet to copy-paste in ps1/hybrid scripts or powershell console:
  91. # hybrid cmd+powershell code block example: pastebin.com/8wU6Bd2j
# unlike the batch version, all arguments must be separated by , (the function takes one [string[]] array; pass "" to keep a
# default) and the key is written PSDrive-style, e.g. HKCU:\My, because it is split on ":\"
  93. ####################################################################
  94.  
# reg_own: take ownership of a registry key (optionally its whole subtree), replace the rules for one SID with a single
# access rule, then hand ownership back. $A = key, mode, user, owner, access, perm - every element after the key may be "":
#   key    PSDrive-style "HIVE:\path" (split on ":\"), e.g. "HKCU:\Software\X"
#   mode   "" = this key only; anything else recurses; all = also disable inheritance; none = also drop the SID's rules
#   user   SID the rule is for (default S-1-5-32-544, Administrators)
#   owner  SID to leave as owner (default: the owner found before the change if it could be read, else the user SID)
#   access Allow (default) or Deny;  perm  RegistryRights name(s), default FullControl
# Needs an elevated token; prints the resulting ACL when $env:VO is set. Same logic as the batch snippet above.
function reg_own([string[]]$A){ #key [opt],all,usr,own,acc,perm  : reg_own "HKCU:\My","","S-1-5-32-545","","Allow","FullControl"
# SetPrivilege is a non-public static helper in System.Diagnostics.Process, fetched by reflection (42 = NonPublic|Static|DeclaredOnly).
# NOTE(review): undocumented internal, may disappear in a future .NET; the backtick-split method name looks like deliberate
# string obfuscation (likely to keep heuristic scanners quiet), so expect security tooling to flag this file.
$D1=[uri].module.gettype('System.Diagnostics.Process')."GetM`ethods"(42) |where {$_.Name -eq 'SetPrivilege'} #`:no-ev-warn
# enable the four privileges on this process token (2 presumably = SE_PRIVILEGE_ENABLED); there is no guard if $D1 came back empty
'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege'|foreach {$D1.Invoke($null, @("$_",2))}
# split "HIVE:\rest" once and open the hive via the Registry provider
$path=$A[0]; $rk=$path-split':\\',2; $HK=gi -lit Registry::$($rk[0]) -fo; $s=$A[1]; $sps=[Security.Principal.SecurityIdentifier]
# "" picks the default via ($value,default)[!$value]; w[0] = user SID, w[1] = owner SID; old = preserve whatever owner is found
$u=($A[2],'S-1-5-32-544')[!$A[2]];$o=($A[3],$u)[!$A[3]];$w=$u,$o |% {new-object $sps($_)}; $old=!$A[3];$own=!$old; $y=$s-eq'all'
# the rule to apply: 1 = InheritanceFlags.ContainerInherit, 0 = PropagationFlags.None, so it is also inherited by subkeys
$rar=new-object Security.AccessControl.RegistryAccessRule( $w[0], ($A[5],'FullControl')[!$A[5]], 1, 0, ($A[4],'Allow')[!$A[4]] )
# Own1: per-key worker. A missing key leaves $t null and nothing happens. 0/4 = AccessControlSections None/Owner;
# if the owner section cannot be read, give up on restoring it ($old=0) and the key stays owned by the user SID.
$x=$s-eq'none';function Own1($k){$t=$HK.OpenSubKey($k,2,'TakeOwnership');if($t){0,4|%{try{$o=$t.GetAccessControl($_)}catch{$old=0}
# remember the current owner, make the user SID the owner so the DACL can be edited, then reopen with ChangePermissions
};if($old){$own=1;$w[1]=$o.GetOwner($sps)};$o.SetOwner($w[0]);$t.SetAccessControl($o); $c=$HK.OpenSubKey($k,2,'ChangePermissions')
# 2 = Access section. all: stop inheriting but keep the inherited entries as explicit ones. ResetAccessRule drops every
# existing rule for that SID and adds ours; none: RemoveAccessRuleAll then strips the rule(s) of that SID and type again
$p=$c.GetAccessControl(2);if($y){$p.SetAccessRuleProtection(1,1)};$p.ResetAccessRule($rar);if($x){$p.RemoveAccessRuleAll($rar)}
# write the DACL, hand ownership to the requested/previous owner, and recurse into subkeys whenever a mode was given at all
$c.SetAccessControl($p);if($own){$o.SetOwner($w[1]);$t.SetAccessControl($o)};if($s){$subkeys=$HK.OpenSubKey($k).GetSubKeyNames()
foreach($n in $subkeys){Own1 "$k\$n"}}}}; Own1 $rk[1]; if($env:VO){get-acl Registry::$path|fl}} # lean & mean ps snippet by AveYo
#-_-#
  107.  