reg_own lean and mean snippet

@title reg_own snippet usage - 2020.11.07
:: AveYo: csc-less; support any hive; recursively add or delete rights and try to preserve owner; still 12 lines
:: Changelog: abort early if key not found, print cmdline for examples. thanks pastebin for restoring this gem
:: To those reporting it: this provides legitimate registry permission tasks to admins, similar to built-in regini
@echo off & color 07
echo Usage:
echo call :reg_own "key" all[""=key-only] user[""=Administrators] owner[""=Original] access[""=Allow] perm[""=FullControl]
echo;
echo Denying permissions works fine for a specific key, but when doing it recursively you need to be smart about it,
echo as you could get a "cart before the horses" situation, denying yourself making further permission changes to subkeys.
echo Never use FullControl with deny permissions recursively. WriteKey will deny "Read Control" so dont use that either.
echo Instead, deny write permissions explicitly: "SetValue,CreateSubkey,CreateLink,Delete,ChangePermissions,TakeOwnership"
echo Also advised not to set deny permissions for Everyone sid, but use instead non-global individual users or groups
echo;

:::: Define TI sid (TrustedInstaller)
for /f "tokens=3" %%a in ('sc.exe showsid TrustedInstaller') do set TI=%%a >nul
:::: Define USER sid before asking for elevation since it gets replaced for limited accounts
set _=call "%~f0" %* &if "%USER%"=="" for /f "tokens=2" %%u in ('whoami /user /fo list') do set USER=%%u
:::: Ask for elevation passing USER and any batch arguments - ps also enables debug priviledge unlike vbs
reg query HKU\S-1-5-19>nul 2>nul||(powershell -nop -c start cmd -args '/d/x/q/rset USER=%USER%^&',$env:_ -verb runas &exit)

:: lean xp+ color macros by AveYo:  %<%:af " hello "%>>%  &  %<%:cf " w\"or\"ld "%>%    for single \ / " use .%|%\  .%|%/  \"%|%\"
for /f "delims=:" %%\ in ('echo/prompt $h$s$h:^|cmd/d') do set "|=%%\" &set ">>=\..\c nul &set/p \=%%\%%\%%\%%\%%\%%\%%\<nul&popd"
set "<=pushd "%allusersprofile%"&2>nul findstr /c:\ /a" &set ">=%>>%&echo;" &set "|=%!!|%" &set/p \=\<nul>"%allusersprofile%\c"

:: Setup a test key
reg delete HKCU\TEMP\REG_OWN /f >nul 2>nul & reg add HKCU\TEMP\REG_OWN\DEL\ME /f >nul 2>nul

set VO=verbose-output :: now silent by default, only lists rights if VO is defined; to undefine: set "VO="

%<%:af " Allow FullControl from Administrators "%>>% & %<%:f0 " default, just this key "%>%
echo call :reg_own "HKEY_CURRENT_USER\TEMP\REG_OWN"
call :reg_own "HKEY_CURRENT_USER\TEMP\REG_OWN"

%<%:6f " Allow READ from Users "%>>% & %<%:f0 " recursive, disable inheritance "%>%
echo call :reg_own "HKCU\TEMP\REG_OWN" all S-1-5-32-545 "" Allow "ReadPermissions, ReadKey"
call :reg_own "HKCU\TEMP\REG_OWN" all S-1-5-32-545 "" Allow "ReadPermissions, ReadKey"

%<%:cf " Deny changes from %%USER%% and set owner to TrustedInstaller "%>>% & %<%:f0 " just this key "%>%
echo call :reg_own "HKCU\TEMP\REG_OWN" "" %%USER%% %%TI%% Deny "SetValue,CreateSubkey,CreateLink,Delete,ChangePermissions,TakeOwnership"
call :reg_own "HKCU\TEMP\REG_OWN" "" %USER% %TI% Deny "SetValue,CreateSubkey,CreateLink,Delete,ChangePermissions,TakeOwnership"

%<%:5f " Allow FullControl from %%USER%% and set owner to SYSTEM "%>>% & %<%:f0 " all subkeys "%>%
echo call :reg_own "HKCU\TEMP\REG_OWN" all %%USER%% S-1-5-18 Allow FullControl
call :reg_own "HKCU\TEMP\REG_OWN" all %USER% S-1-5-18 Allow FullControl

echo;
%<%:0e " TO SIMPLY ADJUST VALUES THEN RESTORE PERMISSIONS I RECOMMEND THE FOLLOWING:"%>%

%<%:2f " Allow FullControl from Everyone "%>>% & %<%:f0 " recursive, preserve inheritance "%>%
echo call :reg_own "HKEY_CURRENT_USER\TEMP\REG_OWN" preserve S-1-1-0
call :reg_own "HKEY_CURRENT_USER\TEMP\REG_OWN" preserve S-1-1-0

%<%:0e " DO WHATEVER MODIFICATIONS NEEDED IN THE TARGET REGKEY:"%>%
echo reg add "HKEY_CURRENT_USER\TEMP\REG_OWN" /v somevalue /d somedata /f
reg add "HKEY_CURRENT_USER\TEMP\REG_OWN" /v somevalue /d somedata /f

echo;
%<%:0e " FINALLY RESTORE PERMISSIONS:"%>%

%<%:9f " Remove non-inherited rules from Everyone "%>>% & %<%:f0 " recursive, remove + hide output "%>%
echo set VO=^&call :reg_own "HKCU\TEMP\REG_OWN" none S-1-1-0
set VO=&call :reg_own "HKCU\TEMP\REG_OWN" none S-1-1-0

echo;
%<%:bf " Done! "%>%    &    %<%:00 ~%>%
cmd/d/k
exit

::::::::::::::::::::::::::::::::::::::::::::::::
:: Snippet to copy-paste in batch (cmd) scripts:
::::::::::::::::::::::::::::::::::::::::::::::::

:reg_own #key [optional] all user owner access permission  :        call :reg_own "HKCU\My" "" S-1-5-32-545 "" Allow FullControl
powershell -nop -c $A='%~1','%~2','%~3','%~4','%~5','%~6';iex(([io.file]::ReadAllText('%~f0')-split':Own1\:.*')[1])&exit/b:Own1:
$D1=[uri].module.gettype('System.Diagnostics.Process')."GetM`ethods"(42) |where {$_.Name -eq 'SetPrivilege'} #`:no-ev-warn
'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege'|foreach {$D1.Invoke($null, @("$_",2))}
$path=$A[0]; $rk=$path-split'\\',2; $HK=gi -lit Registry::$($rk[0]) -fo; $s=$A[1]; $sps=[Security.Principal.SecurityIdentifier]
$u=($A[2],'S-1-5-32-544')[!$A[2]];$o=($A[3],$u)[!$A[3]];$w=$u,$o |% {new-object $sps($_)}; $old=!$A[3];$own=!$old; $y=$s-eq'all'
$rar=new-object Security.AccessControl.RegistryAccessRule( $w[0], ($A[5],'FullControl')[!$A[5]], 1, 0, ($A[4],'Allow')[!$A[4]] )
$x=$s-eq'none';function Own1($k){$t=$HK.OpenSubKey($k,2,'TakeOwnership');if($t){0,4|%{try{$o=$t.GetAccessControl($_)}catch{$old=0}
};if($old){$own=1;$w[1]=$o.GetOwner($sps)};$o.SetOwner($w[0]);$t.SetAccessControl($o); $c=$HK.OpenSubKey($k,2,'ChangePermissions')
$p=$c.GetAccessControl(2);if($y){$p.SetAccessRuleProtection(1,1)};$p.ResetAccessRule($rar);if($x){$p.RemoveAccessRuleAll($rar)}
$c.SetAccessControl($p);if($own){$o.SetOwner($w[1]);$t.SetAccessControl($o)};if($s){$subkeys=$HK.OpenSubKey($k).GetSubKeyNames()
foreach($n in $subkeys){Own1 "$k\$n"}}}};Own1 $rk[1];if($env:VO){get-acl Registry::$path|fl} #:Own1: lean & mean snippet by AveYo
::-_-::

####################################################################
# Snippet to copy-paste in ps1/hybrid scripts or powershell console:
# hybrid cmd+powershell code block example: pastebin.com/8wU6Bd2j
# unlike the batch version, all arguments must be separated by ,
####################################################################

function reg_own([string[]]$A){ #key [opt],all,usr,own,acc,perm  : reg_own "HKCU:\My","","S-1-5-32-545","","Allow","FullControl"
$D1=[uri].module.gettype('System.Diagnostics.Process')."GetM`ethods"(42) |where {$_.Name -eq 'SetPrivilege'} #`:no-ev-warn
'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege'|foreach {$D1.Invoke($null, @("$_",2))}
$path=$A[0]; $rk=$path-split':\\',2; $HK=gi -lit Registry::$($rk[0]) -fo; $s=$A[1]; $sps=[Security.Principal.SecurityIdentifier]
$u=($A[2],'S-1-5-32-544')[!$A[2]];$o=($A[3],$u)[!$A[3]];$w=$u,$o |% {new-object $sps($_)}; $old=!$A[3];$own=!$old; $y=$s-eq'all'
$rar=new-object Security.AccessControl.RegistryAccessRule( $w[0], ($A[5],'FullControl')[!$A[5]], 1, 0, ($A[4],'Allow')[!$A[4]] )
$x=$s-eq'none';function Own1($k){$t=$HK.OpenSubKey($k,2,'TakeOwnership');if($t){0,4|%{try{$o=$t.GetAccessControl($_)}catch{$old=0}
};if($old){$own=1;$w[1]=$o.GetOwner($sps)};$o.SetOwner($w[0]);$t.SetAccessControl($o); $c=$HK.OpenSubKey($k,2,'ChangePermissions')
$p=$c.GetAccessControl(2);if($y){$p.SetAccessRuleProtection(1,1)};$p.ResetAccessRule($rar);if($x){$p.RemoveAccessRuleAll($rar)}
$c.SetAccessControl($p);if($own){$o.SetOwner($w[1]);$t.SetAccessControl($o)};if($s){$subkeys=$HK.OpenSubKey($k).GetSubKeyNames()
foreach($n in $subkeys){Own1 "$k\$n"}}}}; Own1 $rk[1]; if($env:VO){get-acl Registry::$path|fl}} # lean & mean ps snippet by AveYo
#-_-#