
reg_takeownership

aveyo Sep 27th, 2018 (edited) 505 Never
@echo off &title AveYo's reg_takeownership snippet example - updated 2019.07.31
:: arguments order changed; added support for setting different owner in one go by giving a second sid
:: Example driver for the :reg_takeownership subroutine below. It relaunches itself elevated,
:: then applies three ownership/ACL changes to one registry key and prints the ACL after each.
:: Requires: cmd, reg, whoami, sc, powershell (all stock Windows tools).
 
::AveYo: self-elevate passing args and preventing loop
:: Build the relaunch command line: full path of this script plus the original arguments, with
:: every double quote turned into \" so it survives being embedded in the PowerShell string below.
set "args="%~f0" %*" & call set "args=%%args:"=\""%%"
:: Elevation probe: the query of HKU\S-1-5-19 is used as "am I elevated?" (TODO confirm it fails
:: for a standard token). If it fails and the marker variable named ? is not already y, relaunch
:: through UAC (-verb runas) with ?=y set in the child so the child does not relaunch again, then
:: exit this unelevated instance.
reg query HKU\S-1-5-19>nul||(if "%?%" neq "y" powershell -c "start cmd -ArgumentList '/c set ?=y&call %args%' -verb runas" &exit)
 
:: Separator macro: expanding $ prints a dashed line followed by an empty line.
set $=@echo -------------------------------------------------------------------- ^& echo.
 
::=================================
:: Target key used by all three example calls.
set "regkey=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost"
::=================================
 
echo Allow read from current user [owner will be set to current user as well if owner arg is ommited]
:: CU = SID of the current user. Token 2 of every line of "whoami /user /fo list" is assigned in
:: turn, so the value that sticks is from the last line - presumably the SID line; TODO confirm.
for /f "tokens=2" %%s in ('whoami /user /fo list') do set CU=%%s
:: No fifth argument: the PowerShell part then uses the rule SID (CU) as the owner too.
call :reg_takeownership "%regkey%" "ReadPermissions, ReadKey" Allow %CU%
rem can add >nul at the end of the above call to supress acl output
%$%
 
echo Deny changes from Administrators and set owner to SYSTEM
:: Deny rule for the Administrators group (S-1-5-32-544); owner becomes SYSTEM (S-1-5-18).
call :reg_takeownership "%regkey%" "SetValue, Delete" Deny S-1-5-32-544 S-1-5-18
%$%
 
echo Restore FullControl to Administrators and set owner to TrustedInstaller
:: TI = SID of the TrustedInstaller service: take the part after ":" of the line containing S-1
:: in "sc showsid" output, then strip the spaces.
for /f "tokens=2 delims=:" %%s in ('sc showsid TrustedInstaller ^|findstr "S-1"') do set TI=%%s & call set TI=%%TI: =%%
call :reg_takeownership "%regkey%" FullControl Allow S-1-5-32-544 %TI%
%$%
 
echo Done!
:: Wait for a keypress, then leave the script (the lines below are only reached via call).
timeout /t -1 &exit/b
  31.  
:reg_takeownership  key:"HKCU\Console" perm:"FullControl" access:"Allow" user:"S-1-5-32-544" owner(optional):"S-1-5-18"
:: Subroutine: takes ownership of the key (and its direct subkeys) and resets one access rule on it.
:: Arguments:
::   1 key    - registry path with hive prefix, e.g. HKLM\SOFTWARE\...
::   2 perm   - RegistryRights name(s), e.g. FullControl or "ReadPermissions, ReadKey"
::   3 access - Allow or Deny
::   4 user   - SID the rule applies to
::   5 owner  - optional SID that ends up owning the key; the PowerShell part defaults it to arg 4
:: Outputs:   the resulting ACL on stdout (callers may append >nul)
:: Returns:   exit code of the powershell command; callers above do not check it
:: The five arguments are spliced into single-quoted PowerShell literals. A value containing a single
:: quote would end the literal early, so only trusted values belong here.
set "pargs=$regkey='%~1'; $p='%~2'; $a='%~3'; $u='%~4'; $o='%~5';"
:: Reads this very file, splits it on the two ps_reg_own marker lines and runs the middle segment
:: with Invoke-Expression. Whatever sits between the markers runs with the elevated token, so the
:: script file must not be writable by less-privileged users.
powershell -noprofile -c "%pargs%; $f=[io.file]::ReadAllText('%~f0') -split ':ps_reg_own\:.*';iex ($f[1]);" & exit/b
:ps_reg_own: [     pastebin.com/XTPt0JSC      AveYo: call :reg_takeownership "HKLM\MyKey" FullControl Allow S-1-5-18
# PowerShell payload executed by :reg_takeownership through Invoke-Expression; everything between
# the two marker lines is the script. Inputs arrive as $regkey (HIVE\path), $p (RegistryRights
# names), $a (Allow or Deny), $u (SID the rule is for) and $o (SID that ends up as owner, may be '').
# Effect: the owner of the key and of its direct subkeys is changed, one access rule is reset on the
# key itself, and the resulting ACL is printed.
# P/Invoke RtlAdjustPrivilege from ntdll so privileges can be enabled without opening a token handle.
$dll0='[DllImport("ntdll.dll")]public static extern IntPtr RtlAdjustPrivilege(int a,bool b,bool c,ref bool d);';
# Enable privilege LUIDs 9, 17 and 18 (SeTakeOwnership, SeBackup, SeRestore) on the process token
# (enable=1, current-thread=0). The NTSTATUS result is discarded, so a failure only shows up later
# when OpenSubKey or SetAccessControl throws.
$nt=Add-Type -Member $dll0 -Name Nt -PassThru; foreach($i in @(9,17,18)){$null=$nt::RtlAdjustPrivilege($i,1,0,[ref]0)}
# Owner defaults to the rule's SID. $regkey is split at the first backslash into hive prefix and path.
$root=$true; if($o -eq ''){$o=$u}; $rk=$regkey -split '\\',2; $key=$rk[1];
# Hive is chosen by a single letter anywhere in the prefix: m/M -> LocalMachine, u/U -> CurrentUser,
# anything else -> ClassesRoot. NOTE(review): a prefix such as HKU therefore also maps to CurrentUser.
switch -regex ($rk[0]){ '[mM]'{$HK='LocalMachine'};'[uU]'{$HK='CurrentUser'};default{$HK='ClassesRoot'}; }
# Three parallel slots: [0] the final owner with FullControl/Allow, [1] the caller's rule,
# [2] Administrators (S-1-5-32-544) with FullControl/Allow, used as the interim owner.
$usr=0,0,0; $sec=0,0,0; $rule=0,0,0; $perm='FullControl',$p,$p; $access='Allow',$a,$a; $s=$o,$u,'S-1-5-32-544';
# Per slot: SID object, access rule (inheritance flags 3 = ContainerInherit|ObjectInherit,
# propagation 0 = None) and an empty RegistrySecurity descriptor.
for($i=0;$i -le 2;$i++){ $usr[$i]=[System.Security.Principal.SecurityIdentifier]$s[$i];
 $rule[$i]=[System.Security.AccessControl.RegistryAccessRule]::new($usr[$i], $perm[$i], 3, 0, $access[$i]);
 $sec[$i]=[System.Security.AccessControl.RegistrySecurity]::new(); }
# Takes ownership of $hive\$key. $usr, $sec and $rule are read from the enclosing scope; the $root
# parameter shadows the outer $root inside the function only.
# 1. open with the TakeOwnership right and write an owner-only descriptor naming Administrators;
# 2. if $root: reopen with ChangePermissions, re-enable inheritance on the current ACL, replace the
#    existing rule(s) for the caller's SID with $rule[1] (presumably what ResetAccessRule does -
#    confirm) and write it back;
# 3. write an owner-only descriptor naming the final owner. Opened keys are not explicitly closed.
function Reg_TakeOwnership { param($hive, $key, $root=$false);
 $reg=[Microsoft.Win32.Registry]::$hive.OpenSubKey($key,'ReadWriteSubTree','TakeOwnership'); $sec[2].SetOwner($usr[2]);
 $reg.SetAccessControl($sec[2]); if($root){ $reg=$reg.OpenSubKey('','ReadWriteSubTree','ChangePermissions');
  $acl=$reg.GetAccessControl(); $acl.SetAccessRuleProtection($false,$false); $acl.ResetAccessRule($rule[1]);
  $reg.SetAccessControl($acl); } $sec[0].SetOwner($usr[0]); $reg.SetAccessControl($sec[0]); }
# Apply to the key itself with the ACL change, then (the outer $root is always $true here) to each
# direct subkey with ownership only - one level deep, not recursive. Subkey failures are swallowed
# by the empty catch, so a partially applied result is not reported to the caller.
# NOTE(review): '\\' is single-quoted, so the joined path contains two backslashes; presumably
# tolerated by OpenSubKey - confirm.
Reg_TakeOwnership $HK $key $true; if($root){ $r=[Microsoft.Win32.Registry]::$HK.OpenSubKey($key);
 foreach($sk in $r.GetSubKeyNames()){try{ Reg_TakeOwnership $HK "$($key+'\\'+$sk)" $false}catch{} }}
# Print the resulting ACL through the registry provider drive named by the prefix (HKLM: and HKCU:
# exist by default; other prefixes need a matching PSDrive - TODO confirm).
Get-Acl "$($rk[0]+':\\'+$rk[1])" | fl
:ps_reg_own: ]