Reading Remote Registry ACLs with PowerShell - PowerShellCommunity.org - Windows PowerShell Discussion Forums - Using PowerShell

Forums > Using PowerShell > General PowerShell

Reading Remote Registry ACLs with PowerShell

Last Post 11 Aug 2010 09:35 AM by jcridge. 2 Replies.

Sort:

	Prev Next
You are not authorized to post a reply.

Author

Messages

jcridge

New Member
Posts:4
Avatar

10 Aug 2010 07:42 PM
I'm working on a PowerShell script that will execute security audits on machines going into our commercial environmnet. One part of this script checks the permissions on specific registry keys. In the process of doing this I've found I'm sometimes able to remotely read the ACL of some regsitry keys and with other registry keys I am not. I should point out that I have FULL Admin rights on all the machines I'm running this script against. For example, the following PowerShell script runs correctly. It is looking at the ACL for the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion": PS C:\> $RemoteKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $machineName) PS C:\> $regKey = $RemoteKey.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion") PS C:\> $regAcl = $regKey.GetAccessControl() PS C:\> $regAcl.accesstostring BUILTIN\Users Allow ReadKey BUILTIN\Users Allow -2147483648 BUILTIN\Power Users Allow SetValue, CreateSubKey, Delete, ReadKey BUILTIN\Power Users Allow -1073676288 BUILTIN\Administrators Allow FullControl BUILTIN\Administrators Allow 268435456 NT AUTHORITY\SYSTEM Allow FullControl NT AUTHORITY\SYSTEM Allow 268435456 CREATOR OWNER Allow 268435456 NT AUTHORITY\TERMINAL SERVER USER Allow SetValue, CreateSubKey, Delete, ReadKey NT AUTHORITY\TERMINAL SERVER USER Allow -1073676288 PS C:\> But if I change the registry key to "SOFTWARE\Microsoft\Windows\CurrentVersion\Installer" or "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" and run the same commands I get the following exception: PS C:\> $RemoteKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $machineName) PS C:\> $regKey = $RemoteKey.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Policies") PS C:\> $regAcl = $regKey.GetAccessControl() Exception calling "GetAccessControl" with "0" argument(s): "The supplied handle is invalid. This can happen when trying to set an ACL on an anonymous kernel object." At line:1 char:35 + $regAcl = $regKey.GetAccessControl <<<< () + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : DotNetMethodException PS C:\> What is it about these specific keys that prevents me from remotely viewing their permissions??? Thanks for any tips or advice anyone can provide.

Mihail Stacanov User is Offline

New Member
Posts:15
Avatar

11 Aug 2010 01:27 AM
The .NET FCL GetAccessControl method cannot be used to get the permission on the remote machine registry key, the FCL doesn't provide this functionality If you have WinRM, and PowerShell installed remotely, you can call PowerShell on the remote system to run your commands as if local on the remote computer using Get-PSDrive and Get-ACL CmdLets

http://proproit.com

jcridge

New Member
Posts:4
Avatar

11 Aug 2010 09:35 AM
Thanks for the information. I had read that the .NET FCL GetAccessControl method could not be used to retrieve permissions from a remote registry key, but I could never fnd the reason articulated anywhere and given the fact that it has worked for me on some remote registry keys gave me hope. I wil have to request that PowerShell be installed on all new servers headed into our commercial environment. Thanks again for the assistance.

You are not authorized to post a reply.

Forums > Using PowerShell > General PowerShell

Active Forums 4.3