REG UNLOAD Access Denied in CMD

Question

  • Greetings,

    I'm trying to write a simple batch file to load a hive from another hard drive, create a key, create a subkey, and then unload the hive. It all works well until I try to unload the hive. It says access denied. Here is what I have:

    REG LOAD HKLM\MINWIN E:\Windows\System32\config\system
    REG ADD HKLM\MINWIN\xxxxxxxx\xxxxxxx\xxxxxx /f
    REG ADD HKLM\MINWIN\xxxxxxxx\xxxxxxx\xxxxxx /f /v xxxxxxxxxxxxxxxx /t REG_DWORD /d 0
    REG UNLOAD HKLM\MINWIN

    Also, I am running these commands in cmd (run as administrator) using Windows 7.

    Thursday, November 01, 2012 9:26 PM

Answers

  • What's the registry path you're modifying?

    Generally, this issue will only crop up under 1 of 2 circumstances:

    (1) You're attempting to modify a registry path which you don't have sufficient permissions for, even as administrator. I believe this only errors out at unload time. Checking permissions on the path in regedit should confirm if this is the issue.

    (2) Something else on the PC has open handles to the key you opened - possibly a background scan tool of some kind. Using the Sysinternals handle.exe tool (http://technet.microsoft.com/en-us/sysinternals/bb896655) with the -a option will show you open registry handles, although you'll have to sort through a lot of output.

    And by the way, questions about non-PowerShell console tools normally work better over in The Official Scripting Guys forum. Same people typically hang out in both places, but the question over here is kind of like getting the hot fudge sauce on your steamed asparagus - it tastes odd, even if you will be eating both of them at the same meal. |)


    Thursday, November 01, 2012 11:03 PM

All replies

  • Thanks for the heads up on the category to post this question, but since it's here I will continue through with it anyway. Here is what I have tried:

    #1: After executing the command "REG ADD HKLM\xxxxxx \xxxxxxxx\xxxxxxx\xxxxxx /f /v zzzzzzzzzzzzzzzzz /t REG_DWORD /d 0", I can only unload the hive through the regedit GUI in Windows (if I try to do it through the command line I get access denied).

    #2:
        C:\Windows>REG LOAD HKLM\xxxxxx E:\Windows\System32\config\system
        The operation completed successfully.

        C:\Windows>REG UNLOAD HKLM\xxxxxx
        The operation completed successfully.

    #3:
        C:\Windows>REG LOAD HKLM\xxxxxx E:\Windows\System32\config\system
        The operation completed successfully.

        C:\Windows>REG ADD HKEY_LOCAL_MACHINE\xxxxxx\ControlSet001\services\xxxxx /f          //This adds the key xxxxx
        The operation completed successfully.

        C:\Windows>REG UNLOAD HKLM\xxxxxx
        The operation completed successfully.

    #4:
        C:\Windows>REG LOAD HKLM\xxxxxx E:\Windows\System32\config\system
        The operation completed successfully.

        C:\Windows>REG ADD HKEY_LOCAL_MACHINE\xxxxxx\ControlSet001\services\xxxxx /f /v zzzzzz /t REG_DWORD /d 0    //This adds the subkey "zzzzzzz"
        The operation completed successfully.

        C:\Windows>REG UNLOAD HKLM\xxxxxx
        ERROR: Access is denied.  <---- Problem

    #5: *Note* Restored the system file before trying this again (only this time with the query command)
        C:\Windows>REG LOAD HKLM\xxxxxx E:\Windows\System32\config\system
        The operation completed successfully.

        C:\Windows>REG ADD HKEY_LOCAL_MACHINE\xxxxxx\ControlSet001\services\xxxxx /f /v zzzzzz /t REG_DWORD /d 0    //This adds the subkey "zzzzzzz"
        The operation completed successfully.

        C:\Windows>REG QUERY HKLM\xxxxxx\ControlSet001\services\xxxxxx /v zzzzzz
        HKEY_LOCAL_MACHINE\xxxxxx\ControlSet001\services\xxxxxx
            zzzzzzzzzzzzzzzzzzzzzz   REG_DWORD    0x0

        C:\Windows>REG UNLOAD HKLM\xxxxxx
        ERROR: Access is denied.  <---- Problem

    It seems I can only not unload the hive after adding the subkey through cmd.

    *Note* Again, I can unload the hive using the regedit GUI offered in C:\Windows\regedit.exe, but not through the command line :(

    I would like to solve this as it is part of a large batch file I have to write for setting up builds to test at my work.

    P.S. Didn't mean to piss in the wheaties here, but it is a good way to keep people on their toes :)

    Also, the link you provided is down: "We are sorry. The page you requested cannot be found."

    Friday, November 02, 2012 6:13 PM
  • Sorry, apparently the forum editing interface integrated my closing parenthesis in my post into the URL. It works fine without the unmatched paren:

    http://technet.microsoft.com/en-us/sysinternals/bb89665

    In any case, I don't think handle.exe will help. Based on the "minwin" name you were using and the fact that you're looking at services modification, I suspect your problem is (1) and you'll need to modify permissions on the loaded hive to get it to work properly; you can confirm this by visually checking inherited permissions on the terminal subkey in regedit when you've loaded the hive. This looks a lot like a problem I found discussed on the BartPE forum. Take a close look at the discussion towards the bottom of this page:

    http://www.911cd.net/forums/lofiversion/index.php/t23424.html


    Saturday, November 03, 2012 1:18 AM
  • Np, the 1st link you gave says it's not available.

    The 2nd link you gave was that someone edited the cmd.exe with some strange permissions for a Dell running Windows XP as a solution. I'm running Windows 7 and I know it wouldn't work for me. I noticed Windows 7 has a locked down root C:\, that even if I run cmd as administrator, I cannot add any files to the root. I have to create a subdirectory and then I can add files to that subdirectory. I've read this is because Microsoft doesn't trust users on how to handle their computers. I wonder if it's similar to what I'm dealing with and if someone can look further into this to figure out a work around.

    Saturday, November 03, 2012 3:05 AM
  • The link said unavailable because the close parenthesis - this symbol --> ) was integrated into the URL, so your web browser was trying to get to .../bb89665) instead of .../bb89665

    In any case, I went through and modified the handle.exe link so it should work from either place that I posted it now. Sorry for the inconvenience.

    I'm not sure about the connection you're drawing between the C drive and the registry hive you've loaded, but the discussion in the BartPE forum really is about the exact same problem. They're loading a registry hive and then attempting to make changes to a particular subkey which has restricted permissions, disallowing even changes by administrators by default. The change can be made to the loaded hive, but when attempting to unload, the operation fails since the modified hive cannot be saved.

    Can you tell us precisely the subkey path you're trying to modify?

    Monday, November 05, 2012 4:36 PM
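    A PowerShell version of the load / check / write / unload sequence, added here as an example and not code from the thread: it prints the ACEs on the target subkey so cause (1) can be checked from the script rather than by eye in regedit, releases the session's own registry handles before unloading (cause 2, the same effect as closing regedit first), and reports the unload exit code. The hive path, mount name, subkey and value name are placeholders; run it elevated.

```powershell
# Added example (not from the thread). Hive path, mount name, subkey and value
# name below are placeholders; run from an elevated PowerShell session.
param(
    [string]$HiveFile  = 'E:\Windows\System32\config\system',
    [string]$MountName = 'MINWIN',
    [string]$SubKey    = 'ControlSet001\Services\ExampleSvc',   # placeholder
    [string]$ValueName = 'ExampleValue'                          # placeholder
)

& reg.exe load "HKLM\$MountName" $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    $keyPath = "HKLM:\$MountName\$SubKey"
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }

    # Cause (1): list every ACE on the key. A Deny entry for Administrators, or
    # an Allow that grants only ReadKey, means the hive cannot be saved on unload.
    $acl = Get-Acl -Path $keyPath
    "Owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        '{0,-5} {1,-35} {2} (inherited={3})' -f $ace.AccessControlType, $ace.IdentityReference, $ace.RegistryRights, $ace.IsInherited
    }

    # The write the original batch file performs: a REG_DWORD value set to 0.
    New-ItemProperty -Path $keyPath -Name $ValueName -Value 0 -PropertyType DWord -Force | Out-Null
}
finally {
    # Cause (2): make sure this session holds no handle into the mounted hive.
    # The registry provider can keep keys open after Get-Acl / Test-Path, so drop
    # the references, leave the hive's path, and force a garbage collection first.
    Remove-Variable acl, ace -ErrorAction SilentlyContinue
    Set-Location C:\
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()

    & reg.exe unload "HKLM\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("reg unload failed ($LASTEXITCODE): review the ACEs printed " +
            "above, close regedit, and look for other open handles with handle.exe -a")
    }
}
```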

  • I would really rather not say the subkey path considering all the work I do is very confidential. But I can tell you that I have to make a key (folder icon in regedit), then make a 32-bit DWORD subkey with a default 0. I have no problems doing this with regedit.exe, but when I issue the commands (as listed above) that do the same thing the GUI is, it doesn't want to unload the hive.

    Tuesday, November 20, 2012 9:24 PM
  • If you are testing this with the registry editor program open, you will need to close the program first then run the command. Apparently it holds the keys open and won't allow you to unload the hive.

    Beat my head against the wall for a while on that one. Might not be the exact answer to your question, but useful info nonetheless.

    Wednesday, November 28, 2012 3:49 PM