PowerShell Get-Acl not allowed Exception

  • Question

  • Hello

    On some objects, I get "Requested registry access is not allowed" with Get-Acl. But when I try to access this object with regedit, I can enumerate access rights.

    The perfect example is the command Get-Acl hklm:\security

    I don't understand why I have sufficient access rights with regedit and not with Get-Acl?

    Monday, March 17, 2014 6:08 PM

Answers

  • Get-ACL is basically a simplified version of some of the underlying .NET Framework and/or Win32 API calls that are necessary to read the permissions.  It must be making method calls with parameters that are different from regedit.

    This code worked for me to read the ACL of HKLM:\Security, even when Get-ACL would fail. (Note: on PowerShell 4.0, I don't get the error, but Get-Acl doesn't output anything either. On a PowerShell 2.0 machine, I could reproduce the error. I don't have a computer with 3.0 handy to test that.)

    # Open the key requesting only the ReadPermissions right (no Read access to the data).
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('Security', 'Default', 'ReadPermissions')

    # Read the key's security descriptor through the handle opened above.
    $acl = $key.GetAccessControl()

    By using that particular overload of OpenSubKey (and specifying a RegistryRights value of 'ReadPermissions'), you're able to get to the ACL successfully.  This is similar to what regedit does (though regedit would be using the Win32 API directly, not the .NET Framework.)
    • Proposed as answer by jrv Monday, March 17, 2014 6:49 PM
    • Marked as answer by isaac76 Tuesday, March 18, 2014 1:18 PM
    Monday, March 17, 2014 6:38 PM

All replies

  • Are you elevated when using Get-ACL?  Regedit elevates automatically.


    ¯\_(ツ)_/¯

    Monday, March 17, 2014 6:26 PM
  • Actually David is closer on that key.

    If we do this you will see also why:

    PS C:\scripts> cd hklm:
    PS HKLM:\> dir

    Name                           Property
    ----                           --------
    BCD00000000
    HARDWARE
    SAM
    dir : Requested registry access is not allowed.
    At line:1 char:1
    + dir
    + ~~~
        + CategoryInfo          : PermissionDenied: (HKEY_LOCAL_MACHINE\SECURITY:String) [Get-ChildItem], SecurityExceptio
       n
        + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.GetChildItemCommand

    SOFTWARE                       (default) :
    SYSTEM


    PS HKLM:\>


    ¯\_(ツ)_/¯

    Monday, March 17, 2014 6:44 PM
  • On Windows 7 elevated:

    PS HKLM:\> $key=[Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('Security')
    Exception calling "OpenSubKey" with "1" argument(s): "Requested registry access is not allowed."
    At line:1 char:1
    + $key=[Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('Security')
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : SecurityException
    
    PS HKLM:\>

    The read permissions are the key item here.

    Thank you David.


    ¯\_(ツ)_/¯


    • Edited by jrv Monday, March 17, 2014 6:49 PM
    Monday, March 17, 2014 6:48 PM
  • Later this evening I'll take a look through Get-Acl and the Registry provider with dotPeek, and see if I can figure out what it's doing differently.  You'd think that Get-Acl should work fine with only the ReadPermissions right, and Set-Acl would also require ChangePermissions.  Both of these are granted to Administrators on HKLM:\Security by default, but nothing else.

    You could also experiment a bit with changing permissions on a test key to find the bare minimum permissions Get-Acl requires.  (I suspect that it's going to be something like Read, ReadPermissions and possibly ChangePermissions)


    Monday, March 17, 2014 6:49 PM
  • Remember that the Security is protected differently and is not generally readable.  Admins have Write DAC and Read permissions but only on the root.

    Get-ACL may ask for full read.

    SAM and Security are both set with extra and hidden protection.  If I remember correctly this can be removed under special circumstances using a safe boot.


    ¯\_(ツ)_/¯

    Monday, March 17, 2014 7:14 PM
  • Looks like the Registry provider uses this overload when opening keys:

    Microsoft.Win32.RegistryKey OpenSubKey(string name, bool writable)

    This requires at least Read permission to the key, even if your intention is just to read the ACL, so in those odd cases (such as HKLM:\Security) where you have permission to read the ACL but not the data, you'd have to use code like the example I gave earlier, instead of the Get-Acl cmdlet.

    Monday, March 17, 2014 11:59 PM
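
The two ways of opening a key discussed above, side by side, as an added example that is not part of the original thread: it probes the `OpenSubKey(name, writable)` open that needs Read, then reads the ACL through a handle opened with `ReadPermissions` only. `Get-RegistryKeyAcl` and the `CallerCanRead` column are hypothetical names, and only the `HKLM:` and `HKCU:` drives are handled.

```powershell
# Added example, not code from the thread. Get-RegistryKeyAcl is a hypothetical helper name.
function Get-RegistryKeyAcl {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # provider-style path such as 'HKLM:\Security'
    )

    # Split 'HKLM:\Security' into drive name and subkey; only HKLM: and HKCU: are handled.
    $drive, $subKey = $Path -split ':\\?', 2
    switch ($drive) {
        'HKLM'  { $base = [Microsoft.Win32.Registry]::LocalMachine }
        'HKCU'  { $base = [Microsoft.Win32.Registry]::CurrentUser }
        default { throw "Unsupported registry drive: $drive" }
    }

    # The open the thread attributes to the Registry provider: OpenSubKey(name, writable)
    # needs Read on the key, so it fails where only ReadPermissions is granted.
    $canRead = $true
    try {
        $probe = $base.OpenSubKey($subKey, $false)
        if ($probe) { $probe.Close() }
    }
    catch [System.Security.SecurityException] { $canRead = $false }

    # Ask for ReadPermissions only, which is enough to fetch the security descriptor.
    $key = $base.OpenSubKey(
        $subKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
        [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    if ($null -eq $key) { throw "Registry key not found: $Path" }

    try {
        $acl = $key.GetAccessControl()
        # One object per ACE, tagged with whether plain Read access was also available.
        $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
            Select-Object @{ Name = 'Key'; Expression = { $Path } },
                          @{ Name = 'CallerCanRead'; Expression = { $canRead } },
                          IdentityReference, AccessControlType, RegistryRights, IsInherited
    }
    finally { $key.Close() }
}

# Run from an elevated session, as in the thread.
Get-RegistryKeyAcl -Path 'HKLM:\Security' | Format-Table -AutoSize
```

A key that reports `CallerCanRead` as False while still returning rules is one where the caller holds ReadPermissions but not Read, which is the case the thread describes for HKLM:\Security.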
  • Good info.


    ¯\_(ツ)_/¯

    Tuesday, March 18, 2014 12:20 AM