Write to the Registry with Powershell 2.0

  • Question

  • Hi there,

    I'm trying to create a registry key and then write some settings to it using Powershell, but I'm running into some problems. Here's what I'm trying to do:

    New-Item -Path HKLM:\Software\TestKey
    New-Item : Requested registry access is not allowed.
    At line:1 char:9

    I'm running as an administrator, but still no love. Any thoughts?

     - Liam

    Tuesday, June 14, 2011 9:53 PM

Answers

  • Hi,

    You can do "domain admin" things from a non-elevated process if you are connecting remotely. Connecting to the domain or other servers using administrative credentials is not the same thing as running the current process elevated.

    The three lines of PowerShell code I posted will tell you whether the current process is running elevated. Have you tried it?

    Bill

    • Marked as answer by liso Wednesday, June 15, 2011 2:05 PM
    Wednesday, June 15, 2011 2:00 PM

All replies

  • You might be a member of Administrators, but on Vista and later, you must also elevate your PowerShell session if UAC is enabled (right-click icon, choose 'Run as administrator').

    Bill

    Tuesday, June 14, 2011 9:58 PM
  • Hi Bill,

    Thanks for the speedy response! I have launched Powershell as a Domain Admin.

     - Liam

    Tuesday, June 14, 2011 10:00 PM
  • Hi,

    Being a member of Domain Admins doesn't matter (especially if it is not a member of Administrators on the computer you are using). You must elevate the PowerShell session using 'Run as administrator' if you are using Vista or later with UAC enabled.

    Bill

    Tuesday, June 14, 2011 10:02 PM
  • Hi again,

    I was launching Powershell using the "Run as a different user" option to specify my Domain Admin account (which is a local admin on the PC). In testing your suggestion, it works, but how are the two different?

     - Liam

    Tuesday, June 14, 2011 10:05 PM
  • Hi,

    Domain Admins is a global group that has lots of powerful default memberships.

    Administrators is a local group that grants administrative privileges on an individual computer (or the domain).

    UAC is a security technology that disables the Administrators group token for users that are logged on as members of the Administrators group.

    Which of these do you mean?

    Bill

    Tuesday, June 14, 2011 10:42 PM
  • Neither ;)

    How are the two scenarios different, assuming I'm logged on as a regular user:

    1. I launch Powershell selecting "Run as Administrator"
    2. I launch Powershell selecting "Run as different user" -> specify domain admin credentials

    Given that a Domain Admin is a local administrator through its membership in first the Domain Level Administrators group, then the local Administrators group, how are these two any different?

     - Liam

    Tuesday, June 14, 2011 10:59 PM
  • Bill was referring to three different things: 1) membership in BUILTIN\Administrators; 2) membership in DOMAIN\Domain Admins; and 3) access tokens. When you log into a system as an administrator with User Account Control enabled, your session receives two access tokens, one with administrator privileges enabled and one with administrator privileges disabled.

    By default, all processes run using the access token with administrator privileges disabled. To use the "elevated" access token, you must "Run as Administrator," regardless of the account used to run the application.

    You can use the following PowerShell functions to test for an elevated token:

    # Returns $true when the given built-in role is enabled in the current process token.
    function Test-Role
    {
      param(
        [parameter(Mandatory=$true)]
        [System.Security.Principal.WindowsBuiltInRole]
        $Role
      )
    
      $windowsIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
      $windowsPrincipal = new-object System.Security.Principal.WindowsPrincipal($windowsIdentity)
      # IsInRole is only $true when the group SID is enabled in the token; under UAC the
      # filtered (non-elevated) token carries Administrators as deny-only, so this returns $false.
      $windowsPrincipal.IsInRole($role)
    }
    
    # Returns $true when elevated; throws unless -Quiet is given when not elevated.
    function Test-Elevation
    {
      param(
        [switch]
        $Quiet
      )
    
      $elevated = test-role -role Administrator
    
      if ((-not $elevated) -and (-not $quiet)) {
        throw "Access is denied. You need to run this script from an elevated process."
      }
    
      $elevated
    }
    
    # Usage: stop the script early instead of failing later on the first HKLM: write.
    if (-not (test-elevation -quiet)) {
      throw "Oops. You're not running from an elevated process."
    }

    Tuesday, June 14, 2011 11:15 PM
  • If you select "Run as administrator", and you are already authenticated as a user that is a member of the local Administrators group, then you are not prompted for credentials. However, your admin token is used. If you select "Run as administrator" and you are authenticated as a normal user, you are prompted for credentials. When you select "Run as different user" (I don't remember seeing that option) I assume you are always prompted for credentials. As you noted, the group "Domain Admins" is added to the local Administrators group when the computer is joined to the domain.

    Richard Mueller - MVP Directory Services
    Wednesday, June 15, 2011 12:44 AM
  • Hi again,

    Thanks for the responses. The "Run as a different user" prompt becomes visible if you hold Shift while right-clicking the Powershell shortcut. I use this when using RSAT to open ADUC as my admin account, not the local Admin. Since admin_me is a domain admin, and domain admins are builtin\administrators which, in turn, are local administrators, why won't this work the same as "Run as (Local) Administrator"?

     - Liam

    Wednesday, June 15, 2011 1:28 PM
  • Since admin_me is a domain admin, and domain admins are builtin\administrators which, in turn, are local administrators, why won't this work the same as "Run as (Local) Administrator"?

    Because the administrator token is disabled. You must use "Run as administrator" (translation: "Run this process elevated") to start an elevated process.

    You can use PowerShell code like this (slightly shorter version of what was posted earlier) to determine if the current process is elevated:

    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p = New-Object System.Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    HTH,

    Bill

    Wednesday, June 15, 2011 1:45 PM
  • As far as I can tell, 'Run as a Different User' does elevate, since I'm able to do Domain Admin-y things when I use this to run ADUC.
    Wednesday, June 15, 2011 1:55 PM
  • Hi,

    You can do "domain admin" things from a non-elevated process if you are connecting remotely. Connecting to the domain or other servers using administrative credentials is not the same thing as running the current process elevated.

    The three lines of PowerShell code I posted will tell you whether the current process is running elevated. Have you tried it?

    Bill

    • Marked as answer by liso Wednesday, June 15, 2011 2:05 PM
    Wednesday, June 15, 2011 2:00 PM
  • Strangely enough, no. I'm definitely missing something here, but since my initial question was answered, I'll just pass along the thanks!

     - Liam

    Wednesday, June 15, 2011 2:05 PM
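The point Bill and the other responders make is that membership in Administrators (directly or via Domain Admins) and running elevated are two different things: under UAC the filtered token still lists BUILTIN\Administrators, but only "for deny only", so HKLM: writes fail until the process is started elevated. The script below is an added example, not code from the thread or from Microsoft; it makes that difference visible, uses the same IsInRole check Bill posted, and only attempts the registry write from the question once the token is actually elevated. It assumes Windows Vista or later with UAC enabled, an English-language `whoami` (the "deny only" text is locale-specific), and the key path HKLM:\Software\TestKey from the original question; the function names are my own.

```powershell
# Added example (not from the thread). PowerShell 2.0-compatible: no -in operator,
# no [pscustomobject]. Assumes UAC is enabled and whoami prints English attributes.

function Get-AdministratorsTokenState {
    # Shows how the current token carries BUILTIN\Administrators (S-1-5-32-544).
    # In the UAC-filtered token the group is present but marked "Group used for deny only";
    # in the elevated token it is enabled. Membership alone is not what grants HKLM access.
    $row = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    if ($row -eq $null)                      { return 'absent (not a local administrator)' }
    if ($row.Attributes -match 'deny only')  { return 'deny-only (filtered, non-elevated token)' }
    return 'enabled (elevated token)'
}

function Test-Elevated {
    # The check Bill posted: IsInRole is $true only when the Administrators SID is
    # enabled in the token, which is exactly what "Run as administrator" gives you.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-ElevatedPowerShell {
    # Relaunches PowerShell elevated ("Run as administrator" from a script). This is the
    # process-level step that "Run as different user" does not perform.
    Start-Process -FilePath 'powershell.exe' -Verb RunAs
}

function Set-TestKeyValue {
    param(
        [string]$Path  = 'HKLM:\Software\TestKey',   # key from the original question
        [string]$Name  = 'ExampleSetting',           # constructed sample value name
        [string]$Value = 'example'                   # constructed sample value
    )

    if (-not (Test-Elevated)) {
        $state = Get-AdministratorsTokenState
        throw ("Not elevated (Administrators group is $state). Start PowerShell with " +
               "'Run as administrator', or call Start-ElevatedPowerShell, before writing under HKLM:.")
    }

    try {
        if (-not (Test-Path -Path $Path)) {
            # This is the call that failed in the question with
            # "Requested registry access is not allowed." from a non-elevated process.
            New-Item -Path $Path -ErrorAction Stop | Out-Null
        }
        New-ItemProperty -Path $Path -Name $Name -Value $Value `
            -PropertyType String -Force -ErrorAction Stop | Out-Null
        # Read the value back so the caller sees what was actually written.
        return (Get-ItemProperty -Path $Path -Name $Name).$Name
    }
    catch {
        # Surface the original error with context rather than a bare "access is not allowed".
        throw "Registry write to $Path failed: $($_.Exception.Message)"
    }
}

# Usage: report the token state first, then attempt the write.
"Administrators group in this token: " + (Get-AdministratorsTokenState)
"Elevated: " + (Test-Elevated)
Set-TestKeyValue
```

Run it once from a shell opened with "Run as different user" and once from one opened with "Run as administrator": the first reports the group as deny-only and stops before touching the registry, the second reports it as enabled and creates the key. Checking Test-Elevated up front, rather than catching the SecurityException after the fact, is the pattern to use in any script that must write under HKLM:, because the failure mode is otherwise indistinguishable from a genuine ACL denial.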