[Windows Tip] Take Ownership (Permission) of Registry Keys from Command Line

We here at AskVG regularly share Windows tips-n-tricks and most of these tips include Registry Editor tweaks. Sometimes to apply a Registry tweak, you need to first take ownership and control of the Registry key to be able to change the key value. To take ownership and control of a Registry key, you need to follow a set of some simple steps which have been mentioned in following exclusive tutorial:

[Guide] How to Take Ownership (Permission) of a Registry Key in Windows?

Although following these steps is not a very complicated task but many times people face problems while taking the ownership of a key. That’s why to make your life easier, we are going to share another easy way to take ownership of Registry keys in Windows quickly and easily.

Advertisement

Today in this tutorial, we are going to share a few methods which will allow you to take ownership and grant permission and full control on any Registry key in Windows from command line. It would be the simplest, easiest and quickest way to take ownership of Registry keys in Windows. You’ll just need to run one or two commands in Command Prompt and it’ll automatically take ownership of the Registry key and will grant you full permission and control on that key.

So if you also want to automate the process of taking ownership of Registry keys in Windows, check out following methods:

All of these methods will work in all Windows versions!

So without wasting time lets start the tutorial:

METHOD 1: Take Ownership of Registry Keys Using SetACL Utility

This is the best way to take ownership of Registry keys as well as any file or folder from command line in Windows. This method will work 100% in all Windows versions.

SetACL is a 3rd party free utility which basically works like a DOS command. You just need to download the utility file and then run the required commands in Command Prompt to take ownership of any desired Registry key.

STEP 1:

Advertisement

First of all download the SetACL Utility from following link:

Download SetACL Utility

Just click on the EXE version given for Administrators to download the correct file.

STEP 2:

After downloading extract the ZIP file and you’ll get 2 versions of the utility: one for 32-bit Windows edition and the other for 64-bit Windows edition. You’ll need to use the correct EXE file compatible with your Windows edition. If you are using 32-bit (x86) Windows edition, use the SetACL.exe file present in 32-bit folder and if you are using 64-bit (x64) Windows edition, use the SetACL.exe file present in 64-bit folder. You can know about your Windows edition from System Properties.

STEP 3:

Now there are 2 ways to use this utility. You can either keep the SetACL.exe file anywhere you want for example E:\SetACL folder and then open Command Prompt window as Administrator and then use the full path of SetACL command E:\SetACL\SetACL.exe to run the command. Or you can copy the SetACL.exe file to C:\Windows\System32 folder which will allow you to use the SetACL command from anywhere. We’ll advise you to copy the EXE file to C:\Windows\System32 folder so that you can open Command Prompt as Administrator from anywhere and can run SetACL command directly without any problem.

STEP 4:

Now once you have copied the SetACL.exe file, its time to use the command to take ownership of Registry keys. SetACL command can be executed using following syntax in Command Prompt opened as Administrator:

SetACL -on name -ot type -actn action

Now lets talk about the syntax in details:

The terms given in Bold will remain intact and the terms given in Italic will change as following:

-on: This parameter requires to provide the name and full path of a file or a folder or a Registry key which you want to take ownership of.

-ot: This parameter requires to provide object type. If you want to take ownership of a file or folder, then set object type as file. If you want to take ownership of Registry key, set object type as reg

-actn: This parameter requires to provide action details i.e. what action do you want to perform on the mentioned object. There are many possible values for -actn parameter. Since we are going to use SetACL command to take ownership and grant permission on Registry keys, we’ll use setowner and ace values only.

To better understand the command syntax, lets take an example:

Suppose we want to take ownership of HKEY_CLASSES_ROOT\CLSID\{679f85cb-0220-4080-b29b-5540cc05aab6}\ShellFolder key in Registry Editor, then we’ll need to run SetACL command in Command Prompt in 2 parts as given below:

SetACL.exe -on “HKEY_CLASSES_ROOT\CLSID\{679f85cb-0220-4080-b29b-5540cc05aab6}\ShellFolder” -ot reg -actn setowner -ownr “n:Administrators”

SetACL.exe -on “HKEY_CLASSES_ROOT\CLSID\{679f85cb-0220-4080-b29b-5540cc05aab6}\ShellFolder” -ot reg -actn ace -ace “n:Administrators;p:full”

SetACL_Command_Take_Ownership_Registry_Key_Windows.png

First command will make Administrator as the owner of the Registry key and the second command will grant full permission and control to Administrator on the key.

So you just need to replace the Registry key mentioned inside double-quotes (“”) with your desired Registry key in both commands and then open Command Prompt as Administrator and run both commands one by one. It’ll automatically take ownership and assign full permission and control on that Registry key.

PS: There are many parameter available to use with SetACL command, you can read about all of them from the official documentation page:

SetACL Syntax and Parameters Description

METHOD 2: Take Ownership of Registry Keys Using SubInACL Utility

This is an official command-line tool released by Microsoft which can be used to view and change security information, ownership, permissions, etc of files, folders, Registry keys, services, etc in Windows operating system.

Although the tool was released for Windows 2000, XP and Server 2003 but it can be used in newer Windows versions as well.

You can use this tool with the help of following steps:

STEP 1:

First of all download the SubInACL utility from following link:

Download SubInACL Tool from Microsoft

STEP 2:

Its an MSI installer file which copies the SubInACL.exe file to “C:\Program Files (x86)\Windows Resource Kits\Tools\” folder in 64-bit Windows editions and to “C:\Program Files\Windows Resource Kits\Tools\” folder in 32-bit Windows editions.

Alternatively, you can extract the MSI file using 7-Zip to direct use SubInACL.exe file without installing it.

STEP 3:

Similar to SetACL utility, you can either keep the SubInACL.exe file in “Program Files” folder then open Command Prompt window as Administrator and then use CD command to activate the “Program Files\Windows Resource Kits\Tools\” folder containing SubInACL.exe file to use the command. Or you can copy the SubInACL.exe file to C:\Windows\System32 folder which will allow you to use the SubInACL command from anywhere. We’ll advise you to copy the EXE file to C:\Windows\System32 folder so that you can open Command Prompt as Administrator from anywhere and can run SubInACL.exe command directly without any problem.

STEP 4:

Now its time to learn how to use the SubInACL.exe command. You can run the command using following syntax in Command Prompt window opened as Administrator:

SubInACL /type name /action

Now lets talk about the syntax in details:

/type: Replace type with the correct object type. If you want to take ownership of a file or folder, then replace type with file and if you want to take ownership of a Registry key, replace type with keyreg or subkeyreg. The difference between keyreg and subkeyreg is that keyreg only takes ownership of the defined Registry key but the subkeyreg will take ownership of the defined key as well as all sub-keys present under it.

name: Replace this parameter with the name and full path of the file, folder or Registry key.

/action: This parameter requires to define the action which will be taken on the object. Since we are going to take ownership of the Registry key and then grant full permission and control on the key, we’ll use /setowner=administrators /grant=administrators=f as the action.

Again lets take an example to better understand the command syntax:

SUBINACL /keyreg “HKEY_CLASSES_ROOT\CLSID\{679f85cb-0220-4080-b29b-5540cc05aab6}\ShellFolder” /setowner=administrators /grant=administrators=f

SubInACL_Command_Take_Ownership_Registry_Key_Windows.png

The above mentioned command will make Administrator as the owner of the Registry key and will grant full permission and control to Administrator on the key.

So you just need to replace the Registry key mentioned inside double-quotes (“”) with your desired Registry key in the command and then open Command Prompt as Administrator and run the command. It’ll automatically take ownership and assign full permission and control on that Registry key.

PS: To know about all parameters of SubInACL command, just run the SubInACL /help command in Command Prompt and it’ll provide full list of the complete syntax and parameters.

METHOD 3: Set Permissions on Registry Keys Using Built-in REGINI Command

This command comes bundled with Windows OS and can be used to set permissions on Registry keys. Using this command is very simple. You first need to create a script with required parameters in Notepad and save the script as .txt file and then run REGINI command with correct parameters to grant full permissions on the desired Registry key.

STEP 1:

First open Notepad and provide desired Registry key name and desired permission set aka ACL (Access Control List) using following format:

Key_name [ACL]

Replace Key_name with the desired key name but make sure you provide the Registry key name with correct syntax as following:

\Registry\machine\software\classes (for HKEY_CLASSES_ROOT key)
\Registry\machine ( for HKEY_LOCAL_MACHINE key)
\Registry\user\user_sid (for HKEY_CURRENT_USER key) (replace user_sid with the correct Security ID associated with user)
\Registry\user (for HKEY_USERS key)

So if we talk about our previous example, the Registry key “HKEY_CLASSES_ROOT\CLSID\{679f85cb-0220-4080-b29b-5540cc05aab6}\ShellFolder” will be given as following in the script file:

\Registry\machine\software\classes\CLSID\{679f85cb-0220-4080-b29b-5540cc05aab6}\ShellFolder

Replace ACL with the desired permission set which can be chosen from following list:

1 (to provide Administrators Full Access)
2 (to provide Administrators Read Access)
3 (to provide Administrators Read and Write Access )
4 (to provide Administrators Read, Write and Delete Access)
5 (to provide Creator/Owner Full Access)
6 (to provide Creator/Owner Read and Write Access)
7 (to provide Everyone Full Access)
8 (to provide Everyone Read Access)
9 (to provide Everyone Read and Write Access)
10 (to provide Everyone Read, Write and Delete Access)
17 (to provide System Full Access)
18 (to provide System Read and Write Access)
19 (to provide System Read Access)

Now [ACL] in the script file can be set as any desired set, for example:

[1 6 9 17]

Above mentioned ACL will grant full control to Administrators and System and read and write access to creator and everyone groups.

So the script file content will look like as following:

\Registry\machine\software\classes\CLSID\{679f85cb-0220-4080-b29b-5540cc05aab6}\ShellFolder [1 6 9 17]

REGINI_Command_Script_File.png

You can use any combination of ACL according to your requirements.

NOTE: Remember the existing permissions on the defined Registry key will be replaced by the new permissions set given by you in the script. So make sure to include permissions for all accounts. If you forget to include permissions for an account such as SYSTEM account, it’ll be deleted from the accounts list present in that Registry key permissions.

STEP 2:

Save the file with any desired name for example ACL.TXT and then open Command Prompt as Administrator and run following command:

REGINI full_path_of_script_file

If you saved the script file in E:\drive, then command will be as following:

REGINI E:\ACL.TXT

REGINI_Command_Set_Permissions_Registry_Key_Windows.png

That’s it. It’ll immediately change the permissions on the mentioned Registry key.

That’s it. Method 1 is the most efficient and 100% working method to take ownership and grant full permissions and control on any Registry key in any Windows version. If you have any doubts, feel free to ask it in your comment…

Also Check:

Published in: Windows 10, Windows 7, Windows 8, Windows Vista, Windows XP

About the author: Vishal Gupta (also known as VG) has been awarded with Microsoft MVP (Most Valuable Professional) award. He holds Masters degree in Computer Applications (MCA). He has written several tech articles for popular newspapers and magazines and has also appeared in tech shows on various TV channels.

Comments

NOTE: Older comments have been removed to reduce database overhead.

  1. You are a genius. It was too easy to take ownership using SetACL. Thank you so much!!!!!!!!!

  2. Sir, how to change permission for reg key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\machinfo.exe

    Please help…!

    s20.postimg.org/5i510p3t9/Reg_machinfo_exe_error.jpg

  3. ^^ I was able to take ownership of any desired sub-key present under your mentioned key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

    machinfo.exe key was not present in my system. Make sure you typed the correct key name.

  4. Method 1 and 3 doesn’t work for me on Windows Server 2012 R2 Std
    Method 2 – work fine.

  5. When running:

    SetACL.exe -on “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs” -ot reg -actn ace -ace “n:Administrators;p:full”

    I get an error:
    SetACL finished with error(s):
    SetACL error message: The call to SetNamedSecurityInfo () failed
    Operating system error message: Access is denied.

    How can I change the ownership of the key in question such that I can add two missing subkeys:
    DLLDirectory with value \system32
    DLLDirectory32 with value \syswow64

  6. Using the SUBInAcl method also fails with the following access denied error:

    C:\WINDOWS\system32>SUBINACL /keyreg “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs” /setowner=administrators /grant=administrators=f
    SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs : builtin\administrators is the new owner
    SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs : delete Perm. ACE 5 builtin\administrators
    SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs : delete Perm. ACE 4 builtin\administrators
    SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs : new ace for builtin\administrators
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs – RegSetKeySecurity Error : 5 Access is denied.

    Elapsed Time: 00 00:00:00
    Done: 1, Modified 0, Failed 1, Syntax errors 0
    Last Done : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
    Last Failed: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs – RegSetKeySecurity Error : 5 Access is denied.

  7. Running the setowner command yields the same error:

    C:\WINDOWS\system32>SetACL.exe -on “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs” -ot reg -actn setowner -ownr “n:Administrators”
    Processing ACL of:

    SetACL finished with error(s):
    SetACL error message: The call to SetNamedSecurityInfo () failed
    Operating system error message: Access is denied.

  8. Yes, all examples shown were run with Admin privileges.

    I also tried the following in an admin level command prompt:

    SC CREATE AcDebugSvc binPath= “regedit.exe” type= own type= interact

    SC START AcDebugSvc

    Received the same access denied message so I deleted the service I created with:

    SC DELETE AcDebugSvc

    Patrick

  9. Solved this using psexec from the SysInternals toolset.

    Copy psexec to System32 folder
    Enter psexec –i –s in an elevated command prompt
    In the new command window that opens enter regedit.exe
    Change ownership of Registry key to Administrators and click the box to include all subkeys
    Give Administrators full editing rights for any future needs just in case
    Enter the new String value subkeys described in my post above
    Change ownership back to TrustedInstaller, by entering NT SERVICE\TrustedInstaller in the appropriate owner dialog
    Exit and reboot to take effect.

  10. I am running Windows 10 Professional on an ASUS-E502S laptop.

    Method 1 worked fine for me, using the ‘Remove Quick Access Icon.reg’ script from https://www.askvg.com/windows-10-tip-remove-onedrive-quick-access-homegroup-and-network-icons-from-navigation-pane-of-this-pc/. The only quirk was that I had to restart my computer for the Quick Access Icon to vanish from the file explorer’s navigation pane. Just exiting and restarting explorer as suggested in https://www.askvg.com/hidden-secret-exit-explorer-option-in-windows-8-taskbar/ (or https://www.askvg.com/hidden-secret-exit-explorer-option-in-windows-10-start-menu-and-taskbar/) was not enough.

    Method 2 did not work for me. I got the same “RegSetKeySecurity Error : 5 Access is denied” as Patrick.

    I have not tried method 3 (yet).

    Cheers! /Henke

  11. SubInAcl failed with error “1537 The security ID structure is Invalid” when /setowner and /grant are in one command line.
    Separate /setowner and /grant commands succeeded.

  12. On Windows 10 (at least), Method #3 does not change the owner of a key/value, only its ACLs, which you cannot do unless you are the owner or have write permission on the key/value. This is true even if you’re an Administrator.

    You also cannot delete a key and recreate it with #3 unless you own or have write permission on the original key.

    The title of this article is “Take Ownership”. Changing the ACL is not the same as taking ownership.

    So you could not use #3, for example, to change the owner from TrustedInstaller to Administrators, so that you could then change a key’s ACLs to give Administrators write permission. You have to find some other way first to make yourself or a group you’re in the owner, before you can change the ACLs.

    Whereas in regedit, you can change the owner if you are an Administrator, and then change the ACLs with either Regedit or with #3.

    We shouldn’t need third-party tools to be able to change ownership of registry entries on the command line.

  13. Would you please explain how to set perms using Regini.exe with out a text file? Need to use it as a command line utility with not additional files needed.

    Thanks,

    Ralph

Leave a Comment

Your email address will not be published. Required fields are marked *

NOTE: Your comment may not appear immediately. It'll become visible once we approve it.