2 votes

Based on an example in the Windows PowerShell 2.0 Administrator's Pocket Consultant, I'm under the impression that it should be possible to copy an ACL from one registry key to another. Something like this:

$acl = get-acl -path hkcu:\software\foo
set-acl -path hkcu:\software\bar -aclobject $acl

However, I find this silently fails to work. The command appears to complete properly, but when you check the ACL on hkcu:\software\bar you find that its ACL hasn't changed.

This pattern does work if I'm dealing with files instead of registry entries.

If I do something like this:

$acl = get-acl -path hkcu:\software\bar
# build an explicit Allow/FullControl rule for the account and add it to the key's own ACL object
$rule = new-object system.security.accesscontrol.registryaccessrule "enigma\karmac","FullControl","allow"
$acl.addaccessrule($rule)
$acl | set-acl

that does work.

So basically I'm asking if it is possible to copy registry ACL entries from one key to another, or whether you need to modify the ACL of each individual registry key.

I'm on Windows 7 Ultimate 64-bit, running PowerShell 2.0 in 64-bit mode. I've also tried running the PowerShell session as an administrator.

Any help would be appreciated. Thank you.

1
I've experimented a bit more on this issue. I've found that it is possible to copy an ACL object from one file to another. Is it simply not possible to copy an ACL object from one registry key to another?
lowteq

1 Answer

4 votes

Registry ACLs appear to be optimized to persist only when a change is detected in the ACL. In short, if you want to copy ACLs from one key to another, you have to make a change (any change) to the ACL before it will be applied to the new key:

$acl = get-acl -path hkcu:\software\foo
# explicit and inherited rules, identities resolved as NTAccount
$r = $acl.GetAccessRules( $true, $true, [security.principal.ntaccount] )
# remove and re-add the first rule: the net ACL is unchanged, but the object is now marked as modified
$acl.RemoveAccessRuleAll( $r[0] )
$acl.AddAccessRule( $r[0] )
set-acl -path hkcu:\software\bar -aclobject $acl

This limitation has nothing to do with PowerShell; I've hit it in C# too. It's something inside the .NET Framework.
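The following is an added example, not code from the question or the answer above. It applies the answer's point in a form you can run end to end: instead of pushing the source key's security object at the target, it loads the target's own security object, removes its explicit rules and adds the source's explicit rules, so every Remove/Add marks the DACL as modified and Set-Acl actually writes it. It then re-reads the target and compares, because a Set-Acl that persisted nothing completes without any error (the silent failure in the question). The key paths under HKCU:\Software\AclCopyDemo, the ReadKey rule for BUILTIN\Users and the cleanup at the end are assumptions constructed for this demonstration.

```powershell
# Added example (not from the original question or answer). Copies the explicit
# DACL entries of one registry key onto another and verifies the result by
# re-reading the target. Key paths, the BUILTIN\Users ReadKey rule and the
# cleanup are assumptions made for this demonstration.

Set-StrictMode -Version 2

$source    = 'HKCU:\Software\AclCopyDemo\foo'
$target    = 'HKCU:\Software\AclCopyDemo\bar'
$ntAccount = [System.Security.Principal.NTAccount]

# A comparable fingerprint of a key's explicit (non-inherited) access rules.
function Get-ExplicitRuleSet {
    param([Parameter(Mandatory=$true)][string] $Path)
    (Get-Acl -Path $Path).GetAccessRules($true, $false, $ntAccount) |
        ForEach-Object { '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.AccessControlType, $_.RegistryRights, $_.InheritanceFlags, $_.PropagationFlags } |
        Sort-Object
}

function Copy-RegistryDacl {
    param(
        [Parameter(Mandatory=$true)][string] $SourcePath,
        [Parameter(Mandatory=$true)][string] $TargetPath
    )
    $sourceAcl = Get-Acl -Path $SourcePath
    $targetAcl = Get-Acl -Path $TargetPath

    # Work on the target's own security object: each Remove/Add below marks its
    # DACL as modified, which is what makes Set-Acl persist it. Handing the
    # source object to Set-Acl as-is leaves that flag clear and nothing is written.
    foreach ($rule in @($targetAcl.GetAccessRules($true, $false, $ntAccount))) {
        $targetAcl.RemoveAccessRuleAll($rule)
    }
    # Only explicit rules are copied. Inherited ACEs belong to each key's own
    # parent; copying them would turn them into explicit ACEs on the target.
    foreach ($rule in @($sourceAcl.GetAccessRules($true, $false, $ntAccount))) {
        $targetAcl.AddAccessRule($rule)
    }
    Set-Acl -Path $TargetPath -AclObject $targetAcl

    # Verify by re-reading the key rather than trusting a silent Set-Acl.
    $diff = Compare-Object -ReferenceObject @(Get-ExplicitRuleSet $SourcePath) `
                           -DifferenceObject @(Get-ExplicitRuleSet $TargetPath)
    if ($diff) {
        throw "DACL copy to $TargetPath did not persist: $($diff | Out-String)"
    }
}

# Constructed scenario: two fresh sibling keys; foo gets one explicit rule.
New-Item -Path $source -Force | Out-Null
New-Item -Path $target -Force | Out-Null
$acl = Get-Acl -Path $source
$acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule('BUILTIN\Users', 'ReadKey', 'Allow')))
Set-Acl -Path $source -AclObject $acl

Copy-RegistryDacl -SourcePath $source -TargetPath $target
Write-Host "Explicit rules on $target now:"
Get-ExplicitRuleSet $target | Write-Host

# Remove the demo keys again.
Remove-Item -Path 'HKCU:\Software\AclCopyDemo' -Recurse -Force
```

Two caveats worth keeping in mind. Only the DACL is copied; owner and group are left as they are, because writing a foreign owner onto a key needs SeRestorePrivilege and is rarely what an ACL copy is meant to do. And the verification step is not optional in scripts that rely on this: the whole problem in the question is that the failure mode is silent, so a re-read and compare is the only signal that the write took.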