JSI Tip 0723. A better way to set registry permissions on a key and its sub-keys, in batch.

Jerold Schulman

September 18, 1998


Supplement Two of the NT 4.0 Server Resource Kit contains Regini, which lets you set registry permissions in the HKEY_LOCAL_MACHINE and HKEY_USERS hives.

Regini reads a script file which, for our purposes, contains a single record in the \Registry\Key [ACL] syntax:

\Registry - A constant.

Key:
Machine = HKEY_LOCAL_MACHINE
User = HKEY_USERS

[ACL] - The ACL is a list of numbers, separated by spaces, within square brackets. The numbers represent the following permissions:

 1. Administrator Full
 2. Administrator R
 3. Administrator RW
 4. Administrator RWD
 5. Creator Full
 6. Creator RW
 7. World Full
 8. World R
 9. World RW
10. World RWD
11. Power Users Full
12. Power Users RW
13. Power Users RWD
14. System OpFull
15. System OpRW
16. System OpRWD
17. System Full
18. System RW
19. System R
20. Administrator RWX

Examples:

\Registry\Machine\System\CurrentControlSet\ENUM [1 8 17] - Will grant Administrator - Full Control, Everyone - Read, and System - Full Control.

\Registry\User\S-1-5-21-2053067395-480382929-641664369-1001\Software\Strange Software Thingy [1 8 17] - Same as above.

\Registry\Machine\System\CurrentControlSet\ENUM [8 17] - Will remove the Administrator group from the first example.
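
Because the bracketed list replaces the key's ACL (the third example drops Administrator simply by omitting 1), it is worth decoding a record before handing it to Regini. The following is an added example, not part of the original tip or of JSIRegS.bat: it parses a record in the syntax above, decodes the ACL numbers using the table above, and flags entries worth a second look. The `audit` function, the review policy (expect 1 and 17, flag World write access) and the last sample record are assumptions made for this example.

```python
import re

# Permission numbers exactly as listed in the tip (1 = Administrator Full ... 20).
NAMES = ("Administrator Full,Administrator R,Administrator RW,Administrator RWD,"
         "Creator Full,Creator RW,World Full,World R,World RW,World RWD,"
         "Power Users Full,Power Users RW,Power Users RWD,System OpFull,"
         "System OpRW,System OpRWD,System Full,System RW,System R,Administrator RWX")
ACL = dict(enumerate(NAMES.split(","), start=1))
HIVES = {"machine": "HKLM", "user": "HKU"}   # same mapping JSIRegS.bat applies
RECORD = re.compile(r"^\\Registry\\(Machine|User)\\(.+?)\s*\[([\d\s]*)\]\s*$", re.I)
WORLD_WRITE = (7, 9, 10)                     # World Full, World RW, World RWD

def audit(record):
    """Parse one regini record; return (key, grants, warnings)."""
    m = RECORD.match(record.strip())
    if not m:
        raise ValueError("not a \\Registry\\Machine or \\Registry\\User record")
    hive, path, nums = m.groups()
    codes = [int(n) for n in nums.split()]
    key = HIVES[hive.lower()] + "\\" + path
    grants = [ACL[c] for c in codes if c in ACL]
    warnings = []
    unknown = [c for c in codes if c not in ACL]
    if unknown:
        warnings.append("unknown ACL number(s): %s" % unknown)
    # Assumed review policy: the list replaces the ACL, so report when
    # Administrator Full (1) or System Full (17) is left out of it.
    for must in (1, 17):
        if must not in codes:
            warnings.append("%s (%d) not listed" % (ACL[must], must))
    writable = [ACL[c] for c in codes if c in WORLD_WRITE]
    if writable:
        warnings.append("World can modify the key: " + ", ".join(writable))
    return key, grants, warnings

# The first three records are the tip's examples; the last one is constructed.
SAMPLES = [
    r"\Registry\Machine\System\CurrentControlSet\ENUM [1 8 17]",
    r"\Registry\User\S-1-5-21-2053067395-480382929-641664369-1001\Software\Strange Software Thingy [1 8 17]",
    r"\Registry\Machine\System\CurrentControlSet\ENUM [8 17]",
    r"\Registry\Machine\Software\Example [7 17 42]",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        key, grants, warnings = audit(rec)
        print(key, grants, warnings or "ok")
```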

REG (from the Resource Kit Supplement, not the freeware at tip 170) has a Query option that will allow you to display keys and sub-keys. The JSIRegS.bat file will apply the specified ACL to the key and its sub-keys. The usage is:

JSIRegS ScriptFile1 [ScriptFile2 ScriptFile3 . . . ScriptFileN]

JSIRegS.bat contains:

@echo off
:check
PushD
REM Remove work files left over from an earlier run.
if exist %TEMP%\JSIRegS.log del /q %TEMP%\JSIRegS.log
if exist %TEMP%\JSIRegS.ini del /q %TEMP%\JSIRegS.ini
if /i "%1"=="" goto syntax
if exist %1 goto parse
:syntax
@echo INI file %1 not found or contains an invalid entry.
goto end
:hku
REM Not a \Registry\Machine key, so try \Registry\User.
set reg=%reg:\Registry\User=HKU%
set reg=%reg:\registry\user=HKU%
REM Neither hive matched: report the invalid entry.
if /i "%reg%"=="%savekey%" goto syntax
goto key
:parse
REM Split the record into the key (reg) and the ACL numbers (sec).
for /f "Tokens=1-2* Delims=[]" %%i in (%1) do set reg=%%i!&set sec=%%j
set reg=%reg: !=%
set savekey=%reg%
set reg=%reg:\Registry\Machine=HKLM%
set reg=%reg:\registry\machine=HKLM%
if /i "%reg%"=="%savekey%" goto hku
:key
REM Apply the ACL to the key itself, then to every sub-key REG lists.
regini %1
set reg="%reg%"
reg query %reg% /s >> %TEMP%\JSIRegS.log
for /f "Tokens=*" %%i in ('findstr /b "[" %TEMP%\JSIRegS.log') do call :mkini "%%i"
POPD
set reg=
set savekey=
set sec=
set sub=
if exist %TEMP%\JSIRegS.log del /q %TEMP%\JSIRegS.log
SHIFT
if "%1"=="" goto end
goto check
:mkini
REM Build a one-record script for this sub-key and run Regini on it.
set sub=%1
set sub=%sub:[=%
set sub=%sub:]=%
set sub=%sub:"=%
@echo %savekey%\%sub% [%sec%] > %TEMP%\JSIRegS.ini
regini %TEMP%\JSIRegS.ini
del %TEMP%\JSIRegS.ini
:end
