![]() ![]() ![]() But the main reason is that this command will work even if users are not defined on current Windows instance (when registry branch is imported from other machines or instances). First, is saves time, because there is no need to convert each user from SDDL format to a User Name. This option allows to save security user name in S-1-x-x format. This command takes from 14 to 22 seconds to run. You can use similar command to save registry security of other registry branches including loaded hives. This is all the information you need to restore your Registry security for SOFTWARE registry branch. 01- Save Registry Security subInACL /noverbose /output=C:\T\Software.txt /subkeyreg HKEY_LOCAL_MACHINE\Software /display=sddl And yes, this utility works with 64-bit registry. Moreover, all examples here are done over Windows 7 security. This utility is dated 2004, but it understands security settings of current operating systems including Windows 7. Place file subInACL.exe in a directory close to root, where you are planning to do all the magic. Installation places 3-4 files in a directory of your choice. 00- Download a small utility SubInACL from Microsoft: 05- Restore registry security to its original state using file created in step 01. 04- Perform your updates and replacements with your favorite registry tool 03- Grant Administrators full control of all the keys and sub-keys 02- Set Administrators as an owner of all the keys and sub-keys 01- Save registry security of a branch that you about to update into a file The plan of action includes 5 steps in this order: Windows will run but many features like Windows Update will become broken. If you simply use REGEDIT to take ownership and add full rights to Administrator to all registry at once, you will definitely achieve the goal, but you will ruin the intricate security permissions for dozens of system service accounts that populate registry security. Thousands of registry keys are owned by NT Service\TrustedInstaller and protected even for Administrators. You have a third-party utility to do the job, but this utility can only update values writable by administrator. You need to search and replace large registry databases with a set of new values.
0 Comments
Leave a Reply. |