Take Ownership of Registry


Take Ownership of Registry

Post by elation »

I use PowerShell Studio on a daily basis for creating tools for our techs and helpdesk. We use non-elevated accounts to log into our workstations and admin accounts for admin-type tasks such as C-Sharing to a remote PC. Due to the way Windows Explorer works, it prompts for admin for each new connection, even when run from within an elevated program. I've dug into this and tried many different routes and may have finally stumbled onto a solution. Renaming the RunAs value in either key seems to work. Note: I haven't found any repercussions from renaming it so far, but it's still in testing.
HKCR\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}
HKLM\Software\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}


https://social.technet.microsoft.com/Fo ... rosecurity

On to the issue at hand. To rename this value, you have to first take ownership of the key, which is owned by TrustedInstaller. Going through the registry manually to take ownership with an admin account works fine. Using 3rd-party tools seems to work as well. However, using PowerShell has proven to be a massive challenge. Ultimately, I'd like to set it by leveraging PowerShell when my tool is run.

Has anyone come up with a solution for this? I'd love to hear from you.

I've found a few posts with suggestions but haven't had much luck. Or I'm reluctant due to the complexity of the code.
Part of this code does not look like PowerShell: https://randomtechminutia.wordpress.com ... owershell/
https://social.technet.microsoft.com/Fo ... powershell

Re: Take Ownership of Registry

Post by jvierra »

There is no effective way to bypass UAC. There are hundreds of claims for doing this but they all have serious drawbacks and can be destructive.
Changing a key owned by the Trusted Installer can also create permanent damage. It is set up the way it is for specific security and functionality related reasons.

No trained Admin would accept your methods. By trained I mean formal training and certification. Also no corporate security manager would allow this.

That said can you explain what it is that you are trying to do that makes you think this is necessary. What "new connection" are you referring to? What is "C-Sharing"? All CmdLets that can do remoting can use full credentials and do not require "RunAs".

I am pretty well convinced that your issue is due to not having a design that is correct for your task.

Re: Take Ownership of Registry

Post by elation »

Although I can appreciate your knowledge and concern for security, I feel the tone of your reply comes off as a bit condescending. This is very much in testing and will never go in production. That said, you are very much correct in that I may be attacking this problem from the wrong angle.

Maybe it's a Southern thing; C-Sharing is connecting to a remote machine via UNC path, e.g. \\computer\c$. Every new connection refers to a connection made to a different computer. If I am logged in as a local admin on a box, I can do this without issue. If I use a non-admin account, I have to type in the (admin account) creds each time. The kicker is I have to type in creds when connecting to a UNC path from an elevated program as well. All the other functions use the credentials that were initially supplied when the elevated program was launched and do not prompt to re-enter.

I don't fully understand your UAC statement. There is a program out there - I think it's called AppSense Application Manager - that can easily bypass UAC and grant individual admin to a program. Hmmm... this might actually be the answer to my question... forcing a split token elevation of explorer.exe when run from within my tool.

Re: Take Ownership of Registry

Post by jvierra »

My concern was because you are asking for something that seems to indicate a lack of knowledge about remote secured connections.
Only someone with full Admin rights can connect to any Admin share. "C$" is an admin share. If this is a domain, then all domain admins can connect remotely with no need for credentials. If it is a workgroup, we use a different method of connecting, with the need to use credentials.

UAC and elevation only apply to the local system. Elevating a local admin does not allow access to remote admin shares.

This can also be affected by altering the sharing settings on a system. The settings on the admin shares should not be changed. There is a GP setting that will disable or enable all default admin shares.

The following may provide some clarification: https://blogs.msdn.microsoft.com/aaron_ ... ac-prompt/

Re: Take Ownership of Registry

Post by elation »

I found out where to properly set this.

Component Services > Elevated-Unelevated Explorer Factory Properties > Identity > (select) The launching user.

This actually deletes the RunAs registry value when set. If I can figure out how (if possible) to modify DCOM components via PowerShell, I won't need to grapple with the Take Ownership side of things for now.

Apologies, I didn't explain everything very well. As an administrator, I'm quite comfy with how creds work (at least in our environment). I am definitely not a programmer and can use a serious boost of knowledge to my limited scripting ability. With that, unless someone wants to take a stab at it, I think we can close this thread.
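The take-ownership step elation describes, as an added PowerShell example that is not code from the thread or from any of the posters. It enables SeTakeOwnershipPrivilege and SeRestorePrivilege on the process token (the C# P/Invoke block is the part of the linked posts that "does not look like PowerShell"; elevated administrators hold both privileges but they are disabled by default and RegistrySecurity does not enable them for you), takes ownership of the AppID key, adds a FullControl ACE for Administrators, renames the value, then removes the ACE and gives the key back to its original owner, which is the part most one-off scripts skip and the reason jvierra's warning about permanent damage applies. Note that HKCR\AppID\{...} and HKLM\SOFTWARE\Classes\AppID\{...} are the same key seen through the merged HKCR view, which is why renaming the value under "either key" works. The value name RunAs comes from the thread; the new name, the Administrators identity and the privilege helper are assumptions of this example. Run it from an elevated session.

```powershell
# Added example, not code from the thread: take ownership of the TrustedInstaller-owned
# AppID key, rename its RunAs value, then restore the ACE and owner. Run elevated.
# Assumptions: the new value name and the use of BUILTIN\Administrators as interim owner.
using namespace System.Security.Principal
using namespace System.Security.AccessControl
using namespace Microsoft.Win32

$AppId     = '{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'
$SubKey    = "SOFTWARE\Classes\AppID\$AppId"   # HKCR\AppID\$AppId is the same key (merged HKCR view)
$ValueName = 'RunAs'
$NewName   = 'RunAs.disabled'                  # assumption: any unused value name works here

# 1. Enable SeTakeOwnershipPrivilege and SeRestorePrivilege on the process token via
#    AdjustTokenPrivileges. The privileges are held but disabled in an elevated admin token.
if (-not ('TokenPrivilege' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenPrivilege
{
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr process, int access, ref IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool LookupPrivilegeValue(string host, string name, ref long luid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TokPriv1Luid newState, int length, IntPtr previous, IntPtr returnLength);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();

    // True only when the privilege is now enabled: AdjustTokenPrivileges reports success
    // with ERROR_NOT_ALL_ASSIGNED (1300) when the token does not hold the privilege at all.
    public static bool Enable(string privilege)
    {
        const int TOKEN_ADJUST_PRIVILEGES = 0x20, TOKEN_QUERY = 0x08, SE_PRIVILEGE_ENABLED = 0x02;
        IntPtr token = IntPtr.Zero;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref token)) return false;
        TokPriv1Luid tp;
        tp.Count = 1; tp.Luid = 0; tp.Attr = SE_PRIVILEGE_ENABLED;
        if (!LookupPrivilegeValue(null, privilege, ref tp.Luid)) return false;
        bool ok = AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        return ok && Marshal.GetLastWin32Error() == 0;
    }
}
'@
}
foreach ($p in 'SeTakeOwnershipPrivilege', 'SeRestorePrivilege') {
    if (-not [TokenPrivilege]::Enable($p)) { throw "Cannot enable $p; run this from an elevated session" }
}

$hklm = [Registry]::LocalMachine

# 2. Record the current owner (expected: NT SERVICE\TrustedInstaller) so it can be put back.
$probe = $hklm.OpenSubKey($SubKey)
if (-not $probe) { throw "HKLM\$SubKey not found" }
$originalOwner = $probe.GetAccessControl().GetOwner([SecurityIdentifier]); $probe.Close()
"Owner before: $($originalOwner.Translate([NTAccount]))"

# 3. Take ownership. The handle needs only WRITE_OWNER (RegistryRights.TakeOwnership), which
#    SeTakeOwnershipPrivilege grants regardless of the DACL; an empty RegistrySecurity
#    (AccessControlSections.None) plus SetOwner writes the owner and nothing else.
$admins = [NTAccount]'BUILTIN\Administrators'
$key = $hklm.OpenSubKey($SubKey, [RegistryKeyPermissionCheck]::ReadWriteSubTree, [RegistryRights]::TakeOwnership)
$acl = $key.GetAccessControl([AccessControlSections]::None)
$acl.SetOwner($admins)
$key.SetAccessControl($acl)
$key.Close()

# 4. The owner implicitly holds READ_CONTROL and WRITE_DAC, enough to add an explicit
#    FullControl ACE for Administrators so the rename (and later the hand-back) can proceed.
$rule = [RegistryAccessRule]::new($admins, [RegistryRights]::FullControl,
            [InheritanceFlags]::None, [PropagationFlags]::None, [AccessControlType]::Allow)
$key = $hklm.OpenSubKey($SubKey, [RegistryKeyPermissionCheck]::ReadWriteSubTree,
            [RegistryRights]'ReadPermissions, ChangePermissions')
$acl = $key.GetAccessControl()
$acl.AddAccessRule($rule)
$key.SetAccessControl($acl)
$key.Close()

# 5. Rename the value through the registry provider, after checking it is actually there.
$psPath = "HKLM:\$SubKey"
if ($null -eq (Get-ItemProperty -Path $psPath -Name $ValueName -ErrorAction SilentlyContinue)) {
    throw "Value $ValueName not present under $psPath"
}
Rename-ItemProperty -Path $psPath -Name $ValueName -NewName $NewName
"Values now: $((Get-Item $psPath).GetValueNames() -join ', ')"

# 6. Hand the key back: remove the extra ACE and restore the original owner. Setting an
#    owner other than yourself is what SeRestorePrivilege is for.
$key = $hklm.OpenSubKey($SubKey, [RegistryKeyPermissionCheck]::ReadWriteSubTree,
            [RegistryRights]'ReadPermissions, ChangePermissions, TakeOwnership')
$acl = $key.GetAccessControl()
$acl.SetOwner($originalOwner)
$acl.RemoveAccessRule($rule) | Out-Null
$key.SetAccessControl($acl)
$key.Close()
"Owner after: $($hklm.OpenSubKey($SubKey).GetAccessControl().GetOwner([NTAccount]))"
```

Two checks worth keeping when adapting this: the privilege helper returns false rather than throwing when the token simply lacks the privilege, which is what you see from a non-elevated session, and the last line should print the same owner as the first, otherwise the key has been left in a state Windows servicing does not expect. Reverting the rename is the same sequence with the two names swapped.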

Re: Take Ownership of Registry

Post by jvierra »

It sounds like you are asking how to force Explorer to auto-elevate. Is that what you are trying to do?

The DCOM settings can be set through WMI.
https://msdn.microsoft.com/en-us/librar ... s.85).aspx
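The WMI route jvierra points to, as an added PowerShell example that is not code from the thread or from the linked documentation. It resolves the Component Services display name elation quoted to its AppID through Win32_DCOMApplication, reads the identity through Win32_DCOMApplicationSetting.RunAsUser alongside the RunAs registry value it is stored in, and writes the identity with Set-CimInstance. Assumptions of this example: the display name matches Win32_DCOMApplication.Name exactly; 'Interactive User' is the string documented for the RunAs registry value and the provider is assumed to pass it through unchanged; what, if anything, can be written for "the launching user" (the choice elation found deletes the RunAs value) is not settled in the thread and is left as a value to test. Run it from an elevated session.

```powershell
# Added example, not code from the thread: inspect and set a DCOM application's identity
# through WMI (Win32_DCOMApplication / Win32_DCOMApplicationSetting). Run elevated.
# Assumptions: the display name below matches Win32_DCOMApplication.Name; 'Interactive User'
# is the documented RunAs string and the provider passes it through unchanged.

$Name        = 'Elevated-Unelevated Explorer Factory'
$NewIdentity = 'Interactive User'   # assumption: the value for "launching user" is not established in the thread

# Win32_DCOMApplication maps the Component Services display name to the AppID GUID.
$app = Get-CimInstance -ClassName Win32_DCOMApplication -Filter "Name='$Name'"
if (-not $app) { throw "No DCOM application named '$Name'" }
$appId = $app.AppID

# Read the identity through both interfaces: WMI's RunAsUser and the RunAs value under
# HKLM\SOFTWARE\Classes\AppID\{guid} (the same key as HKCR\AppID\{guid}).
function Get-DcomIdentity {
    param([Parameter(Mandatory)][string]$AppId)
    $s = Get-CimInstance -ClassName Win32_DCOMApplicationSetting -Filter "AppID='$AppId'"
    if (-not $s) { throw "No Win32_DCOMApplicationSetting for $AppId" }
    $reg = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\AppID\$AppId" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AppID         = $AppId
        WmiRunAsUser  = $s.RunAsUser
        RegistryRunAs = $reg.RunAs      # $null when the value is absent, i.e. "launching user"
    }
}

'Before:'; Get-DcomIdentity -AppId $appId | Format-List

# The write goes through the WMI provider rather than through the caller's own handle on
# the key, so the script itself does not take ownership of anything.
$setting = Get-CimInstance -ClassName Win32_DCOMApplicationSetting -Filter "AppID='$appId'"
Set-CimInstance -InputObject $setting -Property @{ RunAsUser = $NewIdentity }

'After:'; Get-DcomIdentity -AppId $appId | Format-List
```

Whether the provider can write a key whose DACL grants write access only to TrustedInstaller is not settled by the thread; an access-denied error from Set-CimInstance is the signal that it cannot, and the take-ownership route is then still required. Reading both the WMI property and the registry value before and after is the cheapest way to see what the provider actually wrote, including for the "launching user" case where the expected outcome is that the RunAs value disappears.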

Re: Take Ownership of Registry

Post by elation »

Very good find - Thank you kindly! I'll dig into it and see if it's what I need. From a glance, it looks like the right stuff.