Windows Registry access denied when administrator

regeditSecuritywindows

Windows 7 workstation,
Launch 'regedit.exe' as 'Administrator'

Find the following registry key:

HKEY_CLASSES_ROOT\CLSID{76A64158-CB41-11D1-8B02-00600806D9B6}

Right click and select 'Permissions'
Change owner to administrators group.
Change permissions for administrators group. Grant Full Control.
I get an error saying:

unable to save permission, access denied

Why do get access denied when I run as administrator?

Best Answer

  • Administrator does not mean "you get all rights to do anything." Administrator happens to be an account (or in your case, most likely the Local Administrators group) which by default is given some sensitive privileges like SeDebugPrivilege and similar. However, as far as the security subsystem is concerned, it is just an account. (Very much unlike root in Unix-like operating systems) If you aren't the owner of the key in question, and your account does not have WRITE_DAC access to the registry key in question, then you won't be able to change the access control list on the key in question.

    Try taking ownership first. By default, the local administrators group has SeTakeOwnershipPrivilege, which allows taking ownership of any object even without the WRITE_OWNER permission being granted by the object's discretionary access control list. Once you are the owner, you should be implicitly granted READ_CONTROL (which allows you to read the security descriptor on the object in question), and WRITE_DAC (which allows you to write to the DACL on the key in question). (Assuming the OWNER_RIGHTS SID isn't in use; that's extremely unlikely)