view windows registry 32 and 64 bit subkeys

gistfile1.txt

function Get-64BitRegistrySubKeys {
    param (
        [string]$RegistryPath
    )

    # Open the 64-bit registry key
    $key = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64).OpenSubKey($RegistryPath)

    if ($key -eq $null) {
        Write-Host "Registry key not found: $RegistryPath"
        return
    }

    # Get all subkey names and display them
    $subKeyNames = $key.GetSubKeyNames()
    foreach ($subKeyName in $subKeyNames) {
        Write-Host "Subkey: $subKeyName"
    }
}

function Get-32BitRegistrySubKeys {
    param (
        [string]$RegistryPath
    )

    # Open the 32-bit registry key
    $key = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry32).OpenSubKey($RegistryPath)

    if ($key -eq $null) {
        Write-Host "Registry key not found: $RegistryPath"
        return
    }

    # Get all subkey names and display them
    $subKeyNames = $key.GetSubKeyNames()
    foreach ($subKeyName in $subKeyNames) {
        Write-Host "Subkey: $subKeyName"
    }
}

# Example usage, replace with your key path
Get-32BitRegistrySubKeys "SOFTWARE\Microsoft\Windows Defender"


# Example usage, replace with your key path
Get-64BitRegistrySubKeys "SOFTWARE\Microsoft\Windows Defender"

gistfile2.txt

function Set-RegistryPermissionsWithInheritance {
    param (
        [string]$RegistryPath
    )

    # Try to open the registry key with FullControl access rights
    try {
        # Open the 64-bit registry key
        $key = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64).OpenSubKey(
            $RegistryPath, 
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, 
            [System.Security.AccessControl.RegistryRights]::FullControl
        )

        if ($key -eq $null) {
            Write-Host "Registry key not found: $RegistryPath"
            return
        }

        # Get the current access control
        $acl = $key.GetAccessControl()

        # Add a new rule granting your user account full control with inheritance
        $user = [System.Security.Principal.NTAccount]"$env:USERDOMAIN\$env:USERNAME"
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $user, 
            "FullControl", 
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit, 
            [System.Security.AccessControl.PropagationFlags]::None, 
            "Allow"
        )

        # Add the access rule to the ACL
        $acl.AddAccessRule($rule)

        # Apply the updated ACL to the registry key
        $key.SetAccessControl($acl)

        Write-Host "Permissions updated with inheritance for $RegistryPath"

    } catch {
        Write-Host "Error: $_" -ForegroundColor Red
    }
}

# Example usage, replace with your key path
Set-RegistryPermissionsWithInheritance "SOFTWARE\Microsoft\Windows Defender"

new-Set-RegistryPermissions.psh

function Set-RegistryPermissions {
    param(
        [string]$rootKey, 
        [string]$keyPath, 
        [System.Security.Principal.SecurityIdentifier]$sid = ([System.Security.Principal.WindowsIdentity]::GetCurrent().User),  # Default to current user
        [bool]$recurse = $true
    )

    switch ($rootKey) {
        'HKCU', 'HKEY_CURRENT_USER'    { $rootKey = 'CurrentUser' }
        'HKLM', 'HKEY_LOCAL_MACHINE'   { $rootKey = 'LocalMachine' }
        'HKCR', 'HKEY_CLASSES_ROOT'    { $rootKey = 'ClassesRoot' }
        'HKCC', 'HKEY_CURRENT_CONFIG'  { $rootKey = 'CurrentConfig' }
        'HKU', 'HKEY_USERS'            { $rootKey = 'Users' }
    }

    # Escalate privileges
    function Enable-Privileges {
        $import = '[DllImport("ntdll.dll")] public static extern int RtlAdjustPrivilege(ulong a, bool b, bool c, ref bool d);'
        $ntdll = Add-Type -Member $import -Name NtDll -PassThru
        $privileges = @{ SeTakeOwnership = 9; SeBackup = 17; SeRestore = 18 }
        foreach ($i in $privileges.Values) {
            $null = $ntdll::RtlAdjustPrivilege($i, $true, $false, [ref]$false)
        }
    }

    Enable-Privileges  # Elevate required privileges

    function Change-KeyOwnershipAndPermissions {
        param($regKeyPath, $sid, $recurse, $level = 0)

        try {
            # Open the registry key with permission to take ownership
            $regKey = [Microsoft.Win32.Registry]::$rootKey.OpenSubKey($regKeyPath, 'ReadWriteSubTree', 'TakeOwnership')
            if ($null -eq $regKey) {
                Write-Host "Key not found: $regKeyPath" -ForegroundColor Yellow
                return
            }

            # Step 1: Take Ownership
            $acl = $regKey.GetAccessControl()
            $acl.SetOwner($sid)
            $regKey.SetAccessControl($acl)

            # Step 2: Set permissions and inheritance
            if ($level -eq 0) {
                $rule = New-Object System.Security.AccessControl.RegistryAccessRule($sid, 'FullControl', 'ContainerInherit', 'None', 'Allow')
                $acl.AddAccessRule($rule)
                $regKey.SetAccessControl($acl)
                Write-Host "Ownership and permissions set for $regKeyPath" -ForegroundColor Green
            }

            # Step 3: Recursively apply permissions to subkeys
            if ($recurse) {
                $subKeys = $regKey.GetSubKeyNames()
                foreach ($subKey in $subKeys) {
                    Change-KeyOwnershipAndPermissions "$regKeyPath\$subKey" $sid $recurse ($level + 1)
                }
            }
        } catch {
            Write-Host "Failed to set ownership or permissions for $regKeyPath: $_" -ForegroundColor Red
        }
    }

    # Start processing the registry key
    Change-KeyOwnershipAndPermissions $keyPath $sid $recurse
}

# Usage example
Set-RegistryPermissions "HKLM" "SOFTWARE\Microsoft\Windows Defender"

SystemUser-TakeOwnership.psh

function TakeOwnership-RegistryKey {
    param (
        [string]$RegistryPath,
        [string]$UserAccount = "Phil"  # Explicitly specify the user account
    )

    # Open the 64-bit registry key
    try {
        $key = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, 
            [Microsoft.Win32.RegistryView]::Registry64
        ).OpenSubKey($RegistryPath, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)

        if ($key -eq $null) {
            Write-Host "Registry key not found: $RegistryPath"
            return
        }

        # Get access control and set ownership to the specified user account
        $acl = $key.GetAccessControl()
        $owner = [System.Security.Principal.NTAccount]$UserAccount
        $acl.SetOwner($owner)
        Write-Host "Current ACL for key '$RegistryPath':"
        Write-Host $acl | Format-List
        Write-Host "Current owner of key '$RegistryPath': $owner"

        # Apply the new ownership
        $key.SetAccessControl($acl)

        Write-Host "Ownership of registry key '$RegistryPath' has been taken by $UserAccount"
    } catch {
        Write-Host "Error: $_" -ForegroundColor Red
    }
}

# Example usage:
TakeOwnership-RegistryKey "SOFTWARE\Microsoft\Windows Defender" "Phil"

take-permissions.psh

function Take-Permissions {
    # Required Admin privileges
    param(
        $rootKey, 
        $key, 
        [System.Security.Principal.SecurityIdentifier]$sid = 'S-1-5-32-545', 
        $recurse = $true
    )
    
    switch -regex ($rootKey) {
        'HKCU|HKEY_CURRENT_USER'    { $rootKey = 'CurrentUser' }
        'HKLM|HKEY_LOCAL_MACHINE'   { $rootKey = 'LocalMachine' }
        'HKCR|HKEY_CLASSES_ROOT'    { $rootKey = 'ClassesRoot' }
        'HKCC|HKEY_CURRENT_CONFIG'  { $rootKey = 'CurrentConfig' }
        'HKU|HKEY_USERS'            { $rootKey = 'Users' }
    }

    ### Step 1 - escalate current process's privilege
    # Get SeTakeOwnership, SeBackup, and SeRestore privileges
    $import = '[DllImport("ntdll.dll")] public static extern int RtlAdjustPrivilege(ulong a, bool b, bool c, ref bool d);'
    $ntdll = Add-Type -Member $import -Name NtDll -PassThru
    $privileges = @{ SeTakeOwnership = 9; SeBackup =  17; SeRestore = 18 }
    foreach ($i in $privileges.Values) {
        $null = $ntdll::RtlAdjustPrivilege($i, 1, 0, [ref]0)
    }

    function Take-KeyPermissions {
        param($rootKey, $key, $sid, $recurse, $recurseLevel = 0)

        ### Step 2 - Take ownership of the key (only works for current key)
        $regKey = [Microsoft.Win32.Registry]::$rootKey.OpenSubKey($key, 'ReadWriteSubTree', 'TakeOwnership')
        $acl = New-Object System.Security.AccessControl.RegistrySecurity
        $acl.SetOwner($sid)
        $regKey.SetAccessControl($acl)

        ### Step 3 - Enable inheritance of permissions (not ownership) for the current key
        $acl.SetAccessRuleProtection($false, $false)
        $regKey.SetAccessControl($acl)

        ### Step 4 - For top-level key, change permissions and propagate to subkeys
        if ($recurseLevel -eq 0) {
            $regKey = $regKey.OpenSubKey('', 'ReadWriteSubTree', 'ChangePermissions')
            $rule = New-Object System.Security.AccessControl.RegistryAccessRule($sid, 'FullControl', 'ContainerInherit', 'None', 'Allow')
            $acl.ResetAccessRule($rule)
            $regKey.SetAccessControl($acl)
        }

        ### Step 5 - Recursively repeat for subkeys
        if ($recurse) {
            foreach($subKey in $regKey.OpenSubKey('').GetSubKeyNames()) {
                Take-KeyPermissions $rootKey ($key + '\' + $subKey) $sid $recurse ($recurseLevel + 1)
            }
        }
    }

    Take-KeyPermissions $rootKey $key $sid $recurse
}

# Example usage: granting full control to BUILTIN\Users for the Windows Defender key
Take-Permissions "HKLM" "SOFTWARE\Microsoft\Windows Defender"

# Taking ownership and giving BUILTIN\Users full control of the key and all its subkeys
Take-Permissions "HKLM" "SOFTWARE\Microsoft\Windows Defender"

# Giving the "Everyone" group full control over the key and all its subkeys
Take-Permissions "HKLM" "SOFTWARE\Microsoft\Windows Defender" "S-1-1-0"

# Giving the "Everyone" group full control of only the top-level key
Take-Permissions "HKLM" "SOFTWARE\Microsoft\Windows Defender" "S-1-1-0" $false

TakeOwnership.psh

function TakeOwnership-RegistryKey {
    param (
        [string]$RegistryPath
    )

    # Open the 64-bit registry key
    try {
        $key = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, 
            [Microsoft.Win32.RegistryView]::Registry64
        ).OpenSubKey($RegistryPath, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)

        if ($key -eq $null) {
            Write-Host "Registry key not found: $RegistryPath"
            return
        }

        # Get access control and set ownership to the current user
        $acl = $key.GetAccessControl()
        $owner = [System.Security.Principal.NTAccount]"$env:USERDOMAIN\$env:USERNAME"
        $acl.SetOwner($owner)
        Write-Host "Current ACL for key '$RegistryPath':"
        Write-Host $acl | Format-List
        Write-Host "Attempting to change ownership to: $owner"

        # Apply the new ownership
        $key.SetAccessControl($acl)
        Write-Host "Ownership of registry key '$RegistryPath' has been taken by $env:USERNAME"
    } catch {
        Write-Host "Error: $_" -ForegroundColor Red
    }
}

# Call the function to take ownership of the key in the 64-bit registry view
TakeOwnership-RegistryKey "SOFTWARE\Microsoft\Windows Defender"

to add logging

    <CommandLine>powershell.exe -ExecutionPolicy Bypass -NoProfile -File E:\setup.ps1 > C:\setup-script-log.txt 2>&1</CommandLine>