We’ve seen how to use the Registry Editor (regedit.exe) to change ownership of a registry key and subkeys. This article tells you how to change registry key ownership and grant permissions using the command-line.
Windows has the takeown.exe and icacls.exe console utilities to change file/folder ownership and permissions, but there are no such built-in tools for changing the registry key ownership using command-line. You’ll need a third-party tool named SetACL for the task.
SetACL: Command-line arguments
Before proceeding, let’s see the command-line syntax for changing file/registry ownership and permissions using SetACL.
SetACL -on objectname -ot objecttype -actn action
- -on: Specify the path to the object SetACL should operate on (e.g., file, registry key, network share, service, or printer).
- -ot: Specify the object type. To change ownership or permissions for a file or folder, use the object type file. For registry keys, use the object type reg.
- -actn: Specify the action SetACL should perform on the specified object. To take ownership, set the action to setowner. To change permissions, set the action to ace.
(See SetACL documentation for the full list of objects, types, and supported actions.)
Take Ownership of Registry Key & Assign Permissions Using Command-line
To change registry key ownership and permissions using SetACL:
- Download SetACL, unzip the contents to a folder.
- Copy the appropriate version of setacl.exe (32-bit vs 64-bit) to a folder, e.g., d:\tools.
- Let’s say you want to change ownership of the registry branch HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160} and grant the Administrators group full control permissions. Run these two commands from an admin Command Prompt window:
  SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}" -ot reg -actn setowner -ownr "n:Administrators"
  SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}" -ot reg -actn ace -ace "n:Administrators;p:full"
  - The 1st command sets the Administrators group as the owner of the key.
  - The 2nd command assigns the Administrators group Full Control permissions for the key.
The Administrators group owns the key and its subkeys, and also has full control permissions, which you can check using the Registry Editor.
Important: For changing the ownership and permissions for this key and subkeys, add the -rec Yes argument at the end. See illustration below for more information.
Error when changing registry key permissions?
SetACL reports the following error when you attempt to change the permissions for a file/folder or a registry key that you don’t have access to. To prevent this error, make sure you first take ownership of the key before changing its permissions.
SetACL finished with error(s):
SetACL error message: The call to SetNamedSecurityInfo () failed
Operating system error message: Access is denied.
Take Ownership & Assign Permissions Recursively (this key & subkeys)
To change ownership and grant full control permission (to Administrators) for the specified key along with its subkeys, include the -rec Yes switch at the end, as given below:
SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}" -ot reg -actn setowner -ownr "n:Administrators" -rec Yes
SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}" -ot reg -actn ace -ace "n:Administrators;p:full" -rec Yes
Set TrustedInstaller as the owner
To set TrustedInstaller as the owner of the above registry key and assign it full control permissions recursively, use the same command-line syntax. You only need to change the account/group name. Here are the commands you need to run this time:
SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}" -ot reg -actn setowner -ownr "n:nt service\trustedinstaller" -rec Yes
SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}" -ot reg -actn ace -ace "n:nt service\trustedinstaller;p:full" -rec Yes
Running the above commands sets TrustedInstaller (NT SERVICE\TrustedInstaller) as the owner of the key and subkeys.
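To confirm the result without opening the Registry Editor, and to keep a record of the original owner so it can be put back later (for example with the TrustedInstaller commands above), you can snapshot the key's security with PowerShell's built-in Get-Acl. This is an added example, not part of SetACL or the original article; the function names and the snapshot file name are made up for illustration.

```powershell
# Added example (not from the original article): record and compare registry
# key owners/ACLs around a SetACL run, using only built-in cmdlets.
$KeyPath  = 'Registry::HKEY_CLASSES_ROOT\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}'
$Snapshot = Join-Path $env:TEMP 'key-acl-before.xml'   # hypothetical file name

function Get-KeySecuritySnapshot {
    param([Parameter(Mandatory)][string]$LiteralPath)

    # The key itself plus every subkey that can be enumerated.
    $keys  = @(Get-Item -LiteralPath $LiteralPath -ErrorAction Stop)
    $keys += @(Get-ChildItem -LiteralPath $LiteralPath -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        try {
            $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop
            [pscustomobject]@{ Key = $key.Name; Owner = $acl.Owner; Sddl = $acl.Sddl }
        }
        catch {
            # Keys whose security descriptor cannot be read are still listed.
            [pscustomobject]@{ Key = $key.Name; Owner = '<unreadable>'; Sddl = '' }
        }
    }
}

function Compare-KeySecurity {
    param([Parameter(Mandatory)][object[]]$Before,
          [Parameter(Mandatory)][object[]]$After)
    # '<=' rows hold the old values, '=>' rows hold the new ones.
    Compare-Object -ReferenceObject $Before -DifferenceObject $After -Property Key, Owner, Sddl |
        Sort-Object Key, SideIndicator
}

# 1. Before running SetACL: save and display the current state.
$before = @(Get-KeySecuritySnapshot -LiteralPath $KeyPath)
$before | Export-Clixml -Path $Snapshot
$before | Format-Table Key, Owner -AutoSize | Out-Host

# 2. After running the SetACL commands: re-read the key and show what changed.
#    The saved snapshot is reloaded so this also works in a new session.
$after = @(Get-KeySecuritySnapshot -LiteralPath $KeyPath)
Compare-KeySecurity -Before @(Import-Clixml -Path $Snapshot) -After $after
```

Run step 1, then the SetACL commands, then step 2; an empty comparison means nothing changed. The Owner column of the saved snapshot tells you which account to pass to -ownr when restoring the original owner.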
Additional Information
- Microsoft’s SubInACL: There is also another console tool named SubInACL released by Microsoft during the Windows XP-era. It’s part of the Windows XP/2003 Resource Kit Tools. SubInACL can be used to set ownership and permissions for files/folders and registry. However, SubInACL has been discontinued by Microsoft, and it defaults to 32-bit file and registry paths (on Windows 64-bit systems), which makes it unusable in 64-bit versions of Windows in some situations.
- Microsoft’s Regini.exe: You have another built-in console tool named regini.exe which lets you change the registry permissions using a text-based file. However, regini.exe can’t change the ownership of a registry key. For more information on regini.exe, open a Command Prompt window and type regini.exe /?
- Helge Klein’s SetACL is a widely recommended tool, and it certainly has filled the void left by SubInACL and also addresses the shortcomings of regini.exe. SetACL can do many more things than what’s discussed in this article.
See SetACL documentation for more details: SetACL Command Line-Version (SetACL.exe) – Syntax and Description.
Thank you very much for this. Would it be possible to write the commands to take over the entire registry and grant all rights to the current user or Administrator account?
Thanks in advance.