x9/xetup
1
0
Fork 0
Code Issues 17 Pull requests Projects Releases 2 Packages Wiki Activity Actions

Fix registry ACL errors in steps 3 and 4

Browse source 
- 03-system-registry.ps1: add Grant-RegWriteAccess helper; Set-Reg now
  retries with ACL fix when Set-ItemProperty throws SecurityException
  (e.g. HKLM\...\Communications owned by TrustedInstaller)
- 04-default-profile.ps1: add Grant-HiveWriteAccess helper; Set-ProfileReg
  retries with ACL fix on Default hive keys with restricted permissions
- Both scripts: add -ErrorAction Stop to Set-ItemProperty so errors are
  properly caught by try/catch instead of bypassing it

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
X9 2026-03-14 19:37:47 +01:00
parent 97bd9dfc76
commit 31646112bf
2 changed files with 92 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

57
scripts/03-system-registry.ps1
View file

@ -11,6 +11,48 @@ function Write-Log {
Add-Content -Path $LogFile -Value $line -Encoding UTF8 Add-Content -Path $LogFile -Value $line -Encoding UTF8
} }
function Grant-RegWriteAccess {
param([string]$Path)
# Grants Administrators FullControl on a registry key that has restricted ACL.
# Required for keys owned by TrustedInstaller or with locked-down ACL.
try {
$hive = $Path -replace '^(HKLM|HKCU|HKU|HKCR|HKCC):\\.*', '$1'
$subkey = $Path -replace '^(HKLM|HKCU|HKU|HKCR|HKCC):\\', ''
$rootKey = switch ($hive) {
"HKLM" { [Microsoft.Win32.Registry]::LocalMachine }
"HKCU" { [Microsoft.Win32.Registry]::CurrentUser }
"HKCR" { [Microsoft.Win32.Registry]::ClassesRoot }
}
$rights = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
$regRights = [System.Security.AccessControl.RegistryRights]::TakeOwnership
$key = $rootKey.OpenSubKey($subkey, $rights, $regRights)
if ($key) {
$acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
$acl.SetOwner([System.Security.Principal.NTAccount]"BUILTIN\Administrators")
$key.SetAccessControl($acl)
$key.Close()
}
# Re-open with ChangePermissions to grant full control
$key = $rootKey.OpenSubKey($subkey, $rights, [System.Security.AccessControl.RegistryRights]::ChangePermissions)
if ($key) {
$acl = $key.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
"BUILTIN\Administrators",
[System.Security.AccessControl.RegistryRights]::FullControl,
[System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit",
[System.Security.AccessControl.PropagationFlags]::None,
[System.Security.AccessControl.AccessControlType]::Allow
)
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)
$key.Close()
}
}
catch {
Write-Log " Grant-RegWriteAccess failed for $Path - $_" -Level WARN
}
}
function Set-Reg { function Set-Reg {
param( param(
[string]$Path, [string]$Path,
@ -20,14 +62,25 @@ function Set-Reg {
) )
try { try {
if (-not (Test-Path $Path)) { if (-not (Test-Path $Path)) {
New-Item -Path $Path -Force | Out-Null New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
} }
Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type -Force Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type -Force -ErrorAction Stop
Write-Log " SET $Path\$Name = $Value" -Level OK Write-Log " SET $Path\$Name = $Value" -Level OK
} }
catch {
# Retry after granting write access
try {
Grant-RegWriteAccess -Path $Path
if (-not (Test-Path $Path)) {
New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
}
Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type -Force -ErrorAction Stop
Write-Log " SET $Path\$Name = $Value (after ACL fix)" -Level OK
}
catch { catch {
Write-Log " FAILED $Path\$Name - $_" -Level ERROR Write-Log " FAILED $Path\$Name - $_" -Level ERROR
} }
}
} }
function Remove-Reg { function Remove-Reg {

39
scripts/04-default-profile.ps1
View file

@ -14,6 +14,26 @@ function Write-Log {
# ----------------------------------------------------------------------- # -----------------------------------------------------------------------
# Helper - apply a registry setting to both Default hive and current HKCU # Helper - apply a registry setting to both Default hive and current HKCU
# ----------------------------------------------------------------------- # -----------------------------------------------------------------------
function Grant-HiveWriteAccess {
param([string]$HivePath) # full path e.g. "Registry::HKU\DefaultProfile\Software\..."
# Grants Administrators FullControl on a loaded hive key with restricted ACL.
try {
$acl = Get-Acl -Path $HivePath -ErrorAction Stop
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
"BUILTIN\Administrators",
[System.Security.AccessControl.RegistryRights]::FullControl,
[System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit",
[System.Security.AccessControl.PropagationFlags]::None,
[System.Security.AccessControl.AccessControlType]::Allow
)
$acl.SetAccessRule($rule)
Set-Acl -Path $HivePath -AclObject $acl -ErrorAction Stop
}
catch {
Write-Log " Grant-HiveWriteAccess failed for $HivePath - $_" -Level WARN
}
}
function Set-ProfileReg { function Set-ProfileReg {
param( param(
[string]$SubKey, # relative to HKCU (e.g. "Software\Microsoft\...") [string]$SubKey, # relative to HKCU (e.g. "Software\Microsoft\...")
@ -26,21 +46,32 @@ function Set-ProfileReg {
$defPath = "Registry::HKU\DefaultProfile\$SubKey" $defPath = "Registry::HKU\DefaultProfile\$SubKey"
try { try {
if (-not (Test-Path $defPath)) { if (-not (Test-Path $defPath)) {
New-Item -Path $defPath -Force | Out-Null New-Item -Path $defPath -Force -ErrorAction Stop | Out-Null
} }
Set-ItemProperty -Path $defPath -Name $Name -Value $Value -Type $Type -Force Set-ItemProperty -Path $defPath -Name $Name -Value $Value -Type $Type -Force -ErrorAction Stop
}
catch {
# Retry after granting write access to parent key
try {
$parentPath = $defPath -replace '\\[^\\]+$', ''
if (Test-Path $parentPath) { Grant-HiveWriteAccess -HivePath $parentPath }
if (-not (Test-Path $defPath)) {
New-Item -Path $defPath -Force -ErrorAction Stop | Out-Null
}
Set-ItemProperty -Path $defPath -Name $Name -Value $Value -Type $Type -Force -ErrorAction Stop
} }
catch { catch {
Write-Log " DEFAULT HIVE failed $SubKey\$Name - $_" -Level ERROR Write-Log " DEFAULT HIVE failed $SubKey\$Name - $_" -Level ERROR
} }
}
# Apply to current user as well # Apply to current user as well
$hkcuPath = "HKCU:\$SubKey" $hkcuPath = "HKCU:\$SubKey"
try { try {
if (-not (Test-Path $hkcuPath)) { if (-not (Test-Path $hkcuPath)) {
New-Item -Path $hkcuPath -Force | Out-Null New-Item -Path $hkcuPath -Force -ErrorAction Stop | Out-Null
} }
Set-ItemProperty -Path $hkcuPath -Name $Name -Value $Value -Type $Type -Force Set-ItemProperty -Path $hkcuPath -Name $Name -Value $Value -Type $Type -Force -ErrorAction Stop
Write-Log " SET $SubKey\$Name = $Value" -Level OK Write-Log " SET $SubKey\$Name = $Value" -Level OK
} }
catch { catch {