• Adjusting TOKEN PRIVILEGES in PowerShell

• How RPC Works

• RegistryRights Enum

  Specifies the access control rights that can be applied to registry objects.

• AccessControlType Enum

  Specifies whether an AccessRule object is used to allow or deny access.

• Adjusting TOKEN PRIVILEGES in PowerShell

• Privilege Constants (Authorization)

• How RPC Works

• RegistryRights Enum

  Specifies the access control rights that can be applied to registry objects.

• AccessControlType Enum

  Specifies whether an AccessRule object is used to allow or deny access.

Note: You will not appended HKLM to the value passed to the function here—omit it.

Take ownership of a registry key via PowerShell

Note: You will not append HKLM to the value passed to the function here—omit it.

This code consists of two functions, followed by a function call that takes the desired registry path value—excluding the initial HKLM—as an argument to take ownership of that registry key.

Function Enable-Privilege {
    param (
        [string[]]$Privileges
    )
 
    try {
        $typeExists = [AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object {
            $_.GetExportedTypes() | Where-Object { $_.Name -eq "AdjPriv" }
        }
 
        if ($typeExists -eq $null) {
            $Definition = @"
            using System;
            using System.Runtime.InteropServices;
            public class AdjPriv {
                [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
                internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
                    ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr rele);
                 [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
                internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
                 [DllImport("advapi32.dll", SetLastError = true)]
                internal static extern bool LookupPrivilegeValue(string host, string name,
                    ref long pluid);
                 [StructLayout(LayoutKind.Sequential, Pack = 1)]
                internal struct TokPriv1Luid {
                    public int Count;
                    public long Luid;
                    public int Attr;
                }
                internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
                internal const int TOKEN_QUERY = 0x00000008;
                internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
                 public static bool EnablePrivilege(long processHandle, string privilege) {
                    bool retVal;
                    TokPriv1Luid tp;
                    IntPtr hproc = new IntPtr(processHandle);
                    IntPtr htok = IntPtr.Zero;
                     retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                        ref htok);
                    tp.Count = 1;
                    tp.Luid = 0;
                    tp.Attr = SE_PRIVILEGE_ENABLED;
                    retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
                    retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero,
                        IntPtr.Zero);
                     return retVal;
                }
            }
"@
 
             $ProcessHandle = (Get-Process -id $pid).Handle
            $type = Add-Type $definition -PassThru
        }
 
        $Privileges | ForEach-Object { If($_){Try{$type[0]::EnablePrivilege($processHandle, $_)}Catch{$False}}
        }
    } catch {
 
     }
};
 

Function TakeOwnership-RegistryKey {
    param (
        [string]$RegistryPath
    )
 
    Enable-Privilege @("SeTakeOwnershipPrivilege", "SeRestorePrivilege")
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($RegistryPath, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($key -eq $null) {
        Write-Host "Registry key not found: $RegistryPath"
        return
    }
 
    $acl = $key.GetAccessControl()
    $owner = [System.Security.Principal.NTAccount]"$env:USERDOMAIN\$env:USERNAME"
    $acl.SetOwner($owner)
    $key.SetAccessControl($acl)
 
    Write-Host "Ownership of registry key '$RegistryPath' has been taken by $env:USERNAME"
};

TakeOwnership-RegistryKey "SOFTWARE\Test"

This code consists of two functions, followed by a function call that takes the desired registry path value, excluding the initial HKLM hive notation, as an argument taking ownership of the key.

Function Enable-Privilege {
    param ([string[]]$Privileges)
    try {
        $typeExists = [AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object {$_.GetExportedTypes() | Where-Object { $_.Name -eq "AdjPriv" }};
        if ($typeExists -eq $null) {
        $Definition = @"
        using System;
        using System.Runtime.InteropServices;
        
        public class AdjPriv
        {
            [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
            internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr rele);      
            [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
            internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);           
            [DllImport("advapi32.dll", SetLastError = true)]
            internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);        
            [StructLayout(LayoutKind.Sequential, Pack = 1)]
            internal struct TokPriv1Luid
            {
                public int Count;
                public long Luid;
                public int Attr;
            }         
            internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
            internal const int TOKEN_QUERY = 0x00000008;
            internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;        
            public static bool EnablePrivilege(long processHandle, string privilege)
            {
                bool retVal;
                TokPriv1Luid tp;
                IntPtr hproc = new IntPtr(processHandle);
                IntPtr htok = IntPtr.Zero;        
                retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
                tp.Count = 1;
                tp.Luid = 0;
                tp.Attr = SE_PRIVILEGE_ENABLED;
                retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
                retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);        
                return retVal;
            }
        }
"@             
        $ProcessHandle = (Get-Process -id $pid).Handle;
        $type = Add-Type $definition -PassThru};
        $Privileges | ForEach-Object {If($_){Try{$type[0]::EnablePrivilege($processHandle, $_)}Catch{$False}}
        }
        }catch{}
        };

Function TakeOwnership-RegistryKey {
    param ([string]$RegistryPath)
    Enable-Privilege @("SeTakeOwnershipPrivilege", "SeRestorePrivilege")
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($RegistryPath, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($key -eq $null) {
        Write-Host "Registry key not found: $RegistryPath";
        return;
        }
    $acl = $key.GetAccessControl();
    $owner = [System.Security.Principal.NTAccount]"$env:USERDOMAIN\$env:USERNAME";
    $acl.SetOwner($owner);
    $key.SetAccessControl($acl);
    Write-Host "Ownership of registry key '$RegistryPath' has been taken by $env:USERNAME" -ForegroundColor Yellow;
};

TakeOwnership-RegistryKey "SOFTWARE\Test";