This code consists of two functions, followed by a function call that takes the desired registry path value—excludingvalue, excluding the initial HKLM
—as hive notation, as an argument to taketaking ownership of that registrythe key.
Function Enable-Privilege {
param (
[string[]]$Privileges
)
try {
$typeExists = [AppDomain]::CurrentDomain.GetAssemblies() | ForEach-Object {
$_.GetExportedTypes() | Where-Object { $_.Name -eq "AdjPriv" }
}
;
if ($typeExists -eq $null) {
$Definition = @"
using System;
using System.Runtime.InteropServices;
public class AdjPriv {
{
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr rele);
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name,
ref long pluid);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid
internal struct TokPriv1Luid {
{
public int Count;
public long Luid;
public int Attr;
} }
internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public static bool EnablePrivilege(long processHandle, string privilege) {
{
bool retVal;
bool retVal;
TokPriv1Luid tp;
TokPriv1Luid tp;
IntPtr hproc = new IntPtr(processHandle);
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
ref htok);
tp.Count = 1;
tp.Luid = 0;
tp.Attr = SE_PRIVILEGE_ENABLED;
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero,
IntPtr.Zero);
return retVal;
}
}
}
"@ }
"@
$ProcessHandle = (Get-Process -id $pid).HandleHandle;
$type = Add-Type $definition -PassThru
}
;
$Privileges | ForEach-Object { If($_){Try{$type[0]::EnablePrivilege($processHandle, $_)}Catch{$False}}
}
} catch }catch{}
}
};
Function TakeOwnership-RegistryKey {
param (
[string]$RegistryPath
)
Enable-Privilege @("SeTakeOwnershipPrivilege", "SeRestorePrivilege")
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($RegistryPath, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
if ($key -eq $null) {
Write-Host "Registry key not found: $RegistryPath"$RegistryPath";
returnreturn;
}
}
$acl = $key.GetAccessControl();
$owner = [System.Security.Principal.NTAccount]"$env:USERDOMAIN\$env:USERNAME"USERNAME";
$acl.SetOwner($owner);
$key.SetAccessControl($acl)
;
Write-Host "Ownership of registry key '$RegistryPath' has been taken by $env:USERNAME" -ForegroundColor Yellow;
};
TakeOwnership-RegistryKey "SOFTWARE\Test""SOFTWARE\Test";