Access denied when adding key to HKEY_LOCAL_MACHINE using bat file, adding to HKEY_CURRENT_USER works fine

Question

I need to add a new registry key to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRunTime\AllowedCOMCLSIDs.

I tried running a following bat script:

@echo off 
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\AllowedCOMCLSIDs\NewKey" /f /ve
PAUSE

What I got in return was an access denied message, tried doing the same by launching a cmd.exe as an administrator but got the same information. I only have one account on this computer and it has the admin rights.

I also tried running this script to see if it can add that key to a different directory under HKEY_LOCAL_MACHINE and so I ran this script:

@echo off 
reg add HKEY_CURRENT_USER\Software\NewKey /f /ve
PAUSE

And that script was completed successfully.

Any idea how can I make the first one run properly as well? I've searched through multiple questions, threads and video tutorials showing modifications of users' groups properties but it doesn't really apply in this case, nothing changes since I already have all the rights assigned.

I'd be grateful for your help.

Edit: Ok, thanks everyone for your comments, I didn't have a clue that you can change the permissions for keys as well. Had to change the owner from SYSTEM to my account and then grant full permissions for those accounts and now the .bat script completes successfully.

Additional question - is it possible to change the owner of a given key file and grant the required permissions all in a single .bat file?

Answer 1

The key HKEY_CURRENT_USER contains user data that is mostly entirely accessible and modifiable by the current user.

The key HKEY_LOCAL_MACHINE contains system-wide data, some of it very sensible, so modifying it usually requires administrator permissions. However, some data is crucial for Windows to work correctly, so the permissions for those key are exclusively kept by the TrustedInstaller account. An administrator account does not have the permissions to modify data owned by the TrustedInstaller account.

This is exactly the situation with the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\AllowedCOMCLSIDs, whose permissions are as follows:

The key is owned by TrustedInstaller, which is the only account that has full control of the key.

In short - you cannot modify this key. Windows will not allow it.

You need to find a way of doing what you're trying to do using some built-in Windows application that has the right permissions. I suggest detailing your underlying problem in a new question, asking for a solution that doesn't require modifying registry keys that are reserved by Windows.