Administrator does not mean "you get all rights to do anything." Administrator happens to be an account (or in your case, most likely the Local Administrators group) which by default is given some sensitive privileges like SeDebugPrivilege
and similar. However, as far as the security subsystem is concerned, it is just an account. (Very much unlike root
in Unix-like operating systems) If you aren't the owner of the key in question, and your account does not have WRITE_DAC
access to the registry key in question, then you won't be able to change the access control list on the key in question.
Try taking ownership first. By default, the local administrators group has SeTakeOwnershipPrivilege
, which allows taking ownership of any object even without the WRITE_OWNER
permission being granted by the object's discretionary access control list. Once you are the owner, you should be implicitly granted READ_CONTROL
(which allows you to read the security descriptor on the object in question), and WRITE_DAC
(which allows you to write to the DACL on the key in question). (Assuming the OWNER_RIGHTS
SID isn't in use; that's extremely unlikely)