
I am trying to run a (PoSh) script as SYSTEM (i.e. at startup, via SCCM or otherwise) that needs to read some protected registry keys, and it can't see them.

A normal user doesn't have permission to see the keys. (Using a Mozilla key as an example, but there can be dozens under the "Tree" node.)

PS C:\> whoami
contoso\testuser
PS C:\> $KeyPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Mozilla"
PS C:\> $Key = Get-Item $KeyPath
Get-Item : Requested registry access is not allowed.

An admin user can see (but not change) the keys:

PS C:\> whoami
LocalComputer\administrator
PS C:\> $KeyPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Mozilla"
PS C:\> Get-Item $KeyPath
    Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

Name                           Property
----                           --------
Mozilla                        SD : {1, 0, 4, 140...}

But the SYSTEM account just doesn't see anything:

PS C:\> whoami
nt authority\system
PS C:\> $KeyPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Mozilla"
PS C:\> Get-Item $KeyPath
Get-Item : Cannot find path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Mozilla'
because it does not exist.

SYSTEM has full control over the registry key and the parent key.

[Image: What Admin sees (with permissions). List of keys, and SYSTEM has full control.]

[Image: This is what SYSTEM sees in the registry. One key only.]

How can SYSTEM not see it? How can I read this key via startup script (or other SYSTEM activity)?

Thanks.

Edit: As far as I can tell, this is the case on ALL Win10 1809+, and not just a single machine.
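An added diagnostic script (not from the question or its comments) that can be run under each identity in turn (test user, local admin, SYSTEM) so the outputs can be compared side by side. It uses the TaskCache\Tree path from the question; the separate 64-bit/32-bit view check and the ACE dump are generic checks, not a claim about the cause.

```powershell
# Diagnostic for the "SYSTEM cannot see subkeys under TaskCache\Tree" question.
# Run as each identity and compare. Path below is the one from the question.
param(
    [string]$SubKeyPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
)

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$bits = if ([Environment]::Is64BitProcess) { 64 } else { 32 }
Write-Host ("Identity : {0}" -f $identity.Name)
Write-Host ("Process  : {0}-bit PowerShell {1}" -f $bits, $PSVersionTable.PSVersion)

# 1. What the PS registry provider shows (the same path the question's Get-Item uses).
#    Separates "access is not allowed" (ACL) from "does not exist" (not in this view).
try {
    $names = @(Get-ChildItem -Path "HKLM:\$SubKeyPath" -ErrorAction Stop |
               Select-Object -ExpandProperty PSChildName)
    Write-Host ("Provider : {0} subkeys -> {1}" -f $names.Count, ($names -join ', '))
} catch {
    Write-Host ("Provider : ERROR {0}: {1}" -f $_.Exception.GetType().Name, $_.Exception.Message)
}

# 2. Same key opened explicitly through the 64-bit and the 32-bit registry views.
foreach ($viewName in 'Registry64', 'Registry32') {
    $view = [Microsoft.Win32.RegistryView]$viewName
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $view)
        $key  = $base.OpenSubKey($SubKeyPath, $false)   # read-only open
        if ($null -eq $key) { Write-Host ("{0}: key not present in this view" -f $viewName); continue }
        $subNames = $key.GetSubKeyNames()
        Write-Host ("{0}: {1} subkeys -> {2}" -f $viewName, $subNames.Count, ($subNames -join ', '))

        # 3. For each visible subkey, list the rights the ACL grants to SYSTEM, so the
        #    "Full Control" shown in the permissions dialog can be confirmed from code.
        foreach ($name in $subNames) {
            $sub = $key.OpenSubKey($name,
                [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
                [System.Security.AccessControl.RegistryRights]::ReadPermissions)
            if ($null -eq $sub) { continue }
            $aces = $sub.GetAccessControl().Access |
                    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' }
            $rights = ($aces | ForEach-Object { "$($_.AccessControlType):$($_.RegistryRights)" }) -join '; '
            Write-Host ("   {0,-24} SYSTEM ACEs: {1}" -f $name, $rights)
            $sub.Close()
        }
        $key.Close(); $base.Close()
    } catch {
        Write-Host ("{0}: ERROR {1}: {2}" -f $viewName, $_.Exception.GetType().Name, $_.Exception.Message)
    }
}
```

Redirect the output to a file when running as SYSTEM from a startup script or SCCM, since there is no console to read it from.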

  • Test Get-PSProvider Registry. If that exists, test (Get-PSProvider Registry).Drives... – Keith Miller Apr 20 '21 at 23:25
  • As SYSTEM, I can move through the registry keys to HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\tree. At that point, the only child item is the "Microsoft" key even though the Admin account sees about 15 child items (including "Mozilla"). – Teknowledgist Apr 21 '21 at 13:59
  • Then examine the permissions on the keys. Can Admin modify them ahead of time so System can read? – Keith Miller Apr 21 '21 at 19:46
  • SYSTEM has "Full Control" (see added images). What could Admin modify to allow SYSTEM to read them? – Teknowledgist Apr 22 '21 at 12:09
  • No clue, really. Except that there's a security mechanism that prevents scripted registry modification of keys a user can manipulate interactively. Deleting UserChoice or an extension from HKCU\...\Explorer\FileExts is an example. And that's as the user with Admin credentials. – Keith Miller Apr 22 '21 at 13:00
  • Another example: scripts can't invoke Pin and UnPin verbs. – Keith Miller Apr 22 '21 at 13:04
  • How are you running as SYSTEM to get this access denied? Is this via a Scheduled Task, PSExec, or what? Wasn't sure if you tried it as an actual startup script running as system via Task Scheduler or just local GP startup script in Computer Config, and then add local to the PS script that is executing to log the output to a file if you get a different result. Some reg hives won't load to be read if a user account is not logged on, but didn't think HKLM was one of those. Curious the way you are running as SYSTEM and if another method of doing that would get a better result. – Vomit IT - Chunky Mess Style Apr 23 '21 at 19:49
