Take Ownership of Registry Key KnownDLLs

IsoQuantic

I am missing two entries in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

The two subkey entries are:
DLLDirectory with a needed value of: system32
DLLDirectory32 with a needed value of: syswow6


When running the following two commands in an elevated command prompt:

SetACL.exe -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs" -ot reg -actn setowner -ownr "n:Administrators"

SetACL.exe -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs" -ot reg -actn ace -ace "n:Administrators;p:full"

I receive the following errors:

C:\WINDOWS\system32>SetACL.exe -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs" -ot reg -actn setowner -ownr "n:Administrators"
Processing ACL of: <machine\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs>

SetACL finished with error(s):
SetACL error message: The call to SetNamedSecurityInfo () failed

Operating system error message: Access is denied.


C:\WINDOWS\system32>SetACL.exe -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs" -ot reg -actn ace -ace "n:Administrators;p:full"
Processing ACL of: <machine\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs>

SetACL finished with error(s):
SetACL error message: The call to SetNamedSecurityInfo () failed
Operating system error message: Access is denied.


I get a similar error when using the following at an elevated command prompt:

SUBINACL /keyreg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs" /setowner=administrators /grant=administrators=f

Is there another method of taking ownership of this registry key such that I can enter the two missing keys? I have tried the usual taking ownership method of accessing the Permissions of the registry key and trying to change the Trusted Installer ownership with the same "access denied" results.

Essentially I would like to import the following registry key, and attempts to do so by just double-clicking the file fail to enter the two highlighted entries:

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs]
"_Wow64"="Wow64.dll"
"_Wow64cpu"="Wow64cpu.dll"
"_Wow64win"="Wow64win.dll"
"advapi32"="advapi32.dll"
"clbcatq"="clbcatq.dll"
"combase"="combase.dll"
"COMDLG32"="COMDLG32.dll"
"coml2"="coml2.dll"
"DifxApi"="difxapi.dll"
"DllDirectory"="\\system32"
"DllDirectory32"="\\syswow64"

"gdi32"="gdi32.dll"
"gdiplus"="gdiplus.dll"
"IMAGEHLP"="IMAGEHLP.dll"
"IMM32"="IMM32.dll"
"kernel32"="kernel32.dll"
"LPK"="LPK.dll"
"MSCTF"="MSCTF.dll"
"MSVCRT"="MSVCRT.dll"
"NORMALIZ"="NORMALIZ.dll"
"NSI"="NSI.dll"
"ole32"="ole32.dll"
"OLEAUT32"="OLEAUT32.dll"
"PSAPI"="PSAPI.DLL"
"rpcrt4"="rpcrt4.dll"
"sechost"="sechost.dll"
"Setupapi"="Setupapi.dll"
"SHELL32"="SHELL32.dll"
"SHLWAPI"="SHLWAPI.dll"
"user32"="user32.dll"
"WLDAP32"="WLDAP32.dll"
"WS2_32"="WS2_32.dll"
 
I know that there is a way to run the registry editor (regedit) as the "system" user. I've used that at times in the past to take ownership of prohibited registry entries.
I couldn't tell you how to do it, though I'm guessing a google of that could.
 
Tried the run-as-SYSTEM approach. Unfortunately the interactive service detection service puts up a dialog that overtakes my entire screen and there is no way to interact with the dialog so I had to exit out of things harshly. May have something to do with my 4K screen resolution as the dialog that came up was poorly formatted and I could not use the mouse to deal with the dialog.
 
My bet is that trying again with that value at 100% might let you see the info unbugged in order to set it.
 
When I did it as system, I had to give myself ownership (cause it to inherit downstream). Then explicitly add my username as a user. Then explicitly give myself full access. I think on a few folders I even had to do it key by key, as it wouldn't allow inheritance. Did you add yourself as a principal?
 
Ok. Here is what I did.

1. I downloaded psexec 2.11 from PsExec

2. I run psexec -i -s CMD to open a CMD prompt as the system user.

3. I open regedit.exe from windows/system32

4. I now have dangerous power to mess things up. So I write down everything I change and export it so that I can carefully re-instate permissions when I'm done.
 
NoChance,

That worked for me.

Would only modify your steps above to include (1) copying that particular psexec tool to the System32 folder so it is easier to use in the command prompt window, (2) restoring ownership of the key from Administrators to TrustedInstaller afterwards. That last bit requires one to enter:
NT SERVICE\TrustedInstaller in the change owner dialog to get the TrustedInstaller back as owner when all is finished.

Thanks!
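
Added example (not part of any post in this thread): a PowerShell sketch for the "write down everything and export it" step and the final ownership check described above. It records the key's owner, ACL and values before any change, then confirms afterwards that the owner is back to NT SERVICE\TrustedInstaller and that both DllDirectory values exist. The output folder and the function names are assumptions.

```powershell
# Added example: snapshot and verify the KnownDLLs key around a manual repair.
# Read-only against the registry; it only writes files under $OutDir.
$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
$RegPath  = 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
$Expected = 'NT SERVICE\TrustedInstaller'   # owner named in the thread

function Save-KnownDllsBaseline {
    # $OutDir is a hypothetical location; pick any folder you control.
    param([string]$OutDir = 'C:\Temp\KnownDLLs-baseline')
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $acl = Get-Acl -Path $KeyPath
    # The SDDL string carries owner, group and DACL in one comparable value.
    $acl.Sddl | Set-Content -Path (Join-Path $OutDir 'acl.sddl')
    # Human-readable copy of each access rule for later review.
    $acl.Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
        Export-Csv -Path (Join-Path $OutDir 'aces.csv') -NoTypeInformation
    # Export the values themselves so the key can be compared or re-imported.
    & reg.exe export $RegPath (Join-Path $OutDir 'KnownDLLs.reg') /y | Out-Null
    "Baseline saved to $OutDir (owner was: $($acl.Owner))"
}

function Test-KnownDllsRestored {
    param([string]$OutDir = 'C:\Temp\KnownDLLs-baseline')
    $acl      = Get-Acl -Path $KeyPath
    $baseline = (Get-Content -Path (Join-Path $OutDir 'acl.sddl') -Raw).Trim()
    $names    = (Get-Item -Path $KeyPath).GetValueNames()
    [pscustomobject]@{
        Owner                   = $acl.Owner
        OwnerIsTrustedInstaller = ($acl.Owner -eq $Expected)
        AclMatchesBaseline      = ($acl.Sddl -eq $baseline)
        HasDllDirectory         = ($names -contains 'DllDirectory')
        HasDllDirectory32       = ($names -contains 'DllDirectory32')
    }
}

# Usage: run Save-KnownDllsBaseline before changing anything,
# then Test-KnownDllsRestored once ownership has been handed back.
```

If AclMatchesBaseline is False after the repair, compare the current access rules against aces.csv to find the entry that was added while the key was owned by Administrators.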
 
