Setting registry permissions error "Set-Acl : Requested registry access is not allowed."

Question

I'm trying to set a registry permission to FullControl but keep getting this error. Everything works fine until the Set-Acl. What am I doing wrong?

New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT

$acl = Get-Acl HKCR:\CLSID\"{000C1090-0000-0000-C000-000000000046}"\InprocServer32

$newOwner = [System.Security.Principal.NTAccount]"$env:userdomain\$env:username"
$acl.SetOwner($newOwner)

$person = [System.Security.Principal.NTAccount]"Administrators"
$access = [System.Security.AccessControl.RegistryRights]"FullControl"
$inheritance = [System.Security.AccessControl.InheritanceFlags]"None"
$propagation = [System.Security.AccessControl.PropagationFlags]"None"
$type = [System.Security.AccessControl.AccessControlType]"Allow"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule("$person","$access","$inheritance","$propagation","$type")
$acl.SetAccessRule($rule)

$acl | Set-Acl

Answer 1

You cannot assign a new owner to a file or folder unless you have certain rights, and have those rights enabled in the current process. Normally, ownership is given by allowing someone else to take ownership themselves. This ensures the integrity of the auditing process. The right in particular is SeBackupPrivilege.

That said, I'm not saying it's impossible. Download the powershell community extensions and follow the instructions I posted here:

http://pscx.codeplex.com/Thread/View.aspx?ThreadId=214175

-Oisin