BSchwarz
Administrator
ACL problem on registry key: ACL – non-canonical form
Background:
I’m modifying a 3rd-party MSI-package with a custom action which sets permissions on a registry key installed by the 3rd-party MSI in the HKLM hive. The custom action is a Powershellscript that use the Set-Acl cmdlet. My target machines are running Windows
10 1607.
This is what the powershell-script looks like:
$ACLPath
= "HKLM:\SOFTWARE\RCO"
$NewACL
= Get-Acl
$ACLPath
$NewRule
= New-Object
System.Security.AccessControl.RegistryAccessRule("BUILTIN\Anv?ndare","FullControl","Allow")
$NewACL.SetAccessRule($NewRule)
Set-Acl
-Path $ACLPath
-AclObject $NewACL
My encountered issue:
When the script attempts to edit the ACL ($NewACL.SetAccessRule($NewRule))
the action fails explaining that ”This access control list is not in canonical form and thus cannot be modified”
copy paste of error message:
PS C:\WINDOWS\system32> Z:\Projects\890.RCO_R-CARD_M5_5.42.2\Scripts\ACL2.ps1
Exception calling "SetAccessRule" with "1" argument(s): "Denna ?tkomstkontrollista ?r inte i kanonisk form och kan d?rf?r inte modifieras."
At Z:\Projects\890.RCO_R-CARD_M5_5.42.2\Scripts\ACL2.ps1:8 char:1
+ $NewACL.SetAccessRule($NewRule)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When I open RegEdit and try to open the permissions on the registry key in question i get the following dialog:
”The permissions of RCO are incorrectly sorted and this may mean that certain items are not valid.”
”-Press Sort to sort the permissions correctly.”
”-Press Cancel if you do not want to make any changes (the view will be read-only)”
Pressing the ’Sort’ button will solve the problem - running the script will not fire any errors.
My question is if there is a way to perform this ’Sort’ or 'repair' function on a registry key ACL from powershell or vbscript, to include in the custom action script.
More...
Background:
I’m modifying a 3rd-party MSI-package with a custom action which sets permissions on a registry key installed by the 3rd-party MSI in the HKLM hive. The custom action is a Powershellscript that use the Set-Acl cmdlet. My target machines are running Windows
10 1607.
This is what the powershell-script looks like:
$ACLPath
= "HKLM:\SOFTWARE\RCO"
$NewACL
= Get-Acl
$ACLPath
$NewRule
= New-Object
System.Security.AccessControl.RegistryAccessRule("BUILTIN\Anv?ndare","FullControl","Allow")
$NewACL.SetAccessRule($NewRule)
Set-Acl
-Path $ACLPath
-AclObject $NewACL
My encountered issue:
When the script attempts to edit the ACL ($NewACL.SetAccessRule($NewRule))
the action fails explaining that ”This access control list is not in canonical form and thus cannot be modified”
copy paste of error message:
PS C:\WINDOWS\system32> Z:\Projects\890.RCO_R-CARD_M5_5.42.2\Scripts\ACL2.ps1
Exception calling "SetAccessRule" with "1" argument(s): "Denna ?tkomstkontrollista ?r inte i kanonisk form och kan d?rf?r inte modifieras."
At Z:\Projects\890.RCO_R-CARD_M5_5.42.2\Scripts\ACL2.ps1:8 char:1
+ $NewACL.SetAccessRule($NewRule)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When I open RegEdit and try to open the permissions on the registry key in question i get the following dialog:
”The permissions of RCO are incorrectly sorted and this may mean that certain items are not valid.”
”-Press Sort to sort the permissions correctly.”
”-Press Cancel if you do not want to make any changes (the view will be read-only)”
Pressing the ’Sort’ button will solve the problem - running the script will not fire any errors.
My question is if there is a way to perform this ’Sort’ or 'repair' function on a registry key ACL from powershell or vbscript, to include in the custom action script.
More...
