The Owner Manager for Registry keys
Version 2.0
Help file
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de) - All rights reserved!
Last changed: 10. January 2001
Introduction
What is RegOwner good for?
RegOwner allows you to query and change the owner of any Windows NT Registry key - if you have the necessary permissions. You can of course use the program RegEdt32 to read the owner or to take ownership, but searching for keys with or without a certain owner is impossible with RegEdt32, as is giving the ownership to any account. You can use RegOwner on the command line and in batch files.

What licence terms apply to the use of RegOwner?
This software was developed with the greatest attention to detail. However, the author cannot guarantee that it runs flawlessly under every version of Windows NT or on every computer. Use of this program is at your own discretion. The copyright holder provides the program "as is" without warranty of any kind. RegOwner is a very powerful tool, and with one wrong command you can cause much havoc on your machines! So make sure you know what you are doing when using this tool! Reading and understanding this document should help you to avoid mistakes!
RegOwner is available only as part of RegTools for Windows NT. You are not allowed to use or distribute it outside the company or organization for which it is licensed!

What are the requirements to use the program successfully?

Options

This help screen will pop up when you type RegOwner /?:
RegOwner 2.0 - Owner manager for Registry keys 
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) 

Usage: RegOwner Key Commands 
  Key: [\\computer\]root[\subkey] 
    \\computer:  remote machine 
    root: HKLM, HKU, HKCU, HKCC or HKCR 
    subkey: path to the key you want to change or query  

 Query Commands: 
    /L        List (show the owner) 
    /Qxx      Query (Is xx the owner of the key?) 
    /Fxx      Find all subkeys with xx as owner 
    /Nxx      Find all subkeys where xx is NOT the owner  

 Change Commands: 
    /Sxx      Set owner to xx 
    /T        Take ownership  

 Other Commands: 
    -Subtree      Apply to entire subtree (needless with /F, /PI, /Propagate) 
    -ANSI         Use ANSI character set instead of OEM character set 
    -?            This help screen 

  Options for xx: 
    GE = really "Everyone" 
    GA = predefined group "Administrators" 
    GU = predefined group "Users" 
    GT = predefined group "Authenticated Users" 
    GI = predefined group "Interactive" 
    GN = predefined group "Network" 
    GS = predefined group "System" 
    GO = predefined group "Creator Owner" 
    GV = predefined group "Service" 
    GL = predefined group "Local" 
    GB = predefined group "Batch" 
    GY = predefined group "Anonymous Logon" 
    GP = predefined group "System operators" 
    DA = group "Domain-Administrators" 
    DU = group "Domain-Users" 
    DG = group "Domain-Guests" 
    ALzzz =        Local account zzz of the machine 
    ADzzz =        Domain account zzz 
    AQsource\zzz = any Qualified account source\zzz 

Type "RegOwner /? | more" if your window is too small for this help screen. 
Examples are available in the help file RegOwner_e.htm

The help screen of RegOwner
These many parameters might seem a little confusing at first glance, but I will describe every option in turn, so that in the end no questions are left unanswered.
First you need to provide the following information to RegOwner:

  1. The full path to the Registry key whose owner you wish to modify.
  2. At least one command specifying the query to run or the change to make to the specified Registry key. If no command is specified, the program will do (surprise!) nothing.
Note: Parameters are not case sensitive.

Specifying a Registry key

The Registry key that you specify may be on the local machine or on a remote machine. The path must be the first parameter and in UNC format if the key is on a remote machine:
[\\Computer\]Root[\Subkey]

Example: [\\PegasusNT1\]HKLM\System\CurrentControlSet\Enum

If no computer name is specified then the local machine will be used. If you don't specify a subkey, the root key is used. One of the following abbreviations is used for the five possible root keys:
HKLM - HKEY_LOCAL_MACHINE
HKU  - HKEY_USERS
HKCU - HKEY_CURRENT_USER
HKCC - HKEY_CURRENT_CONFIG
HKCR - HKEY_CLASSES_ROOT
If the Registry path contains spaces, then the entire path must be enclosed within "double quotes". (You may always use double quotes as a matter of habit; doing so has no adverse effects.)
Note: HKCU is not allowed on remote machines, because this would make no sense!
 
Switches
The switch -ANSI
With the -ansi switch you tell the program to use the ANSI character set instead of the default OEM character set. As you probably know, OEM is the default character set of the command line window. ANSI is the usual character set for most GUI programs. The use of this option is recommended if you pipe the output of the utility into a file, which will be processed with a GUI program later.

The switch -SUBTREE
With the -SUBTREE switch you tell RegOwner to apply the command(s) to the specified key and its entire subtree, instead of just working with the key itself. Only the commands /L, /S or /T are allowed together with the switch -SUBTREE.

Commands
The search commands /Q, /F and /N are not allowed together with other commands. Commands are processed in the following order:

  1. If found, one of the commands /F or /N is executed for the entire subtree and the program will halt.
  2. If found, the command /L is executed.
  3. If found, the command /Q is executed and the program will halt.
  4. If the program is not halted at this point, then any remaining commands are executed from left to right.

The command /L
With the /L command (List owner) you can display the owner of the key or its entire subtree (in conjunction with the -SUBTREE switch).

The command /Q (Query owner)
With this command you can query a key - whether its owner is the specified account or not. RegOwner returns the result of the query in two different ways. First, it prints the answer as a line of text; second, it answers with different return values. If the specified account matches the owner, RegOwner will return 0. If it does not, the return value will be 1. So what is this return value good for when you can read the answer to your query on the screen?
The answer is that with this kind of functionality you can easily write your own batch script, which starts different actions depending on the ownership of a registry key! A very simple example follows to illustrate this. The script test.cmd could be used as follows (note: with the "^" char you can span a command over multiple lines in batch scripts):
 
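@echo off
rem /QGA asks: is the predefined group "Administrators" the owner? 0 = yes, 1 = no
rem The continuation line starts with a space, because "^" also escapes the first character of the next line
RegOwner hklm\software /qga && echo All (?) is OK^
 || echo Somebody did manipulate the owner of hklm\software!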

When you call test.cmd, either the command after && or the command after || will be executed. You could of course replace the echo command with something more useful, maybe a command which writes an entry into the eventlog or sends an email to you when an important key with too many permissions is found! Your imagination is the only limit!

Attention!
You alone are responsible for ensuring that RegOwner is called with valid parameters when you want to start certain actions depending on the return value! For instance, when you specify a path to a nonexistent key, the program will always halt with an error! A good practice would be to call RegOwner first with the command /L. If this return value is 0, you can be sure that the path exists and that you can access it (you have the necessary permission and the network connection is up). When you then use the command /Q, you can be sure that the return value really is an answer to your question instead of an error code. The same is true if you use /Q in conjunction with an invalid command or switch (like -SUBTREE).
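
The practice described above (call /L first, then /Q), written out as a batch script. This is an added example, not part of the original help file; it assumes RegOwner is on the PATH, and the key, the owner code GA and the script's own exit codes 0, 1 and 2 are sample choices.

```batch
@echo off
rem Added example: verify the owner of a key without mistaking an error for an answer.
rem Assumptions: RegOwner is on the PATH; KEY and OWNER are sample values.
setlocal
set "KEY=hklm\software"
set "OWNER=GA"

rem Step 1: /L returns 0 only if the key exists and can be accessed.
RegOwner "%KEY%" /L >nul
if not %errorlevel%==0 (
    echo ERROR: cannot read the owner of %KEY% - check path, permission and network
    exit /b 2
)

rem Step 2: the key is readable, so the return value of /Q is now a real answer.
rem 0 = OWNER is the owner, 1 = OWNER is not the owner.
RegOwner "%KEY%" /Q%OWNER% >nul
if not %errorlevel%==0 (
    echo ALERT: %OWNER% is not the owner of %KEY%
    rem Print the current owner so the alert records who holds the key now.
    RegOwner "%KEY%" /L
    exit /b 1
)

echo OK: %OWNER% is the owner of %KEY%
exit /b 0
```

A scheduled job can branch on the script's exit code: 2 means the check itself failed and says nothing about the owner, 1 means the owner differs from the expected account.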

The command /S (Set owner)
This command tries to set the specified account as owner of the key.
 
The command /T (Take ownership)
This command tries to set your own account as the owner of the key.
 
The command /F (Find keys)
This command returns a list of all keys in the entire subtree which belong to the specified account.

The command /N (Negation of /F)
This command returns a list of all keys in the entire subtree which do not belong to the specified account.
 
Is everything clear now?
If you have read this document carefully and still have a question or are unsure about a topic, you can send an email to fh@heysoft.de. But please check the Security FAQ for the Windows NT Registry first - your question might already be answered there. If you find errors or would like to contribute knowledge to this document, you are encouraged to email us, too.