Category Archives: PowerShell

Managing Windows registry permissions with PowerShell

… is simple. But before jumping into code sample make sure to familiarize yourself with ObjectSecurity.SetAccessRuleProtection.

And here’s the PowerShell script code:

$acl = Get-Acl HKLM:\Software\Foobar\Product

# Disable inheritance for this key (true), remove inherited access rules (false):
$acl.SetAccessRuleProtection($true, $false)

# Remove all permissions for "NT AUTHORITY\SYSTEM":
$acl.Access | where {$_.IdentityReference.Value -eq "NT AUTHORITY\SYSTEM"} | %{$acl.RemoveAccessRule($_)}
Set-Acl HKLM:\Software\Foobar\Product $acl

# Set Read-only permissions for "NT AUTHORITY\SYSTEM":
$acl = Get-Acl HKLM:\Software\Foobar\Product
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("NT AUTHORITY\SYSTEM","ReadPermissions","Allow")
$acl.AddAccessRule($rule)
Set-Acl HKLM:\Software\Foobar\Product $acl

# Now if you create subkey it will not inherit permissions from parent key:
$rootRegPath = Join-Path -path $rootRegPath -childPath SomeProduct
new-item -path $rootRegPath

PowerShell: capturing output to log file and console

Recently I had to redirect full PowerShell session to both console and log file. Full means both stdout and stderr needs to be redirected. Working code is worth thousand words:

 

$ErrorActionPreference="SilentlyContinue"
Stop-Transcript | out-null
$ErrorActionPreference = "Continue"

$OutputFileLocation = "C:\output.log"
Start-Transcript -path $OutputFileLocation -append

Write-Host "This will go into output.log"

# redirecting both STDOUT and STDERR (2>&1) to transcript:
robocopy.exe C:\ D:\ readme.txt 2>&1 | out-host

Stop-Transcript

 

Line 11 deserves additional explanation. Due to a PowerShell bug 315875 output from native applications will not be captured. That being said, the workaround is to combine stdout and stderr and redirect it to a out-host.

The only remaining limitation is that stderr will be interpreted by PowerShell as error (and rightly so!) and thus printed out in red. While it is a little annoying, your output log doesn’t have colors 🙂