… is simple. But before jumping into code sample make sure to familiarize yourself with ObjectSecurity.SetAccessRuleProtection.

And here’s the PowerShell script code:

$acl = Get-Acl HKLM:\Software\Foobar\Product

# Disable inheritance for this key (true), remove inherited access rules (false):

$acl.SetAccessRuleProtection($true, $false)

# Remove all permissions for "NT AUTHORITY\SYSTEM":

$acl.Access | where {$_.IdentityReference.Value -eq "NT AUTHORITY\SYSTEM"} | %{$acl.RemoveAccessRule($_)}
Set-Acl HKLM:\Software\Foobar\Product $acl

# Set Read-only permissions for "NT AUTHORITY\SYSTEM":

$acl = Get-Acl HKLM:\Software\Foobar\Product
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("NT AUTHORITY\SYSTEM","ReadPermissions","Allow")
$acl.AddAccessRule($rule)
Set-Acl HKLM:\Software\Foobar\Product $acl

# Now if you create subkey it will not inherit permissions from parent key:

$rootRegPath = Join-Path -path $rootRegPath -childPath SomeProduct
new-item -path $rootRegPath