Managing Windows registry permissions with PowerShell
… is simple. But before jumping into the code sample, make sure to familiarize yourself with ObjectSecurity.SetAccessRuleProtection, because its two boolean arguments decide whether the key stops inheriting and what happens to the rules it had already inherited.
And here’s the PowerShell script code:
$acl = Get-Acl -Path HKLM:\Software\Foobar\Product
# Stop inheriting from the parent key (isProtected = $true) and drop the inherited
# rules instead of copying them as explicit rules (preserveInheritance = $false):
$acl.SetAccessRuleProtection($true, $false)
# Remove all remaining access rules for "NT AUTHORITY\SYSTEM":
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq "NT AUTHORITY\SYSTEM" } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
Set-Acl -Path HKLM:\Software\Foobar\Product -AclObject $acl
# Grant "NT AUTHORITY\SYSTEM" only the ReadPermissions right (the right to read this
# key's ACL); use "ReadKey" instead if SYSTEM should be able to read values and subkeys:
$acl = Get-Acl -Path HKLM:\Software\Foobar\Product
$rule = New-Object System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList "NT AUTHORITY\SYSTEM", "ReadPermissions", "Allow"
$acl.AddAccessRule($rule)
Set-Acl -Path HKLM:\Software\Foobar\Product -AclObject $acl
# A subkey created now does not inherit permissions from the parent key
# (the rule added above carries no inheritance flags):
$productKeyPath = "HKLM:\Software\Foobar\Product"
$subKeyPath = Join-Path -Path $productKeyPath -ChildPath SomeProduct
New-Item -Path $subKeyPath
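After changing a key's ACL it is worth reading it back and checking that inheritance is really off and that no broad group ended up with write access. The following audit function is an added example, not part of the original post; the key path is the one used above, the function name Get-RegistryKeyAclReport and the list of "broad" identities are assumptions you can adjust.

```powershell
function Get-RegistryKeyAclReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Identities whose write access should be flagged (assumed list; adjust to your policy)
        [string[]] $BroadIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    )
    $acl = Get-Acl -Path $Path
    # Rights that let a principal modify the key, its values or its ACL
    $writeMask = [System.Security.AccessControl.RegistryRights] `
        'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $entries = foreach ($ace in $acl.Access) {
        $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                       (([int]$ace.RegistryRights -band [int]$writeMask) -ne 0)
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType
            Rights     = $ace.RegistryRights
            Inherited  = $ace.IsInherited
            AppliesTo  = $ace.InheritanceFlags   # None = this key only, no propagation to subkeys
            BroadWrite = $grantsWrite -and ($BroadIdentities -contains $ace.IdentityReference.Value)
        }
    }
    [pscustomobject]@{
        Path                = $Path
        Owner               = $acl.Owner
        InheritanceDisabled = $acl.AreAccessRulesProtected   # $true after SetAccessRuleProtection($true, ...)
        Entries             = @($entries)
        BroadWriteEntries   = @($entries | Where-Object BroadWrite)
    }
}

# Read-only check of the key configured above; nothing is modified.
$report = Get-RegistryKeyAclReport -Path 'HKLM:\Software\Foobar\Product'
"Inheritance disabled: $($report.InheritanceDisabled)"
$report.Entries | Format-Table Identity, Type, Rights, Inherited, AppliesTo -AutoSize
if ($report.BroadWriteEntries.Count -gt 0) {
    Write-Warning "Broad identities with write access: $($report.BroadWriteEntries.Identity -join ', ')"
}
```

Run it once before and once after the script above to confirm that the inherited entries are gone and that only the intended explicit entries remain.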