Regperm for Win NT/2000/XP

Version 1.10
Copyright 2001 University of Wisconsin - Madison, CAE Center



Regperm is a console based utility for setting and modifying registry permissions in Win NT/2000/XP. It is able to work remotely.


System Requirements



Regperm will work from any directory and requires no special installation considerations.


Using Regperm

Windows uses the concept of Discretionary Access Control Lists (DACLs) along with Access Tokens to control who has access to various resources. When a user logs in to Windows, the Security Accounts Manager (SAM) is queried and returns an access token representing the user and any groups they may belong to. This token is then attached to the users shell (typically explorer.exe) and is used to access resources such as files, registry keys and other processes.

A DACL is a list of Access Control Entries (ACEs) that describe who may (or may not) use a particular resource along with what their rights are. Each key in the registry has its own DACL with ACEs for users/groups. When a call to access the registry is made, each ACE is checked to see if it matches the user or group. If it does then the appropriate permissions are checked to see whether to allow the action in question. Upon the first successful match whether it be an Allow or Deny, the appropriate action is taken. If no matches are found, the the request is denied.

Regperm is used to change the permissions on registry keys by modifying their DACLs. You may edit an existing DACL or replace it entirely. You may allow users certain rights or deny them the same. You may also propogate the modifications to the subkeys of a particular registry key.

REGPERM  [\\COMPNAME]  /K REGKEY  /A:<User>:<Permissions>  /D:<User>:<Permissions>  /R  /I  /F  /S  /E  /C  /Q  /?

 \\COMPNAME Name of the remote machine to set permissions on (Optional).
 /K REGKEY Name of the registry key to apply permissions to. Use the full path (ie: HKEY_LOCAL_MACHINE\Software\Microsoft). If connecting to a remote machine, then only HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER and their subkeys can be specified. If there is a space in the key path, then it must be enclosed in double quotes.
 /A:<X>:<Y> Allow access for user/group X with permissions Y.
 /D:<X>:<Y> Deny access for user/group X with permissions Y.
 /S Replaces entire DACL for registry key with that specified (Default).
 /E Edits DACL for registry key instead of replacing.
 /R Explicitly set DACLs on all child subkeys.
 /I Turn on Inheritance for this subkey.
 /F Force subkeys to Inherit.
 /C Continue through recoverable errors.
 /Q Quiet mode, don't display output messages.
 /INFO Display version information about Regperm.
 /? Display help screen/usage syntax.

 Q - Query value  Q - create Link
 W - Write value  D - Delete
 C - Create subkey  S - read Security info
 E - Enumerate subkeys  A - write DACL
 N - Notify changes  O - write Owner
 R - Read (same as QENS)  F - Full access (same as QWCENLDSAO)

When specifying a user or group for permissions, this program assumes a single-word user/group name. If there are spaces in the name, then you must enclose the name with double-quotes. Group names such as: Administrators, Everyone, Power Users, etc... are valid although it is possible in WinNT to create a local user account with the name matching that of an existing group. In this case, the user account masks the group account, leading to possibly undesired results.

Command line parameters specified later take precedence over those specified earlier.


Grant everyone full access to the key: HKEY_LOCAL_MACHINE\Software\My Company
REGPERM  /K "HKEY_LOCAL_MACHINE\Software\My Company"  /A:Everyone:F  /E

Give administrator full access and everyone read access to the key: HKEY_LOCAL_MACHINE\ Software\Widgets and all subkeys, replacing existing DACLs
REGPERM  /K HKEY_LOCAL_MACHINE\Software\Widgets  /A:Administrators:F  /A:Everyone:R  /R

Give user Joe Bob read/write access to key: HKEY_LOCAL_MACHINE\Software\Adobe on machine Minerva
REGPERM  /K HKEY_LOCAL_MACHINE\Software\Adobe  \\Minerva  /A:"Joe Bob":RWCD  /E  /R

Give everyone read/write access to key: HKEY_LOCAL_MACHINE\Software\Adobe and turn on inheritance, forcing subkeys to accept DACL
REGPERM  /K HKEY_LOCAL_MACHINE\Software\Adobe  /A:Everyone:RWCD  /E  /I  /F



On Windows 2000/XP, if you check the permissions for a key in regedt32, you may notice that they do not show up correctly. If you click on the Advanced tab, you will see the correct permissions appear there.


Version History

Version 1.1.0

Version 1.0.0

Regperm was written by Jeremy Parker for the Computer Aided Engineering Center at the University of Wisconsin-Madison. You may contact him at