When working with Windows Registry keys like HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder, administrators often encounter a frustrating limitation: by default, local administrators only have Read permissions. This prevents critical modifications through automation scripts.
The most reliable method combines PowerShell with the legacy regini.exe utility. First, create a permission definition file:
$aclConfig = @"
HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder [1 5 7 17]
"@
$aclConfig | Out-File -FilePath "C:\temp\regperms.txt" -Encoding ASCII
Then apply the changes:
Start-Process -FilePath "regini.exe" -ArgumentList "C:\temp\regperms.txt" -Verb RunAs
For systems with PowerShell 5.1+, use the Registry provider:
$regPath = "HKCR:\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder"
$acl = Get-Acl $regPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule (
"BUILTIN\Administrators",
"FullControl",
"ContainerInherit,ObjectInherit",
"None",
"Allow"
)
$acl.SetAccessRule($rule)
Set-Acl -Path $regPath -AclObject $acl
For pure CMD environments, use subinacl.exe (requires download from Microsoft):
subinacl /keyreg HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder /grant=administrators=F
Confirm the changes took effect:
Get-Acl HKCR:\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder |
Format-List -Property AccessToString
- Always create a registry backup first:
reg export HKCR\CLSID\{323CA680...} backup.reg - Consider restricting permissions to specific SIDs rather than whole administrator group
- For production systems, document permission changes in change control systems
If you encounter "Access Denied" errors:
- Run commands as Administrator
- Check for inheritable permissions blocking changes
- Verify no other processes have the key locked (use Process Monitor)
When working with the Windows Registry, you might encounter situations where even local administrators only have read permissions on certain keys. A common example is:
HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolderWhile you can easily modify these permissions through regedit's GUI, automating this process via command line tools is less straightforward.
The most robust way to handle this is through PowerShell. Here's a complete script that grants Full Control to Administrators:
$registryPath = "HKCR:\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder"
$acl = Get-Acl $registryPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("BUILTIN\Administrators","FullControl","Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $registryPath -AclObject $aclFor pure CMD solutions, Microsoft provides REGINI.exe in the Windows Resource Kit. First create a text file (perms.txt):
HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder [1 5 7 17]Then run:
REGINI perms.txtThe numbers represent:
1 - Administrators Full Control
5 - Interactive Users Read
7 - System Full Control
17 - Creator Owner Full Control
Before modifying registry permissions:
- Always back up the registry key first
- Understand why the restrictive permissions exist
- Consider whether you really need Full Control or if Modify would suffice
- Document your changes for future administrators
If you get "Access Denied" errors:
# First take ownership if needed
takeown /f "C:\Windows\System32\config\*" /r /d yFor 64-bit systems, remember HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes. You may need to modify both.