Powershell : Add Security ACL to Key

I had a requirement to add an entry to the security ACL on the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security, which is where the permissions for the "Security" event log are held.

The reason for this is that membership of "Event Log Readers" on its own did not let the account read the Security log on every server, domain controllers in particular, so an additional permission is needed on this key as well before code or a script can read this event log.

Without completing this step you will get the error "You are not authorized to perform this operation" and your script will fail to query this log. These are the default permissions on the key:

We need to add the user account that will read these logs to this ACL. To be clear, this is the ACL on the key itself, not the contents of the key: it is NOT the item with the red box around it, it is the folder called Security with the green box:

This is done with PowerShell. The script below adds the service account we are using; replace <domain account> with a valid account before running it.

$keyPath = "SYSTEM\CurrentControlSet\Services\EventLog\Security"
$account = "<domain account>"

try {
    # ChangePermissions (WRITE_DAC) is needed to write the DACL, and ReadPermissions
    # (READ_CONTROL) is needed so GetAccessControl() can read the current one first.
    $rights = [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor [System.Security.AccessControl.RegistryRights]::ChangePermissions
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)

    if ($null -ne $key) {
        $acl = $key.GetAccessControl()
        # No inheritance flags, so the new ACE applies to this key only, not to subkeys
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule($account, "ReadKey", "Allow")
        $acl.AddAccessRule($rule)
        # Write the modified DACL back to the key; nothing changes until this call
        $key.SetAccessControl($acl)
        $key.Close()
        Write-Host "Read access granted to $account successfully."
    } else {
        Write-Host "Failed to open registry key. Key may not exist or you may not have sufficient permissions."
    }
} catch {
    Write-Host "An error occurred while updating registry permissions:`n$_"
}
When you run this it must be from an elevated PowerShell session (Run as administrator), even if your account is already a local administrator, because a non-elevated admin token cannot change permissions on keys under HKLM\SYSTEM. The output should look like this:

If you then check the ACL on the key you will see your account listed with Read access, which is exactly what is required. It shows up under Special permissions because the rule was created without inheritance flags, so it applies to the current key only and not to any subkeys.

On closer inspection that is exactly what we got, which is just enough for what the script needs to do.
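The following is an added example, not code from the original post: it verifies that the ACE created above is present, is an Allow entry carrying the full ReadKey right and applies to this key only, exercises the read path, and provides a rollback for when the account is retired. The account name CONTOSO\svc-logreader, the function names and the use of Get-WinEvent for the read test are assumptions for illustration; the key path is the one from the post.

```powershell
# Added example, not part of the original post: verify the ACE the script
# above creates, exercise the log read, and roll the change back if required.
# Assumptions: same key path as the post; 'CONTOSO\svc-logreader' is a
# placeholder for the real service account. Run from an elevated PowerShell.
$keyPath = 'SYSTEM\CurrentControlSet\Services\EventLog\Security'
$account = 'CONTOSO\svc-logreader'   # placeholder, replace with the real account

function Get-SecurityLogKeyAce {
    # Returns the explicit (non-inherited) ACEs on the key for one identity.
    param(
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][string]$Identity
    )
    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    $acl = Get-Acl -Path ("HKLM:\" + $SubKey)
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                Identity    = $_.IdentityReference.Value
                Type        = $_.AccessControlType
                Rights      = $_.RegistryRights
                # ReadKey is a composite right; check that every bit of it is present.
                HasReadKey  = (($_.RegistryRights -band $readKey) -eq $readKey)
                # InheritanceFlags None means "this key only", which is what a
                # rule created without inheritance flags produces.
                ThisKeyOnly = ($_.InheritanceFlags -eq [System.Security.AccessControl.InheritanceFlags]::None)
            }
        }
}

function Remove-SecurityLogKeyAce {
    # Rollback: drop every explicit ACE for the identity, using the same
    # .NET calls as the post so the DACL is rewritten in place.
    param(
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][string]$Identity
    )
    $rights = [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor [System.Security.AccessControl.RegistryRights]::ChangePermissions
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
    if ($null -eq $key) { throw "Could not open HKLM\$SubKey" }
    try {
        $acl = $key.GetAccessControl()
        $removed = 0
        # GetAccessRules returns a snapshot, so removing from $acl while looping is safe
        foreach ($rule in $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])) {
            if ($rule.IdentityReference.Value -eq $Identity) {
                [void]$acl.RemoveAccessRule($rule)
                $removed++
            }
        }
        if ($removed -gt 0) { $key.SetAccessControl($acl) }
        return $removed
    } finally {
        $key.Close()
    }
}

# 1. Confirm the ACE exists, is an Allow, grants ReadKey, and applies to this key only.
$ace = Get-SecurityLogKeyAce -SubKey $keyPath -Identity $account
if (-not ($ace | Where-Object { $_.Type -eq 'Allow' -and $_.HasReadKey -and $_.ThisKeyOnly })) {
    Write-Warning "No suitable Allow/ReadKey ACE for $account on HKLM\$keyPath"
} else {
    $ace | Format-Table -AutoSize
}

# 2. Exercise the read path. Run this part as the service account itself
#    (for example in a session started with runas), not as the administrator.
try {
    $latest = Get-WinEvent -LogName Security -MaxEvents 1 -ErrorAction Stop
    Write-Host ("Security log readable; newest record {0} at {1}" -f $latest.RecordId, $latest.TimeCreated)
} catch {
    Write-Warning "Security log not readable as $env:USERDOMAIN\$env:USERNAME : $_"
}

# 3. Rollback when the account is retired (uncomment to use):
# Remove-SecurityLogKeyAce -SubKey $keyPath -Identity $account
```

Step 1 and step 3 need an elevated session for the same reason as the original script. Step 2 only proves anything when it runs under the service account's own token, so run it in a separate session started as that account; if the warning still appears there, the ACE is in place but something else (for example the log's own channel access policy) is still blocking the read.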
