SoaperGEM SoaperGEM - 2 months ago 45x
C# Question

How do I programmatically give ownership of a Registry Key to Administrators?

I ran into a bizarre issue when I upgraded some machines to Windows 10 where incorrect permissions on RuntimeBroker caused problems. I found a solution online that recommended changing permissions (first in the registry, then in DCOM configuration), and I'm trying to write a small .NET application to automate the process.

Presently the owner of the relevant registry keys is

NT SERVICE\TrustedInstaller
and I'm trying to change it to
. I have a simple WPF application with the requestedExecutionLevel set to "requireAdministrator," but I'm still running into problems. Here's a snippet of code to illustrate the problem:

using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

namespace PermissionFixer
public class Fixer
public void Fix()
var subKey = Registry.ClassesRoot.OpenSubKey(@"AppID\{9CA88EE3-ACB7-47c8-AFC4-AB702511C276}", true);
if (subKey != null)
var admins = new NTAccount("Administrators");
var ac = subKey.GetAccessControl();
ac.AddAccessRule(new RegistryAccessRule(admins, RegistryRights.FullControl, AccessControlType.Allow));

The trouble is that it doesn't even get past the call to
before hitting a
that says "Requested registry access is not allowed." I think that's because Administrators doesn't yet have the access (remember it belongs to TrustedInstaller), but it becomes a bit of a chicken and egg problem. The strange thing is that when I use
by hand I am allowed to change the owner to Administrators, and I'm pretty sure my instance of regedit is running as Administrators.

How can I get this working in .NET?


I figured it out, and fortunately it is possible to achieve with the .NET classes. Here is how you have to call OpenSubKey:

var subKey = Registry.ClassesRoot.OpenSubKey(@"AppID\{9CA88EE3-ACB7-47c8-AFC4-AB702511C276}", RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership);

Then you have to nix the call to AddAccessRule()... you can't modify that until you have ownership; and you have to do those two operations in serial. So take ownership first, then re-open the key with different access rights to add the access rule.