Open WildByDesign opened 1 week ago
The GrantAccess tool is mostly intended as a support aid I developed to better understand the Windows APIs for programmatic file system permissions in conjunction with security sandboxing. I recommend instead using icacls for serious usage, since this is an official Microsoft tool bundled with Windows. I just updated https://github.com/forderud/RunInSandbox?tab=readme-ov-file#grantaccess to clearly state that icacls is a recommended alternative.
This didn't answer your registry permission question though. I haven't looked into this myself though, so it will probably be quite low on the priority list.
That is understandable. I do still quite often use icacls in some scripting. Particularly, I use `icacls D:\Example /grant *S-1-15-2-2:(X,RD,RA)` for enabling access to ALL RESTRICTED APPLICATION PACKAGES (LPAC) for particular directories. Although most of the time I use the specific AC SID to be a bit more secure depending on the scenario.
I have a GUI program (SetAppContainerACL) that can set AppContainer ACLs for directories, individual files and also registry keys. But having a command line tool would be so much more handy when automating things.
There is only one command line tool that I know of that is capable of setting ACLs for AppContainers by specific SID and that is SetACL (https://helgeklein.com/setacl/). The only problem is that it is not open source and cannot be included in other projects without specific permission.
Have you tried to follow the instructions in https://learn.microsoft.com/nb-no/troubleshoot/windows-client/application-management/change-registry-values-permissions for changing registry permissions?
Interesting. No, I don't believe that I have ever looked into regini before. I will do some research on it today and see what possibilities there are. Thank you.
I have a feeling that what you really need is a tool for determining the SID for a given AppContainer. I've therefore just added an AppContainerSid command-line tool in https://github.com/forderud/RunInSandbox/pull/16
You can pass the AppContainer SID from this tool to icacls and other standard tools to tweak file (and possibly registry) permissions for a given AppContainer.
This AppContainerSid tool is quite nice. Thank you. I can definitely put it to good use. This actually reminded me that PowerShell does registry ACL permissions as well. I hadn't used PowerShell registry ACL permissions in a few years so I had forgotten about it.
AppContainerSid combined with PowerShell should work well together. I am certainly happy with this. I appreciate it.
It is totally up to you, but you can close this issue if you want. Or if you want to keep it open as a lower priority thing for later, it is up to you. Cheers!
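The PowerShell registry ACL approach mentioned in the comment above, as an added example that is not part of the thread or of the RunInSandbox project. The function name `Grant-AppContainerRegistryRead` and the key `HKCU:\Software\ExampleSandboxKey` are hypothetical; the SID `S-1-15-2-2` is the one quoted earlier in the thread, and a per-AppContainer SID string would be passed the same way.

```powershell
# Added example: grant read-only registry access to an AppContainer SID.
# Function name and key path are hypothetical, constructed for illustration.
function Grant-AppContainerRegistryRead {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $KeyPath,  # e.g. HKCU:\Software\ExampleSandboxKey
        [Parameter(Mandatory)] [string] $Sid       # AppContainer SID string (S-1-15-2-...)
    )

    # Accept only SIDs in the S-1-15-2-* range, so a mistyped value
    # cannot end up granting access to a user or group account.
    if ($Sid -notmatch '^S-1-15-2-\d+(-\d+)*$') {
        throw "Not an AppContainer SID: $Sid"
    }

    $identity = [System.Security.Principal.SecurityIdentifier]::new($Sid)

    # ReadKey only (least privilege); ContainerInherit applies it to subkeys.
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $identity,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -Path $KeyPath
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($KeyPath, "Grant ReadKey to $Sid")) {
        Set-Acl -Path $KeyPath -AclObject $acl
    }

    # Read the key's ACL back and return the explicit entries for this SID,
    # so the caller can confirm what was actually written.
    (Get-Acl -Path $KeyPath).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $Sid }
}

# Demo on a throwaway key under HKCU (constructed for this example).
$key = 'HKCU:\Software\ExampleSandboxKey'
New-Item -Path $key -Force | Out-Null
Grant-AppContainerRegistryRead -KeyPath $key -Sid 'S-1-15-2-2'
```

Running it with `-WhatIf` shows the intended change without writing the ACL.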
It would be great if GrantAccess could also set ACL permissions on registry keys with the same options (all AppContainers or per-AC) as you have for filesystem already.
Please feel free to close this issue/request if you have no intentions to add it. I really don't want to put pressure on this.
Thank you for your time.