Run as administrator, but still "requested registry access is not allowed" - powershell

I have a Windows PowerShell script. I logged into Windows as an administrator and run the script with PowerShell running as an administrator, and it worked; I could see all the changes happen after running this script.
But I still get the red error message:
requested registry access is not allowed
which is driving me nuts.
Why am I getting this error and how can I make it go away?

If you run regedit and navigate to the key that you are trying to access with your script, you can right click on it and view the permissions. You can see on that key what permissions Administrator has (Full Control, Read, Special Permissions)

This PowerShell trick worked for me:
$Path = "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice"
$SubKey = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($Path, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::ChangePermissions)
$Acl = $SubKey.GetAccessControl()
$RemoveAcl = $Acl.Access | Where-Object {$_.AccessControlType -eq "Deny"}
$Acl.RemoveAccessRule($RemoveAcl)
$SubKey.SetAccessControl($Acl)
$SubKey.Close()
**in $Path ==> change this to your path (path after Root folder)
**in $SubKey ==> [Microsoft.Win32.Registry]::CurrentUser : change this to your needed root Registry path

Try as Local System via psexec
This here worked for me:
get psexec.exe from here: https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
use psexec.exe -i -s powershell.exe to start a new interactive (-i parameter) powershell.exe window as user Local System (-s parameter).
Inside that new powershell window try your command again.

Related

Is there a way to map a local drive in powershell when the script is set to "Run As Admin"?

This is a portion of my powershell script where I have to map a local folder to the S: Drive. I can't map New-PSDrive when my script 'Run as Admin'. If I do, it is not visible on 'My PC'. I have ran Get-PSDrive and it shows it is visible just not on 'MY PC'.
I have tried Net-Use within PS.
I have tried New-SMBmapping
New-SMBmapping -localpath 'S:' -remotepath '\\$comName\pos' -persistent $true
My script needs to Run As Admin for the rest of my script.
Currently this is the my script.
#Get Computer name
$comName = $computerNameCSV.ComputerName
#This will map folder to S drive
New-SmbShare -Name "SOP" -Path "C:\FolderShare" -FullAccess Everyone
New-PSDrive -Name "S" -Root "\\$comName\c$\FolderShare" -Persist -PSProvider "FileSystem"
Short answer:
You can't.
Long answer:
The reason is all about the User Context. When you open a normal PowerShell console, you run that console under your current user context. That is why, when you run the command to map the share in PowerShell, it shows up in your currently logged in user context.
When you launch PowerShell via Run As Admin, you create a new user context. Running commands to map the share creates the mappings inside that context, which is different than your currently logged in user context. I.e. conceptually think about Running as Admin is as if you physically logged into the machine as a different user.
One workaround would be to separate the script into two parts, the first one runs under the current user context and maps the drive, and a second one that can be launched with Admin privileges to do what is needed. e.g. Inside your script you launch the second script as admin with:
Start-Process powershell -Verb runAs AdminScript.ps1
The visibility of mapped drives between admin and non-admin contexts is restricted by design. You can disable this behaviour using Group Policy or the registry, as described here:
Mapped drives are not available from an elevated prompt when UAC is configured to "Prompt for credentials" in Windows

PowerShell run as administrator

I am experiencing below issue when I run the batch script as administrator. When I
ran the same script normally, there were no issues.
Please share some thoughts on this issue.
snapshot of the error
When you run as administrator, the user session changes from your user session to one based in %SystemRoot%\System32. What you need to do is get the path of the current invocation of your Powershell script and make it the path of your build1.ps1 script:
$ScriptPath = Split-Path $MyInvocation.InvocationName
& "$ScriptPath\build1.ps1" -Target prepare-qa
This way, regardless of user, the script is executed in the proper location.
When you open powershell as a user, the default directory is C:\Users\MyName.
When you open powershell as an admin, the default directory is C:\WINDOWS\System32.
In your script, try using Set-Location C:\Users\myusername or where ever your script is located. Or, fully qualify the script's path.

Working around the "You don't currently have permission to access this folder" issue for PowerShell

When navigating to C:\Users\%SomeUsername% as an administrator on a Windows 2008 R2 server I get the error You don't currently have permission to access this folder, Click Continue to permanently get access to this folder. Clicking Continue resolves this problem.
If I try the same by PowerShell (e.g. get-childitem 'C:\Users\' -Directory | get-childitem -Force; or some variant), any profiles to which I've not already granted myself access explicitly give the error Access to the path 'C:\Users\%SomeUsername%' is denied.; even with the Force switch included.
Is there a way to "click continue" via PowerShell; i.e. have the system give me access to anything which I don't strictly have access to, though as an administrator on the server can grant myself access to. Ideally this would be done as I access the files (e.g. by a switch on the Get-Item command) rather than having to code something to explicitly go through all files checking and amending permissions.
Make sure about start Powershell Run As Admin if you want always run it as administrator make shortcut from powershell.exe and follow this image :
My mistake; I hadn't been running the PowerShell session as administrator (i.e. UAC).
right click on powershell.exe
run as administrator

Powershell does not create a folder when I run a script. What's wrong?

I'm trying to have powershell create a folder for me and it works fine when I type it into the console. However, when I run the same command as a script, no folder is created and no error messages are supplied.
This is the line of code I am using.
new-item - path c:\test\ -name testfolder -itemtype directory
edit: I am on Windows 7
This should be a comment, but I cannot comment. There is definitely nothing wrong with that line of code. It runs on my machine, either from the terminal window or as a script. Because the code works for you at the terminal window but not when executing as a script my first guess is that your system may be configured to disallow powershell scripts. This is the default setting, and it will prevent a script file from executing but will not prevent commands typed at the prompt from working. Open a powershell session and type get-executionpolicy. If it returns "restricted" then you have found the culprit. This setting can be changed by opening an elevated powershell session (run as admin) and typing set-executionpolicy -executionpolicy RemoteSigned. Of course you should read about what those settings mean before changing them to determine what is best for your situation. For example the remotesigned option means that scripts originating from your machine will execute without a trusted signature, but external scripts will require a signature.

IIS 7.5 powershell module usage issues

Has anyone managed to use this module with success, i'm running 32bit Windows 7, where i have opened an administrator shell using run as administrator, i have imported the WebAdministration module and then attempted to use the commands with some issues, have provided two examples here
Websites
I created a web site with the following command
new-website -name testsite -port 80 -hostheader testsite -physicalpath c:\temp
Then i attempted to get the sites details using the command
get-website -name testsite
but it always returns all sites, seems to ignore the -name parameter. Only way i can get the site is using a filter
get-website | ? { $_.name -eq 'testsite' } | get-member
When i use appcmd it works as expected using the following command
C:\> C:\Windows\System32\inetsrv\appcmd.exe list site testsite
AppPools
When i try to list the apppools using the following command
dir iis:\apppools
i get the following error
Get-ChildItem : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Yet when i use appcmd as follows i get all the apppools as expected without any error
C:\Windows\System32\inetsrv\appcmd.exe list apppool
Has anyone successfully managed to use the WebAdministration module ?
Thanks in advance
Pat
If you are already running PowerShell as an administrator and have Windows UAC disabled and you are still seeing this error, make sure WAS (Windows Process Activation Service) is running. You can stop W3SVC but PowerShell will definitely give the same head-scratching "access denied" error if WAS is stopped.
You need to make sure that the PowerShell window is running elevated, try right-clicking in the Start Menu and using the "Run as administrator" option to ensure it runs elevated.
Regarding Get-Website ignoring the -Name parameter, this appears to be a bug according to this forum post. The workaround is to use Get-Item
$website = "Default Web Site"
Get-Item "IIS:\sites\$website"
Be sure to use double quotes, variables are not expanded when single quotes are used.
Regarding browsing the application pools I suspect this is a permissions issue as CarlosAg mentioned. Make sure that you are running PowerShell with elevated privileges. I typically launch PowerShell by right-clicking on it and selecting "Run as administrator".