RickC wrote: Now all I have to do is work out how I can change ownership on a Windows Defender registry key using just AHK. Time to hit "Search"!
To take your words at face value, my answer is:
I wrote an installer script for myself to install the old, non-UWP Sticky Notes with Windows 10 AU and because I can't use dism for this, I at least settled on making sure the security descriptors matched what was in the manifest file for the SN package, so I have some small insight into this.
With pure AHK_L, it's, erm, a fun process. My only experience in Windows security thus far (reading a book on it and there's a really good set of articles on codeproject somewhere by a guy called oshah that I'm planning to take a look at soon) has been work I did on writing that installer, so while I wouldn't take my word as gospel and assume this is mistake-free, I do believe I have the basics down pat.
Assuming your script is elevated, it's something like first opening the process token, looking up the SeTakeOwnershipPrivilege and possibly (I'm not sure) the backup and restore privileges by name and adjusting the token. The user flipeador has some good stuff on that sort of thing. You may also find good stuff on the old forum. And then you get a handle to the Registry key in question (so you can't use the AHK Reg* functions - you need to DllCall RegOpenKeyEx etc. with ACCESS_SYSTEM_SECURITY := 0x01000000 | WRITE_DAC := 0x00040000 | WRITE_OWNER := 0x00080000) and then you can pass the handle to the standard security functions. Since I'd be too lazy to work with the DACL structures, I'd look into duplicating the current SD, and DllCalling ConvertStringSecurityDescriptorToSecurityDescriptor with an SDDL that's pretty lenient, and then writing the new SD with the right function (in my case, this was SetKernelObjectSecurity since the SDDL I was working with defined all the aspects of the SD). Then as soon as I'm done writing, I'd restore the old SD right away.
(If this is actually simpler than I'm making it sound, and someone just posts what you're asking for, due to my inexperience, I apologise in advance)
What I'd do instead:
Since the only reason I can think of to take ownership over Defender's keys is to disable it, I'd like to point out that Defender can be disabled by setting group policies for it. This can be done from the Registry, and I don't think those keys need control wrested from them. With my installer, what I did was use NSudo to start my AutoHotkey script with the TrustedInstaller token. I needed to write files with the owner set as TrustedInstaller, so I didn't have a choice. This way, I didn't need to take ownership of the keys beforehand and everything was nice and simple.
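The read-only half of what the reply above describes, as an added example that is not from the post or its author: reading a registry key's security descriptor through the same advapi32 API family and converting it to SDDL, so you can check whether a key's owner and DACL still match what you expect (e.g. a package manifest) before or after any change. Reading needs only READ_CONTROL, so no SeTakeOwnershipPrivilege is involved; the Defender key path and the expected-owner list are assumptions chosen for illustration, and the script assumes AutoHotkey v1.1 (AHK_L), Unicode build.

```autohotkey
; Added example, not from the original post. Audits owner + DACL of a registry key via SDDL.
; GetNamedSecurityInfo wants "MACHINE\..." for HKLM (CLASSES_ROOT, CURRENT_USER, USERS likewise).
keyPath := "MACHINE\SOFTWARE\Microsoft\Windows Defender"   ; example path, assumption
; Owners we would expect on a system-managed key: SY = LocalSystem, BA = Administrators,
; and the TrustedInstaller service SID (SDDL has no two-letter alias for it).
expectedOwners := ["SY", "BA", "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"]

MsgBox % AuditKeyOwner(keyPath, expectedOwners)
return

; Returns a one-line report: OK/UNEXPECTED, the owner, and the full SDDL string.
AuditKeyOwner(keyPath, expectedOwners) {
    sddl := GetRegKeySDDL(keyPath)
    owner := SddlOwner(sddl)
    status := IsExpectedOwner(owner, expectedOwners) ? "OK" : "UNEXPECTED owner"
    return status " - " keyPath "`nOwner: " owner "`nSDDL: " sddl
}

GetRegKeySDDL(keyPath) {
    static SE_REGISTRY_KEY := 4, SDDL_REVISION_1 := 1
    static SECINFO := 1 | 2 | 4   ; OWNER | GROUP | DACL; SACL is left out (needs ACCESS_SYSTEM_SECURITY)
    err := DllCall("advapi32\GetNamedSecurityInfoW", "WStr", keyPath, "Int", SE_REGISTRY_KEY
        , "UInt", SECINFO, "Ptr", 0, "Ptr", 0, "Ptr", 0, "Ptr", 0, "Ptr*", pSD, "UInt")
    if (err != 0)   ; e.g. 5 = ERROR_ACCESS_DENIED when the DACL denies READ_CONTROL
        throw Exception("GetNamedSecurityInfo failed for " keyPath ", error " err)
    ok := DllCall("advapi32\ConvertSecurityDescriptorToStringSecurityDescriptorW", "Ptr", pSD
        , "UInt", SDDL_REVISION_1, "UInt", SECINFO, "Ptr*", pStr, "UInt*", len)
    if (!ok) {
        DllCall("LocalFree", "Ptr", pSD)
        throw Exception("SD to SDDL conversion failed, error " A_LastError)
    }
    sddl := StrGet(pStr, "UTF-16")
    DllCall("LocalFree", "Ptr", pStr)   ; both buffers are LocalAlloc'd by the API
    DllCall("LocalFree", "Ptr", pSD)
    return sddl
}

; The owner is the text between "O:" and the next G:/D:/S: component of the SDDL string.
SddlOwner(sddl) {
    return RegExMatch(sddl, "^O:([^:]+?)(?=[GDS]:|$)", m) ? m1 : ""
}

IsExpectedOwner(owner, expectedOwners) {
    for _, e in expectedOwners
        if (owner = e)
            return true
    return false
}
```

Run it before and after any ownership change to confirm the descriptor was restored; the same SDDL string is what ConvertStringSecurityDescriptorToSecurityDescriptor would consume if you needed to put it back.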