Batch Script – Ribbon UI Customization: Take Ownership and Change Permissions of the CommandStore Subkeys in the Registry

This is just a follow up to my experiences customizing the Ribbon UI icons in Server 2012 and where the path has taken me thus far. After many hours of research and development and a lot of head scratching, I’ve written several posts on how to disable the different icons in the Ribbon UI which requires the adding or editing of keys in the CommandStore section of the registry for Windows Explorer. For more information on how to disable the icons, see this post.

My whole goal as of late was to be able to add these registry items to the RDS server’s GPO to be able to deploy these settings to all 7 of my RDS servers but then I found out you can’t take ownership of the CommandStore subkeys with the local “SYSTEM” account. Yet another deliberate Microsoft setback meant to discourage people from editing the Ribbon UI, oh well, fuck ’em. I’ve encountered so many problems with this RDS server project it is unreal and this was just icing on the proverbial cake.

Anyways, after much irritation and trying software from several different 3rd party vendors (apps like RegOwner.exe and RegDACL.exe), I finally came across one application called SetACL.exe from that was completely free and could do the full job without forcing me to pay the troll toll. Much appreciation for this software and it has many more uses than just on the registry, it also works on file permissions and more, THANK YOU!

This batch script will backup the registry permissions if you want it to, take ownership of the CommandStore subkeys in the registry, give the Administrators group and local “SYSTEM” accounts write access, and then give ownership back to the local “NT SERVICE\TrustedInstaller” account so that you can deploy Ribbon UI customizations via Group Policy Preferences.

You can download the “Set_CommandStore_Registry_Permissions.bat” script here.

:: Server 2012 Ribbon UI Registry Permissions Tweak
:: In order to enable the use of Group Policy Preferences to be able to modify registry
:: keys so we can disable items in the Ribbon UI toolbar, we must first use a third party
:: application "SetACL.exe" to do a few things. First, we need to take ownership from the
:: "NT SERVICE\TrustedInstaller" local account. After that, we can then grant the local 
:: "SYSTEM" account write access to the subkeys so that our GPP will work. The last step
:: of this script will then set the owner back to the TrustedInstaller account. This 
:: script will obviously need to be ran as administrator.
:: SetACL.exe can be found here -
:: Place SetACL.exe in the same directory as this script
:: Author: Nathan Thomas
:: Date: 04/22/2015

:: Recommended - Backup the registry permissions first? yes|no
SET BackupReg=yes

IF %BackupReg%==yes (
	REM "%~dp0" Is an environment variable that gets the full path to the current batch file's directory.
	"%~dp0"SetACL.exe -on "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell" -ot reg -actn list -lst "f:sddl" -bckp "DefaultCSPermissions.txt" -rec yes

:: FYI - To restore the backup, you will have to take ownership and have write permissions
:: SetACL.exe -on "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell" -ot reg -actn restore -bckp "DefaultCSPermissions.txt"

:: This will change ownership to the Administrators group recursively
"%~dp0"SetACL.exe -on "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell" -ot reg -actn setowner -ownr "n:Administrators" -rec yes

:: This will give full control to administrators and the "SYSTEM" account
"%~dp0"SetACL.exe -on "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell" -ot reg -actn ace -ace "n:Administrators;p:full" -ace "n:SYSTEM;p:full" -rec yes

:: This will change ownership back to the local "NT SERVICE\TrustedInstaller" account
"%~dp0"SetACL.exe -on "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell" -ot reg -actn setowner -ownr "n:NT SERVICE\TrustedInstaller" -rec yes

:: This will set the owner of the shell key itself back to the "SYSTEM" account
"%~dp0"SetACL.exe -on "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\CommandStore\shell" -ot reg -actn setowner -ownr "n:SYSTEM"


Leave a Reply