# === Copyright (C) 20XX "PS.FixRegAccess" by zetod1ce [github.com/ztd38f] === #

<#
[!] ДИСКЛЕЙМЕР [!]
Автор полностью отказывается от какой-либо ответственности за использование данного скрипта. Скрипт предоставляется "КАК ЕСТЬ", может быть изменён или дополнен в любое время без уведомления. Использование допускается только для личного обучения в строго контролируемой среде под надзором профессионалов. Всё использование осуществляется исключительно на ваш страх и риск.

[!] DISCLAIMER [!]
The author fully disclaims any responsibility for the use of this script. The script is provided "AS IS" and may be changed or updated at any time without notice. Use is permitted only for personal educational purposes in a strictly controlled environment under professional supervision. All use is entirely at your own risk.
#>

function FixRegAccess {
    param(
        [Parameter(Mandatory=$true)]
        [string]$KeyPath,
        [switch]$Everyone,
        [switch]$System,
        [switch]$Admins,
        [switch]$Users,
        [ValidateSet('On', 'Off')]
        [string]$Inheritance = 'On'
    )
    
# Enable All Privileges
function SetPrivileges {whoami /priv |? {$_ -match '^Se\w+'} |% {$matches[0]} |% {([diagnostics.process].GetMember('SetPrivilege',42)[0]).Invoke($null,("$_",2))}}; SetPrivileges
    
    # Define root key and path
    $hiveMap = @{
        'HKLM' = [Microsoft.Win32.Registry]::LocalMachine
        'HKCU' = [Microsoft.Win32.Registry]::CurrentUser
        'HKU'  = [Microsoft.Win32.Registry]::Users
        'HKCR' = [Microsoft.Win32.Registry]::ClassesRoot
        'HKCC' = [Microsoft.Win32.Registry]::CurrentConfig
    }
    
    $hive = [Microsoft.Win32.Registry]::LocalMachine
    $subKeyPath = $KeyPath
    
    foreach ($prefix in $hiveMap.Keys) {
        if ($KeyPath -match "^$prefix[:\\](.*)") {
            $hive = $hiveMap[$prefix]
            $subKeyPath = $matches[1]
            break
        }
    }
    
    # Define owner by priority
    $owners = @(
        @{Condition = $Everyone; SID = "S-1-1-0"; Name = "Everyone"}
        @{Condition = $Users; SID = "S-1-5-32-545"; Name = "Users"}
        @{Condition = $Admins; SID = "S-1-5-32-544"; Name = "Administrators"}
        @{Condition = $System; SID = "S-1-5-18"; Name = "System"}
    )
    
    $owner = $owners |? {$_.Condition} | Select -Last 1
    
    try {
        # Take ownership via Administrators first
        $adminSid = .Principal.SecurityIdentifier("S-1-5-32-544")
        
        $regKey = $hive.OpenSubKey($subKeyPath, 'ReadWriteSubTree', 'ChangePermissions')
        
        if ($null -eq $regKey) {
            Write-Host "Failed to open key: $KeyPath" -f Red
            return
        }
        
        $acl = $regKey.GetAccessControl()
        
        # Set Administrators as owner
        $acl.SetOwner($adminSid)
        $acl.SetAccessRuleProtection($true, $false)
        
        # Give Administrators full control
        $adminRule = New-Object Security.AccessControl.RegistryAccessRule($adminSid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.SetAccessRule($adminRule)
        
        $regKey.SetAccessControl($acl)
        $regKey.Close()
        
        # Reopen key
        Start-Sleep -Milliseconds 50
        $regKey = $hive.OpenSubKey($subKeyPath, 'ReadWriteSubTree', 'ChangePermissions')
        
        if ($null -eq $regKey) {
            Write-Host "Failed to reopen key: $KeyPath" -f Red
            return
        }
        
        $acl = $regKey.GetAccessControl()
        
        # Set desired owner
        if ($owner) {
            $acl.SetOwner([Security.Principal.SecurityIdentifier]$owner.SID)
            Write-Host "Owner set: $($owner.Name)" -f Cyan
        }
        
        # Configure inheritance - enabled to propagate to all subkeys
        $acl.SetAccessRuleProtection($Inheritance -eq 'Off', $false)
        Write-Host "Inheritance $(if($Inheritance -eq 'Off'){'disabled'}else{'enabled'})" -f Yellow
        
        # Add rules for all specified groups with inheritance flags
        $groups = @(
            @{Switch = $Everyone; SID = "S-1-1-0"; Name = "Everyone"}
            @{Switch = $System; SID = "S-1-5-18"; Name = "System"}
            @{Switch = $Admins; SID = "S-1-5-32-544"; Name = "Administrators"}
            @{Switch = $Users; SID = "S-1-5-32-545"; Name = "Users"}
        )
        
        $groups |? {$_.Switch} |% {
            $sid = New-Object Security.Principal.SecurityIdentifier($_.SID)
            $acl.PurgeAccessRules($sid)
            $rule = New-Object Security.AccessControl.RegistryAccessRule($sid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
            $acl.AddAccessRule($rule)
            Write-Host "Access granted to $($_.Name)" -f Green
        }
        
        $regKey.SetAccessControl($acl)
        $regKey.Close()
        
        Write-Host
        Write-Host "Permissions applied successfully. Inheritance will propagate to all subkeys." -f Green
    }
    catch {
        Write-Host "Error setting permissions for $KeyPath : $_" -f Red
    }
}