<< Back to Script Library

Set AuthRoot Registry Permission

This script will set the correct permissions on HKLMSOFTWAREMicrosoftSystemCertificatesAuthRoot to fix CAPI event id 4110 by allowing NT SERVICECryptSvc full control on the HKLMSOFTWAREMicrosoftSystemCertificatesAuthRoot registry key and it's children
Version: 2.5.9
Created: 2019-02-26
Modified: 2019-10-25
Creator: drew.robbins
Downloads: 16
The Script Copy Script Copied to clipboard
   This script will set the correct permissions on HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot to fix CAPI event id 4110.
   This script will solve CAPI event id 4110 by allowing NT SERVICE\CryptSvc full control on the HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot registry key and it's children 
   &'.\Set AuthRoot Registry Permission.ps1'
        Full name - When (date format DD/MM/YY) - What changed 
        Drew Robbins - 26/02/19 - Initial version
        Matthew Fritz - 26/02/19 - Initial version
        Dennis Geerlings - 18/10/19 - Added error handling, comments and Get-Help comment block 

$ErrorActionPreference = 'Stop'
$VerbosePreference = 'SilentlyContinue'
$DebugPreference = 'SilentlyContinue'

## Get's a reference to the Access Control List (ACL) set on the AuthRoot registry key.
$ACL  = Get-ACL HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
## Defines the account to set permissions for. 
$LocalAccount = "NT SERVICE\CryptSvc"
## Creates a new access control rule to allow the account mentioned above full control on the registry key.
$Rule = New-Object System.Security.AccessControl.RegistryAccessRule ($LocalAccount,"FullControl","Allow")
## Apply the rule to the ACL reference.
## Commit the changes to the ACL to the registry key. 
$ACL |Set-ACL -Path HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

# Set subkeys
$Dir = Get-Childitem "HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot" -Recurse
foreach ($Folder in $Dir)
    $ACL | Set-Acl $Folder.PSPath 

write-host Done!