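@echo off
rem -- Applies a fixed ACL to every registry key listed in three text
rem -- files, one key per line; lines starting with ";" are skipped.
rem --
rem -- This assumes that the three files
rem -- RegPublic{Read,RW,Null}.txt are all present in
rem -- I:\PreInstall\PostInst\Secure
rem -- and that regperm.exe is in the path
rem -- (usually at C:\admin\tools)
rem -- The permissions for each registry key named in
rem -- RegPublicRead are set to
rem -- "Administrators:F System:F Everyone:R"
rem -- Same for keys named in RegPublic{RW,Null} except
rem -- Everyone:R is replaced by Everyone:RW and nothing
rem -- respectively.
rem --
rem -- NOTE(review): the list files decide which keys are re-ACLed, and
rem -- regperm is resolved through PATH. Both the list directory and the
rem -- tools directory should be writable by administrators only - confirm.

set LOGFILE=C:\logs\secure_reg.log
rem -- Set LOGFILE=NUL to turn off logging.

pushd "I:\PreInstall\PostInst\Secure"
rem -- If the directory is unreachable, stop here. Otherwise the loops
rem -- below would read same-named list files from whatever directory
rem -- the script was started in. errorlevel is left non-zero for callers.
if errorlevel 1 (
  echo ERROR: cannot change to I:\PreInstall\PostInst\Secure - registry permissions NOT set >> %LOGFILE%
  goto :eof
)

echo " *** Setting registry permissions *** " >> %LOGFILE%
echo " All errors are displayed below. Hope there is nothing" >> %LOGFILE%

rem -- Options to regperm explained
rem -- /S = set permissions (replace existing ones with this)
rem -- /F = force all subkeys to inherit the same permissions
rem -- /C = continue on recoverable errors
rem -- /Q = quiet mode. no output
rem -- /I = turn inheritance on for this key
rem -- Only /S /I /C are passed below; /F and /Q are listed for reference.
rem -- As used here /K names the key and /A adds one account:access entry
rem -- (inferred from usage, check the regperm documentation).
rem -- Because /S replaces the existing ACL, any entry not named on the
rem -- command line (for example a service account) is removed from the key.

rem -- Does /F cause problems if key and child key have different
rem -- permissions set on them?

rem -- stderr is sent to the log as well (2^>^&1) so that errors regperm
rem -- may print there are not lost.
rem -- A missing list file is logged, since it means a whole class of
rem -- keys was left with its previous permissions.

rem -- Handle all keys where Everyone cannot touch the key
if exist RegPublicNull.txt (
  for /f "eol=; tokens=*" %%i in (RegPublicNull.txt) do (
    regperm /K "%%i" /A:"Administrators":F /A:"System":F /S /I /C >> %LOGFILE% 2>&1
  )
) else (
  echo ERROR: RegPublicNull.txt not found - no keys processed from it >> %LOGFILE%
)

rem -- Handle all keys where Everyone can read but nothing else
if exist RegPublicRead.txt (
  for /f "eol=; tokens=*" %%i in (RegPublicRead.txt) do (
    regperm /K "%%i" /A:"Administrators":F /A:"System":F /A:"Everyone":R /S /I /C >> %LOGFILE% 2>&1
  )
) else (
  echo ERROR: RegPublicRead.txt not found - no keys processed from it >> %LOGFILE%
)

rem -- Handle all keys where Everyone can read and write but not delete, create subkeys...
rem -- Everyone:RW lets any account change the values under these keys,
rem -- so RegPublicRW.txt should stay as short as possible.
if exist RegPublicRW.txt (
  for /f "eol=; tokens=*" %%i in (RegPublicRW.txt) do (
    regperm /K "%%i" /A:"Administrators":F /A:"System":F /A:"Everyone":RW /S /I /C >> %LOGFILE% 2>&1
  )
) else (
  echo ERROR: RegPublicRW.txt not found - no keys processed from it >> %LOGFILE%
)

popd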