Public/Add-MSIXPSFDefaultRegLegacy.ps1

function Add-MSIXPSFDefaultRegLegacy {
<#
.SYNOPSIS
    Writes the default RegLegacyFixups rule set into an expanded MSIX package.

.DESCRIPTION
    Thin wrapper that calls Add-MSIXPSFRegLegacyFixup once per rule, in this order:

      1. ModifyKeyAccess  HKCU  Full2MaxAllowed   full access -> MAXIMUM_ALLOWED
      2. ModifyKeyAccess  HKCU  RW2MaxAllowed     read/write  -> MAXIMUM_ALLOWED
      3. ModifyKeyAccess  HKLM  Full2R            full access -> read-only
      4. ModifyKeyAccess  HKLM  RW2R              read/write  -> read-only
      5. FakeDelete       HKCU                    suppress ACCESS_DENIED on key deletions
      6. HKLM2HKCU        HKLM                    redirect HKLM writes to virtual HKCU

    Rules 3 and 4 are written only WITHOUT -AllowRedirectHKLMWrites; rule 6 is written
    only WITH it. Every ModifyKeyAccess and FakeDelete rule uses the key pattern '.*',
    i.e. it applies to the whole hive rather than to selected keys.

    The HKCU rules and FakeDelete are compatible with both Microsoft PSF and
    Tim Mangan PSF.

.PARAMETER MSIXFolder
    Path to the expanded MSIX package folder (must contain config.json.xml).
    Accepted from the pipeline; the full rule set is applied once per folder.

.PARAMETER Executable
    Regex pattern for the process entry. Default: ".*" (all processes).

.PARAMETER AllowRedirectHKLMWrites
    Switches from "force HKLM read-only" to "redirect HKLM writes to virtual HKCU".
    The two modes are mutually exclusive: the read-only ModifyKeyAccess rules
    (Full2R/RW2R) would downgrade the access mask of an HKLM key open, and that
    downgraded mask is reused for the redirected HKCU open, so the redirect target
    would be opened read-only and the redirect would be defeated.
    Requires Tim Mangan PSF - errors if Microsoft PSF is active.

    NOTE(review): with redirection on, values the application treats as machine-wide
    end up in the per-user virtual hive. Presumably any code running in the package
    as that user can change them, so confirm the application does not rely on those
    HKLM values being administrator-controlled (licensing, policy, update settings).

.EXAMPLE
    Add-MSIXPSFDefaultRegLegacy -MSIXFolder "C:\MSIXTemp\MyApp"

.EXAMPLE
    Add-MSIXPSFDefaultRegLegacy -MSIXFolder "C:\MSIXTemp\MyApp" -AllowRedirectHKLMWrites

.NOTES
    Microsoft PSF: https://github.com/microsoft/MSIX-PackageSupportFramework/tree/main/fixups/RegLegacyFixups
    Tim Mangan PSF: https://github.com/TimMangan/MSIX-PackageSupportFramework/wiki/Fixup:-RegLegacyFixup
    https://www.nick-it.de
    Andreas Nick, 2026
#>

    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)]
        [System.IO.DirectoryInfo] $MSIXFolder,

        [String] $Executable = '.*',

        [Switch] $AllowRedirectHKLMWrites
    )

    process {
        # Arguments shared by every Add-MSIXPSFRegLegacyFixup call below.
        $target = @{
            MSIXFolder = $MSIXFolder
            Executable = $Executable
        }

        # Ordered rule list; each entry is splatted onto one helper call.
        $rules = @(
            @{ ModifyKeyAccess = $true; Hive = 'HKCU'; Patterns = @('.*'); Access = 'Full2MaxAllowed' }
            @{ ModifyKeyAccess = $true; Hive = 'HKCU'; Patterns = @('.*'); Access = 'RW2MaxAllowed' }

            # HKLM read-only downgrade: emitted only when HKLM writes are NOT redirected.
            # Per the original author's check of the Tim Mangan RegLegacyFixups source:
            # on an HKLM key OPEN, RegFixupSam matches the HKLM rule against the ORIGINAL
            # HKLM path and strips the write bits (KEY_SET_VALUE/KEY_CREATE_SUB_KEY/
            # KEY_WRITE). That read-only mask is then reused for the redirected HKCU open
            # (RegOpenKeyEx.cpp), so writes to the redirect target would still fail.
            # RegCreateKeyEx recomputes the mask on the HKCU path and is unaffected, but
            # apps usually OPEN existing keys to write values.
            if (-not $AllowRedirectHKLMWrites) {
                @{ ModifyKeyAccess = $true; Hive = 'HKLM'; Patterns = @('.*'); Access = 'Full2R' }
                @{ ModifyKeyAccess = $true; Hive = 'HKLM'; Patterns = @('.*'); Access = 'RW2R' }
            }

            @{ FakeDelete = $true; Hive = 'HKCU'; Patterns = @('.*') }

            # NOTE(review): this rule is applied last. If the helper rejects it (the help
            # text says it errors under Microsoft PSF), the earlier rules have presumably
            # already been written and the HKLM read-only rules were skipped - confirm
            # whether the helper leaves a partial configuration behind in that case.
            if ($AllowRedirectHKLMWrites) {
                @{ HKLM2HKCU = $true; Hive = 'HKLM' }
            }
        )

        foreach ($rule in $rules) {
            Add-MSIXPSFRegLegacyFixup @target @rule
        }
    }
}