Octopus Registry Error - Cannot find path because it does not exist

Hi Support/Octo Users:

We currently install Octopus tentacles via a custom script that adds our tentacle service accounts as a local admin. We are adjusting that per the article below.

However, I am having issues scripting the below permission requirement.

Permission: Read
Object: The HKLM\Software\Octopus\Tentacle registry key
Reason: Tentacle determines the location of its configuration files from this key.
Applied with: Regedit

Script (we’ve tried variations of this including setting the location to HKLM):

$RegKey = "HKLM:\SOFTWARE\Octopus\Tentacle" -Force | Select-Object *
$acl = Get-Acl -LiteralPath $RegKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("<SvcAccount>","ReadKey","ContainerInherit","None","Allow")
$acl.SetAccessRule($rule)
$acl |Set-Acl -Path $RegKey

Our script primarily fails with the below error:

Cannot find path ‘HKEY_LOCAL_MACHINE\SOFTWARE\Octopus\Tentacle’ because it does not exist.

When I navigate to the HKLM directory, it does not show the Octopus directory.
[Screenshot: Node_NoOctopusDirectory]

YET, I do see it when navigating directly to the registry:

We are on Octopus v2020.4.2

Hi Alex,

Thanks for getting in touch! I’m sorry to hear you’re hitting this unexpected roadblock. I’d like to run through a test of this locally, though at the moment I’m wondering if one small detail of a missing slash at the end of the path in the $RegKey variable could be impacting this. Does the following modification to the script get this working for you by chance?

$RegKey = "HKLM:\SOFTWARE\Octopus\Tentacle\" -Force | Select-Object *
$acl = Get-Acl -LiteralPath $RegKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("<SvcAccount>","ReadKey","ContainerInherit","None","Allow")
$acl.SetAccessRule($rule)
$acl |Set-Acl -Path $RegKey

Let me know how you go, and I look forward to getting to the bottom of this.

Best regards,

Kenny

I tried it as below (with backslash) and with/without Select-Object.

$RegKey = "HKLM:\SOFTWARE\Octopus\Tentacle\" | Select-Object *
$acl = Get-Acl -LiteralPath $RegKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("XXXX\SVCaccount","ReadKey","ContainerInherit","None","Allow")
$acl.SetAccessRule($rule)
$acl |Set-Acl -Path $RegKey

I keep getting the below error:

Get-Acl : Cannot find path 'HKEY_LOCAL_MACHINE\SOFTWARE\Octopus\Tentacle\' because it does not exist.
At line:42 char:8
+ $acl = Get-Acl -LiteralPath $RegKey
+        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-Acl], ItemNotFoundException
    + FullyQualifiedErrorId : GetAcl_PathNotFound,Microsoft.PowerShell.Commands.GetAclCommand
 
You cannot call a method on a null-valued expression.
At line:44 char:1
+ $acl.SetAccessRule($rule)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Hi DocOck,

We are still looking into this issue and hope to have a solution for you very soon.

It does seem like our documentation needs to be corrected or at least clarified.

Regards,

Dane.

Thank you Dane. And to clarify: following the non-admin permissions works manually (including adding the registry svc account read permissions), but it doesn’t work via PowerShell scripting.

Hi @DocOck,

That was an interesting deep dive. When running the script locally, -LiteralPath was appending the registry key to the end of the current path. Then there was the whole concept that “HKLM” isn’t the same as “HKEY_LOCAL_MACHINE”.

So at the end of all of that, I’ve managed to cobble together a script that worked (for me anyway) when running as a script step from Octopus Server and also when running locally as a script.

Please let me know how you get on with the following:

$RegKey = "HKLM\SOFTWARE\Octopus\Tentacle"
$acl = Get-Acl -Path Registry::$RegKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Administrator","ReadKey","ContainerInherit","None","Allow")
$acl.SetAccessRule($rule)
$acl | Set-Acl -Path Registry::$RegKey

If you could confirm that this works for you, I will go ahead and add a link to the script within our documentation.

Regards,

Dane

Thank you Dane. I am running into the same error, but I am going to troubleshoot this given that it is working on your end. Hopefully if I get it working, I will reach back out to confirm.

Hey Alex,

I will leave you to troubleshoot.
Just for some clarity, this is my environment:

PSVersion: 5.1.14393.2248
Windows Server 2016 (This shouldn’t really make a difference)
Octopus Deploy Tentacle service runs as “Local System Account”

Local Administrator rights for the user that runs PowerShell as well.

Please let me know how you go.

Regards,

Dane

Hi Dane,

I had to put this on hold for a bit. I wanted to confirm one thing with you regarding the issue, as I am still getting the below error (using the same settings and script suggested):

Cannot find path ‘HKEY_LOCAL_MACHINE\SOFTWARE\Octopus\Tentacle’ because it does not exist.

When I navigate to the HKLM directory on the local server (not Octopus server to be clear as this is a deployment server), it does not show the Octopus directory. Are you able to navigate to the Octopus HKLM directory on a local server?

[Screenshot: Node_NoOctopusDirectory]

Hi Alex,

Just so I wasn’t leading you down a stray path, I went and spun up a brand new VM to be confident that everything worked. Immediately I tried the script that I provided to you above and it wasn’t working. I’m terribly sorry about that.

However, after the tentacle install, the following command was working fine:

gci -Path HKLM:\Software\Octopus -Recurse

This returned:

Name      Property
----      ----
Tentacle  InstallLocation : C:\Program Files\Octopus\Deploy\Tentacle\

I ran the command on both a local PowerShell instance and also from my Octopus Cloud instance.

Based on that working command, I modified the original script slightly and I believe the below script should work in your environment.

$regKey = gci -Path HKLM:\SOFTWARE\Octopus -Recurse
$acl = Get-Acl -Path Registry::$regKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ("Administrator","ReadKey","ContainerInherit","None","Allow")
$acl.SetAccessRule($rule)
$acl | Set-Acl -Path Registry::$regKey

Please try this slightly different script and let me know how that goes.

Regards,

Dane
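
An added example, not code from any poster in this thread or from the Octopus documentation: one way to script the Read grant on HKLM\Software\Octopus\Tentacle from the first post so that a missing key is reported instead of surfacing as a null `$acl`. It assumes Windows PowerShell 5.1 run elevated; the default account name is a placeholder, `Grant-RegistryRead` is a hypothetical helper name, and trying both registry views is an assumption that covers a 32-bit host being redirected to WOW6432Node, which the thread does not establish as the cause.

```powershell
# Added example: grant the Tentacle service account Read on its registry key.
# Assumes Windows PowerShell 5.1, elevated. The $Account default is a placeholder.
param(
    [string]$Account = 'EXAMPLE\svc-tentacle',
    [string]$SubKey  = 'SOFTWARE\Octopus\Tentacle'
)

function Grant-RegistryRead {
    param([string]$SubKey, [string]$Account, [Microsoft.Win32.RegistryView]$View)

    # Open HKLM in an explicit view so the result does not depend on the host's bitness.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        # Request only the rights needed to read and rewrite the DACL.
        $key = $base.OpenSubKey($SubKey,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
            [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions')
        if ($null -eq $key) { return $false }   # key is absent in this view
        try {
            $acl  = $key.GetAccessControl(
                [System.Security.AccessControl.AccessControlSections]::Access)
            # Same rule shape as in the thread: ReadKey, inherited by subkeys.
            $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                $Account, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
            $acl.AddAccessRule($rule)            # merges with existing rules
            $key.SetAccessControl($acl)
            return $true
        } finally { $key.Dispose() }
    } finally { $base.Dispose() }
}

$granted = $false
foreach ($view in 'Registry64', 'Registry32') {
    if (Grant-RegistryRead -SubKey $SubKey -Account $Account -View $view) {
        Write-Output "Granted ReadKey on HKLM\$SubKey ($view view) to $Account"
        $granted = $true
    }
}
if (-not $granted) {
    throw "HKLM\$SubKey was not found in either registry view; is Tentacle installed?"
}
```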