Export (0) Print
Expand All
Expand Minimize

RegistryRights Enumeration

Specifies the access control rights that can be applied to registry objects.

This enumeration has a FlagsAttribute attribute that allows a bitwise combination of its member values.

Namespace:  System.Security.AccessControl
Assembly:  mscorlib (in mscorlib.dll)

[FlagsAttribute]
public enum RegistryRights

Member nameDescription
QueryValuesThe right to query the name/value pairs in a registry key.
SetValueThe right to create, delete, or set name/value pairs in a registry key.
CreateSubKeyThe right to create subkeys of a registry key.
EnumerateSubKeysThe right to list the subkeys of a registry key.
NotifyThe right to request notification of changes on a registry key.
CreateLinkReserved for system use.
ExecuteKeySame as ReadKey.
ReadKeyThe right to query the name/value pairs in a registry key, to request notification of changes, to enumerate its subkeys, and to read its access rules and audit rules.
WriteKeyThe right to create, delete, and set the name/value pairs in a registry key, to create or delete subkeys, to request notification of changes, to enumerate its subkeys, and to read its access rules and audit rules.
DeleteThe right to delete a registry key.
ReadPermissionsThe right to open and copy the access rules and audit rules for a registry key.
ChangePermissionsThe right to change the access rules and audit rules associated with a registry key.
TakeOwnershipThe right to change the owner of a registry key.
FullControlThe right to exert full control over a registry key, and to modify its access rules and audit rules.

Use the RegistryRights enumeration to specify registry access rights when you create RegistrySecurity objects. To apply access rights to a registry key, first add RegistryAccessRule objects to a RegistrySecurity object, then attach the RegistrySecurity object to the key using the RegistryKey.SetAccessControl method, or an appropriate overload of the RegistryKey.CreateSubKey method.

The following code example demonstrates the use of the RegistryRights enumeration. The code creates a test key, allowing the current user ReadKey and Delete access rights but denying ChangePermissions and WriteKey rights. Subsequent attempts to manipulate the key succeed or fail depending on these permissions.

Before the key is deleted, the code pauses. You can switch to the Registry Editor (Regedit.exe or Regedt32.exe) and verify that the same access rights apply when the key is accessed using the Registry Editor.

This example works best if you use RunAs from the command line to run the Registry Editor and the sample code as a local user without administrator rights. For example, if you have defined a local user named TestUser, the command runas /user:TestUser cmd opens a command window from which you can run the Registry Editor and then the example code.


using System;
using System.Reflection;
using System.Security;
using System.Security.AccessControl;
using Microsoft.Win32;

public class Example
{
    public static void Main()
    {
        // Delete the example key if it exists.
        try
        {
            Registry.CurrentUser.DeleteSubKey("RegistryRightsExample");
            Console.WriteLine("Example key has been deleted.");
        }
        catch (ArgumentException)
        {
            // ArgumentException is thrown if the key does not exist. In
            // this case, there is no reason to display a message.
        }
        catch (Exception ex)
        {
            Console.WriteLine("Unable to delete the example key: {0}", ex);
            return;
        }

        string user = Environment.UserDomainName + "\\" + Environment.UserName;

        RegistrySecurity rs = new RegistrySecurity();

        // Allow the current user to read and delete the key.
        //
        rs.AddAccessRule(new RegistryAccessRule(user, 
            RegistryRights.ReadKey | RegistryRights.Delete, 
            InheritanceFlags.None, 
            PropagationFlags.None, 
            AccessControlType.Allow));

        // Prevent the current user from writing or changing the
        // permission set of the key. Note that if Delete permission
        // were not allowed in the previous access rule, denying
        // WriteKey permission would prevent the user from deleting the 
        // key.
        rs.AddAccessRule(new RegistryAccessRule(user, 
            RegistryRights.WriteKey | RegistryRights.ChangePermissions, 
            InheritanceFlags.None, 
            PropagationFlags.None, 
            AccessControlType.Deny));

        // Create the example key with registry security.
        RegistryKey rk = null;
        try
        {
            rk = Registry.CurrentUser.CreateSubKey("RegistryRightsExample", 
                RegistryKeyPermissionCheck.Default, rs);
            Console.WriteLine("\r\nExample key created.");
            rk.SetValue("ValueName", "StringValue");
        }
        catch (Exception ex)
        {
            Console.WriteLine("\r\nUnable to create the example key: {0}", ex);
        }
        if (rk != null) rk.Close();

        rk = Registry.CurrentUser;

        RegistryKey rk2;

        // Open the key with read access.
        rk2 = rk.OpenSubKey("RegistryRightsExample", false);
        Console.WriteLine("\r\nRetrieved value: {0}", rk2.GetValue("ValueName"));
        rk2.Close();

        // Attempt to open the key with write access.
        try
        {
            rk2 = rk.OpenSubKey("RegistryRightsExample", true);
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("\nUnable to write to the example key." +
                " Caught SecurityException: {0}", ex.Message);
        }
        if (rk2 != null) rk2.Close();

        // Attempt to change permissions for the key.
        try
        {
            rs = new RegistrySecurity();
            rs.AddAccessRule(new RegistryAccessRule(user, 
                RegistryRights.WriteKey, 
                InheritanceFlags.None, 
                PropagationFlags.None, 
                AccessControlType.Allow));
            rk2 = rk.OpenSubKey("RegistryRightsExample", false);
            rk2.SetAccessControl(rs);
            Console.WriteLine("\r\nExample key permissions were changed.");
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.WriteLine("\nUnable to change permissions for the example key." +
                " Caught UnauthorizedAccessException: {0}", ex.Message);
        }
        if (rk2 != null) rk2.Close();

        Console.WriteLine("\r\nPress Enter to delete the example key.");
        Console.ReadLine();

        try
        {
            rk.DeleteSubKey("RegistryRightsExample");
            Console.WriteLine("Example key was deleted.");
        }
        catch(Exception ex)
        {
            Console.WriteLine("Unable to delete the example key: {0}", ex);
        }

        rk.Close();
    }
}

/* This code example produces the following output:

Example key created.

Retrieved value: StringValue

Unable to write to the example key. Caught SecurityException: Requested registry access is not allowed.

Unable to change permissions for the example key. Caught UnauthorizedAccessException: Cannot write to the registry key.

Press Enter to delete the example key.

Example key was deleted.
 */


.NET Framework

Supported in: 4, 3.5, 3.0, 2.0

.NET Framework Client Profile

Supported in: 4, 3.5 SP1

Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Community Additions

ADD
Show:
© 2014 Microsoft