This topic has not yet been rated - Rate this topic

RegistrySecurity Class

.NET Framework 4

Represents the Windows access control security for a registry key. This class cannot be inherited.

System.Object
  System.Security.AccessControl.ObjectSecurity
    System.Security.AccessControl.CommonObjectSecurity
      System.Security.AccessControl.NativeObjectSecurity
        System.Security.AccessControl.RegistrySecurity

Namespace: System.Security.AccessControl
Assembly: mscorlib (in mscorlib.dll)

Syntax

C++

Copy

public sealed class RegistrySecurity : NativeObjectSecurity

The RegistrySecurity type exposes the following members.

Constructors

	Name	Description
	RegistrySecurity	Initializes a new instance of the RegistrySecurity class with default values.

Top

Properties

	Name	Description
	AccessRightType	Gets the enumeration type that the RegistrySecurity class uses to represent access rights. (Overrides ObjectSecurity.AccessRightType.)
	AccessRulesModified	Gets or sets a Boolean value that specifies whether the access rules associated with this ObjectSecurity object have been modified. (Inherited from ObjectSecurity.)
	AccessRuleType	Gets the type that the RegistrySecurity class uses to represent access rules. (Overrides ObjectSecurity.AccessRuleType.)
	AreAccessRulesCanonical	Gets a Boolean value that specifies whether the access rules associated with this ObjectSecurity object are in canonical order. (Inherited from ObjectSecurity.)
	AreAccessRulesProtected	Gets a Boolean value that specifies whether the Discretionary Access Control List (DACL) associated with this ObjectSecurity object is protected. (Inherited from ObjectSecurity.)
	AreAuditRulesCanonical	Gets a Boolean value that specifies whether the audit rules associated with this ObjectSecurity object are in canonical order. (Inherited from ObjectSecurity.)
	AreAuditRulesProtected	Gets a Boolean value that specifies whether the System Access Control List (SACL) associated with this ObjectSecurity object is protected. (Inherited from ObjectSecurity.)
	AuditRulesModified	Gets or sets a Boolean value that specifies whether the audit rules associated with this ObjectSecurity object have been modified. (Inherited from ObjectSecurity.)
	AuditRuleType	Gets the type that the RegistrySecurity class uses to represent audit rules. (Overrides ObjectSecurity.AuditRuleType.)
	GroupModified	Gets or sets a Boolean value that specifies whether the group associated with the securable object has been modified. (Inherited from ObjectSecurity.)
	IsContainer	Gets a Boolean value that specifies whether this ObjectSecurity object is a container object. (Inherited from ObjectSecurity.)
	IsDS	Gets a Boolean value that specifies whether this ObjectSecurity object is a directory object. (Inherited from ObjectSecurity.)
	OwnerModified	Gets or sets a Boolean value that specifies whether the owner of the securable object has been modified. (Inherited from ObjectSecurity.)

Top

Methods

	Name	Description
	AccessRuleFactory	Creates a new access control rule for the specified user, with the specified access rights, access control, and flags. (Overrides ObjectSecurity.AccessRuleFactory(IdentityReference, Int32, Boolean, InheritanceFlags, PropagationFlags, AccessControlType).)
	AddAccessRule(AccessRule)	Adds the specified access rule to the Discretionary Access Control List (DACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity.)
	AddAccessRule(RegistryAccessRule)	Searches for a matching access control with which the new rule can be merged. If none are found, adds the new rule.
	AddAuditRule(AuditRule)	Adds the specified audit rule to the System Access Control List (SACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity.)
	AddAuditRule(RegistryAuditRule)	Searches for an audit rule with which the new rule can be merged. If none are found, adds the new rule.
	AuditRuleFactory	Creates a new audit rule, specifying the user the rule applies to, the access rights to audit, the inheritance and propagation of the rule, and the outcome that triggers the rule. (Overrides ObjectSecurity.AuditRuleFactory(IdentityReference, Int32, Boolean, InheritanceFlags, PropagationFlags, AuditFlags).)
	Equals(Object)	Determines whether the specified Object is equal to the current Object. (Inherited from Object.)
	Finalize	Allows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection. (Inherited from Object.)
	GetAccessRules	Gets a collection of the access rules associated with the specified security identifier. (Inherited from CommonObjectSecurity.)
	GetAuditRules	Gets a collection of the audit rules associated with the specified security identifier. (Inherited from CommonObjectSecurity.)
	GetGroup	Gets the primary group associated with the specified owner. (Inherited from ObjectSecurity.)
	GetHashCode	Serves as a hash function for a particular type. (Inherited from Object.)
	GetOwner	Gets the owner associated with the specified primary group. (Inherited from ObjectSecurity.)
	GetSecurityDescriptorBinaryForm	Returns an array of byte values that represents the security descriptor information for this ObjectSecurity object. (Inherited from ObjectSecurity.)
	GetSecurityDescriptorSddlForm	Returns the Security Descriptor Definition Language (SDDL) representation of the specified sections of the security descriptor associated with this ObjectSecurity object. (Inherited from ObjectSecurity.)
	GetType	Gets the Type of the current instance. (Inherited from Object.)
	MemberwiseClone	Creates a shallow copy of the current Object. (Inherited from Object.)
	ModifyAccess	Applies the specified modification to the Discretionary Access Control List (DACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity.)
	ModifyAccessRule	Applies the specified modification to the Discretionary Access Control List (DACL) associated with this ObjectSecurity object. (Inherited from ObjectSecurity.)
	ModifyAudit	Applies the specified modification to the System Access Control List (SACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity.)
	ModifyAuditRule	Applies the specified modification to the System Access Control List (SACL) associated with this ObjectSecurity object. (Inherited from ObjectSecurity.)
	Persist(SafeHandle, AccessControlSections)	Saves the specified sections of the security descriptor associated with this NativeObjectSecurity object to permanent storage. We recommend that the values of the includeSections parameters passed to the constructor and persist methods be identical. For more information, see Remarks. (Inherited from NativeObjectSecurity.)
	Persist(String, AccessControlSections)	Saves the specified sections of the security descriptor associated with this NativeObjectSecurity object to permanent storage. We recommend that the values of the includeSections parameters passed to the constructor and persist methods be identical. For more information, see Remarks. (Inherited from NativeObjectSecurity.)
	Persist(Boolean, String, AccessControlSections)	Saves the specified sections of the security descriptor associated with this ObjectSecurity object to permanent storage. We recommend that the values of the includeSections parameters passed to the constructor and persist methods be identical. For more information, see Remarks. (Inherited from ObjectSecurity.)
	Persist(SafeHandle, AccessControlSections, Object)	Saves the specified sections of the security descriptor associated with this NativeObjectSecurity object to permanent storage. We recommend that the values of the includeSections parameters passed to the constructor and persist methods be identical. For more information, see Remarks. (Inherited from NativeObjectSecurity.)
	Persist(String, AccessControlSections, Object)	Saves the specified sections of the security descriptor associated with this NativeObjectSecurity object to permanent storage. We recommend that the values of the includeSections parameters passed to the constructor and persist methods be identical. For more information, see Remarks. (Inherited from NativeObjectSecurity.)
	PurgeAccessRules	Removes all access rules associated with the specified IdentityReference. (Inherited from ObjectSecurity.)
	PurgeAuditRules	Removes all audit rules associated with the specified IdentityReference. (Inherited from ObjectSecurity.)
	ReadLock	Locks this ObjectSecurity object for read access. (Inherited from ObjectSecurity.)
	ReadUnlock	Unlocks this ObjectSecurity object for read access. (Inherited from ObjectSecurity.)
	RemoveAccessRule(AccessRule)	Removes access rules that contain the same security identifier and access mask as the specified access rule from the Discretionary Access Control List (DACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity.)
	RemoveAccessRule(RegistryAccessRule)	Searches for an access control rule with the same user and AccessControlType (allow or deny) as the specified access rule, and with compatible inheritance and propagation flags; if such a rule is found, the rights contained in the specified access rule are removed from it.
	RemoveAccessRuleAll(AccessRule)	Removes all access rules that have the same security identifier as the specified access rule from the Discretionary Access Control List (DACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity.)
	RemoveAccessRuleAll(RegistryAccessRule)	Searches for all access control rules with the same user and AccessControlType (allow or deny) as the specified rule and, if found, removes them.
	RemoveAccessRuleSpecific(AccessRule)	Removes all access rules that exactly match the specified access rule from the Discretionary Access Control List (DACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity.)
	RemoveAccessRuleSpecific(RegistryAccessRule)	Searches for an access control rule that exactly matches the specified rule and, if found, removes it.
	RemoveAuditRule(AuditRule)	Removes audit rules that contain the same security identifier and access mask as the specified audit rule from the System Access Control List (SACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity.)
	RemoveAuditRule(RegistryAuditRule)	Searches for an audit control rule with the same user as the specified rule, and with compatible inheritance and propagation flags; if a compatible rule is found, the rights contained in the specified rule are removed from it.
	RemoveAuditRuleAll(AuditRule)	Removes all audit rules that have the same security identifier as the specified audit rule from the System Access Control List (SACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity.)
	RemoveAuditRuleAll(RegistryAuditRule)	Searches for all audit rules with the same user as the specified rule and, if found, removes them.
	RemoveAuditRuleSpecific(AuditRule)	Removes all audit rules that exactly match the specified audit rule from the System Access Control List (SACL) associated with this CommonObjectSecurity object. (Inherited from CommonObjectSecurity.)
	RemoveAuditRuleSpecific(RegistryAuditRule)	Searches for an audit rule that exactly matches the specified rule and, if found, removes it.
	ResetAccessRule(AccessRule)	Removes all access rules in the Discretionary Access Control List (DACL) associated with this CommonObjectSecurity object and then adds the specified access rule. (Inherited from CommonObjectSecurity.)
	ResetAccessRule(RegistryAccessRule)	Removes all access control rules with the same user as the specified rule, regardless of AccessControlType, and then adds the specified rule.
	SetAccessRule(AccessRule)	Removes all access rules that contain the same security identifier and qualifier as the specified access rule in the Discretionary Access Control List (DACL) associated with this CommonObjectSecurity object and then adds the specified access rule. (Inherited from CommonObjectSecurity.)
	SetAccessRule(RegistryAccessRule)	Removes all access control rules with the same user and AccessControlType (allow or deny) as the specified rule, and then adds the specified rule.
	SetAccessRuleProtection	Sets or removes protection of the access rules associated with this ObjectSecurity object. Protected access rules cannot be modified by parent objects through inheritance. (Inherited from ObjectSecurity.)
	SetAuditRule(AuditRule)	Removes all audit rules that contain the same security identifier and qualifier as the specified audit rule in the System Access Control List (SACL) associated with this CommonObjectSecurity object and then adds the specified audit rule. (Inherited from CommonObjectSecurity.)
	SetAuditRule(RegistryAuditRule)	Removes all audit rules with the same user as the specified rule, regardless of the AuditFlags value, and then adds the specified rule.
	SetAuditRuleProtection	Sets or removes protection of the audit rules associated with this ObjectSecurity object. Protected audit rules cannot be modified by parent objects through inheritance. (Inherited from ObjectSecurity.)
	SetGroup	Sets the primary group for the security descriptor associated with this ObjectSecurity object. (Inherited from ObjectSecurity.)
	SetOwner	Sets the owner for the security descriptor associated with this ObjectSecurity object. (Inherited from ObjectSecurity.)
	SetSecurityDescriptorBinaryForm(Byte[])	Sets the security descriptor for this ObjectSecurity object from the specified array of byte values. (Inherited from ObjectSecurity.)
	SetSecurityDescriptorBinaryForm(Byte[], AccessControlSections)	Sets the specified sections of the security descriptor for this ObjectSecurity object from the specified array of byte values. (Inherited from ObjectSecurity.)
	SetSecurityDescriptorSddlForm(String)	Sets the security descriptor for this ObjectSecurity object from the specified Security Descriptor Definition Language (SDDL) string. (Inherited from ObjectSecurity.)
	SetSecurityDescriptorSddlForm(String, AccessControlSections)	Sets the specified sections of the security descriptor for this ObjectSecurity object from the specified Security Descriptor Definition Language (SDDL) string. (Inherited from ObjectSecurity.)
	ToString	Returns a string that represents the current object. (Inherited from Object.)
	WriteLock	Locks this ObjectSecurity object for write access. (Inherited from ObjectSecurity.)
	WriteUnlock	Unlocks this ObjectSecurity object for write access. (Inherited from ObjectSecurity.)

Top

Remarks

A RegistrySecurity object specifies access rights for a registry key, and also specifies how access attempts are audited. Access rights to the registry key are expressed as rules, with each access rule represented by a RegistryAccessRule object. Each auditing rule is represented by a RegistryAuditRule object.

This mirrors the underlying Windows security system, in which each securable object has at most one discretionary access control list (DACL) that controls access to the secured object, and at most one system access control list (SACL) that specifies which access attempts are audited. The DACL and SACL are ordered lists of access control entries (ACE) that specify access and auditing for users and groups. A RegistryAccessRule or RegistryAuditRule object might represent more than one ACE.

Note
Windows access control security can only be applied to registry keys. It cannot be applied to individual key/value pairs stored in a key.

The RegistrySecurity, RegistryAccessRule, and RegistryAuditRule classes hide the implementation details of ACLs and ACEs. They allow you to ignore the seventeen different ACE types and the complexity of correctly maintaining inheritance and propagation of access rights. These objects are also designed to prevent the following common access control errors:

Creating a security descriptor with a null DACL. A null reference to a DACL allows any user to add access rules to an object, potentially creating a denial-of-service attack. A new RegistrySecurity object always starts with an empty DACL, which denies all access for all users.
Violating the canonical ordering of ACEs. If the ACE list in the DACL is not kept in the canonical order, users might inadvertently be given access to the secured object. For example, denied access rights must always appear before allowed access rights. RegistrySecurity objects maintain the correct order internally.
Manipulating security descriptor flags, which should be under resource manager control only.
Creating invalid combinations of ACE flags.
Manipulating inherited ACEs. Inheritance and propagation are handled by the resource manager, in response to changes you make to access and audit rules.
Inserting meaningless ACEs into ACLs.

The only capabilities not supported by the .NET security objects are dangerous activities that should be avoided by the majority of application developers, such as the following:

Low-level tasks that are normally performed by the resource manager.
Adding or removing access control entries in ways that do not maintain the canonical ordering.

To modify Windows access control security for a registry key, use the RegistryKey.GetAccessControl method to get the RegistrySecurity object. Modify the security object by adding and removing rules, and then use the RegistryKey.SetAccessControl method to reattach it.

Important
Changes you make to a RegistrySecurity object do not affect the access levels of the registry key until you call the RegistryKey.SetAccessControl method to assign the altered security object to the registry key.

To copy access control security from one registry key to another, use the RegistryKey.GetAccessControl method to get a RegistrySecurity object representing the access and audit rules for the first registry key, and then use the RegistryKey.SetAccessControl method to assign those rules to the second registry key. You can also assign the rules to a second registry key with an RegistryKey.OpenSubKey or RegistryKey.CreateSubKey method that takes a RegistrySecurity object parameter.

Users with an investment in the security descriptor definition language (SDDL) can use the SetSecurityDescriptorSddlForm method to set access rules for a registry key, and the GetSecurityDescriptorSddlForm method to obtain a string that represents the access rules in SDDL format. This is not recommended for new development.

Examples

This section contains two code examples. The first example shows how compatible rules merge when added and removed, and the second shows how inheritance and propagation flags affect the addition and deletion of rules.

Example 1

The following code example shows how the RemoveAccessRule method removes rights from a compatible rule, and how the AddAccessRule method merges rights with compatible rules.

The example creates a RegistrySecurity object and adds a rule that allows the current user RegistryRights.ReadKey rights. The example then creates a rule that grants the user RegistryRights.SetValue, with the same inheritance and propagation rights as the first rule, and uses the RemoveAccessRule method to remove this new rule from the RegistrySecurity object. SetValue is a constituent of ReadKey, so it is removed from the compatible rule. The rules in the RegistrySecurity object are displayed, showing the remaining constituents of ReadKey.

The example code then calls the AddAccessRule method to merge the SetValue right back into the rule in the RegistrySecurity object.

Note
This example does not attach the security object to a RegistryKey object. The second example in this section attaches a security object, and so do the examples in RegistryKey.GetAccessControl and RegistryKey.SetAccessControl.

Copy



using System;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Security;
using Microsoft.Win32;

public class Example
{

    public static void Main()
    {

        string user = Environment.UserDomainName + "\\"
            + Environment.UserName;

        // Create a security object that grants no access.
        RegistrySecurity mSec = new RegistrySecurity();

        // Add a rule that grants the current user ReadKey
        // rights. ReadKey is a combination of four other 
        // rights. The rule is inherited by all 
        // contained subkeys.
        RegistryAccessRule rule = new RegistryAccessRule(user, 
            RegistryRights.ReadKey, 
            InheritanceFlags.ContainerInherit, 
            PropagationFlags.None, 
            AccessControlType.Allow);
        mSec.AddAccessRule(rule);

        // Create a rule that allows the current user only the 
        // right to query the key/value pairs of a key, using  
        // the same inheritance and propagation flags as the
        // first rule. QueryValues is a constituent of 
        // ReadKey, so when this rule is removed, using the 
        // RemoveAccessRule method, ReadKey is broken into
        // its constituent parts.
        rule = new RegistryAccessRule(user, 
            RegistryRights.QueryValues, 
            InheritanceFlags.ContainerInherit, 
            PropagationFlags.None, 
            AccessControlType.Allow);
        mSec.RemoveAccessRule(rule);

        // Display the rules in the security object.
        ShowSecurity(mSec);

        // Add the second rule back. It merges with the 
        // existing rule, so that the rule is now displayed
        // as ReadKey.
        mSec.AddAccessRule(rule);

        // Display the rules in the security object.
        ShowSecurity(mSec);
    }

    private static void ShowSecurity(RegistrySecurity security)
    {
        Console.WriteLine("\r\nCurrent access rules:\r\n");

        foreach( RegistryAccessRule ar in security.GetAccessRules(true, true, typeof(NTAccount)) )
        {
            Console.WriteLine("        User: {0}", ar.IdentityReference);
            Console.WriteLine("        Type: {0}", ar.AccessControlType);
            Console.WriteLine("      Rights: {0}", ar.RegistryRights);
            Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags);
            Console.WriteLine(" Propagation: {0}", ar.PropagationFlags);
            Console.WriteLine("   Inherited? {0}", ar.IsInherited);
            Console.WriteLine();
        }
    }
}

/* This code example produces output similar to following:

Current access rules:

        User: TestDomain\TestUser
        Type: Allow
      Rights: EnumerateSubKeys, Notify, ReadPermissions
 Inheritance: ContainerInherit
 Propagation: None
   Inherited? False


Current access rules:

        User: TestDomain\TestUser
        Type: Allow
      Rights: ReadKey
 Inheritance: ContainerInherit
 Propagation: None
   Inherited? False
 */

Example 2

The following code example demonstrates access rules with inheritance and propagation. The example creates a RegistrySecurity object, then creates and adds two rules that have the ContainerInherit flag. The first rule has no propagation flags, while the second has NoPropagateInherit and InheritOnly.

The program displays the rules in the RegistrySecurity object, and then uses the RegistrySecurity object to create a subkey. The program creates a child subkey and a grandchild subkey, then displays the security for each subkey. Finally, the program deletes the test keys.

Copy



using System;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Security;
using Microsoft.Win32;

public class Example
{
    public static void Main()
    {
        const string TestKey = "TestKey3927";
        RegistryKey cu = Registry.CurrentUser;

        string user = Environment.UserDomainName + 
            "\\" + Environment.UserName;

        // Create a security object that grants no access.
        RegistrySecurity mSec = new RegistrySecurity();

        // Add a rule that grants the current user the right
        // to read and enumerate the name/value pairs in a key, 
        // to read its access and audit rules, to enumerate
        // its subkeys, to create subkeys, and to delete the key. 
        // The rule is inherited by all contained subkeys.
        //
        RegistryAccessRule rule = new RegistryAccessRule(user, 
           RegistryRights.ReadKey | RegistryRights.WriteKey 
               | RegistryRights.Delete, 
           InheritanceFlags.ContainerInherit, 
           PropagationFlags.None, 
           AccessControlType.Allow
        );
        mSec.AddAccessRule(rule);

        // Add a rule that allows the current user the right
        // right to set the name/value pairs in a key. 
        // This rule is inherited by contained subkeys, but
        // propagation flags limit it to immediate child 
        // subkeys.
        rule = new RegistryAccessRule(user, 
            RegistryRights.ChangePermissions, 
            InheritanceFlags.ContainerInherit, 
            PropagationFlags.InheritOnly | 
                PropagationFlags.NoPropagateInherit, 
            AccessControlType.Allow);
        mSec.AddAccessRule(rule);

        // Display the rules in the security object.
        ShowSecurity(mSec);

        // Create the test key using the security object.
        //
        RegistryKey rk = cu.CreateSubKey(TestKey, 
            RegistryKeyPermissionCheck.ReadWriteSubTree, mSec);

        // Create a child subkey and a grandchild subkey, 
        // without security.
        RegistryKey rkChild = rk.CreateSubKey("ChildKey", 
            RegistryKeyPermissionCheck.ReadWriteSubTree);
        RegistryKey rkGrandChild = 
            rkChild.CreateSubKey("GrandChildKey", 
                RegistryKeyPermissionCheck.ReadWriteSubTree);

        Show(rk);
        Show(rkChild);
        Show(rkGrandChild);

        rkGrandChild.Close();
        rkChild.Close();
        rk.Close();

        cu.DeleteSubKeyTree(TestKey);
    }

    private static void Show(RegistryKey rk)
    {
        Console.WriteLine(rk.Name);
        ShowSecurity(rk.GetAccessControl());
    }

    private static void ShowSecurity(RegistrySecurity security)
    {
        Console.WriteLine("\r\nCurrent access rules:\r\n");

        foreach( RegistryAccessRule ar in security.GetAccessRules(true, true, typeof(NTAccount)) )
        {

            Console.WriteLine("        User: {0}", ar.IdentityReference);
            Console.WriteLine("        Type: {0}", ar.AccessControlType);
            Console.WriteLine("      Rights: {0}", ar.RegistryRights);
            Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags);
            Console.WriteLine(" Propagation: {0}", ar.PropagationFlags);
            Console.WriteLine("   Inherited? {0}", ar.IsInherited);
            Console.WriteLine();
        }

    }
}

/* This code example produces output similar to following:

Current access rules:

        User: TestDomain\TestUser
        Type: Allow
      Rights: SetValue, CreateSubKey, Delete, ReadKey
 Inheritance: ContainerInherit
 Propagation: None
   Inherited? False

        User: TestDomain\TestUser
        Type: Allow
      Rights: ChangePermissions
 Inheritance: ContainerInherit
 Propagation: NoPropagateInherit, InheritOnly
   Inherited? False

HKEY_CURRENT_USER\TestKey3927

Current access rules:

        User: TestDomain\TestUser
        Type: Allow
      Rights: SetValue, CreateSubKey, Delete, ReadKey
 Inheritance: ContainerInherit
 Propagation: None
   Inherited? False

        User: TestDomain\TestUser
        Type: Allow
      Rights: ChangePermissions
 Inheritance: ContainerInherit
 Propagation: NoPropagateInherit, InheritOnly
   Inherited? False

HKEY_CURRENT_USER\TestKey3927\ChildKey

Current access rules:

        User: TestDomain\TestUser
        Type: Allow
      Rights: SetValue, CreateSubKey, Delete, ReadKey
 Inheritance: ContainerInherit
 Propagation: None
   Inherited? True

        User: TestDomain\TestUser
        Type: Allow
      Rights: ChangePermissions
 Inheritance: None
 Propagation: None
   Inherited? True

HKEY_CURRENT_USER\TestKey3927\ChildKey\GrandChildKey

Current access rules:

        User: TestDomain\TestUser
        Type: Allow
      Rights: SetValue, CreateSubKey, Delete, ReadKey
 Inheritance: ContainerInherit
 Propagation: None
   Inherited? True
 */

Version Information

.NET Framework

Supported in: 4, 3.5, 3.0, 2.0

.NET Framework Client Profile

Supported in: 4, 3.5 SP1

Platforms

Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Thread Safety

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Reference

System.Security.AccessControl Namespace

Did you find this helpful? Yes No

Not accurate

Not enough depth

Need more code examples

(1500 characters remaining)

Community Content Add

FAQ

TakeOwnership bug

If you do the following:

Dim person = New System.Security.Principal.NTAccount("Administrators")
Dim subkey = key.OpenSubKey("somesubkey", Microsoft.Win32.RegistryKeyPermissionCheck.Default, Security.AccessControl.RegistryRights.TakeOwnership)
rs = subkey.GetAccessControl()
rs.SetOwner(person)
subkey.SetAccessControl(rs)

It throws an exception on the OpenSubKey( ) line stating no permissions to take ownership. If you change OpenSubKey( ) to open as readonly, it then opens, but when you get to the call to SetAccessControl( ), a registry permission exception is thrown.

This looks like a chicken or egg problem. Can't set the owner unless you open the registry with setownership permission. Can't open the registry with setownership permissions because you don't own it.

It should allow OpenSubKey( ) with TakeOwnership because the account I am using is a member of the Administrators group running elevated.

This bug may stem as far back as Windows NT 3.1 as referenced in bug Q111546.

History

6/28/2010
Brain2000

6/28/2010
Brain2000