Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
Export (0) Print
Expand All

RegistrySecurity.RemoveAccessRule Method

Searches for an access control rule with the same user and AccessControlType (allow or deny) as the specified access rule, and with compatible inheritance and propagation flags; if such a rule is found, the rights contained in the specified access rule are removed from it.

Namespace: System.Security.AccessControl
Assembly: mscorlib (in mscorlib.dll)

public bool RemoveAccessRule (
	RegistryAccessRule rule
)
public boolean RemoveAccessRule (
	RegistryAccessRule rule
)
public function RemoveAccessRule (
	rule : RegistryAccessRule
) : boolean
Not applicable.

Parameters

rule

A RegistryAccessRule that specifies the user and AccessControlType to search for, and a set of inheritance and propagation flags that a matching rule, if found, must be compatible with. Specifies the rights to remove from the compatible rule, if found.

Return Value

true if a compatible rule is found; otherwise false.

Exception typeCondition

ArgumentNullException

rule is a null reference (Nothing in Visual Basic).

The current RegistrySecurity is searched for a rule that has the same user and the same AccessControlType value as rule. If no such rule is found, no action is taken, and the method returns false. If matching rules are found, their inheritance and compatibility flags are checked for compatibility with the flags specified in rule. If no compatible rule is found, no action is taken, and the method returns false. If a rule with compatible flags is found, the rights specified in rule are removed from the compatible rule, and the method returns true. If rule specifies rights not contained in the compatible rule, no action is taken with respect to those rights. If all rights are removed from the compatible rule, the entire rule is removed from the current RegistrySecurity object.

The following code example shows how the RemoveAccessRule method removes rights from a compatible rule, and how the AddAccessRule method merges rights with compatible rules.

The example creates a RegistrySecurity object and adds a rule that allows the current user RegistryRights.ReadKey rights. The example then creates a rule that grants the user RegistryRights.SetValue, with the same inheritance and propagation rights as the first rule, and uses the RemoveAccessRule method to remove this new rule from the RegistrySecurity object. SetValue is a constituent of ReadKey, so it is removed from the compatible rule. The rules in the RegistrySecurity object are displayed, showing the remaining constituents of ReadKey.

The example code then calls the RemoveAccessRule method to merge the SetValue right back into the rule in the RegistrySecurity object.

NoteNote:

This example does not attach the security object to a RegistryKey object. The second example in this section attaches a security object, and so do the examples in Microsoft.Win32.RegistryKey.GetAccessControlMicrosoft.Win32.RegistryKey.SetAccessControl(System.Security.AccessControl.RegistrySecurity).


using System;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Security;
using Microsoft.Win32;

public class Example
{

    public static void Main()
    {

        string user = Environment.UserDomainName + "\\"
            + Environment.UserName;

        // Create a security object that grants no access.
        RegistrySecurity mSec = new RegistrySecurity();

        // Add a rule that grants the current user ReadKey
        // rights. ReadKey is a combination of four other 
        // rights. The rule is inherited by all 
        // contained subkeys.
        RegistryAccessRule rule = new RegistryAccessRule(user, 
            RegistryRights.ReadKey, 
            InheritanceFlags.ContainerInherit, 
            PropagationFlags.None, 
            AccessControlType.Allow);
        mSec.AddAccessRule(rule);

        // Create a rule that allows the current user only the 
        // right to query the key/value pairs of a key, using  
        // the same inheritance and propagation flags as the
        // first rule. QueryValues is a constituent of 
        // ReadKey, so when this rule is removed, using the 
        // RemoveAccessRule method, ReadKey is broken into
        // its constituent parts.
        rule = new RegistryAccessRule(user, 
            RegistryRights.QueryValues, 
            InheritanceFlags.ContainerInherit, 
            PropagationFlags.None, 
            AccessControlType.Allow);
        mSec.RemoveAccessRule(rule);

        // Display the rules in the security object.
        ShowSecurity(mSec);

        // Add the second rule back. It merges with the 
        // existing rule, so that the rule is now displayed
        // as ReadKey.
        mSec.AddAccessRule(rule);

        // Display the rules in the security object.
        ShowSecurity(mSec);
    }

    private static void ShowSecurity(RegistrySecurity security)
    {
        Console.WriteLine("\r\nCurrent access rules:\r\n");

        foreach( RegistryAccessRule ar in security.GetAccessRules(true, true, typeof(NTAccount)) )
        {
            Console.WriteLine("        User: {0}", ar.IdentityReference);
            Console.WriteLine("        Type: {0}", ar.AccessControlType);
            Console.WriteLine("      Rights: {0}", ar.RegistryRights);
            Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags);
            Console.WriteLine(" Propagation: {0}", ar.PropagationFlags);
            Console.WriteLine("   Inherited? {0}", ar.IsInherited);
            Console.WriteLine();
        }
    }
}

/* This code example produces output similar to following:

Current access rules:

        User: TestDomain\TestUser
        Type: Allow
      Rights: EnumerateSubKeys, Notify, ReadPermissions
 Inheritance: ContainerInherit
 Propagation: None
   Inherited? False


Current access rules:

        User: TestDomain\TestUser
        Type: Allow
      Rights: ReadKey
 Inheritance: ContainerInherit
 Propagation: None
   Inherited? False
 */

Windows 98, Windows Server 2000 SP4, Windows Millennium Edition, Windows Server 2003, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP SP2, Windows XP Starter Edition

The Microsoft .NET Framework 3.0 is supported on Windows Vista, Microsoft Windows XP SP2, and Windows Server 2003 SP1.

.NET Framework

Supported in: 3.0, 2.0

Community Additions

ADD
Show:
© 2015 Microsoft