RegistryKey::SetAccessControl Method (RegistrySecurity^)
Applies Windows access control security to an existing registry key.
Assembly: mscorlib (in mscorlib.dll)
Parameters
- registrySecurity
-
Type:
System.Security.AccessControl::RegistrySecurity^
The access control security to apply to the current subkey.
| Exception | Condition |
|---|---|
| UnauthorizedAccessException | The current RegistryKey object represents a key with access control security, and the caller does not have RegistryRights::ChangePermissions rights. |
| ArgumentNullException | registrySecurity is null. |
| ObjectDisposedException | The RegistryKey being manipulated is closed (closed keys cannot be accessed). |
To modify permissions for a registry key, use the GetAccessControl method to obtain a RegistrySecurity object representing the existing Windows access control security, modify that RegistrySecurity object, and then use the SetAccessControl method to update security for the key.
Caution |
|---|
The RegistrySecurity object specified for registrySecurity replaces the existing security for the registry key. To add permissions for a new user, use the GetAccessControl method to obtain the existing access control security, and then modify it. |
The following code example creates a test key. The current user is allowed ReadKey and Delete rights but denied ChangePermissions and WriteKey rights. Subsequent attempts to manipulate the key succeed or fail depending on these permissions.
Before the key is deleted, the code pauses. You can switch to the registry editor and verify that the same access rights apply when the key is accessed using the registry editor. (This works best if you use RunAs from the command line to run the registry editor and the sample code as a local user without administrator rights. The registry editor always allows an administrator to change permissions, even if the particular administrator has been denied those rights. If you have defined a local user named TestUser, the command runas /user:TestUser cmd opens a command window from which you can run the registry editor and then the sample code.)
using namespace System; using namespace System::Reflection; using namespace Microsoft::Win32; using namespace System::Security::AccessControl; using namespace System::Security; int main() { // Delete the example key if it exists. try { Registry::CurrentUser->DeleteSubKey("RegistryRightsExample"); Console::WriteLine("Example key has been deleted."); } catch (ArgumentException^) { // ArgumentException is thrown if the key does not exist. In // this case, there is no reason to display a message. } catch (InvalidOperationException^ ex) { Console::WriteLine( "{0}Unable to delete key: it appears to have child subkeys:{0}{1}", Environment::NewLine, ex); return 0; } catch (SecurityException^ ex) { Console::WriteLine("{0}You do not have the permissions required " + "to delete this key:{0}{1}", Environment::NewLine, ex); return 0; } String^ user = Environment::UserDomainName + "\\" + Environment::UserName; RegistrySecurity^ regSecurity = gcnew RegistrySecurity(); // Allow the current user to read and delete the key. // regSecurity->AddAccessRule(gcnew RegistryAccessRule(user, RegistryRights::ReadKey | RegistryRights::Delete, InheritanceFlags::None, PropagationFlags::None, AccessControlType::Allow)); // Prevent the current user from writing or changing the // permission set of the key. Note that if Delete permission // were not allowed in the previous access rule, denying // WriteKey permission would prevent the user from deleting the // key. regSecurity->AddAccessRule(gcnew RegistryAccessRule(user, RegistryRights::WriteKey | RegistryRights::ChangePermissions, InheritanceFlags::None, PropagationFlags::None, AccessControlType::Deny)); // Create the example key with registry security. RegistryKey^ createdKey = nullptr; try { createdKey = Registry::CurrentUser->CreateSubKey( "RegistryRightsExample", RegistryKeyPermissionCheck::Default, regSecurity); Console::WriteLine("{0}Example key created.", Environment::NewLine); createdKey->SetValue("ValueName", "StringValue"); } catch (SecurityException^ ex) { Console::WriteLine("{0}You do not have the permissions required " + "to create the example key:{0}{1}", Environment::NewLine, ex); return 0; } if (createdKey != nullptr) { createdKey->Close(); } RegistryKey^ openedKey; // Open the key with read access. openedKey = Registry::CurrentUser->OpenSubKey("RegistryRightsExample", false); Console::WriteLine("{0}Retrieved value: {1}", Environment::NewLine, openedKey->GetValue("ValueName")); openedKey->Close(); // Attempt to open the key with write access. try { openedKey = Registry::CurrentUser->OpenSubKey("RegistryRightsExample", true); } catch (SecurityException^ ex) { Console::WriteLine("{0}You do not have the permissions required " + "to write to the example key:{0}{1}", Environment::NewLine, ex); } if (openedKey != nullptr) { openedKey->Close(); } // Attempt to change permissions for the key. try { regSecurity = gcnew RegistrySecurity(); regSecurity->AddAccessRule(gcnew RegistryAccessRule(user, RegistryRights::WriteKey, InheritanceFlags::None, PropagationFlags::None, AccessControlType::Allow)); openedKey = Registry::CurrentUser->OpenSubKey("RegistryRightsExample", false); openedKey->SetAccessControl(regSecurity); Console::WriteLine("{0}Example key permissions were changed.", Environment::NewLine); } catch (UnauthorizedAccessException^ ex) { Console::WriteLine("{0}You are not authorized to change " + "permissions for the example key:{0}{1}", Environment::NewLine, ex); } if (openedKey != nullptr) { openedKey->Close(); } Console::WriteLine("{0}Press Enter to delete the example key.", Environment::NewLine); Console::ReadLine(); try { Registry::CurrentUser->DeleteSubKey("RegistryRightsExample"); Console::WriteLine("Example key was deleted."); } catch(SecurityException^ ex) { Console::WriteLine("{0}You do not have the permissions required to " + "delete the example key:{0}{1}", Environment::NewLine, ex); } }
Available since 2.0
