This documentation is archived and is not being maintained.

RegistryAccessRule Class

Represents a set of access rights allowed or denied for a user or group. This class cannot be inherited.

Namespace:  System.Security.AccessControl
Assembly:  mscorlib (in mscorlib.dll)

'Declaration
Public NotInheritable Class RegistryAccessRule _
	Inherits AccessRule
'Usage
Dim instance As RegistryAccessRule

The RegistryAccessRule class is one of a set of classes that the .NET Framework provides for managing Windows access control security on registry keys. For an overview of these classes, and their relationship to the underlying Windows access control structures, see RegistrySecurity.

Note:

Windows access control security can only be applied to registry keys. It cannot be applied to individual key/value pairs stored in a key.

To get a list of the rules currently applied to a registry key, use the RegistryKey.GetAccessControl method to get a RegistrySecurity object, and then use its GetAccessRules method to obtain a collection of RegistryAccessRule objects.

RegistryAccessRule objects do not map one-to-one with access control entries in the underlying discretionary access control list (DACL). When you get the set of all access rules for a registry key, the set contains the minimum number of rules currently required to express all the access control entries.

Note:

The underlying access control entries change as you apply and remove rules. The information in rules is merged if possible, to maintain the smallest number of access control entries. Thus, when you read the current list of rules, it might not look exactly like the list of all the rules you have added.

Use RegistryAccessRule objects to specify access rights to allow or deny to a user or group. A RegistryAccessRule object always represents either allowed access or denied access, never both.

To apply a rule to a registry key, use the RegistryKey.GetAccessControl method to get the RegistrySecurity object. Modify the RegistrySecurity object by using its methods to add the rule, and then use the RegistryKey.SetAccessControl method to reattach the security object.

Important Note:

Changes you make to a RegistrySecurity object do not affect the access levels of the registry key until you call the RegistryKey.SetAccessControl method to assign the altered security object to the registry key.

RegistryAccessRule objects are immutable. Security for a registry key is modified using the methods of the RegistrySecurity class to add or remove rules; as you do this, the underlying access control entries are modified.
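
The get, modify, reattach sequence and the rule-merging note above, shown as an added example that is not part of the original documentation. It assumes a scratch key named AccessRuleApplyDemo (a hypothetical name) under HKEY_CURRENT_USER, which it creates and deletes, and it opens the key with the ChangePermissions right so that the handle can write the DACL.

```vb
Imports System
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports Microsoft.Win32

Public Class ApplyRuleExample
    ' Hypothetical scratch key under HKEY_CURRENT_USER; deleted at the end.
    Private Const TestKey As String = "AccessRuleApplyDemo"

    Public Shared Sub Main()
        Dim user As String = Environment.UserDomainName & "\" & Environment.UserName
        Registry.CurrentUser.CreateSubKey(TestKey).Close()

        ' Open with ChangePermissions so the handle is allowed to write the DACL.
        Dim rk As RegistryKey = Registry.CurrentUser.OpenSubKey(TestKey, _
            RegistryKeyPermissionCheck.ReadWriteSubTree, _
            RegistryRights.ReadKey Or RegistryRights.ChangePermissions)
        Try
            ' GetAccessControl returns a security object read from the key.
            Dim sec As RegistrySecurity = rk.GetAccessControl()

            ' Two separate Allow rules for the same user with identical flags.
            sec.AddAccessRule(New RegistryAccessRule(user, _
                RegistryRights.ReadKey, AccessControlType.Allow))
            sec.AddAccessRule(New RegistryAccessRule(user, _
                RegistryRights.SetValue, AccessControlType.Allow))

            ' The key is untouched until the security object is reattached.
            Console.WriteLine("Explicit rules on key before SetAccessControl:")
            ShowExplicit(rk.GetAccessControl())
            rk.SetAccessControl(sec)

            ' Read back from the key: rules that can be merged are merged,
            ' so this list need not match the two rules added above.
            Console.WriteLine("Explicit rules on key after SetAccessControl:")
            ShowExplicit(rk.GetAccessControl())
        Finally
            rk.Close()
            Registry.CurrentUser.DeleteSubKeyTree(TestKey)
        End Try
    End Sub

    Private Shared Sub ShowExplicit(ByVal sec As RegistrySecurity)
        ' includeInherited:=False limits output to rules set directly on the key.
        For Each ar As RegistryAccessRule In _
            sec.GetAccessRules(True, False, GetType(NTAccount))
            Console.WriteLine("  {0} {1}: {2}", ar.AccessControlType, _
                ar.IdentityReference, ar.RegistryRights)
        Next
    End Sub
End Class
```

Passing False for the includeInherited argument of GetAccessRules keeps the rules inherited from HKEY_CURRENT_USER out of the listing, so only the rules set directly on the scratch key are shown.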

The following code example demonstrates access rules with inheritance and propagation. The example creates a RegistrySecurity object, then creates and adds two rules that have the ContainerInherit flag. The first rule has no propagation flags, while the second has NoPropagateInherit and InheritOnly.

The program displays the rules in the RegistrySecurity object, and then uses the object to create a subkey. The program creates a child subkey and a grandchild subkey, and then displays the security for each subkey. Finally, the program deletes the test keys.

Option Explicit
Imports System
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports System.Security
Imports Microsoft.Win32

Public Class Example

    Public Shared Sub Main()

        Const TestKey As String = "TestKey3927" 
        Dim cu As RegistryKey = Registry.CurrentUser

        Dim user As String = Environment.UserDomainName _ 
            & "\" & Environment.UserName

        ' Create a security object that grants no access. 
        Dim mSec As New RegistrySecurity()

        ' Add a rule that grants the current user the right 
        ' to read and enumerate the name/value pairs in a key,  
        ' to read its access and audit rules, to enumerate 
        ' its subkeys, to create subkeys, and to delete the key.  
        ' The rule is inherited by all contained subkeys. 
        
        Dim rule As New RegistryAccessRule(user, _
            RegistryRights.ReadKey Or RegistryRights.WriteKey _
                Or RegistryRights.Delete, _
            InheritanceFlags.ContainerInherit, _
            PropagationFlags.None, _
            AccessControlType.Allow)
        mSec.AddAccessRule(rule)

        ' Add a rule that allows the current user the 
        ' right to change the permissions on a key.  
        ' This rule is inherited by contained subkeys, but 
        ' propagation flags limit it to immediate child  
        ' subkeys.
        rule = New RegistryAccessRule(user, _
            RegistryRights.ChangePermissions, _
            InheritanceFlags.ContainerInherit, _
            PropagationFlags.InheritOnly Or PropagationFlags.NoPropagateInherit, _
            AccessControlType.Allow)
        mSec.AddAccessRule(rule)

        ' Display the rules in the security object.
        ShowSecurity(mSec)

        ' Create the test key using the security object. 
        
        Dim rk As RegistryKey = cu.CreateSubKey(TestKey, _
            RegistryKeyPermissionCheck.ReadWriteSubTree, _
            mSec)

        ' Create a child subkey and a grandchild subkey,  
        ' without security. 
        Dim rkChild As RegistryKey = rk.CreateSubKey("ChildKey", _
            RegistryKeyPermissionCheck.ReadWriteSubTree)
        Dim rkGrandChild As RegistryKey = _
            rkChild.CreateSubKey("GrandChildKey", _
                RegistryKeyPermissionCheck.ReadWriteSubTree)

        Show(rk)
        Show(rkChild)
        Show(rkGrandChild)

        rkGrandChild.Close()
        rkChild.Close()
        rk.Close()

        cu.DeleteSubKeyTree(TestKey)
    End Sub  

    Private Shared Sub Show(ByVal rk As RegistryKey)
        Console.WriteLine(rk.Name)            
        ShowSecurity(rk.GetAccessControl())
    End Sub 

    Private Shared Sub ShowSecurity(ByVal security As RegistrySecurity)
        Console.WriteLine(vbCrLf & "Current access rules:" & vbCrLf)

        For Each ar As RegistryAccessRule In _
            security.GetAccessRules(True, True, GetType(NTAccount))

            Console.WriteLine("        User: {0}", ar.IdentityReference)
            Console.WriteLine("        Type: {0}", ar.AccessControlType)
            Console.WriteLine("      Rights: {0}", ar.RegistryRights)
            Console.WriteLine(" Inheritance: {0}", ar.InheritanceFlags)
            Console.WriteLine(" Propagation: {0}", ar.PropagationFlags)
            Console.WriteLine("   Inherited? {0}", ar.IsInherited)
            Console.WriteLine()
        Next 

    End Sub 
End Class  

'This code example produces output similar to the following: 

'Current access rules: 

'        User: TestDomain\TestUser 
'        Type: Allow 
'      Rights: SetValue, CreateSubKey, Delete, ReadKey 
' Inheritance: ContainerInherit 
' Propagation: None 
'   Inherited? False 

'        User: TestDomain\TestUser 
'        Type: Allow 
'      Rights: ChangePermissions 
' Inheritance: ContainerInherit 
' Propagation: NoPropagateInherit, InheritOnly 
'   Inherited? False 

'HKEY_CURRENT_USER\TestKey3927 

'Current access rules: 

'        User: TestDomain\TestUser 
'        Type: Allow 
'      Rights: SetValue, CreateSubKey, Delete, ReadKey 
' Inheritance: ContainerInherit 
' Propagation: None 
'   Inherited? False 

'        User: TestDomain\TestUser 
'        Type: Allow 
'      Rights: ChangePermissions 
' Inheritance: ContainerInherit 
' Propagation: NoPropagateInherit, InheritOnly 
'   Inherited? False 

'HKEY_CURRENT_USER\TestKey3927\ChildKey 

'Current access rules: 

'        User: TestDomain\TestUser 
'        Type: Allow 
'      Rights: SetValue, CreateSubKey, Delete, ReadKey 
' Inheritance: ContainerInherit 
' Propagation: None 
'   Inherited? True 

'        User: TestDomain\TestUser 
'        Type: Allow 
'      Rights: ChangePermissions 
' Inheritance: None 
' Propagation: None 
'   Inherited? True 

'HKEY_CURRENT_USER\TestKey3927\ChildKey\GrandChildKey 

'Current access rules: 

'        User: TestDomain\TestUser 
'        Type: Allow 
'      Rights: SetValue, CreateSubKey, Delete, ReadKey 
' Inheritance: ContainerInherit 
' Propagation: None 
'   Inherited? True

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Windows 7, Windows Vista, Windows XP SP2, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP Starter Edition, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows Server 2000 SP4, Windows Millennium Edition, Windows 98

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

.NET Framework

Supported in: 3.5, 3.0, 2.0