RegistrySecurity Class

Represents the Windows access control security for a registry key. This class cannot be inherited.

Namespace: System.Security.AccessControl
Assembly: mscorlib (in mscorlib.dll)

public ref class RegistrySecurity sealed : public NativeObjectSecurity
public final class RegistrySecurity extends NativeObjectSecurity
public final class RegistrySecurity extends NativeObjectSecurity
Not applicable.

A RegistrySecurity object specifies access rights for a registry key, and also specifies how access attempts are audited. Access rights to the registry key are expressed as rules, with each access rule represented by a RegistryAccessRule object. Each auditing rule is represented by a RegistryAuditRule object.

This mirrors the underlying Windows security system, in which each securable object has at most one discretionary access control list (DACL) that controls access to the secured object, and at most one system access control list (SACL) that specifies which access attempts are audited. The DACL and SACL are ordered lists of access control entries (ACE) that specify access and auditing for users and groups. A RegistryAccessRule or RegistryAuditRule object might represent more than one ACE.


Windows access control security can only be applied to registry keys. It cannot be applied to individual key/value pairs stored in a key.

The RegistrySecurity, RegistryAccessRule, and RegistryAuditRule classes hide the implementation details of ACLs and ACEs. They allow you to ignore the seventeen different ACE types and the complexity of correctly maintaining inheritance and propagation of access rights. These objects are also designed to prevent the following common access control errors:

  • Creating a security descriptor with a null DACL. A null reference to a DACL allows any user to add access rules to an object, potentially creating a denial-of-service attack. A new RegistrySecurity object always starts with an empty DACL, which denies all access for all users.

  • Violating the canonical ordering of ACEs. If the ACE list in the DACL is not kept in the canonical order, users might inadvertently be given access to the secured object. For example, denied access rights must always appear before allowed access rights. RegistrySecurity objects maintain the correct order internally.

  • Manipulating security descriptor flags, which should be under resource manager control only.

  • Creating invalid combinations of ACE flags.

  • Manipulating inherited ACEs. Inheritance and propagation are handled by the resource manager, in response to changes you make to access and audit rules.

  • Inserting meaningless ACEs into ACLs.

The only capabilities not supported by the .NET security objects are dangerous activities that should be avoided by the majority of application developers, such as the following:

  • Low-level tasks that are normally performed by the resource manager.

  • Adding or removing access control entries in ways that do not maintain the canonical ordering.

To modify Windows access control security for a registry key, use the Microsoft.Win32.RegistryKey.GetAccessControl method to get the RegistrySecurity object. Modify the security object by adding and removing rules, and then use the Microsoft.Win32.RegistryKey.SetAccessControl(System.Security.AccessControl.RegistrySecurity) method to reattach it.


Changes you make to a RegistrySecurity object do not affect the access levels of the registry key until you call the Microsoft.Win32.RegistryKey.SetAccessControl(System.Security.AccessControl.RegistrySecurity) method to assign the altered security object to the registry key.

To copy access control security from one registry key to another, use the Microsoft.Win32.RegistryKey.GetAccessControl method to get a RegistrySecurity object representing the access and audit rules for the first registry key, and then use the Microsoft.Win32.RegistryKey.SetAccessControl(System.Security.AccessControl.RegistrySecurity) method to assign those rules to the second registry key. You can also assign the rules to a second registry key with an Microsoft.Win32.RegistryKey.OpenSubKey or Microsoft.Win32.RegistryKey.CreateSubKey method that takes a RegistrySecurity object parameter.

Users with an investment in the security descriptor definition language (SDDL) can use the SetSecurityDescriptorSddlForm method to set access rules for a registry key, and the GetSecurityDescriptorSddlForm method to obtain a string that represents the access rules in SDDL format. This is not recommended for new development.

This section contains two code examples. The first example shows how compatible rules merge when added and removed, and the second shows how inheritance and propagation flags affect the addition and deletion of rules.

Example 1

The following code example shows how the RemoveAccessRule method removes rights from a compatible rule, and how the AddAccessRule method merges rights with compatible rules.

The example creates a RegistrySecurity object and adds a rule that allows the current user RegistryRights.ReadKey rights. The example then creates a rule that grants the user RegistryRights.SetValue, with the same inheritance and propagation rights as the first rule, and uses the RemoveAccessRule method to remove this new rule from the RegistrySecurity object. SetValue is a constituent of ReadKey, so it is removed from the compatible rule. The rules in the RegistrySecurity object are displayed, showing the remaining constituents of ReadKey.

The example code then calls the AddAccessRule method to merge the SetValue right back into the rule in the RegistrySecurity object.


This example does not attach the security object to a RegistryKey object. The second example in this section attaches a security object, and so do the examples in Microsoft.Win32.RegistryKey.GetAccessControl and Microsoft.Win32.RegistryKey.SetAccessControl(System.Security.AccessControl.RegistrySecurity).

No code example is currently available or this language may not be supported.

Example 2

The following code example demonstrates access rules with inheritance and propagation. The example creates a RegistrySecurity object, then creates and adds two rules that have the ContainerInherit flag. The first rule has no propagation flags, while the second has NoPropagateInherit and InheritOnly.

The program displays the rules in the RegistrySecurity object, and then uses the RegistrySecurity object to create a subkey. The program creates a child subkey and a grandchild subkey, then displays the security for each subkey. Finally, the program deletes the test keys.

No code example is currently available or this language may not be supported.

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Windows 98, Windows Server 2000 SP4, Windows Millennium Edition, Windows Server 2003, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP SP2, Windows XP Starter Edition

The Microsoft .NET Framework 3.0 is supported on Windows Vista, Microsoft Windows XP SP2, and Windows Server 2003 SP1.

.NET Framework

Supported in: 3.0, 2.0

Community Additions