Accessing Registry Keys Safely

Customer problems have frequently been traced to external components, such as third-party device installation applications, that do the following:

  • Delete critical registry keys.

  • Modify the access permissions of critical registry keys.

Many of the problems seen with external components are caused by using the KEY_ALL_ACCESS access permission for registry keys. Starting with Windows Server 2003, SetupDiCreateDevRegKey grants only KEY_READ and KEY_WRITE access permissions and not KEY_ALL_ACCESS. Starting with Windows Vista, additional KEY_ALL_ACCESS restrictions are enforced.
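The following added example (not Microsoft's code) shows which rights KEY_ALL_ACCESS carries beyond the KEY_READ and KEY_WRITE that SetupDiCreateDevRegKey grants: the extra bits include the rights needed to delete a key and to change its permissions or owner. The helper names excess_rights, grants_destructive and print_rights are hypothetical, and the bit values are copied from the Windows SDK header winnt.h so that the code builds without <windows.h>.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit values as defined in the Windows SDK (winnt.h), repeated here so the
   example builds on any platform without <windows.h>. */
#define KEY_QUERY_VALUE        0x00001u
#define KEY_SET_VALUE          0x00002u
#define KEY_CREATE_SUB_KEY     0x00004u
#define KEY_ENUMERATE_SUB_KEYS 0x00008u
#define KEY_NOTIFY             0x00010u
#define KEY_CREATE_LINK        0x00020u
#define DELETE                 0x10000u
#define READ_CONTROL           0x20000u
#define WRITE_DAC              0x40000u
#define WRITE_OWNER            0x80000u
#define KEY_READ  (READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY)
#define KEY_WRITE (READ_CONTROL | KEY_SET_VALUE | KEY_CREATE_SUB_KEY)
#define KEY_ALL_ACCESS 0xF003Fu

/* Name table used only for reporting (hypothetical helper data). */
static const struct { uint32_t bit; const char *name; } RIGHTS[] = {
    {KEY_QUERY_VALUE, "KEY_QUERY_VALUE"}, {KEY_SET_VALUE, "KEY_SET_VALUE"},
    {KEY_CREATE_SUB_KEY, "KEY_CREATE_SUB_KEY"},
    {KEY_ENUMERATE_SUB_KEYS, "KEY_ENUMERATE_SUB_KEYS"},
    {KEY_NOTIFY, "KEY_NOTIFY"}, {KEY_CREATE_LINK, "KEY_CREATE_LINK"},
    {DELETE, "DELETE"}, {READ_CONTROL, "READ_CONTROL"},
    {WRITE_DAC, "WRITE_DAC"}, {WRITE_OWNER, "WRITE_OWNER"},
};

/* Rights in `requested` that the task described by `needed` does not use. */
uint32_t excess_rights(uint32_t requested, uint32_t needed) {
    return requested & ~needed;
}

/* Nonzero if the mask allows deleting the key or rewriting its DACL or owner. */
int grants_destructive(uint32_t mask) {
    return (mask & (DELETE | WRITE_DAC | WRITE_OWNER)) != 0;
}

/* Print every named right set in `mask`; returns how many were set. */
int print_rights(uint32_t mask) {
    int n = 0;
    for (size_t i = 0; i < sizeof RIGHTS / sizeof RIGHTS[0]; i++)
        if (mask & RIGHTS[i].bit) { printf("  %s\n", RIGHTS[i].name); n++; }
    return n;
}

int main(void) {
    uint32_t extra = excess_rights(KEY_ALL_ACCESS, KEY_READ | KEY_WRITE);
    printf("KEY_ALL_ACCESS beyond KEY_READ|KEY_WRITE (0x%05X):\n", (unsigned)extra);
    print_rights(extra);
    return grants_destructive(KEY_READ | KEY_WRITE); /* 0: no destructive rights */
}
```

The same excess_rights check can be applied to any access mask an installation component requests, using the minimal rights its task needs as the second argument.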

Follow these guidelines to safely access registry keys:

  • Use only the SetupAPI functions to open registry keys, especially the hardware keys and software keys for a device.

    These functions address common problems that result from restrictions on access permissions.

  • The location and format of registry keys might change between different versions of Windows. Do not make assumptions about the location, format, or meaning of registry keys or values that are used for device and driver installation.

    For more information about registry keys and trees, see Registry Trees and Keys for Devices and Drivers.

  • Do not use the registry to directly access or modify the internal settings of the device.

  • Request only the minimal access permissions that are required for each task, such as the following:

    • KEY_SET_VALUE

    • KEY_CREATE_SUB_KEY

    • KEY_QUERY_VALUE

    • KEY_ENUMERATE_SUB_KEYS

  • Do not directly open the device setup class keys in the registry. As with any registry key, the location and name of device setup class keys might change between versions of Windows.

    To open device setup class keys safely, follow these guidelines:

  • Do not directly open device interface class keys in the registry. As with any registry key, the location and name of device interface class keys might change between versions of Windows.

    To open device interface class keys safely, use SetupDiOpenClassRegKeyEx and set DIOCR_INSTALLER in the Flags parameter.

  • Use only INF directives to modify registry keys that are reserved for use by the operating system. For more information, see Summary of INF Directives.

  • Class installers and co-installers cannot call registry functions to create, change, or delete registry values that are reserved for use by the operating system.

    For more information, see Accessing the Registry by Class Installers and Co-Installers.

For more information about the access permissions of registry keys, see Registry Key Security and Access Rights.

 

 

© 2015 Microsoft