Platform SDK: Registry

Security Attributes for Registry Keys

You may want to restrict access to specific data in the registry—for example, to sensitive performance data that, by default, is accessible to anyone, including remote users. There are also times when an application must access certain registry keys that its user does not have access to. For these reasons, Windows NT/Windows 2000 assigns a level of security to each registry key.

Note  Taking ownership of a registry key is not a common operation. It is typically performed by an administrator as a last resort to gain access to a registry key.

To change this security level for a key under Windows NT/Windows 2000, do the following.

  1. Open the key by calling the RegOpenKeyEx function. If the user does not have the correct access to the registry key, the open operation will fail. The solution to this problem is to first enable the TakeOwnership privilege and then open the registry key with WRITE_OWNER access by calling the RegOpenKeyEx function in the following way. In this example, the name of the target key is "Testkey".
    RegOpenKeyEx (HKEY_CLASSES_ROOT, "Testkey", 0, WRITE_OWNER, &hKey);

    On success, this call stores a handle to the opened registry key in hKey.

  2. Pass the handle returned by RegOpenKeyEx into the following call to RegSetKeySecurity to take ownership of the key.
    RegSetKeySecurity (hKey, OWNER_SECURITY_INFORMATION, &SecurityDescriptor);

Keep in mind that you need to initialize the SECURITY_DESCRIPTOR structure passed to RegSetKeySecurity as the SecurityDescriptor parameter, and set its owner field to your own owner SID. To obtain your owner SID, call LookupAccountName.
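
The two steps above carried through end to end, as an added example that is not part of the original SDK page. It is written in PowerShell over the .NET registry classes rather than as direct RegOpenKeyEx/RegSetKeySecurity calls. Assumptions: Demo.Token is a helper type defined in the block itself, and the owner SID is read from the current token instead of through LookupAccountName.

```powershell
# Added example. Run elevated on Windows; 'Testkey' is the page's sample key.
# Demo.Token is a helper type defined here, not part of Windows or .NET.
Add-Type -Namespace Demo -Name Token -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct TokPriv { public int Count; public long Luid; public int Attr; }

[DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr handle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, int access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LookupPrivilegeValue(string host, string name, out long luid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
    ref TokPriv state, int length, IntPtr previous, IntPtr returnLength);

// Returns 0 on success, otherwise the Win32 error code.
public static int Enable(string privilege) {
    IntPtr token;
    TokPriv tp = new TokPriv(); tp.Count = 1; tp.Attr = 2;  // SE_PRIVILEGE_ENABLED
    // 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
    if (!OpenProcessToken(GetCurrentProcess(), 0x28, out token))
        return Marshal.GetLastWin32Error();
    try {
        if (!LookupPrivilegeValue(null, privilege, out tp.Luid))
            return Marshal.GetLastWin32Error();
        AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        // Success can still mean ERROR_NOT_ALL_ASSIGNED (1300): privilege not held.
        return Marshal.GetLastWin32Error();
    } finally { CloseHandle(token); }
}
'@

$err = [Demo.Token]::Enable('SeTakeOwnershipPrivilege')
if ($err -ne 0) { throw "Enabling SeTakeOwnershipPrivilege failed (Win32 error $err)" }
# Step 1: open the key requesting only WRITE_OWNER (RegistryRights.TakeOwnership).
$key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey('Testkey',
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    [System.Security.AccessControl.RegistryRights]::TakeOwnership)
if ($null -eq $key) { throw 'HKEY_CLASSES_ROOT\Testkey not found' }
try {
    # Step 2: set the owner to the caller's SID and write only that back.
    $sd = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
    $sd.SetOwner([System.Security.Principal.WindowsIdentity]::GetCurrent().User)
    $key.SetAccessControl($sd)
} finally { $key.Close() }
```

Owning the key does not by itself grant read or write access. The new owner can change the key's access control list afterwards.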