| Platform SDK: Registry |
Windows NT/Windows 2000 security enables you to control access to registry keys. For more information about security, see Access-Control Model.
You can specify a security descriptor for a registry key when you call the RegCreateKeyEx function. To get or set the security descriptor of a registry key, call the GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, or SetSecurityInfo function.
When you call the RegOpenKeyEx function, the system checks the requested access rights against the key's security descriptor.
The valid access rights for registry keys include the DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER standard access rights. Registry keys do not support the SYNCHRONIZE standard access right. The following table lists the specific access rights for registry key objects.
| Value | Meaning |
|---|---|
| KEY_ALL_ACCESS | Combines the STANDARD_RIGHTS_REQUIRED, KEY_QUERY_VALUE, KEY_SET_VALUE, KEY_CREATE_SUB_KEY, KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, and KEY_CREATE_LINK values. |
| KEY_CREATE_LINK | Required to create a link to a registry-key. |
| KEY_CREATE_SUB_KEY | Required to create a subkey of a registry-key. |
| KEY_ENUMERATE_SUB_KEYS | Required to enumerate the subkeys of a registry-key. |
| KEY_EXECUTE | Equivalent to KEY_READ. |
| KEY_NOTIFY | Required to request change notifications for a registry key or for subkeys of a registry key. |
| KEY_QUERY_VALUE | Required to query a value of a registry-key. |
| KEY_READ | Combines the STANDARD_RIGHTS_READ, KEY_QUERY_VALUE, KEY_ENUMERATE_SUB_KEYS, and KEY_NOTIFY values. |
| KEY_SET_VALUE | Required to create or set a value of a registry-key. |
| KEY_WRITE | Combines the STANDARD_RIGHTS_WRITE, KEY_SET_VALUE, and KEY_CREATE_SUB_KEY values. |
You can request the ACCESS_SYSTEM_SECURITY access right to a registry key if you want to read or write the key's SACL. For more information, see Access-Control Lists (ACLs) and SACL Access Right.