Platform SDK: Registry

Registry Key Security and Access Rights

Windows NT/Windows 2000 security enables you to control access to registry keys. For more information about security, see Access-Control Model.

You can specify a security descriptor for a registry key when you call the RegCreateKeyEx function. To get or set the security descriptor of a registry key, call the GetNamedSecurityInfo, SetNamedSecurityInfo, GetSecurityInfo, or SetSecurityInfo function.

When you call the RegOpenKeyEx function, the system checks the requested access rights against the key's security descriptor.

The valid access rights for registry keys include the DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER standard access rights. Registry keys do not support the SYNCHRONIZE standard access right. The following table lists the specific access rights for registry key objects.

Value                   Meaning
KEY_ALL_ACCESS          Combines the STANDARD_RIGHTS_REQUIRED, KEY_QUERY_VALUE, KEY_SET_VALUE, KEY_CREATE_SUB_KEY, KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, and KEY_CREATE_LINK values.
KEY_CREATE_LINK         Required to create a link to a registry key.
KEY_CREATE_SUB_KEY      Required to create a subkey of a registry key.
KEY_ENUMERATE_SUB_KEYS  Required to enumerate the subkeys of a registry key.
KEY_EXECUTE             Equivalent to KEY_READ.
KEY_NOTIFY              Required to request change notifications for a registry key or for subkeys of a registry key.
KEY_QUERY_VALUE         Required to query a value of a registry key.
KEY_READ                Combines the STANDARD_RIGHTS_READ, KEY_QUERY_VALUE, KEY_ENUMERATE_SUB_KEYS, and KEY_NOTIFY values.
KEY_SET_VALUE           Required to create or set a value of a registry key.
KEY_WRITE               Combines the STANDARD_RIGHTS_WRITE, KEY_SET_VALUE, and KEY_CREATE_SUB_KEY values.

You can request the ACCESS_SYSTEM_SECURITY access right to a registry key if you want to read or write the key's SACL. For more information, see Access-Control Lists (ACLs) and SACL Access Right.
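
The following is an added example, not part of the SDK documentation: a portable C helper that decodes a registry key access mask (for instance one read from an ACE in a key's DACL) into the rights named above and isolates the ones that permit modification, which is the check to run when auditing which accounts can change a key. The numeric values are those in winnt.h, declared locally so the code builds without Windows headers; decode_key_mask, modify_rights_in, MODIFY_RIGHTS and the sample masks are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Values as in winnt.h (the page lists names only); declared locally so this builds anywhere. */
enum {
    KEY_QUERY_VALUE = 0x0001, KEY_SET_VALUE = 0x0002, KEY_CREATE_SUB_KEY = 0x0004,
    KEY_ENUMERATE_SUB_KEYS = 0x0008, KEY_NOTIFY = 0x0010, KEY_CREATE_LINK = 0x0020,
    DELETE = 0x00010000, READ_CONTROL = 0x00020000, WRITE_DAC = 0x00040000, WRITE_OWNER = 0x00080000,
    ACCESS_SYSTEM_SECURITY = 0x01000000, STANDARD_RIGHTS_REQUIRED = 0x000F0000,
    KEY_READ = READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY,
    KEY_WRITE = READ_CONTROL | KEY_SET_VALUE | KEY_CREATE_SUB_KEY,
    KEY_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | KEY_READ | KEY_WRITE | KEY_CREATE_LINK,
    /* Hypothetical grouping: rights that change the key, its DACL or its owner. */
    MODIFY_RIGHTS = KEY_SET_VALUE | KEY_CREATE_SUB_KEY | KEY_CREATE_LINK | DELETE | WRITE_DAC | WRITE_OWNER
};

#define R(x) { x, #x }
static const struct { uint32_t bit; const char *name; } RIGHTS[] = {
    R(KEY_QUERY_VALUE), R(KEY_SET_VALUE), R(KEY_CREATE_SUB_KEY),
    R(KEY_ENUMERATE_SUB_KEYS), R(KEY_NOTIFY), R(KEY_CREATE_LINK), R(DELETE),
    R(READ_CONTROL), R(WRITE_DAC), R(WRITE_OWNER), R(ACCESS_SYSTEM_SECURITY)
};

/* Writes '|'-joined right names to out; returns bits not named here (e.g. SYNCHRONIZE, 0x00100000). */
uint32_t decode_key_mask(uint32_t mask, char *out, size_t n) {
    uint32_t left = mask;
    if (n == 0) return mask;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof RIGHTS / sizeof RIGHTS[0]; i++) {
        if (!(mask & RIGHTS[i].bit)) continue;
        size_t used = strlen(out);
        snprintf(out + used, n - used, "%s%s", used ? "|" : "", RIGHTS[i].name);
        left &= ~RIGHTS[i].bit;
    }
    return left;
}

/* Subset of mask that lets the holder modify the key; 0 means read-only. */
uint32_t modify_rights_in(uint32_t mask) { return mask & MODIFY_RIGHTS; }
int main(void) {
    uint32_t masks[] = { KEY_READ, KEY_WRITE, KEY_ALL_ACCESS, 0x00100001 }; /* constructed samples */
    char buf[256];
    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++) {
        uint32_t left = decode_key_mask(masks[i], buf, sizeof buf);
        printf("0x%08X %s modify=0x%X unnamed=0x%X\n", (unsigned)masks[i], buf,
               (unsigned)modify_rights_in(masks[i]), (unsigned)left);
    }
    return 0;
}
```

A nonzero return from decode_key_mask marks bits outside this table, such as SYNCHRONIZE or generic rights, that deserve a second look in an audit.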