Security Functions and Structures
The Windows Registry stores configuration data and uses security descriptors to control access. This article describes the primary security‑related functions, structures, and best practices for managing registry permissions.
Key Security Functions
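```c
// Retrieves a copy of the security descriptor protecting an open key.
LONG RegGetKeySecurity(
    HKEY hKey,
    SECURITY_INFORMATION SecurityInformation,
    PSECURITY_DESCRIPTOR pSecurityDescriptor,
    LPDWORD lpcbSecurityDescriptor
);

// Sets the security descriptor of an open key.
LONG RegSetKeySecurity(
    HKEY hKey,
    SECURITY_INFORMATION SecurityInformation,
    PSECURITY_DESCRIPTOR pSecurityDescriptor
);

// Retrieves the type and data of a registry value.
LONG RegGetValueW(
    HKEY hkey,
    LPCWSTR lpSubKey,
    LPCWSTR lpValue,
    DWORD dwFlags,      // RRF_* flags, e.g. RRF_RT_REG_NONE | RRF_RT_ANY
    LPDWORD pdwType,
    PVOID pvData,
    LPDWORD pcbData
);
```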
Security Descriptor Structure
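```c
typedef struct _SECURITY_DESCRIPTOR {
    BYTE Revision;
    BYTE Sbz1;
    SECURITY_DESCRIPTOR_CONTROL Control;  // control flags
    PSID Owner;                           // owner SID
    PSID Group;                           // primary group SID
    PACL Sacl;                            // system ACL (auditing)
    PACL Dacl;                            // discretionary ACL (access control)
} SECURITY_DESCRIPTOR, *PSECURITY_DESCRIPTOR;
```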
Common Access Rights
| Right | Value | Description |
|---|---|---|
| KEY_QUERY_VALUE | 0x0001 | Read a registry value. |
| KEY_SET_VALUE | 0x0002 | Write a registry value. |
| KEY_CREATE_SUB_KEY | 0x0004 | Create subkeys. |
| KEY_ENUMERATE_SUB_KEYS | 0x0008 | Enumerate subkeys. |
| KEY_NOTIFY | 0x0010 | Receive change notifications. |
| KEY_CREATE_LINK | 0x0020 | Create symbolic links. |
| KEY_WOW64_32KEY | 0x0200 | Access 32‑bit registry view. |
| KEY_WOW64_64KEY | 0x0100 | Access 64‑bit registry view. |
Best Practices
- Always request the minimum required access rights.
- Validate and sanitize subkey and value names before using them.
- Use `RegSetKeySecurity` with `PROTECTED_DACL_SECURITY_INFORMATION` to prevent inheritance.
- When possible, use the `KEY_READ` and `KEY_WRITE` predefined sets instead of individual flags.
- Prefer `RegOpenKeyEx` with `REG_OPTION_NON_VOLATILE` for persistent keys.
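To check a key against the first and third practices, the following added example (not part of the original article or any Microsoft sample) audits a key's DACL for modify rights granted to broad groups and reports whether the DACL is protected from inheritance. It assumes the descriptor obtained with `RegGetKeySecurity` has been converted to its SDDL string form; the function names and both sample descriptors are constructed for illustration.

```python
import re

# Added example: input is assumed to be a key's security descriptor as SDDL text.
# Rights that let the holder change the key's contents or its protection:
# key rights from the table above plus standard rights (winnt.h values).
MODIFY = {"KEY_SET_VALUE": 0x0002, "KEY_CREATE_SUB_KEY": 0x0004,
          "KEY_CREATE_LINK": 0x0020, "DELETE": 0x10000,
          "WRITE_DAC": 0x40000, "WRITE_OWNER": 0x80000}
# SDDL two-letter rights codes as they apply to registry keys.
SDDL_RIGHTS = {"KA": 0xF003F, "KR": 0x20019, "KX": 0x20019, "KW": 0x20006,
               "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
               "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000}
# Registry generic mapping: GENERIC_* bit -> key-specific rights.
GENERIC = {0x10000000: 0xF003F, 0x20000000: 0x20019,
           0x40000000: 0x20006, 0x80000000: 0x20019}
# Trustees that cover many unprivileged accounts (SDDL SID abbreviations).
BROAD = {"WD": "Everyone", "AU": "Authenticated Users",
         "BU": "Builtin Users", "IU": "Interactive", "AN": "Anonymous"}

def parse_mask(text):
    """Turn an ACE rights field (hex or SDDL letter pairs) into a bit mask."""
    if text.lower().startswith("0x"):
        mask = int(text, 16)
    else:
        mask = 0
        for i in range(0, len(text), 2):
            mask |= SDDL_RIGHTS[text[i:i + 2]]
    for bit, mapped in GENERIC.items():
        if mask & bit:
            mask |= mapped
    return mask

def audit_dacl(sddl):
    """Report whether the DACL is protected and which broad trustees can modify."""
    match = re.search(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if match is None:
        raise ValueError("no DACL in descriptor")
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", match.group(2)):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        if ace_type == "A" and trustee in BROAD:  # access-allowed ACEs only
            risky = [n for n, bit in MODIFY.items() if parse_mask(rights) & bit]
            if risky:
                findings.append((BROAD[trustee], risky))
    return {"protected": "P" in match.group(1), "findings": findings}

# Constructed sample descriptors: a weak key DACL and a hardened one.
WEAK = "O:BAG:SYD:AI(A;CI;KA;;;SY)(A;CI;0x2001f;;;BU)(A;CI;KRWD;;;AU)"
HARDENED = "O:BAG:SYD:P(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;BU)"
```

In the rights field `WD` means `WRITE_DAC`, while in the trustee field the same two letters mean Everyone, which is why the two fields are decoded with separate tables.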