Deny permission to a Registry Key

jtrask · November 04, 2015, 08:11:11 AM

Can I use the Win32 Network Extender to deny permissions to a registry key? If now, what is the next "best" method?

td · November 04, 2015, 08:32:20 AM

Please see the documentation for the wntAccessAdd Network extender function in the Consolidated WIL Help file.

jtrask · November 04, 2015, 08:43:14 AM

I'll look again, but I did a search and never found the word 'deny'. Maybe this time, I'll just read the whole thing.

jtrask · November 04, 2015, 08:51:59 AM

Aha! It looks like the Access Denied ACE Type is the solution to all of my woes.

jtrask · November 04, 2015, 09:03:47 AM

Nuts. Apparently, denying Set Value, Delete, and Write Owner is enough to keep RegOpenKey from being able to open the key.

I'm starting to think that I'm being a little Draconian and maybe I should just set this key via Group Policy.

td · November 04, 2015, 11:24:47 AM

Please review the RegOpenKeyEx function in the Consolidated WIL Help file. It allows you to open a key with only specified permissions.

ChuckC · November 06, 2015, 08:24:56 AM

It would also be helpful to know some more details, such as...

What registry key?

What GPO setting is associated with it?

Are you trying to prevent the key from being modified, or from being accessed at all, even for read-only access?

What access mask did you use with an access-denied ACE, and what SID/account did you deny access to?

News:

Deny permission to a Registry Key

jtrask

td

jtrask

jtrask

jtrask

td

ChuckC