Deny permission to a Registry Key

Started by jtrask, November 04, 2015, 08:11:11 AM

Previous topic - Next topic

jtrask

Can I use the Win32 Network Extender to deny permissions to a registry key?  If now, what is the next "best" method?

td

Please see the documentation for the wntAccessAdd Network extender function in the Consolidated WIL Help file.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

jtrask

I'll look again, but I did a search and never found the word 'deny'.  Maybe this time, I'll just read the whole thing.

jtrask

Aha!  It looks like the Access Denied ACE Type is the solution to all of my woes.

jtrask

Nuts.  Apparently, denying Set Value, Delete, and Write Owner is enough to keep RegOpenKey from being able to open the key.

I'm starting to think that I'm being a little Draconian and maybe I should just set this key via Group Policy.

td

Please review the RegOpenKeyEx function in the Consolidated WIL Help file.  It allows you to open a key with only specified permissions.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

ChuckC

It would also be helpful to know some more details, such as...

What registry key?

What GPO setting is associated with it?

Are you trying to prevent the key from being modified, or from being accessed at all, even for read-only access?

What access mask did you use with an access-denied ACE, and what SID/account did you deny access to?