The RegGetKeySecurity function retrieves a copy of the security descriptor protecting the specified open registry key.
LONG RegGetKeySecurity(
HKEY hKey, |
// open handle of key to set |
SECURITY_INFORMATION SecurityInformation, |
// descriptor contents |
PSECURITY_DESCRIPTOR pSecurityDescriptor, |
// address of descriptor for key |
LPDWORD lpcbSecurityDescriptor |
// address of size of buffer and descriptor |
); |
If the function succeeds, the return value is ERROR_SUCCESS.
If the function fails, the return value is a nonzero error code defined in WINERROR.H. You can use the FormatMessage function with the FORMAT_MESSAGE_FROM_SYSTEM flag to get a generic description of the error.
If the buffer specified by the pSecurityDescriptor parameter is too small, the function returns ERROR_INSUFFICIENT_BUFFER and the lpcbSecurityDescriptor parameter contains the number of bytes required for the requested security descriptor.
To read the owner, group, or DACL from the key’s security descriptor, the calling process must have been granted READ_CONTROL access when the handle was opened. To get READ_CONTROL access, the caller must be the owner of the key or the key's DACL must grant the access.
To read the SACL from the security descriptor, the calling process must have been granted ACCESS_SYSTEM_SECURITY access when the key was opened. The proper way to get this access is to enable the SE_SECURITY_NAME privilege in the caller's current token, open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege.
RegDeleteKey, RegOpenKeyEx, RegSetKeySecurity, SECURITY_INFORMATION