Asked by iunknown21 (United States of America)

Turn off Inheritance on a registry hive

For the life of me, I can't seem to get a hive NOT to reflect inherited ACEs.

The DACL I set shows up correctly, but all the permissions from the root hive do too.

It looked to me like it should be as simple as:

bResult = InitializeAcl(pNewACL, cbNewACL, ACL_REVISION2);
bResult = AddAccessAllowedAceEx(pNewACL, ACL_REVISION2, CONTAINER_INHERIT_ACE, GENERIC_ALL, pLocalSystemSid);
bResult = SetSecurityDescriptorControl(pNewACL, SE_DACL_PROTECTED, SE_DACL_PROTECTED );
DWORD dwResult = SetSecurityInfo(hive, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, pNewACL, NULL);

All the APIs return successfully, but the permissions dialog in Regedit shows all the inherited permissions.
Can someone PLEASE tell me the magic flags that I have to set?

Thanks,

Gene
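Disabling inheritance on a registry key from the administrator's side, as an added PowerShell example that is not part of this thread or its accepted answer: it cuts inheritance, drops the inherited ACEs rather than copying them, grants explicit rights to LocalSystem and the current user, and verifies the result by re-reading the DACL. The key path is a constructed demo path under HKCU; the Win32 equivalent of the protection step is passing PROTECTED_DACL_SECURITY_INFORMATION together with DACL_SECURITY_INFORMATION to SetSecurityInfo.

```powershell
# Added example (not from the question or the accepted answer): stop a registry
# key from reflecting inherited ACEs, then verify the resulting DACL.
# Assumption: $keyPath is a constructed demo key under HKCU (no admin rights needed).
# Win32 note: SetSecurityInfo(..., DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION, ...)
# is what marks the DACL protected; SetSecurityDescriptorControl expects a
# SECURITY_DESCRIPTOR, not an ACL.
$keyPath = 'HKCU:\Software\InheritanceDemo'   # constructed demo key
New-Item -Path $keyPath -Force | Out-Null

$acl = Get-Acl -Path $keyPath
$before = @($acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
            Where-Object { $_.IsInherited }).Count
"Inherited ACEs before: $before"

# isProtected = $true cuts inheritance; preserveInheritance = $false discards the
# inherited ACEs instead of converting them into explicit copies.
$acl.SetAccessRuleProtection($true, $false)

# Explicit allow ACEs: LocalSystem (as in the question) plus the current user,
# so the account running this script keeps access to its own demo key.
$system  = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
$current = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

foreach ($sid in @($system, $current)) {
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $sid,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $keyPath -AclObject $acl

# Verify by re-reading: the DACL is protected and no ACE is marked inherited.
$check = Get-Acl -Path $keyPath
$after = @($check.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
           Where-Object { $_.IsInherited }).Count
"Protected: $($check.AreAccessRulesProtected)  Inherited ACEs after: $after"
```

Remove-Item on the demo key afterwards cleans up; the current-user ACE is what keeps that cleanup possible once inheritance from HKCU is gone.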
Gurudenis (Ukraine):

If I understand the problem correctly, I'd try using 0 instead of CONTAINER_INHERIT_ACE.
See: http://msdn.microsoft.com/en-us/library/aa374924(VS.85).aspx
iunknown21 (asker):

Thanks Gurudenis but I got the same result.

The problem doesn't appear to be with the ACEs I create but with ones that are already on the key.
Check out the attached picture. The first 3 ACEs are the ones that I create; the others are the ones that I'm trying to get rid of.
[attached image: a.jpg]
Gurudenis (Ukraine):

In this case I'd try using AddAccessDeniedAceEx to explicitly undo the permissions that are being inherited.
iunknown21 (asker):

Yuck. That would mean that I would have to enumerate all the ACEs and add a deny ACE for each one.

Hmmm... maybe it wouldn't be that bad to implement, but it certainly seems like a hack to have an allow ACE (the inherited one) and a matching deny ACE.
ASKER CERTIFIED SOLUTION by Gurudenis (Ukraine)