iunknown21
Turn off Inheritance on a registry hive
For the life of me, I can't seem to get a hive NOT to reflect inherited ACEs.
The DACL I set shows up correctly but all the permissions from the root hive do too.
It looked to me that it should be as simple as:
bResult = InitializeAcl(pNewACL, cbNewACL, ACL_REVISION2);
bResult = AddAccessAllowedAceEx(pNewACL, ACL_REVISION2, CONTAINER_INHERIT_ACE, GENERIC_ALL, pLocalSystemSid);
bResult = SetSecurityDescriptorControl(pNewACL, SE_DACL_PROTECTED, SE_DACL_PROTECTED);
DWORD dwResult = SetSecurityInfo(hive, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, pNewACL, NULL);
All the APIs return successfully, but the permissions dialog in Regedit shows all the inherited permissions.
Can someone PLEASE tell me the magic flags that I have to set?
Thanks,
Gene
ASKER
Thanks Gurudenis but I got the same result.
The problem doesn't appear to be with the ACEs I create but ones that are already on the key.
Check out the attached picture. The first 3 ACEs are the ones that I create; the others are the ones that I'm trying to get rid of.
a.jpg
In this case I'd try using AddAccessDeniedAceEx to explicitly undo the permissions that are being inherited.
ASKER
Yuck. That would mean that I would have to enumerate all the ACEs and add a deny ACE for each one.
Hmmm... maybe it wouldn't be that bad to implement, but it certainly seems like a hack to have an allow ACE (the inherited one) and a matching Deny ACE.
ASKER CERTIFIED SOLUTION
See: http://msdn.microsoft.com/en-us/library/aa374924(VS.85).aspx
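An added example, not code from this thread or any of its posters: one way to replace a key's DACL with a protected one so that inherited ACEs are dropped, using .NET's RegistrySecurity from PowerShell rather than the Win32 calls in the question, then reading the ACL back to confirm. The key path is a hypothetical placeholder, and the single LocalSystem ACE mirrors the question's code.

```powershell
# Hypothetical key path (assumption); run elevated against a key you own.
$path = 'SOFTWARE\ExampleVendor\ExampleApp'

# Open with only the rights needed to read and rewrite the DACL.
$rights = [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions'
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    $path,
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    $rights)
if ($null -eq $key) { throw "Key not found: HKLM\$path" }

try {
    $acl = New-Object System.Security.AccessControl.RegistrySecurity

    # isProtected = $true marks the DACL protected (blocks inheritance).
    # preserveInheritance = $false discards inherited ACEs instead of
    # copying them into the DACL as explicit entries.
    $acl.SetAccessRuleProtection($true, $false)

    # S-1-5-18 is LocalSystem. Only this trustee is granted access, as in
    # the question; add any other trustees you need before applying.
    $system = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $system,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)

    $key.SetAccessControl($acl)

    # Read the DACL back instead of trusting the return path.
    $check = $key.GetAccessControl(
        [System.Security.AccessControl.AccessControlSections]::Access)
    $inherited = @($check.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IsInherited })

    if (-not $check.AreAccessRulesProtected -or $inherited.Count -gt 0) {
        throw "DACL on HKLM\$path still carries inherited ACEs"
    }
    "Protected DACL applied; inherited ACEs remaining: $($inherited.Count)"
}
finally {
    $key.Close()
}
```

In the Win32 API the same protection is requested by passing PROTECTED_DACL_SECURITY_INFORMATION together with DACL_SECURITY_INFORMATION in the SecurityInfo argument of SetSecurityInfo.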