windows api, registry setting permissions

Posted on 2010-08-26
Last Modified: 2012-05-10
I've been hounding Google for ways to set permissions in the registry (XP-based systems and above), and I have come across many solutions, many that are similar to the article here at EE (

However, this method does not seem to work for registry keys that have had all permissions removed, and set to a random owner (an owner other than administrators).
I have created a test key + subkey in my local registry and have tried the methods (and a combination of what I figured might work) but it really only works when my user has access explicitly granted in the permissions of that key.

Of course, my account on XP is administrator, so I don't see why there is a problem, but there is.

With my current setting (removed all users from the permissions list, made Guest the owner), GrantAccess fails, and so does TakeOwnership.

And yes, I've tried the Microsoft article (which I've found so many references to, which is the only one I have saved) -

which also seems to fail in the manner mentioned above.

Would love to have some code snippet (no error checking if you write it yourself - lots of them have std::cout << bla bla or printf's, and if fails bail from further attempting the function)

Oh, one last part of the challenge; I'm trying to code this using good ol C and WinAPI calls (just like both of the urls displayed) and am compiling with MINGW (and will compile it with MINGWx64 after I get the 32bit code working).

My ultimate goal is to take ownership of the key, give it permissions for the current (administrative) user to access all, and to give it permissions from its containing key.
From what I have discovered, there is no easy way to inherit permissions nor a quick dirty way to pass permissions to all child objects.
Question by:vanillasprinkles
LVL 40

Expert Comment

by:Richard Quadling
ID: 33543241 says ...

"You can take ownership of a registry key if you are logged on as an administrator or if you have been specifically assigned the permission to take ownership of the registry key by the current owner.".

Can you try manually?

Who is the current owner?

Can you log in as them?

1 - Picking a key (HKLM) at random.
2 - Right click and choose Permissions.
3 - See the Security tab with all the users.
4 - Do you see Administrators as a group?
5 - If not, can you add the local administrator's group and grant full control?
6 - Press the Advanced button.
7 - Select the Owner tab.
8 - Who is the current owner?
9 - What owners can you change the owner to?

I'm not sure if changing the owner on all subcontainers and objects is a good idea. Apps MAY check the owner to see if they have been buggered around with.
LVL 40

Accepted Solution

Richard Quadling earned 500 total points
ID: 33543268;en-us;111546 says ...

To take ownership of a registry key it is necessary to have a handle to the key. A handle to the key can be obtained by opening the key with a registry API (application programming interface) such as RegOpenKeyEx(). If the user does not have access to the registry key, the open operation will fail and this will in turn prevent ownership being taken (because a handle to the key is required to change the key's security).

The solution to this problem is to first enable the TakeOwnership privilege and then to open the registry key with WRITE_OWNER access as shown below:


This function call will provide a handle to the registry, which can be used in the following call to take ownership:

RegSetKeySecurity(hKey,OWNER_SECURITY_INFORMATION, &SecurityDescriptor);

Please note that you will need to initialize the security descriptor being passed to RegSetKeySecurity() and set the owner field to the new owner SID.

Taking ownership of a registry key is not a common operation. It is typically an operation that an administrator would use as a last resort to gain access to a registry key.
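
The sequence the quoted text describes, as an added example in C (not code from this thread or from the Microsoft article): enable SeTakeOwnershipPrivilege, open the key with WRITE_OWNER only, then set the owner with RegSetKeySecurity(). The helper names and the choice of BUILTIN\Administrators as the new owner are assumptions.

```c
/* Added example; helper names are hypothetical, not from the page. */
#ifdef _WIN32
#include <windows.h>
/* Enable a privilege in this process's token; returns 0 on success. */
static DWORD enable_privilege(const char *name)
{
    HANDLE tok;
    TOKEN_PRIVILEGES tp;
    DWORD err;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &tok))
        return GetLastError();
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (LookupPrivilegeValueA(NULL, name, &tp.Privileges[0].Luid))
        AdjustTokenPrivileges(tok, FALSE, &tp, 0, NULL, NULL);
    err = GetLastError(); /* ERROR_NOT_ALL_ASSIGNED if the token lacks it */
    CloseHandle(tok);
    return err;
}

/* Make BUILTIN\Administrators owner of HKCU\<subkey>; returns 0 on success. */
DWORD take_key_ownership(const char *subkey)
{
    SID_IDENTIFIER_AUTHORITY nt = SECURITY_NT_AUTHORITY;
    SECURITY_DESCRIPTOR sd;
    PSID admins = NULL;
    HKEY key;
    DWORD err = enable_privilege("SeTakeOwnershipPrivilege");
    if (err != ERROR_SUCCESS)
        return err;
    if (!AllocateAndInitializeSid(&nt, 2, SECURITY_BUILTIN_DOMAIN_RID,
            DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &admins))
        return GetLastError();
    /* WRITE_OWNER only: the privilege grants it even when the DACL is empty. */
    err = RegOpenKeyExA(HKEY_CURRENT_USER, subkey, 0, WRITE_OWNER, &key);
    if (err == ERROR_SUCCESS) {
        if (InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION) &&
            SetSecurityDescriptorOwner(&sd, admins, FALSE))
            err = RegSetKeySecurity(key, OWNER_SECURITY_INFORMATION, &sd);
        else
            err = GetLastError();
        RegCloseKey(key);
    }
    FreeSid(admins);
    return err;
}
#else
/* Not Windows: no registry API; return ERROR_CALL_NOT_IMPLEMENTED (120). */
unsigned long take_key_ownership(const char *subkey) { (void)subkey; return 120; }
#endif
```

For the asker's test key the call would be take_key_ownership("Test\\agaon"); once ownership has changed, the new owner can reopen the key with WRITE_DAC to install a DACL. On Windows Vista and later the process has to run elevated for the privilege to be present in the token.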

Author Comment

ID: 33547827
Thanks for the reply and help - this has been very challenging;

Yes, I can set the owner and permissions manually; I'm using my Administrator (included with the unaltered user class in Administrators)
I've literally set up a test key:  HKEY_CURRENT_USER\Test\agaon
where "agaon", a nice smashage of fingers to my keyboard, is my key that I removed all permissions, and changed the owner to Guest, giving me no read access to any part of it.
Via regedit, I'm able to gain ownership to any user/group I want, and then add in permissions.. just don't have the concept down via C yet.

I have referenced the EE link above, and copied that and made it a header file, making the functions take parameters, but was unable to make it work; and I've referenced the EE link and made the MS code work for the registry, but it still fails via removing all permissions and setting the owner to guest as I have done.

I'm currently starting a test app/project to try to make this work, trying to integrate both page's codes the best I can..
so far I have coded:
allocated an SID for 'everyone' 'administrators' and 'current user' (current user using the code from the EE page)
Set read access for Everyone, and full control for both Administrators and CurUser
"set the owner in the object's security descriptor" (from the MS page)

then just now realized both pages reference a 'TakeOwnership' function, which I am fine with, but am wondering which model I should truly follow before I call RegOpenKeyEx( .... WRITE_OWNER .. )

I will continue with what I have before I post it, in case I have anything way out of order (which is what I think is going on but not quite too sure)

I'm also quite uncertain what this SetPrivilege command does, seeing as it's not an API call - I've found somebody's code that is supposed to get the job done, but not quite certain on it as I still don't have mine working as I want.


Author Comment

ID: 33547998
ok, I'm stumped once again, is where I was last night even

current code tries to set "Everyone" as owner, [ and when setting Everyone as owner in the reg key, and removing all users from permissions list, it doesn't error on clicking the restricted key  - via regedit ]

here's my lousy attempt at this code, dunno where I'm going wrong at this

Author Comment

ID: 33550679
just attempted another re-write from the MS page's Takeownership function.
(and found the non-cached page in one of my browser tabs:

something must have gone wrong as I see the difference between what I thought I copied in last night and what works this morning is enormous; lots of the same code in a different order...


Author Closing Comment

ID: 33555017
code went well after finding the current MS example page on the subject and starting my code over from scratch.
LVL 40

Expert Comment

by:Richard Quadling
ID: 33556922
Glad you got it sorted.

Could you post your code so others can learn from you?

Author Comment

ID: 33562694
added in some header comments; the code works on both x86_32 and x86_64, although compiling in x64 I get many warnings (string operations are obsolete or some BS cuz I declare them as non-constants); windows - ruining the dynamics of programming


Author Comment

ID: 33562706
damnit, I hit enter and it submitted it, take two:


Author Comment

ID: 33562824
found 1 typo:
replace: ea[2].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
with: ea[2].Trustee.TrusteeType = TRUSTEE_IS_USER;

funny it worked as group.. posted corrected file

can an admin clean up these posts?
=> merge and remove unnecessary threads of the last 2 and this I just created?
[an edit button would be nice too as I practice my typos on a regular basis]
LVL 40

Expert Comment

by:Richard Quadling
ID: 33565705
Thanks for that. I am sure others will find it useful.

Well done on getting the solution.
