3.2.5.9 Registry Keys

Behavior for writing to registry keys and values is specified in [MS-RRP] section 4.2.

If a RegistryKeyName, ACLString, or PermPropagationMode value is not valid as specified in section 2.2.7, the client SHOULD stop processing Registry Keys settings and log an error.

Settings in Registry Keys (section 2.2.7) MUST be set by applying security descriptors on registry keys for each Setting.

Security descriptors are read from registry keys by performing the external behavior consistent with locally invoking BaseRegGetKeySecurity ([MS-RRP] section 3.1.5.13).

  • The hKey MUST be set to a registry key handle opened by performing external behavior consistent with locally invoking BaseRegOpenKey ([MS-RRP] section 3.1.5.15) using the RegistryKeyName of the registry object.

  • The SecurityInformation MUST be set to OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION ([MS-RRP] section 2.2.9).

Security descriptors are applied to registry keys by performing the external behavior consistent with locally invoking BaseRegSetKeySecurity ([MS-RRP] section 3.1.5.21).

  • The hKey MUST be set to a registry key handle opened by performing external behavior consistent with locally invoking BaseRegOpenKey ([MS-RRP] section 3.1.5.15) using the RegistryKeyName of the registry object.

  • The SecurityInformation MUST be set to OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION ([MS-RRP] section 2.2.9).

  • The pRpcSecurityDescriptor MUST be set to the security descriptor provided in the "ACLString" setting, in the form of an RPC_SECURITY_DESCRIPTOR ([MS-RRP] section 2.2.8).

For each Setting, the security descriptor is applied to the registry object named by its RegistryKeyName and then propagated to child registry objects according to the Setting's PermPropagationMode, as follows.

If PermPropagationMode is "0", the security descriptor of every child registry object is recursively updated to allow propagation of inheritable permissions by calling CreateSecurityDescriptor ([MS-DTYP] section 2.5.3.4.1) and applying the resultant security descriptor to the registry object. Because CreatorDescriptor is the child's current security descriptor, the child's explicit (non-inherited) ACEs are retained and only its inherited ACEs are recomputed from the parent, so existing permissions are merged with the propagated ones. The following arguments are used when calling CreateSecurityDescriptor:

  • ParentDescriptor is set to the security descriptor of the registry object's parent.

  • CreatorDescriptor is set to the current security descriptor of the registry object.

  • IsContainerObject is set to TRUE.

  • ObjectTypes is set to NULL.

  • AutoInheritFlags is set to DACL_AUTO_INHERIT | SACL_AUTO_INHERIT | DEFAULT_OWNER_FROM_PARENT | DEFAULT_GROUP_FROM_PARENT.

  • Token is a token containing S-1-5-18 (Local System well-known SID).

  • GenericMapping is the generic mapping for registry objects.

If PermPropagationMode is "1", the security descriptor of every child registry object is recursively updated to replace its existing permissions with inheritable permissions by calling CreateSecurityDescriptor ([MS-DTYP] section 2.5.3.4.1) and applying the resultant security descriptor to the registry object. Because CreatorDescriptor is NULL, the child's existing ACEs are discarded and the resulting DACL and SACL contain only ACEs inherited from the parent; per the CreateSecurityDescriptor algorithm, the child's owner and group default to the parent's. The following arguments are used when calling CreateSecurityDescriptor:

  • ParentDescriptor is set to the security descriptor of the registry object's parent.

  • CreatorDescriptor is set to NULL.

  • IsContainerObject is set to TRUE.

  • ObjectTypes is set to NULL.

  • AutoInheritFlags is set to DACL_AUTO_INHERIT | SACL_AUTO_INHERIT | DEFAULT_OWNER_FROM_PARENT | DEFAULT_GROUP_FROM_PARENT.

  • Token is a token containing S-1-5-18 (Local System well-known SID).

  • GenericMapping is the generic mapping for registry objects.

If PermPropagationMode is "2", the security descriptor Control field bit PD ([MS-DTYP] section 2.4.6) on the registry object for the Setting is set to 0. Child registry objects are not recursively updated in this mode.
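The procedure described in this section, modeled end to end as an added example in Python (not part of [MS-GPSB], [MS-DTYP] or any Windows implementation): it implements the subset of CreateSecurityDescriptor that the fixed arguments above exercise (container inheritance of CI/OI/NP ACEs, owner and group defaulting from the parent, the PD bit blocking DACL inheritance) and applies one Registry Keys Setting under each PermPropagationMode to a constructed three-level key tree. Key names, SIDs, access masks and the descriptor contents are constructed samples; the ACLString is assumed to be already parsed into a descriptor, and object-type ACEs, generic-right mapping and token or privilege checks are omitted.

```python
"""Model of [MS-GPSB] 3.2.5.9 Registry Keys permission propagation (added example,
not the protocol's or Windows' own code). Simplified CreateSecurityDescriptor
([MS-DTYP] 2.5.3.4.1) with the arguments fixed by 3.2.5.9; no object-type ACEs,
no generic mapping, no token checks. All names, SIDs and masks are constructed."""
from dataclasses import dataclass, field, replace
from typing import Optional

# AceFlags subset ([MS-DTYP] 2.4.4.1): object inherit, container inherit,
# no-propagate inherit, inherit-only, inherited.
OI, CI, NP, IO, ID = "OI", "CI", "NP", "IO", "ID"

@dataclass(frozen=True)
class Ace:
    ace_type: str            # "A" = access allowed, "D" = access denied
    trustee: str             # SID string
    mask: int
    flags: frozenset = frozenset()

@dataclass
class SD:
    owner: Optional[str]
    group: Optional[str]
    dacl: list
    sacl: list
    protected_dacl: bool = False   # Control bit PD ([MS-DTYP] 2.4.6)

@dataclass
class Key:
    name: str
    sd: SD
    children: list = field(default_factory=list)

def inherited_aces(parent_acl):
    """ACEs a container child inherits from parent_acl (IsContainerObject = TRUE)."""
    out = []
    for ace in parent_acl:
        f = ace.flags
        if CI in f:
            # effective on the child; stays inheritable unless NP stopped propagation
            new = {ID} if NP in f else {ID} | (f & {CI, OI})
        elif OI in f and NP not in f:
            new = {ID, IO, OI}   # carried inherit-only for non-container objects below
        else:
            continue             # not inheritable at all
        out.append(replace(ace, flags=frozenset(new)))
    return out

def create_security_descriptor(parent, creator):
    """CreateSecurityDescriptor with AutoInheritFlags = DACL_AUTO_INHERIT |
    SACL_AUTO_INHERIT | DEFAULT_OWNER_FROM_PARENT | DEFAULT_GROUP_FROM_PARENT."""
    owner = creator.owner if creator and creator.owner else parent.owner
    group = creator.group if creator and creator.group else parent.group
    if creator is None:          # PermPropagationMode "1": nothing of the child survives
        return SD(owner, group, inherited_aces(parent.dacl), inherited_aces(parent.sacl))

    def merge(parent_acl, creator_acl, protected):
        if protected:            # PD set on the child: its ACL is kept as is
            return list(creator_acl)
        explicit = [a for a in creator_acl if ID not in a.flags]
        return explicit + inherited_aces(parent_acl)   # stale inherited ACEs drop out

    return SD(owner, group,
              merge(parent.dacl, creator.dacl, creator.protected_dacl),
              merge(parent.sacl, creator.sacl, False),
              creator.protected_dacl)

def apply_registry_key_setting(key, setting_sd, mode):
    """One Registry Keys Setting: set the ACLString descriptor on RegistryKeyName,
    then propagate per PermPropagationMode ("0" merge, "1" replace, "2" PD := 0)."""
    if mode not in ("0", "1", "2"):
        raise ValueError(f"invalid PermPropagationMode {mode!r}")  # 3.2.5.9: stop, log
    key.sd = replace(setting_sd)                 # BaseRegSetKeySecurity on the key itself
    if mode == "2":
        key.sd.protected_dacl = False            # only the PD bit changes; no recursion
        return key

    def recurse(parent):
        for child in parent.children:
            creator = child.sd if mode == "0" else None
            child.sd = create_security_descriptor(parent.sd, creator)
            recurse(child)
    recurse(key)
    return key

SYSTEM, ADMINS, USERS = "S-1-5-18", "S-1-5-32-544", "S-1-5-32-545"
KEY_ALL_ACCESS, KEY_READ = 0x000F003F, 0x00020019

def build_tree():
    """Constructed sample tree: Contoso > Sub > Deep. Sub carries one stale inherited
    ACE and one explicit ACE set by hand; Deep carries only the stale ACE."""
    stale = Ace("A", ADMINS, KEY_ALL_ACCESS, frozenset({CI, ID}))
    local = Ace("A", USERS, KEY_ALL_ACCESS)
    deep = Key("Deep", SD(ADMINS, ADMINS, [stale], []))
    sub = Key("Sub", SD(ADMINS, ADMINS, [stale, local], []), [deep])
    return Key(r"MACHINE\SOFTWARE\Contoso", SD(ADMINS, ADMINS, [stale], []), [sub])

def setting_sd():
    """Descriptor assumed parsed from a Setting's ACLString (constructed). The NP ACE
    reaches Sub but must not be re-inherited by Deep."""
    return SD(SYSTEM, SYSTEM,
              [Ace("A", SYSTEM, KEY_ALL_ACCESS, frozenset({CI})),
               Ace("A", USERS, KEY_READ, frozenset({CI})),
               Ace("A", ADMINS, KEY_ALL_ACCESS, frozenset({CI, NP}))], [])

def run(mode):
    """Apply the Setting to a fresh tree under one mode; return (key, Sub, Deep)."""
    key = apply_registry_key_setting(build_tree(), setting_sd(), mode)
    sub = key.children[0]
    return key, sub, sub.children[0]

if __name__ == "__main__":
    for mode in "012":
        key, sub, deep = run(mode)
        print(f'mode "{mode}": Sub owner={sub.sd.owner}',
              [(a.trustee, sorted(a.flags)) for a in sub.sd.dacl])
```

Running the script shows what CreatorDescriptor changes: under mode "0" Sub keeps its explicit Users ACE and its owner while the stale inherited ACE is replaced by the ones propagated from the Setting; under mode "1" only inherited ACEs remain and owner and group come from the parent; under mode "2" only the key named by the Setting changes. The NP ACE arrives on Sub with the ID flag alone and is therefore not inherited by Deep in either recursive mode.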