GetSecurityDescriptor method of the StdRegProv class

The GetSecurityDescriptor method returns the security descriptor that controls access to the specified registry key. The security descriptor is returned as an instance of __SecurityDescriptor. For more information, see Changing Access Security on Securable Objects.


uint32 GetSecurityDescriptor(
  [in]  uint32               hDefKey = HKEY_LOCAL_MACHINE,
  [in]  string               sSubKeyName,
  [out] __SecurityDescriptor Descriptor
);

hDefKey [in]

A registry tree, also known as a hive, that contains the sSubKeyName path. The default value is HKEY_LOCAL_MACHINE.

The following trees are defined in WinReg.h.

HKEY_CLASSES_ROOT (2147483648)

HKEY_CURRENT_USER (2147483649)

HKEY_LOCAL_MACHINE (2147483650)

HKEY_USERS (2147483651)


sSubKeyName [in]

The name of the registry key that has the security descriptor.

Descriptor [out]

The security descriptor from the key.

Return value

In C++, the method returns a uint32 value that is 0 (zero) if successful. If the function fails, the return value is a nonzero error code that is defined in WinError.h. In C++, use the FormatMessage function with the FORMAT_MESSAGE_FROM_SYSTEM flag to get a generic description of the error. You can also look up return values under the WMI Error Constants.

In scripting or Visual Basic, the method returns an integer value that is 0 (zero) if successful. If the function fails, the return value is a nonzero error code that you can look up in WbemErrorEnum.


The Win32_SecurityDescriptor instance represents a SECURITY_DESCRIPTOR_CONTROL data type and contains a discretionary access control list (DACL) and a system access control list (SACL). For more information, see Access Control Lists.

If SeSecurityPrivilege is not granted or enabled when the security descriptor is retrieved, the returned security descriptor contains only the DACL. For more information, see Privilege Constants and Executing Privileged Operations.
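
The following PowerShell is an added example, not part of the original reference page. It calls GetSecurityDescriptor, warns when no SACL comes back, and decodes each DACL entry to show which trustees hold rights that allow changing the key. The function name Get-RegKeyDaclAudit, the root/default namespace choice, the sample key path and the selection of rights to flag are assumptions made for the example.

```powershell
# Added example: list the ACEs on a key and flag rights that allow modification.
$HKLM = [uint32]2147483650   # HKEY_LOCAL_MACHINE; cast so CIM receives a uint32

# Standard and registry-specific access rights that permit changing the key.
$WriteRights = [ordered]@{
    KEY_SET_VALUE      = 0x00000002
    KEY_CREATE_SUB_KEY = 0x00000004
    DELETE             = 0x00010000
    WRITE_DAC          = 0x00040000
    WRITE_OWNER        = 0x00080000
    GENERIC_ALL        = 0x10000000
    GENERIC_WRITE      = 0x40000000
}
$AceTypes = @{ 0 = 'Allow'; 1 = 'Deny'; 2 = 'Audit' }

function Get-RegKeyDaclAudit {   # hypothetical helper name
    param([Parameter(Mandatory)] [string] $SubKeyName, [uint32] $Hive = $HKLM)

    $r = Invoke-CimMethod -Namespace root/default -ClassName StdRegProv `
        -MethodName GetSecurityDescriptor `
        -Arguments @{ hDefKey = $Hive; sSubKeyName = $SubKeyName }
    if ($r.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor returned error code $($r.ReturnValue)"
    }
    # Without SeSecurityPrivilege only the DACL is returned, so no SACL is present.
    if ($null -eq $r.Descriptor.SACL) {
        Write-Warning 'No SACL in the descriptor; audit ACEs are not visible.'
    }
    foreach ($ace in $r.Descriptor.DACL) {
        # Build the SID from the trustee's raw bytes to get its S-1-... string form.
        $sid  = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$ace.Trustee.SID, 0)
        $mask = [uint32]$ace.AccessMask
        $hits = $WriteRights.Keys | Where-Object { $mask -band [uint32]$WriteRights[$_] }
        [pscustomobject]@{
            Sid         = $sid.Value
            Name        = $ace.Trustee.Name
            AceType     = $AceTypes[[int]$ace.AceType]
            AccessMask  = '0x{0:X8}' -f $mask
            WriteRights = $hits -join ','
        }
    }
}

# Sample key chosen for illustration; show only allow-ACEs that grant write-type rights.
Get-RegKeyDaclAudit -SubKeyName 'SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
    Where-Object { $_.AceType -eq 'Allow' -and $_.WriteRights } |
    Format-Table -AutoSize
```

Review the output for broad groups (for example S-1-1-0 or S-1-5-11) holding any of the flagged rights on keys that should be administrator-only.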


Minimum supported client: Windows Vista
Minimum supported server: Windows Server 2008

See also


Modifying the System Registry

WMI Tasks: Registry