Programmatically allow write access for a Registry key

Question

I need to programmatically modify the Access Descriptors on a known Registry key during product installation. The way I want it to work is:

1. The installer is run in Administrative mode.
2. A Registry key is created.
3. A function (the one I need) queries the ACL from the key.
4. If this function finds that the group 'Users' already has write access, nothing should be done.
5. If not, it should add a new permission allowing write access to the 'Users' group.
6. The permissions are saved for the Registry key.

This question is similar to Setting Registry key write permissions using .NET, however, I need a C++/Win32 implementation.

Thanks in advance

Answer 1

For getting and setting the ACL of the key you need to use RegGetKeySecurity and RegSetKeySecurity. Then you need to iterate through the ACEs, examining any that apply to the "Users" group SID. Then you'll either modify/remove the existing one and/or add a new one. Be advised that working with ACLs in plain old Win32 C is a pain.

Answer 2

The smallest code to grant access consists of 3 API calls. It gives full access to the given hkey for all authenticated users and administrators.

This snippet does not contain proper error handling and reporting. Do not copy/paste it into the production code.

    PSECURITY_DESCRIPTOR sd = nullptr;
    ULONG sd_size = 0;
    TCHAR* rights = TEXT( "D:" )                // Discretionary ACL
                  TEXT( "(A;OICI;GA;;;AU)" )    // Allow full control to all authenticated users
                  TEXT( "(A;OICI;GA;;;BA)" );   // Allow full control to administrators

    ConvertStringSecurityDescriptorToSecurityDescriptor( rights, SDDL_REVISION_1, &sd, &sd_size );
    RegSetKeySecurity( hkey, DACL_SECURITY_INFORMATION, sd );
    LocalFree( sd );

Detecting if "Users" have write access to the key might be more difficult than expected. I ended up with writing a test value to the registry and checking the result of that write.