ProblemYou want to restrict access to a certain Registry key or value. This may be necessary if you need to store sensitive data in the Registry and want to prevent normal users from seeing it. SolutionUsing a graphical user interface
Using a command-line interfaceUse the subinacl command to grant access to a Registry key. This grants full control for the specified user over a key: > subinacl /verbose=1 /keyreg \\<ComputerName>\<KeyPath> /grant=<UserOrGroup> For example: > subinacl /verbose=1 /keyreg \\fs01\HKEY_LOCAL_MACHINE\Software\Rallencorp /grant=AMER\rallen You can also revoke access to a key using the next command. The following command revokes members of the users group from being able to access the specified Registry key: > subinacl /verbose=1 /keyreg \\<ComputerName>\<KeyPath> /revoke=<UserOrGroup> For example: > subinacl /verbose=1 /keyreg \\.\HKEY_LOCAL_MACHINE\Software\Rallencorp /revoke=Users Lastly, you can view what users and groups have access on a Registry key using the /display option with subinacl as shown here: > subinacl /verbose=1 /keyreg \\<ComputerName>\<KeyPath> /display For example: > subinacl /verbose=1 /keyreg \\fs01\HKEY_LOCAL_MACHINE\Software\Rallencorp /display DiscussionAnother useful feature of the permissions function in Registry Editor is Effective Permissions. With it, you can select a user or group and determine what rights it has over a key. |