Don't Open Objects for FULL_CONTROL or ALL_ACCESS
This advice has been around since the early days of Windows NT 3.1 in 1993 and it's covered in detail in other parts of this book, but it's also worth repeating: if you want to open an object, such as a file or a registry key for read access, open the object for read-only access don't request all access. Requiring this means the ACL on the objects in question must be very insecure indeed for the operation to succeed.