Checking Registry Subkey Access Rights

Microsoft® Windows® 2000 Scripting Guide

« Previous | Next »   

You can use a registry editor to check and modify the access rights assigned to registry subkeys and entries. Although a registry editor allows you to connect to and manage the registry of a remote computer, it allows you to manage only one computer at a time. If you need to check the access rights of registry subkeys or entries on a large number of computers, a script that uses the Registry Provider is a far better solution.

The Registry Provider CheckAccess method allows you to determine whether the user of a script has a particular access right on a registry subkey or entry. The Registry Provider does not provide a way to list all of the access rights on a given subkeyor entry, or to make any changes to the access rights.

When you use the Registry Provider CheckAccess method to determine access rights, you must use hexadecimal values that refer to the particular rights you are interested in. Table 16.5 lists those hexadecimal values and the access rights to which they correspond.

Table 16.5   Registry Key Access Permissions and Corresponding Values

The CheckAccess method will return a Boolean value: True if the user possesses the access right, False if the user does not.

Scripting Steps

Listing 16.6 contains a script that checks whether the user account under which the script is running has various access rights to a registry subkey. The script reports whether the user account has those rights on the subkey. To carry out this task, the script must perform the following steps:

1. Create the constants that hold the hexadecimal numbers corresponding to the various access rights.
2. Create a constant that holds the hexadecimal number corresponding to the HKEY_LOCAL_MACHINE subtree.
3. Create a variable and set it to the computer name.
4. Use a GetObject call to connect to the WMI namespace root\default, and set the impersonation level to "impersonate."
5. Use the Registry Provider CheckAccess method to determine whether the user account under which the script is running has the KEY_QUERY_VALUE access right on the subkey.
6. Use the Registry Provider CheckAccess method to determine whether the user account under which the script is running has the KEY_SET_VALUE access right on the subkey.
7. Use the Registry Provider CheckAccess method in a similar manner to check KEY_CREATE_SUBKEY and DELETE access rights.

Listing 16.16   Checking Registry Key Access Rights

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 

Const KEY_QUERY_VALUE = &H0001 Const KEY_SET_VALUE = &H0002 Const KEY_CREATE_SUB_KEY = &H0004 Const DELETE = &H00010000 Const HKEY_LOCAL_MACHINE = &H80000002 strComputer = "." Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _      strComputer & "\root\default:StdRegProv") strKeyPath = "SYSTEM\LastKnownGoodRecovery" objReg.CheckAccess HKEY_LOCAL_MACHINE, strKeyPath, KEY_QUERY_VALUE, _     bHasAccessRight If bHasAccessRight = True Then     Wscript.Echo "Have Query Value Access Rights on Key" Else     Wscript.Echo "Do Not Have Query Value Access Rights on Key" End If    objReg.CheckAccess HKEY_LOCAL_MACHINE, strKeyPath, KEY_SET_VALUE, _     bHasAccessRight If bHasAccessRight = True Then     Wscript.Echo "Have Set Value Access Rights on Key" Else     Wscript.Echo "Do Not Have Set Value Access Rights on Key" End If    objReg.CheckAccess HKEY_LOCAL_MACHINE, strKeyPath, KEY_CREATE_SUB_KEY, _     bHasAccessRight If bHasAccessRight = True Then     Wscript.Echo "Have Create SubKey Access Rights on Key" Else     Wscript.Echo "Do Not Have Create SubKey Access Rights on Key" End If objReg.CheckAccess HKEY_LOCAL_MACHINE, strKeyPath, DELETE, bHasAccessRight If bHasAccessRight = True Then     Wscript.Echo "Have Delete Access Rights on Key" Else     Wscript.Echo "Do Not Have Delete Access Rights on Key" End If

Send us your feedback

« Previous | Next »