Account SYSTEM must have Full Control access to Registry

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

NEVER remove SYSTEM as a qualified user in Registry permissions. Doing so will make changing the Registry with Control Panel or during software installation impossible. Changes will not take effect and software will most likely be unusable. Similarly, access permissions for the boot and system partitions: the critical entry on the ACL is the SYSTEM/Full Control ACE. Do not under any circumstances remove this ACL from the list or modify it; NT crashes and will not restart. It might be temping to to exclude unncessary users from the NT installation direcory tree. Don't experiment on production boxes.

Each key in the registry has its own ACL. The registry ACLs are conceptually similar to file permission ACLs. The registry ACL access permission types follow.

Query Value Read access to values in key
Set Value Create / update values in key
Create Subkey Create subkey in key
Enumerate Subkeys List subkeys in key
Notify Audit notification events in key
Create Link Create link to key
Delete Delete key
Write DAC Write Discretionary ACL (DAC) on key
Write Owner Take ownership of key
Read Control Read ACL of key

See Also

Featured Links