When you attempt to use permissions to restrict access to the Registry, you must understand what each setting does, when to use it, and the ramifications of using it. Table A lists the permissions that restrict Registry access. You can use each permission option to control Registry rights for an individual or a group.

The Registry provides three groupings of these permissions. These groupings simplify the process of defining user access to the Registry keys. The Full Control grouping gives users complete access to the Registry. It includes all of the permissions that Table A lists. The Read grouping gives users the Query Value, Enumerate Subkeys, Notify, and Read Control permissions. The Special Access grouping lets administrators choose any combination of permissions for a user or group.



TABLE A: Registry Permissions Settings

| Setting | Function |
| --- | --- |
| Query Value | Lets a user read the key and its subkeys and see the key's values. |
| Set Value | Lets a user set the key's values. |
| Create Subkey | Lets a user create subkeys within the key. |
| Enumerate Subkeys | Lets a user identify the key's subkeys. |
| Notify | Lets a user receive audit notifications about the key. |
| Create Link | Lets a user create a symbolic link to a subkey. (A symbolic link is the type of link that connects HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE\SOFTWARE\Classes. The Registry automatically copies a subkey's changes to any subkeys that have symbolic links to it.) |
| Delete | Gives a user the right to delete the key, its subkeys, and its values. |
| Write DAC | Lets the user read and write the Discretionary Access Control (DAC) list for the key, which lets a user change the key's permissions. |
| Write Owner | Lets a user take ownership of the key. |
| Read Control | Lets the user read the key's security information. |
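
The three groupings and the Table A settings map onto bits in a key's access mask. The following Python sketch is an added example, not part of the original article: it decodes masks into the Table A names, assigns each to a grouping, and lists untrusted principals holding rights that change a key or its security. The bit values come from the Windows SDK header winnt.h (the article does not give them); the sample entries and the helper names are constructed for illustration, and only allow-type entries are modeled.

```python
# Access-mask bits for registry keys, as defined in the Windows SDK (winnt.h).
# Assumption: the article names these permissions but does not list the values.
PERMISSIONS = {
    "Query Value": 0x0001,
    "Set Value": 0x0002,
    "Create Subkey": 0x0004,
    "Enumerate Subkeys": 0x0008,
    "Notify": 0x0010,
    "Create Link": 0x0020,
    "Delete": 0x00010000,
    "Read Control": 0x00020000,
    "Write DAC": 0x00040000,
    "Write Owner": 0x00080000,
}
# Full Control is every Table A permission; Read is the four the article lists.
FULL_CONTROL = sum(PERMISSIONS.values())
READ = sum(PERMISSIONS[n] for n in
           ("Query Value", "Enumerate Subkeys", "Notify", "Read Control"))
# Rights that let the holder change the key's contents, ACL or owner.
RISKY = ("Set Value", "Create Subkey", "Create Link",
         "Delete", "Write DAC", "Write Owner")

def decode(mask):
    """Return the Table A permission names whose bits are set in mask."""
    return [name for name, bit in PERMISSIONS.items() if mask & bit]

def grouping(mask):
    """Classify a mask as Full Control, Read or Special Access."""
    mask &= FULL_CONTROL  # ignore bits that Table A does not cover
    if mask == FULL_CONTROL:
        return "Full Control"
    if mask == READ:
        return "Read"
    return "Special Access"

def audit(aces, trusted):
    """List (principal, grouping, risky rights) for each untrusted allow entry."""
    findings = []
    for principal, mask in aces:
        risky = [n for n in decode(mask) if n in RISKY]
        if principal not in trusted and risky:
            findings.append((principal, grouping(mask), risky))
    return findings

# Constructed sample: (principal, allow mask) pairs for one hypothetical key.
SAMPLE_ACES = [("Administrators", 0xF003F), ("Everyone", 0x20019),
               ("Users", 0x2001F), ("Power Users", 0x60019)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACES, trusted={"Administrators"}):
        print(finding)
```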