System.Security.AccessControl.RegistryAccessRule Class

Represents a set of access rights allowed or denied for a user or group. This class cannot be inherited.

See Also: RegistryAccessRule Members


public sealed class RegistryAccessRule : AccessRule


The System.Security.AccessControl.RegistryAccessRule class is one of a set of classes that the .NET Framework provides for managing Windows access control security on registry keys. For an overview of these classes, and their relationship to the underlying Windows access control structures, see System.Security.AccessControl.RegistrySecurity.


Windows access control security can only be applied to registry keys. It cannot be applied to individual key/value pairs stored in a key.

To get a list of the rules currently applied to a registry key, use the Microsoft.Win32.RegistryKey.GetAccessControl method to get a System.Security.AccessControl.RegistrySecurity object, and then use its CommonObjectSecurity.GetAccessRules(bool, bool, Type) method to obtain a collection of System.Security.AccessControl.RegistryAccessRule objects.

System.Security.AccessControl.RegistryAccessRule objects do not map one-to-one with access control entries in the underlying discretionary control access list (DACL). When you get the set of all access rules for a registry key, the set contains the minimum number of rules currently required to express all the access control entries.


The underlying access control entries change as you apply and remove rules. The information in rules is merged if possible, to maintain the smallest number of access control entries. Thus, when you read the current list of rules, it might not look exactly like the list of all the rules you have added.

Use System.Security.AccessControl.RegistryAccessRule objects to specify access rights to allow or deny to a user or group. A System.Security.AccessControl.RegistryAccessRule object always represents either allowed access or denied access, never both.

To apply a rule to a registry key, use the Microsoft.Win32.RegistryKey.GetAccessControl method to get the System.Security.AccessControl.RegistrySecurity object. Modify the System.Security.AccessControl.RegistrySecurity object by using its methods to add the rule, and then use the Microsoft.Win32.RegistryKey.SetAccessControl(RegistrySecurity) method to reattach the security object.


Changes you make to a System.Security.AccessControl.RegistrySecurity object do not affect the access levels of the registry key until you call the Microsoft.Win32.RegistryKey.SetAccessControl(RegistrySecurity) method to assign the altered security object to the registry key.

System.Security.AccessControl.RegistryAccessRule objects are immutable. Security for a registry key is modified using the methods of the System.Security.AccessControl.RegistrySecurity class to add or remove rules; as you do this, the underlying access control entries are modified.


Namespace: System.Security.AccessControl
Assembly: mscorlib (in mscorlib.dll)
Assembly Versions:,
Since: .NET 2.0