System.Security.AccessControl.RegistrySecurity Class

Represents the Windows access control security for a registry key. This class cannot be inherited.

See Also: RegistrySecurity Members


public sealed class RegistrySecurity : NativeObjectSecurity


A System.Security.AccessControl.RegistrySecurity object specifies access rights for a registry key, and also specifies how access attempts are audited. Access rights to the registry key are expressed as rules, with each access rule represented by a System.Security.AccessControl.RegistryAccessRule object. Each auditing rule is represented by a System.Security.AccessControl.RegistryAuditRule object.

This mirrors the underlying Windows security system, in which each securable object has at most one discretionary access control list (DACL) that controls access to the secured object, and at most one system access control list (SACL) that specifies which access attempts are audited. The DACL and SACL are ordered lists of access control entries (ACE) that specify access and auditing for users and groups. A System.Security.AccessControl.RegistryAccessRule or System.Security.AccessControl.RegistryAuditRule object might represent more than one ACE.


Windows access control security can only be applied to registry keys. It cannot be applied to individual key/value pairs stored in a key.

The System.Security.AccessControl.RegistrySecurity, System.Security.AccessControl.RegistryAccessRule, and System.Security.AccessControl.RegistryAuditRule classes hide the implementation details of ACLs and ACEs. They allow you to ignore the seventeen different ACE types and the complexity of correctly maintaining inheritance and propagation of access rights. These objects are also designed to prevent the following common access control errors:

The only capabilities not supported by the .NET security objects are dangerous activities that should be avoided by the majority of application developers, such as the following:

To modify Windows access control security for a registry key, use the Microsoft.Win32.RegistryKey.GetAccessControl method to get the System.Security.AccessControl.RegistrySecurity object. Modify the security object by adding and removing rules, and then use the Microsoft.Win32.RegistryKey.SetAccessControl(RegistrySecurity) method to reattach it.


Changes you make to a System.Security.AccessControl.RegistrySecurity object do not affect the access levels of the registry key until you call the Microsoft.Win32.RegistryKey.SetAccessControl(RegistrySecurity) method to assign the altered security object to the registry key.

To copy access control security from one registry key to another, use the Microsoft.Win32.RegistryKey.GetAccessControl method to get a System.Security.AccessControl.RegistrySecurity object representing the access and audit rules for the first registry key, and then use the Microsoft.Win32.RegistryKey.SetAccessControl(RegistrySecurity) method to assign those rules to the second registry key. You can also assign the rules to a second registry key with an erload:Microsoft.Win32.RegistryKey.OpenSubKey or erload:Microsoft.Win32.RegistryKey.CreateSubKey method that takes a System.Security.AccessControl.RegistrySecurity object parameter.

Users with an investment in the security descriptor definition language (SDDL) can use the ObjectSecurity.SetSecurityDescriptorSddlForm(string) method to set access rules for a registry key, and the ObjectSecurity.GetSecurityDescriptorSddlForm(AccessControlSections) method to obtain a string that represents the access rules in SDDL format. This is not recommended for new development.


Namespace: System.Security.AccessControl
Assembly: mscorlib (in mscorlib.dll)
Assembly Versions:,
Since: .NET 2.0