NEVER remove SYSTEM as a
qualified user in Registry permissions. Doing so will make changing the Registry
with Control Panel or during software installation impossible. Changes will not
take effect and software will most likely be unusable. Similarly, access
permissions for the boot and system partitions: the critical entry on the ACL is
the SYSTEM/Full Control ACE. Do not under any circumstances remove this ACL from
the list or modify it; NT crashes and will not restart. It might be temping to
to exclude unncessary users from the NT installation direcory tree. Don’t
experiment on production boxes.
Each key in the registry has its own ACL. The registry ACLs are conceptually
similar to file permission ACLs. The registry ACL access permission types
follow.
Query Value | Read access to values in key |
Set Value | Create / update values in key |
Create Subkey | Create subkey in key |
Enumerate Subkeys | List subkeys in key |
Notify | Audit notification events in key |
Create Link | Create link to key |
Delete | Delete key |
Write DAC | Write Discretionary ACL (DAC) on key |
Write Owner | Take ownership of key |
Read Control | Read ACL of key |