Windows 7 Default HKCU Registry Permissions

This is a complete listing of all Windows 7 HKEY_CURRENT_USER registry permissions. The list was generated on a 32-bit installation with SetACL. More default permission listings can be found here.

How to Interpret the List

The list contains only non-inherited permissions. This means that if permission X is set on HKCU and the subkey HKCU\Software is configured to not block inherited permissions, X is valid on HKCU\Software, too. The permissions of HKCU\Software are not included in this listing, because that would make it much, much longer and harder to read.

If a key is configured to not inherit permissions from its parent, it is marked with “DACL(protected)” or “DACL(pseudo_protected)”. A key that does inherit from its parent can still add permissions not present in the parent. Those are listed here, of course.
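Added example (not part of the original page and not SetACL's code): a small Python resolver that applies the rules above to work out which ACEs are in effect on a key, including keys the listing omits. The `LISTING` excerpt is re-typed from entries on this page; the function names are hypothetical, and the resolver assumes `container_inherit` is the flag that carries an ACE down to subkeys.

```python
CI_OI = "container_inherit+object_inherit"
IO = CI_OI + "+inherit_only"
# Constructed excerpt of this page's listing: key -> (DACL flags, explicit ACEs)
LISTING = {
    r"HKCU": ("protected", [
        (r"HK\helge", "full", "allow", CI_OI),
        (r"NT AUTHORITY\SYSTEM", "full", "allow", CI_OI),
        (r"BUILTIN\Administrators", "full", "allow", CI_OI),
        (r"NT AUTHORITY\RESTRICTED", "read", "allow", CI_OI)]),
    r"HKCU\Software\Microsoft\Internet Explorer\User Preferences": (
        "not_protected+auto_inherited", [
        (r"HK\helge", "KEY_SET_VALUE+KEY_WRITE", "deny", "no_inheritance")]),
    r"HKCU\Software\Policies": ("protected", [
        (r"NT AUTHORITY\SYSTEM", "full", "allow", CI_OI),
        (r"BUILTIN\Administrators", "full", "allow", CI_OI),
        (r"NT AUTHORITY\RESTRICTED", "read", "allow", CI_OI),
        (r"HK\helge", "read", "allow", CI_OI)]),
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy": (
        "pseudo_protected", [
        (r"NT AUTHORITY\SYSTEM", "full", "allow", "no_inheritance"),
        (r"BUILTIN\Administrators", "full", "allow", "no_inheritance"),
        (r"HK\helge", "read", "allow", "no_inheritance"),
        (r"HK\helge", "read", "allow", IO),
        (r"NT AUTHORITY\SYSTEM", "full", "allow", IO),
        (r"BUILTIN\Administrators", "full", "allow", IO)]),
}

def blocks_inheritance(flags):
    # Both markers mean the key takes nothing from its parent.
    return bool({"protected", "pseudo_protected"} & set(flags.split("+")))

def effective_dacl(key, listing=LISTING):
    """ACEs that apply to `key` itself: explicit ones first, then inherited."""
    norm = {k.lower(): v for k, v in listing.items()}  # key names are case-insensitive
    flags, explicit = norm.get(key.lower(), ("not_protected", []))
    aces = [(t, r, k, "explicit") for t, r, k, inh in explicit
            if "inherit_only" not in inh.split("+")]  # inherit_only skips the key itself
    node = key
    while not blocks_inheritance(flags) and "\\" in node:
        node = node.rsplit("\\", 1)[0]  # step up to the parent key
        flags, parent_aces = norm.get(node.lower(), ("not_protected", []))
        aces += [(t, r, k, "inherited:" + node) for t, r, k, inh in parent_aces
                 if "container_inherit" in inh.split("+")]
    return aces

def rights_for(key, trustee):
    # (rights, allow/deny) pairs for one trustee, in evaluation order.
    return [(r, k) for t, r, k, _ in effective_dacl(key) if t == trustee]
```

For `User Preferences` the explicit deny on write access is returned ahead of the `full` allow inherited from HKCU, and any subkey of `HKCU\Software\Policies` resolves to `read` for the user even though it never appears in the listing. The resolver does not model a no-propagate flag, which does not occur in this listing.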

Remarks

The computer where I created this listing was a domain member and had a local user account named “Helge”.

Permission Listing

HKCU

   Owner: BUILTIN\Administrators 

   DACL(protected):
   HK\helge                  full   allow   container_inherit+object_inherit
   NT AUTHORITY\SYSTEM       full   allow   container_inherit+object_inherit
   BUILTIN\Administrators    full   allow   container_inherit+object_inherit
   NT AUTHORITY\RESTRICTED   read   allow   container_inherit+object_inherit

HKCU\Software\Microsoft\EventSystem

   Owner: NT AUTHORITY\SYSTEM    

   DACL(protected+auto_inherited):
   BUILTIN\Administrators    full   allow   container_inherit
   CREATOR OWNER             full   allow   container_inherit+inherit_only
   HK\helge                  full   allow   container_inherit
   NT AUTHORITY\SYSTEM       full   allow   container_inherit
   NT SERVICE\EventSystem    read   allow   container_inherit

HKCU\Software\Microsoft\Internet Explorer\User Preferences

   Owner: HK\helge

   DACL(not_protected+auto_inherited):
   HK\helge                  KEY_SET_VALUE+KEY_WRITE   deny   no_inheritance

HKCU\Software\Microsoft\Protected Storage System Provider\<SID>

   Owner: BUILTIN\Administrators 

   DACL(pseudo_protected):
   NT AUTHORITY\SYSTEM       full   allow   container_inherit

HKCU\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

   Owner: HK\helge

   DACL(pseudo_protected):
   NT SERVICE\CryptSvc       full   allow   container_inherit
   HK\helge                  read   allow   container_inherit

HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy

   Owner: NT AUTHORITY\SYSTEM    

   DACL(pseudo_protected):
   NT AUTHORITY\SYSTEM       full   allow   no_inheritance
   BUILTIN\Administrators    full   allow   no_inheritance
   HK\helge                  read   allow   no_inheritance
   HK\helge                  read   allow   container_inherit+object_inherit+inherit_only
   NT AUTHORITY\SYSTEM       full   allow   container_inherit+object_inherit+inherit_only
   BUILTIN\Administrators    full   allow   container_inherit+object_inherit+inherit_only

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

   Owner: NT AUTHORITY\SYSTEM    

   DACL(protected):
   NT AUTHORITY\SYSTEM       full   allow   container_inherit+object_inherit
   BUILTIN\Administrators    full   allow   container_inherit+object_inherit
   NT AUTHORITY\RESTRICTED   read   allow   container_inherit+object_inherit
   HK\helge                  read   allow   container_inherit+object_inherit

HKCU\Software\Policies

   Owner: NT AUTHORITY\SYSTEM    

   DACL(protected):
   NT AUTHORITY\SYSTEM       full   allow   container_inherit+object_inherit
   BUILTIN\Administrators    full   allow   container_inherit+object_inherit
   NT AUTHORITY\RESTRICTED   read   allow   container_inherit+object_inherit
   HK\helge                  read   allow   container_inherit+object_inherit

HKCU\Software\Classes

   Owner: NT AUTHORITY\SYSTEM    

   DACL(protected):
   HK\helge                  full   allow   container_inherit+object_inherit
   NT AUTHORITY\SYSTEM       full   allow   container_inherit+object_inherit
   BUILTIN\Administrators    full   allow   container_inherit+object_inherit
   NT AUTHORITY\RESTRICTED   read   allow   container_inherit+object_inherit

HKCU\Software\Classes\VirtualStore

   Owner: NT AUTHORITY\SYSTEM    

   DACL(protected):
   HK\helge                  full   allow   container_inherit+object_inherit
   NT AUTHORITY\SYSTEM       full   allow   container_inherit+object_inherit
   BUILTIN\Administrators    full   allow   container_inherit+object_inherit
   NT AUTHORITY\RESTRICTED   read   allow   container_inherit+object_inherit

HKCU\Software\Classes\VirtualStore\MACHINE

   Owner: NT AUTHORITY\SYSTEM    

   DACL(protected):
   HK\helge                  full   allow   container_inherit+object_inherit
   NT AUTHORITY\SYSTEM       full   allow   container_inherit+object_inherit
   BUILTIN\Administrators    full   allow   container_inherit+object_inherit
   NT AUTHORITY\RESTRICTED   read   allow   container_inherit+object_inherit

HKCU\System\CurrentControlSet\Policies

   Owner: NT AUTHORITY\SYSTEM    

   DACL(protected):
   NT AUTHORITY\SYSTEM       full   allow   container_inherit+object_inherit
   BUILTIN\Administrators    full   allow   container_inherit+object_inherit
   NT AUTHORITY\RESTRICTED   read   allow   container_inherit+object_inherit
   HK\helge                  read   allow   container_inherit+object_inherit
