Windows 7 Default HKCU Registry Permissions

This is a complete listing of all Windows 7 HKEY_CURRENT_USER registry permissions. The list was generated on a 32-bit installation with SetACL. More default permission listings can be found here.

How to Interpret the List

As mentioned above the list contains only non-inherited permissions. This means that if permission X is set on HKCU and the subkey HKCU\Software is configured to not block inherited permissions, X is valid on HKCU\Software, too. The permissions of HKCU\Software will not be included in this listing, because that would make it much, much longer and harder to read.

If a key is configured to not inherit permissions from its parent it is marked with “DACL(protected)” or “DACL(pseudo_protected)”. A key that does inherit from its parent can still add permissions not present in the parent. Those are listed here, of course.

Remarks

The computer where I created this listing was a domain member and had a local user account named “Helge”.

Permission Listing

HKCU

   Owner: BUILTIN\Administrators 

   DACL(protected):
   HK\helge                  full   allow   container_inherit+object_inherit
   NT AUTHORITY\SYSTEM       full   allow   container_inherit+object_inherit
   BUILTIN\Administrators    full   allow   container_inherit+object_inherit
   NT AUTHORITY\RESTRICTED   read   allow   container_inherit+object_inherit

HKCU\Software\Microsoft\EventSystem

   Owner: NT AUTHORITY\SYSTEM    

   DACL(protected+auto_inherited):
   BUILTIN\Administrators    full   allow   container_inherit
   CREATOR OWNER             full   allow   container_inherit+inherit_only
   HK\helge                  full   allow   container_inherit
   NT AUTHORITY\SYSTEM       full   allow   container_inherit
   NT SERVICE\EventSystem    read   allow   container_inherit

HKCU\Software\Microsoft\Internet Explorer\User Preferences

   Owner: HK\helge

   DACL(not_protected+auto_inherited):
   HK\helge                  KEY_SET_VALUE+KEY_WRITE   deny   no_inheritance

HKCU\Software\Microsoft\Protected Storage System Provider\<SID>

   Owner: BUILTIN\Administrators 

   DACL(pseudo_protected):
   NT AUTHORITY\SYSTEM       full   allow   container_inherit

HKCU\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

   Owner: HK\helge

   DACL(pseudo_protected):
   NT SERVICE\CryptSvc       full   allow   container_inherit
   HK\helge                  read   allow   container_inherit

HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy

   Owner: NT AUTHORITY\SYSTEM    

   DACL(pseudo_protected):
   NT AUTHORITY\SYSTEM       full   allow   no_inheritance
   BUILTIN\Administrators    full   allow   no_inheritance
   HK\helge                  read   allow   no_inheritance
   HK\helge                  read   allow   container_inherit+object_inherit+inherit_only
   NT AUTHORITY\SYSTEM       full   allow   container_inherit+object_inherit+inherit_only
   BUILTIN\Administrators    full   allow   container_inherit+object_inherit+inherit_only

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

   Owner: NT AUTHORITY\SYSTEM    

   DACL(protected):
   NT AUTHORITY\SYSTEM       full   allow   container_inherit+object_inherit
   BUILTIN\Administrators    full   allow   container_inherit+object_inherit
   NT AUTHORITY\RESTRICTED   read   allow   container_inherit+object_inherit
   HK\helge                  read   allow   container_inherit+object_inherit

HKCU\Software\Policies

   Owner: NT AUTHORITY\SYSTEM    

   DACL(protected):
   NT AUTHORITY\SYSTEM       full   allow   container_inherit+object_inherit
   BUILTIN\Administrators    full   allow   container_inherit+object_inherit
   NT AUTHORITY\RESTRICTED   read   allow   container_inherit+object_inherit
   HK\helge                  read   allow   container_inherit+object_inherit

HKCU\Software\Classes

   Owner: NT AUTHORITY\SYSTEM    

   DACL(protected):
   HK\helge                  full   allow   container_inherit+object_inherit
   NT AUTHORITY\SYSTEM       full   allow   container_inherit+object_inherit
   BUILTIN\Administrators    full   allow   container_inherit+object_inherit
   NT AUTHORITY\RESTRICTED   read   allow   container_inherit+object_inherit

HKCU\Software\Classes\VirtualStore

   Owner: NT AUTHORITY\SYSTEM    

   DACL(protected):
   HK\helge                  full   allow   container_inherit+object_inherit
   NT AUTHORITY\SYSTEM       full   allow   container_inherit+object_inherit
   BUILTIN\Administrators    full   allow   container_inherit+object_inherit
   NT AUTHORITY\RESTRICTED   read   allow   container_inherit+object_inherit

HKCU\Software\Classes\VirtualStore\MACHINE

   Owner: NT AUTHORITY\SYSTEM    

   DACL(protected):
   HK\helge                  full   allow   container_inherit+object_inherit
   NT AUTHORITY\SYSTEM       full   allow   container_inherit+object_inherit
   BUILTIN\Administrators    full   allow   container_inherit+object_inherit
   NT AUTHORITY\RESTRICTED   read   allow   container_inherit+object_inherit

HKCU\System\CurrentControlSet\Policies

   Owner: NT AUTHORITY\SYSTEM    

   DACL(protected):
   NT AUTHORITY\SYSTEM       full   allow   container_inherit+object_inherit
   BUILTIN\Administrators    full   allow   container_inherit+object_inherit
   NT AUTHORITY\RESTRICTED   read   allow   container_inherit+object_inherit
   HK\helge                  read   allow   container_inherit+object_inherit
Default PermissionsPermissionsRegistrySetACL

Comments

Related Posts

How to Prevent Users from Changing Permissions on File Servers

On file servers in corporate environments one typically does not want users to change permissions, even on their own files. It might seem that it would be sufficient to simply grant change permissions instead of full control, but unfortunately that is not the case. The problem is that whenever a new file gets created, the user creating the file will be its owner. And owners can always change permissions, regardless of the contents of the DACL.
Tips and Tools

Error Message Explained: User Profile Service Failed the Logon

Error Message Explained: User Profile Service Failed the Logon
This article is part of Helge’s Profile Toolkit, a set of posts explaining the knowledge and tools required to tame Windows user profiles. Many errors related to user profiles result in the user getting a temporary profile instead of the regular local or roaming profile. I have written about possible causes for that here. In addition to that, there is an entirely different category of errors that occur when even a temporary profile cannot be created. This article describes likely causes.
User Profiles

Latest Posts