Writing to Registry? Some best-practices...

Use the following best practices when dealing with the Windows registry.

  • Use of the registry reduces application portability. Therefore, use it only if required.
  • Don’t use the registry as a configuration trash bin.
  • Don’t store secrets in the registry.
  • Encrypt application data stored in the registry.
  • Discourage users from directly editing the registry.
  • Perform input validation on data read from and written to the registry.
  • Don’t write data to HKLM. Reading back the data will require the user to be logged on as administrator, as by default all users are given only Read access to HKLM.
  • Don't open registry keys for FULL_CONTROL or ALL_ACCESS.

Vista update:
a) Always open registry keys with read-only access when possible. Use read-write access only when needed and revert the permissions back to read-only once the operation is complete.
b) Beware of WRP (Windows Resource Protection), which might be protecting a hive you want to store your app data in. Writing there may result in an access denied error message and, ultimately, broken app functionality.
c) There are two ways to find out whether WRP is active for a registry key:

   a. Programmatic: Call the SfcIsKeyProtected function in your code.
   b. Administratively: Use Regedit by right-clicking the key in question and choosing Permissions. Keys that are WRP-protected will show TrustedInstaller with Full Control. SYSTEM, Administrators, and Users will only have Read permissions.

d) Hopefully, the registry changes are being done through a thick client and not IE. If it is IE, btw, remember that Vista runs IE in protected mode, so it won't be able to store to HKCU.
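
The following C# example is added here and is not code from the original post. It reads a per-user setting through a read-only handle and validates it, writes with only SetValue rights instead of full control, and wraps SfcIsKeyProtected for HKLM subkeys; the key path Software\ExampleVendor\ExampleApp, the value name RefreshSeconds and the range limits are assumptions made for the example.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using Microsoft.Win32;

static class RegistrySettings
{
    // Hypothetical per-user key, value name and limits, chosen for this example.
    const string AppKey = @"Software\ExampleVendor\ExampleApp";
    const string ValueName = "RefreshSeconds";
    const int DefaultRefresh = 60, MinRefresh = 5, MaxRefresh = 3600;

    // Win32 SfcIsKeyProtected (sfc.dll): returns nonzero if WRP protects the key.
    [DllImport("sfc.dll", CharSet = CharSet.Unicode)]
    static extern bool SfcIsKeyProtected(IntPtr hKey, string subKey, uint samDesired);

    // Predefined HKEY_LOCAL_MACHINE pseudo-handle, sign-extended on 64-bit.
    static readonly IntPtr HKEY_LOCAL_MACHINE = new IntPtr(unchecked((int)0x80000002));

    public static bool IsWrpProtected(string hklmSubKey) =>
        SfcIsKeyProtected(HKEY_LOCAL_MACHINE, hklmSubKey, 0); // 0: no explicit WOW64 view flag

    public static int ReadRefresh()
    {
        // writable: false asks for read-only access to the key.
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(AppKey, false))
        {
            if (key == null || key.GetValue(ValueName) == null) return DefaultRefresh;
            // Validate type and range: anything running as the user can change HKCU data.
            if (key.GetValueKind(ValueName) != RegistryValueKind.DWord) return DefaultRefresh;
            int v = (int)key.GetValue(ValueName);
            return (v >= MinRefresh && v <= MaxRefresh) ? v : DefaultRefresh;
        }
    }

    public static void WriteRefresh(int seconds)
    {
        if (seconds < MinRefresh || seconds > MaxRefresh)
            throw new ArgumentOutOfRangeException(nameof(seconds));
        // Make sure the key exists, then reopen it with only the SetValue right;
        // the handle is closed as soon as the write is done.
        Registry.CurrentUser.CreateSubKey(AppKey).Dispose();
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(
            AppKey, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.SetValue))
        {
            key.SetValue(ValueName, seconds, RegistryValueKind.DWord);
        }
    }
}
```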

Comments

  • Anonymous
    June 12, 2007
    "Don’t write data to HKLM. Reading back the data will require the user to be logged on as administrator..." Should this not read: "Writing data to HKLM will require that the user be logged on as an administrative user..." - as you correctly point out anyone can read data from HKLM

  • Anonymous
    July 04, 2007
    "Discourage users from directly editing the registry" -- Instead of that, don't give any rights to the normal user to access the registry. Only Administrator can open the registry, & if someone wants to edit / write some values in the registry he/she should have administrative rights.

  • Anonymous
    September 13, 2007
    Writing to the registry in Vista... prob. The purpose of the HKLM is to store data to all users (Machine specific)? Yes this could be stored in an INI file but I thought the registry was the replacement of INI files. The actual problem is that the Install prog appears to be a user, not administrator. If this is right then, either the program needs administrative rights or you give user rights to the specific hive of a HKLM key say SOFTWARE/.... (No Way..) So the issue is in the install. The registry is a wonderful way to store user specific and machine specific data, is Microsoft locking it down so only Windows has access?

  • Anonymous
    October 14, 2007
    Can IE extensions get read only access to HKLM or HKCU?

  • Anonymous
    January 16, 2011
    I had an UnauthorizedAccessException when starting a WinForms application. I tried to start the application as an administrator but that didn't work. I even added an App.manifest with requestedExecutionLevel as requireAdministrator or highestAvailable and when using Microsoft.Win32.Registry.CurrentUser.OpenSubKey( key, writeToKey ) the exception was thrown. The program wanted to read a HKLM (HKEY_LOCAL_MACHINE) key. I changed for HKEY_CURRENT_USER and now the application runs smoothly.