2.2.7 Registry Keys

This section defines settings that enable an administrator to specify how to protect registry keys on the client. The ABNF syntax for the entries in this category MUST be as follows.

 Header = "[" HeaderValue "]" LineBreak
 HeaderValue = "Registry Keys"
 Settings = Setting / Setting Settings
 Setting = RegistryKeyName "," PermPropagationMode "," AclString LineBreak
 RegistryKeyName = KeyPath / DQUOTE KeyPath DQUOTE
 KeyPath = Key / KeyPath "\" Key
 Key = 1*IdCharacter
 IdCharacter = %x0020-0021 / %x0023-005B / %x005D-007E
 PermPropagationMode = DIGIT

The ABNF specification for the SDDL element above (the AclString in the Setting rule) can be found in [MS-DTYP] section

The following table provides an explanation for each of the parameters listed.

Note: All numerical values are decimal unless explicitly specified otherwise, or unless preceded by 0x.

Setting key: RegistryKeyName

The full name of the registry key that MUST be protected. It MUST be the Fully Qualified Name (as specified in [MS-RRP] section ) of the registry value to set.

Setting key: PermPropagationMode

Controls whether and how permissions are propagated. It MUST be one of the following values:

  • A value of "0": MUST propagate inheritable permissions to all subkeys.

  • A value of "1": MUST replace existing permissions on all subkeys with inheritable permissions.

  • A value of "2": MUST NOT allow permissions on this key to be replaced.

Setting key: AclString

A security descriptor that MUST be applied to the registry key. The security descriptor MUST conform to the syntax specified in [MS-DTYP] section
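The following is an added example, not part of the specification or of any Microsoft implementation: a Python parser that reads the [Registry Keys] section of a security template exactly as the ABNF above defines it, then summarises which trustees each descriptor grants full control so a reviewer can spot over-broad key ACLs before the template is applied. It assumes that AclString is the SDDL string in double quotes (the ABNF above does not define AclString), that the two-letter rights KA and GA in a DACL ACE mean full control and that the aliases WD, BU, AU, BA and SY carry their usual SDDL meaning ([MS-DTYP]), and it tolerates blank lines and surrounding whitespace, which the grammar does not allow. The sample template text is constructed for the example; its key paths and descriptors are illustrative.

```python
import re
from dataclasses import dataclass

# IdCharacter per the ABNF: printable ASCII minus DQUOTE (0x22) and backslash (0x5C).
_KEY = r'[\x20\x21\x23-\x5B\x5D-\x7E]+'
_KEYPATH_RE = re.compile(rf'^{_KEY}(?:\\{_KEY})*$')
# Setting = RegistryKeyName "," PermPropagationMode "," AclString.
# Comma (0x2C) is an IdCharacter, so an unquoted key name may contain commas;
# anchor on the trailing ',<digit>,"<sddl>"' rather than splitting on commas.
# Assumption: AclString is a double-quoted SDDL string (the page leaves it undefined).
_SETTING_RE = re.compile(r'^(?P<name>.+),(?P<mode>\d),"(?P<sddl>[^"]*)"$')
_SECTION_RE = re.compile(r'^\[(?P<name>[^\]]*)\]$')

# Meaning of each PermPropagationMode value, as stated in the section.
PROPAGATION_MODE = {
    0: "propagate inheritable permissions to all subkeys",
    1: "replace existing permissions on all subkeys with inheritable permissions",
    2: "do not allow permissions on this key to be replaced",
}
_FULL_CONTROL_RIGHTS = {"KA", "GA"}   # SDDL key-all / generic-all rights (assumption: [MS-DTYP])
_BROAD_TRUSTEES = {"WD": "Everyone", "BU": "Builtin Users", "AU": "Authenticated Users"}


@dataclass
class RegistryKeySetting:
    line_no: int
    key_path: str
    mode: int
    sddl: str


def parse_registry_keys(inf_text):
    """Return the Setting entries under [Registry Keys]; raise ValueError, naming
    the line, for an entry that violates the grammar or the allowed mode values."""
    settings, in_section = [], False
    for line_no, raw in enumerate(inf_text.splitlines(), start=1):
        line = raw.strip()                       # leniency: ignore surrounding whitespace
        header = _SECTION_RE.match(line)
        if header:
            in_section = header.group("name") == "Registry Keys"
            continue
        if not in_section or not line:           # leniency: skip blank lines
            continue
        m = _SETTING_RE.match(line)
        if not m:
            raise ValueError(f"line {line_no}: not a RegistryKeyName,PermPropagationMode,AclString entry")
        name = m.group("name")
        if name.startswith('"') and name.endswith('"'):   # DQUOTE KeyPath DQUOTE form
            name = name[1:-1]
        if not _KEYPATH_RE.match(name):
            raise ValueError(f"line {line_no}: key path contains characters outside IdCharacter")
        mode = int(m.group("mode"))              # ABNF allows any DIGIT; the table allows 0..2
        if mode not in PROPAGATION_MODE:
            raise ValueError(f"line {line_no}: PermPropagationMode {mode} is not 0, 1 or 2")
        settings.append(RegistryKeySetting(line_no, name, mode, m.group("sddl")))
    return settings


def dacl_aces(sddl):
    """Split the D: component of an SDDL string into (type, flags, rights, sid) tuples."""
    m = re.search(r'D:[A-Z]*((?:\([^)]*\))*)', sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r'\(([^)]*)\)', m.group(1)):
        fields = body.split(';')                 # type;flags;rights;object;inherit_object;sid
        if len(fields) != 6:
            raise ValueError(f"malformed ACE string: ({body})")
        aces.append((fields[0], fields[1], fields[2], fields[5]))
    return aces


def full_control_trustees(sddl):
    """SIDs or SID aliases to which an allow ACE in the DACL grants full control."""
    trustees = []
    for ace_type, _flags, rights, sid in dacl_aces(sddl):
        tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}   # two-letter right codes
        if ace_type == "A" and tokens & _FULL_CONTROL_RIGHTS:
            trustees.append(sid)
    return trustees


def find_overbroad(settings):
    """(key_path, principal) pairs where a broad principal receives full control."""
    return [(s.key_path, _BROAD_TRUSTEES[sid])
            for s in settings for sid in full_control_trustees(s.sddl) if sid in _BROAD_TRUSTEES]


# Constructed sample template for this example; paths and descriptors are illustrative.
SAMPLE_INF = r'''[Unicode]
Unicode=yes
[Registry Keys]
"MACHINE\SOFTWARE\Example\App",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;BU)"
MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc,2,"D:P(A;CI;KA;;;SY)(A;CI;KA;;;BA)"
"MACHINE\SOFTWARE\Example\Shared",1,"D:P(A;CI;KA;;;BU)(A;CI;KA;;;BA)"
[Version]
signature="$CHICAGO$"
'''

if __name__ == "__main__":
    entries = parse_registry_keys(SAMPLE_INF)
    for e in entries:
        print(f"{e.key_path}: mode {e.mode} ({PROPAGATION_MODE[e.mode]}); "
              f"full control: {full_control_trustees(e.sddl)}")
    for key_path, who in find_overbroad(entries):
        print(f"WARNING: {key_path} grants full control to {who}")
```

Run stand-alone, the script lists the three entries with their propagation mode and flags the Shared key, whose descriptor gives Builtin Users KEY_ALL_ACCESS. Matching the whole line against the trailing `,<digit>,"…"` pattern, rather than splitting on the first comma, is what keeps the parser faithful to the grammar: the IdCharacter range admits commas in an unquoted KeyPath, so a naive split would mis-parse such names.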