What registry access can you get without Administrator privileges?
I know that we shouldn't being using the registry to store Application Data anymore, but in updating a Legacy application (and wanting to do the fewest changes), what Registry Hives are non-administrators allowed to use?
Can I access all of HKEY_CURRENT_USER
(the application currently access HKEY_LOCAL_MACHINE
) without Administrator privileges?
Solution 1:
In general, a non-administrator user has this access to the registry:
Read/Write to:
HKEY_CURRENT_USER
Read Only:
HKEY_LOCAL_MACHINE
-
HKEY_CLASSES_ROOT
(which is just a link toHKEY_LOCAL_MACHINE\Software\Classes
)
It is possible to change some of these permissions on a key-by-key basis, but it's extremely rare. You should not have to worry about that.
For your purposes, your application should be writing settings and configuration to HKEY_CURRENT_USER
. The canonical place is anywhere within HKEY_CURRENT_USER\Software\YourCompany\YourProduct\
You could potentially hold settings that are global (for all users) in HKEY_LOCAL_MACHINE
. It is very rare to need to do this, and you should avoid it. The problem is that any user can "read" those, but only an administrator (or by extension, your setup/install program) can "set" them.
Other common source of trouble: your application should not write to anything in the Program files
or the Windows
directories. If you need to write to files, there are several options at hand; describing all of them would be a longer discussion. All of the options end up writing to a subfolder or another under %USERPROFILE%
for the user in question.
Finally, your application should stay out of HKEY_CURRENT_CONFIG
. This hive holds hardware configuration, services configurations and other items that 99.9999% of applications should not need to look at (for example, it holds the current plug-and-play device list). If you need anything from there, most of the information is available through supported APIs elsewhere.
Solution 2:
Yes, you should be able to write to any place under HKEY_CURRENT_USER without having Administrator privileges. But this is effectively a private store that no other user on this machine will be able to access, so you can't put any shared configuration there.