注册表的权限设置

怎样用VC 函数设置WIN2000下的注册表加密键的权限？

UNPROTECTED_DACL_SECURITY_INFORMATION 常数在哪里有定义？

没编译通过，看GetLastError没用，
UNPROTECTED_DACL_SECURITY_INFORMATION 为 0x20000000

在Aclapi.h中声明，连接时需要连接Advapi32.lib

怎样用VC 函数设置WIN2000下的注册表加密键的权限？

UNPROTECTED_DACL_SECURITY_INFORMATION 常数在哪里有定义？

好像应该有专门的win32 API对注册表操作的，，，

没有用啊！
用lResult = SetSecurityInfo(hRegHandle, SE_REGISTRY_KEY, \\
DACL_SECURITY_INFORMATION | 0x20000000,\\
NULL, NULL, NULL, NULL);时和用
lResult = SetSecurityInfo(hRegHandle, SE_REGISTRY_KEY, \\
DACL_SECURITY_INFORMATION ,\\
NULL, NULL, NULL, NULL);时结果是一样的，怎么回事呢？

发给你全文
  
  Platform SDK: Security
SetSecurityInfo

The SetSecurityInfo function sets specified security information in the security descriptor of a specified object. The caller identifies the object by a handle.

Windows 2000/XP: If you are setting the object\'s DACL or SACL, the system automatically propagates any inheritable ACEs to existing child objects, according to the rules of inheritance.


DWORD SetSecurityInfo(
  HANDLE handle,
  SE_OBJECT_TYPE ObjectType,
  SECURITY_INFORMATION SecurityInfo,
  PSID psidOwner,
  PSID psidGroup,
  PACL pDacl,
  PACL pSacl
);

Parameters
handle
[in] Handle to the object for which to set security information.
ObjectType
[in] Specifies a value from the SE_OBJECT_TYPE enumeration that indicates the type of object identified by the handle parameter.
SecurityInfo
[in] Specifies the components of the security descriptor to set. This parameter can be a combination of the following values. Value Meaning
DACL_SECURITY_INFORMATION Sets the DACL in the object\'s security descriptor. The pDacl parameter is a pointer to the new DACL.
If neither PROTECTED_DACL_SECURITY_INFORMATION nor UNPROTECTED_DACL_SECURITY_INFORMATION is set, the current inheritance settings are preserved.
 
GROUP_SECURITY_INFORMATION Sets the primary group SID in the object\'s security descriptor. The psidGroup parameter is a pointer to the new SID.
OWNER_SECURITY_INFORMATION Sets the owner SID in the object\'s security descriptor. The psidOwner parameter is a pointer to the new SID.
PROTECTED_DACL_SECURITY_INFORMATION Windows 2000/XP: Protects the DACL from inheriting ACEs.
This value is ignored unless DACL_SECURITY_INFORMATION is also used.
 
PROTECTED_SACL_SECURITY_INFORMATION Windows 2000/XP: Protects the SACL from inheriting ACEs.
This value is ignored unless SACL_SECURITY_INFORMATION is also used.
 
SACL_SECURITY_INFORMATION Sets the SACL in the object\'s security descriptor. The pSacl parameter is a pointer to the new SACL.
If neither PROTECTED_SACL_SECURITY_INFORMATION nor UNPROTECTED_SACL_SECURITY_INFORMATION is set, the current inheritance settings are preserved.
 
UNPROTECTED_DACL_SECURITY_INFORMATION Windows 2000/XP: Inherits ACEs from the parent whenever applicable.
This value is ignored unless DACL_SECURITY_INFORMATION is also used.
 
UNPROTECTED_SACL_SECURITY_INFORMATION Windows 2000/XP: Inherits ACEs from the parent whenever applicable.
This value is ignored unless SACL_SECURITY_INFORMATION is also used.
 

psidOwner
[in] Pointer to a SID that identifies the object\'s owner. The SID must be one that can be assigned as the owner SID of a security descriptor. The SecurityInfo parameter must include the OWNER_SECURITY_INFORMATION flag. This parameter can be NULL if you are not setting the owner SID.
psidGroup
[in] Pointer to a SID that identifies the object\'s primary group. The SecurityInfo parameter must include the GROUP_SECURITY_INFORMATION flag. This parameter can be NULL if you are not setting the primary group SID.
pDacl
[in] Pointer to the new DACL for the object. The SecurityInfo parameter must include the DACL_SECURITY_INFORMATION flag. This parameter can be NULL if you are not setting the DACL.
pSacl
[in] Pointer to the new SACL for the object. The SecurityInfo parameter must include the SACL_SECURITY_INFORMATION flag. This parameter can be NULL if you are not setting the SACL.
Return Values
If the function succeeds, the return value is ERROR_SUCCESS.

If the function fails, the return value is a nonzero error code defined in Winerror.h.

Remarks
You can use the SetSecurityInfo function with the following types of objects:


Local or remote files or directories on an NTFS file system
Named pipes
Local or remote printers
Local or remote Windows services
Network shares
Registry keys
Semaphores, events, mutexes, and waitable timers
Processes, threads, jobs, and file-mapping objects
Window stations and desktops
Directory service objects

The SetSecurityInfo function does not reorder access-allowed or access-denied ACEs based on the preferred order. When propagating inheritable ACEs to existing child objects, SetSecurityInfo puts inherited ACEs in order after all of the non-inherited ACEs in the DACLs of the child objects.

Note  If share access to the children of the object is not available, this function will not propagate unprotected ACEs to the children. For example, if a directory is opened with exclusive access, the operating system will not propagate unprotected ACEs to that directory\'s subdirectories or files when the security on the directory is changed.

Requirements
Client: Included in Windows XP, Windows 2000 Professional, Windows NT Workstation 4.0.
Server: Included in Windows Server 2003, Windows 2000 Server, Windows NT Server 4.0.
Header: Declared in Aclapi.h.
Library: Use Advapi32.lib.


See Also
Access Control Overview, Basic Access Control Functions, ACL, GetNamedSecurityInfo, GetSecurityInfo, SE_OBJECT_TYPE, SECURITY_DESCRIPTOR, SECURITY_INFORMATION, SetNamedSecurityInfo, SID

Platform SDK Release: February 2003  What did you think of this topic?
  Order a Platform SDK CD

 

Requirements
Client: Included in Windows XP, Windows 2000 Professional, Windows NT Workstation 4.0.
Server: Included in Windows Server 2003, Windows 2000 Server, Windows NT Server 4.0.
Header: Declared in Aclapi.h.
Library: Use Advapi32.lib.

See Also
Access Control Overview, Basic Access Control Functions, ACL, GetNamedSecurityInfo, GetSecurityInfo, SE_OBJECT_TYPE, SECURITY_DESCRIPTOR, SECURITY_INFORMATION, SetNamedSecurityInfo, SID


  
Platform SDK: Security
ACE Inheritance Rules

The system propagates inheritable ACEs to child objects according to a set of inheritance rules. The system places inherited ACEs in the child\'s DACL according to the preferred order of ACEs in a DACL. The system sets the INHERITED_ACE flag in all inherited ACEs.


Windows NT, Windows Me/98/95:  The system does not set the INHERITED_ACE flag in all inherited ACEs.




The following table shows the ACEs inherited by container and noncontainer child objects for different combinations of inheritance flags. These inheritance rules work the same for both DACLs and SACLs.

Parent ACE type Effect on Child ACL
OBJECT_INHERIT_ACE only Noncontainer child objects: Inherited as an effective ACE.
Container child objects: Containers inherit an inherit-only ACE unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.
 
CONTAINER_INHERIT_ACE only Noncontainer child objects: No effect on the child object.
Container child objects: The child object inherits an effective ACE. The inherited ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.
 
CONTAINER_INHERIT_ACE and OBJECT_INHERIT_ACE Noncontainer child objects: Inherited as an effective ACE.
Container child objects: The child object inherits an effective ACE. The inherited ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.
 
No inheritance flags set No effect on child container or noncontainer objects.


If an inherited ACE is an effective ACE for the child object, the system maps any generic rights to the specific rights for the child object. Similarly, the system maps generic SIDs, such as CREATOR_OWNER, to the appropriate SID. If an inherited ACE is an inherit-only ACE, any generic rights or generic SIDs are left unchanged so that they can be mapped appropriately when the ACE is inherited by the next generation of child objects.

For a case in which a container object inherits an ACE that is both effective on the container and inheritable by its descendants, the container may inherit two ACEs. This occurs if the inheritable ACE contains generic information. The container inherits an inherit-only ACE containing the generic information and an effective-only ACE in which the generic information has been mapped.

An object-specific ACE has an InheritedObjectType member that can contain a GUID to identify the type of object that can inherit the ACE. If the InheritedObjectType GUID is not specified, the inheritance rules for an object-specific ACE are the same as for a standard ACE.

If the InheritedObjectType GUID is specified, the ACE is inheritable by objects that match the GUID if OBJECT_INHERIT_ACE is set, and by containers that match the GUID if CONTAINER_INHERIT_ACE is set. Note that currently only DS objects support object-specific ACEs, and the DS treats all object types as containers.


Platform SDK Release: February 2003  What did you think of this topic?
  Order a Platform SDK CD
看这里
pDacl
[in] Pointer to the new DACL for the object. The SecurityInfo parameter must include the DACL_SECURITY_INFORMATION flag. This parameter can be NULL if you are not setting the DACL.
pSacl
[in] Pointer to the new SACL for the object. The SecurityInfo parameter must include the SACL_SECURITY_INFORMATION flag. This parameter can be NULL if you are not setting the SACL.
你给参数为NULL，表示什么

 

我不会搞啊，我刚试过了，将PDACL 指向一个新的ACL 结构体，连该键的权限都设不了，子键盘也设不了，而用NULL只是子键盘的只读权限都给去掉了，搞不明白啊，我啥也不懂，是领导硬要我写一个USB设备的卸载程序，举个实例呀，拜托了！！！！！！！！！！小弟实在是搞不懂！！！！！