CheckAccess

Verifies that the user has the specified access permissions.

The Registry Provider CheckAccess method allows you to determine whether the user of a script has a particular access right on a registry subkey or entry. The Registry Provider does not provide a way to list all of the access rights on a given subkey or entry, or to make any changes to the access rights.

This method returns false if you do not have appropriate permissions; the method also returns false if the parent key described in hDefKey does not exist.

The List Registry Key Access Rights VBScript sample uses WMI to check access rights for the logged on user to the HKLM\SYSTEM\CurrentControlSet portion of the registry.

The Robust Office Inventory Scan Tool (ROISCAN) is a VBScript script to inventory all Microsoft Office installations on the computer to aid in troubleshooting patch and product installation issues.

The following VBScript code example shows how to use the CheckAccess method to verify that the user has the right to read the values of the registry key:

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet

Example

Do not run below example code just to see what happens next. Many methods seriously affect your system. Always make sure you actually understand what the method and the code do.

param
(
  [Parameter(Mandatory)]
  [UInt32]
  $hDefKey,

  [Parameter(Mandatory)]
  [String]
  $sSubKeyName,

  [Parameter(Mandatory)]
  [UInt32]
  $uRequired
)


Invoke-CimMethod -ClassName StdRegProv -MethodName CheckAccess -Arguments $PSBoundParameters

To run this method on one or more remote systems, use New-CimSession:

param
(
  [Parameter(Mandatory)]
  [UInt32]
  $hDefKey,

  [Parameter(Mandatory)]
  [String]
  $sSubKeyName,

  [Parameter(Mandatory)]
  [UInt32]
  $uRequired,

  [String[]]
  $ComputerName,

  [PSCredential]
  $Credential
)


$session = New-CimSession -ComputerName $ComputerName -Credential $Credential

Invoke-CimMethod -ClassName StdRegProv -MethodName CheckAccess -Arguments $PSBoundParameters -CimSession $session

Remove-CimSession -CimSession $session

Learn more about Invoke-CimMethod and invoking WMI methods.

Syntax

uint32 CheckAccess(
  [in]  uint32 hDefKey = HKEY_LOCAL_MACHINE,
  [in]  string sSubKeyName,
  [in]  uint32 uRequired = 3,
  [out] bool   bGranted
);

Parameters

Name Type Description
hDefKey UInt32 Optional parameter that specifies the tree that contains the sSubKeyName path. The default value is HKEY_LOCAL_MACHINE (0x80000002). The following trees are defined in Winreg.h:
HKEY_CLASSES_ROOT (0x80000000)
HKEY_CURRENT_USER (0x80000001)
HKEY_LOCAL_MACHINE (0x80000002)
HKEY_USERS (0x80000003)
HKEY_CURRENT_CONFIG (0x80000005)
HKEY_DYN_DATA (0x80000006)
Note that HKEY_DYN_DATA is a valid tree for Windows 95 and Windows 98 computers only.
sSubKeyName String Contains the key to be verified.
uRequired UInt32 Optional parameter that specifies the access permissions to be verified. You can add these values together to verify more than one access permission. The default value is 3. The following access permission values are defined in Winnt.h:
KEY_QUERY_VALUE (0X0001)
KEY_SET_VALUE (0X0002)
KEY_CREATE_SUB_KEY (0X0004)
KEY_ENUMERATE_SUB_KEYS (0X0008)
KEY_NOTIFY (0X0010)
KEY_CREATE_LINK (0X0020)
DELETE (0x00010000)
READ_CONTROL (0x00020000)
WRITE_DAC (0X00040000)
WRITE_OWNER (0X00080000)

hDefKey

[Flags()]Enum StdRegProvhDefKey
{
  HKEY_CLASSES_ROOT     = 2147483648 # 
  HKEY_CURRENT_USER     = 2147483649 # 
  HKEY_LOCAL_MACHINE    = 2147483650 # 
  HKEY_USERS            = 2147483651 # 
  HKEY_CURRENT_CONFIG   = 2147483653 # 
}

uRequired

[Flags()]Enum StdRegProvuRequired
{
  QUERY_VALUE         = 1        # Required to query the values of a registry key.
  SET_VALUE           = 2        # Required to create, delete, or set a registry value.
  CREATE_SUBKEY       = 4        # Required to create a subkey of a registry key.
  ENUMERATE_SUBKEYS   = 8        # Required to enumerate the subkeys of a registry key.
  NOTIFY              = 16       # Required to request change notifications for a registry key or for subkeys of a registry key.
  CREATE              = 32       # Required to create a registry key.
  DELETE              = 65536    # Required to delete a registry key.
  READ_CONTROL        = 131072   # Combines the STANDARD_RIGHTS_READ, KEY_QUERY_VALUE, KEY_ENUMERATE_SUB_KEYS, and KEY_NOTIFY values.
  WRITE_DAC           = 262144   # Required to modify the DACL in the object's security descriptor.
  WRITE_OWNER         = 524288   # Required to change the owner in the object's security descriptor.
}

Return Value

Returns a value of type UInt32. Typically, a value of 0 indicates success.

See Also

Additional methods implemented by StdRegProv:

CreateKey()

CreateKey() creates a subkey.

DeleteKey()

DeleteKey() deletes a subkey.

DeleteValue()

DeleteValue() deletes a named value.

EnumKey()

EnumKey() enumerates subkeys.

EnumValues()

EnumValues() enumerates the named values of a key.

GetBinaryValue()

GetBinaryValue() gets the binary data value of a named value.

GetDWORDValue()

GetDWORDValue() gets the DWORD data value of a named value.

GetExpandedStringValue()

GetExpandedStringValue() gets the expanded string data value of a named value.

GetMultiStringValue()

GetMultiStringValue() gets the multiple string data values of a named value.

GetQWORDValue()

GetQWORDValue() gets the QWORD data values of a named value.

GetSecurityDescriptor()

GetSecurityDescriptor() gets the security descriptor for a key.

GetStringValue()

GetStringValue() gets the string data value of a named value.

SetBinaryValue()

SetBinaryValue() sets the binary data value of a named value.

SetDWORDValue()

SetDWORDValue() sets the DWORD data value of a named value.

SetExpandedStringValue()

SetExpandedStringValue() sets the expanded string data value of a named value.

SetMultiStringValue()

SetMultiStringValue() sets the multiple string values of a named value.

SetQWORDValue()

SetQWORDValue() sets the QWORD data values of a named value.

SetSecurityDescriptor()

SetSecurityDescriptor() sets the security descriptor for a key.

SetStringValue()

SetStringValue() sets the string value of a named value.

Requirements

To use StdRegProv, the following requirements apply:

PowerShell

Get-CimInstance was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.

If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.

Operating System

StdRegProv was introduced on clients with Windows Vista and on servers with Windows Server 2008.

Namespace

StdRegProv lives in the Namespace Root/CIMv2. This is the default namespace. There is no need to use the -Namespace parameter in Get-CimInstance.

Implementation

StdRegProv is implemented in Stdprov.dll and defined in RegEvent.mof. Both files are located in the folder C:\Windows\system32\wbem:

explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\RegEvent.mof