SetSecurityDescriptor

Sets the security descriptor for a key.

The Win32_SecurityDescriptor instance represents a SECURITY_DESCRIPTOR_CONTROL data type and contains a discretionary access control list (DACL) and a system access control list (SACL). For more information, see Access Control Lists.

If the SeSecurityPrivilege is not granted or enabled when getting a security descriptor, then only the DACL is returned in the returned security descriptor. For more information, see Privilege Constants and Executing Privileged Operations.

You can update both the DACL and the SACL in the Win32_SecurityDescriptor instance when calling this method, but you also can update only the DACL or only the SACL.

The following values in SECURITY_DESCRIPTOR_CONTROL determine whether the DACL or the SACL or both are updated.

If the Group trustee and the Owner trustee properties are not NULL, then they are updated. Otherwise, WMI preserves the original values. For more information, see WMI Security Descriptor Objects.

When the new SACL is NULL in a call to this method, the security descriptor SACL on the target securable object is left unchanged.

Example

Do not run the example code below just to see what happens next. Many methods seriously affect your system. Always make sure you actually understand what the method and the code do.

param
(
  [Parameter(Mandatory)]
  [Object]
  $Descriptor,

  [Parameter(Mandatory)]
  [UInt32]
  $hDefKey,

  [Parameter(Mandatory)]
  [String]
  $sSubKeyName
)


Invoke-CimMethod -ClassName StdRegProv -MethodName SetSecurityDescriptor -Arguments $PSBoundParameters

To run this method on one or more remote systems, use New-CimSession:

param
(
  [Parameter(Mandatory)]
  [Object]
  $Descriptor,

  [Parameter(Mandatory)]
  [UInt32]
  $hDefKey,

  [Parameter(Mandatory)]
  [String]
  $sSubKeyName,

  [String[]]
  $ComputerName,

  [PSCredential]
  $Credential
)


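$session = New-CimSession -ComputerName $ComputerName -Credential $Credential

# Pass only the method's own arguments: $PSBoundParameters would also contain
# ComputerName and Credential, which SetSecurityDescriptor does not accept.
$arguments = @{
  hDefKey     = $hDefKey
  sSubKeyName = $sSubKeyName
  Descriptor  = $Descriptor
}

Invoke-CimMethod -ClassName StdRegProv -MethodName SetSecurityDescriptor -Arguments $arguments -CimSession $session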

Remove-CimSession -CimSession $session
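The DACL-only update described above, as an added example that is not code from the original page: it reads the current descriptor with GetSecurityDescriptor, drops explicit allow ACEs that give Everyone, Authenticated Users or BUILTIN\Users write access, and writes back only the DACL. The function name Remove-BroadWriteAce is hypothetical, and the SE_DACL_PRESENT (0x4), SE_SACL_PRESENT (0x10) and INHERITED_ACE (0x10) values are taken from winnt.h, not from this page.

```powershell
# Added example; Remove-BroadWriteAce is a hypothetical helper, not part of StdRegProv.
function Remove-BroadWriteAce {
  [CmdletBinding(SupportsShouldProcess)]
  param(
    [Parameter(Mandatory)][string]$sSubKeyName,
    [uint32]$hDefKey = 2147483650            # HKEY_LOCAL_MACHINE
  )
  $key = @{ hDefKey = $hDefKey; sSubKeyName = $sSubKeyName }
  $got = Invoke-CimMethod -ClassName StdRegProv -MethodName GetSecurityDescriptor -Arguments $key
  if ($got.ReturnValue -ne 0) { throw "GetSecurityDescriptor returned $($got.ReturnValue)" }
  $sd = $got.Descriptor

  $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, BUILTIN\Users
  # KEY_SET_VALUE, KEY_CREATE_SUB_KEY, KEY_CREATE_LINK, DELETE, WRITE_DAC, WRITE_OWNER,
  # GENERIC_ALL, GENERIC_WRITE
  $writeMask = 0x2 -bor 0x4 -bor 0x20 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
               0x10000000 -bor 0x40000000

  # Split the DACL: explicit (INHERITED_ACE 0x10 clear) allow ACEs (AceType 0) that give
  # a broad group write access are dropped; everything else is kept.
  $drop, $keep = @($sd.DACL).Where({
      $_.AceType -eq 0 -and -not ($_.AceFlags -band 0x10) -and
      $_.Trustee.SIDString -in $broad -and ($_.AccessMask -band $writeMask)
    }, 'Split')
  if (-not $drop) { return 'No explicit broad write ACE found; nothing changed.' }
  if (-not $keep) { throw 'Refusing to write an empty DACL (it would deny all access).' }

  $sd.DACL  = [CimInstance[]]$keep
  $sd.SACL  = $null    # NULL SACL: the key's audit settings stay as they are
  $sd.Owner = $null    # NULL owner and group: WMI preserves the original values
  $sd.Group = $null
  # SE_DACL_PRESENT (0x4) set, SE_SACL_PRESENT (0x10) cleared: update the DACL only
  $sd.ControlFlags = ($sd.ControlFlags -bor 0x4) -band 0xFFEF

  $names = ($drop | ForEach-Object { $_.Trustee.Name }) -join ', '
  if ($PSCmdlet.ShouldProcess($sSubKeyName, "Remove write ACEs for $names")) {
    $set = Invoke-CimMethod -ClassName StdRegProv -MethodName SetSecurityDescriptor -Arguments ($key + @{ Descriptor = $sd })
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor returned $($set.ReturnValue)" }
    # Read back and report what the key now grants
    (Invoke-CimMethod -ClassName StdRegProv -MethodName GetSecurityDescriptor -Arguments $key).Descriptor.DACL |
      Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, AceType, AccessMask
  }
}
```

Call it with -WhatIf first to see which trustees would lose write access without changing the key. Inherited ACEs are skipped on purpose, because they have to be corrected on the parent key they come from.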

Learn more about Invoke-CimMethod and invoking WMI methods.

Syntax

uint32 SetSecurityDescriptor(
  [in] uint32               hDefKey = HKEY_LOCAL_MACHINE,
  [in] string               sSubKeyName,
  [in] __SecurityDescriptor Descriptor
);

Parameters

| Name | Type | Description |
|---|---|---|
| Descriptor | Object | Contains the security descriptor to set on the key name. |
| hDefKey | UInt32 | Parameter that specifies the tree that contains the sSubKeyName path. The default value is HKEY_LOCAL_MACHINE (0x80000002). The following trees are defined in Winreg.h: HKEY_CLASSES_ROOT (0x80000000), HKEY_CURRENT_USER (0x80000001), HKEY_LOCAL_MACHINE (0x80000002), HKEY_USERS (0x80000003), HKEY_CURRENT_CONFIG (0x80000005) |
| sSubKeyName | String | Contains the key name to set the security descriptor on. |

hDefKey

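# Root key handles are distinct values, not combinable bit flags, and they exceed Int32,
# so the enum needs a UInt32 underlying type (supported in PowerShell 6.2 and later).
enum StdRegProvhDefKey : UInt32
{
  HKEY_CLASSES_ROOT     = 2147483648
  HKEY_CURRENT_USER     = 2147483649
  HKEY_LOCAL_MACHINE    = 2147483650
  HKEY_USERS            = 2147483651
  HKEY_CURRENT_CONFIG   = 2147483653
}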

Return Value

Returns a value of type UInt32. Typically, a value of 0 indicates success.

See Also

Additional methods implemented by StdRegProv:

CheckAccess()

CheckAccess() verifies that the user has the specified access permissions.

CreateKey()

CreateKey() creates a subkey.

DeleteKey()

DeleteKey() deletes a subkey.

DeleteValue()

DeleteValue() deletes a named value.

EnumKey()

EnumKey() enumerates subkeys.

EnumValues()

EnumValues() enumerates the named values of a key.

GetBinaryValue()

GetBinaryValue() gets the binary data value of a named value.

GetDWORDValue()

GetDWORDValue() gets the DWORD data value of a named value.

GetExpandedStringValue()

GetExpandedStringValue() gets the expanded string data value of a named value.

GetMultiStringValue()

GetMultiStringValue() gets the multiple string data values of a named value.

GetQWORDValue()

GetQWORDValue() gets the QWORD data values of a named value.

GetSecurityDescriptor()

GetSecurityDescriptor() gets the security descriptor for a key.

GetStringValue()

GetStringValue() gets the string data value of a named value.

SetBinaryValue()

SetBinaryValue() sets the binary data value of a named value.

SetDWORDValue()

SetDWORDValue() sets the DWORD data value of a named value.

SetExpandedStringValue()

SetExpandedStringValue() sets the expanded string data value of a named value.

SetMultiStringValue()

SetMultiStringValue() sets the multiple string values of a named value.

SetQWORDValue()

SetQWORDValue() sets the QWORD data values of a named value.

SetStringValue()

SetStringValue() sets the string value of a named value.

Requirements

To use StdRegProv, the following requirements apply:

PowerShell

Get-CimInstance was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.

If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.

Operating System

StdRegProv was introduced on clients with Windows Vista and on servers with Windows Server 2008.

Namespace

StdRegProv lives in the Namespace Root/CIMv2. This is the default namespace. There is no need to use the -Namespace parameter in Get-CimInstance.

Implementation

StdRegProv is implemented in Stdprov.dll and defined in RegEvent.mof. Both files are located in the folder C:\Windows\system32\wbem:

explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\RegEvent.mof