Reputation: 103
I use this method to grant/deny access to a registry key:
First GRANT_ACCESS
AddAceToObjectsSecurityDescriptor(wKey, SE_REGISTRY_KEY, UserName, TRUSTEE_IS_NAME, GENERIC_ALL, GRANT_ACCESS, SUB_CONTAINERS_AND_OBJECTS_INHERIT);
and then DENY_ACCESS
AddAceToObjectsSecurityDescriptor(wKey, SE_REGISTRY_KEY, UserName, TRUSTEE_IS_NAME, GENERIC_ALL, DENY_ACCESS, SUB_CONTAINERS_AND_OBJECTS_INHERIT);
They both worked. After these two calls I'm trying to call the first one again to grant access back. But I can't do it. There are no error messages like ERROR_ACCESS_DENIED. AddAceToObjectsSecurityDescriptor returns no error code. And my user account is the owner of the corresponding registry key. Moreover, I can still change permissions manually with regedit under the same UserName. Is there something wrong with the AddAceToObjectsSecurityDescriptor method?
Upvotes: 0
Views: 1873
Reputation: 226
Try to use DENY_ACCESS and SET_ACCESS. Example:
AddAceToObjectsSecurityDescriptor(wKey, SE_REGISTRY_KEY, UserName, TRUSTEE_IS_NAME, GENERIC_ALL, SET_ACCESS, SUB_CONTAINERS_AND_OBJECTS_INHERIT);
and
AddAceToObjectsSecurityDescriptor(wKey, SE_REGISTRY_KEY, UserName, TRUSTEE_IS_NAME, GENERIC_ALL, DENY_ACCESS, SUB_CONTAINERS_AND_OBJECTS_INHERIT);
Upvotes: 1
Reputation: 6314
Well, since your last call was to DENY access on the given object (Registry key), you cannot expect to successfully access the same object you just Denied access to. This is the reason why you get ERROR_ACCESS_DENIED. Since you are the owner of the object, you can of course take ownership of the object and reset the security descriptor as you would like it.
Upvotes: 0
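An added example, not part of any post in this thread and not Windows API code: a simplified C model of ordered DACL evaluation that replays the GRANT_ACCESS, DENY_ACCESS, GRANT_ACCESS sequence from the question and the SET_ACCESS variant suggested in the second post. The types, the 4-bit rights mask and the rule that a grant leaves an earlier deny ACE in place are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>
/* Simplified DACL model: hypothetical types, not the Windows ACL structures. */
enum ace_type { ACE_DENY, ACE_ALLOW };
enum mode { MODE_GRANT, MODE_SET, MODE_DENY }; /* stand-ins for GRANT_ACCESS, SET_ACCESS, DENY_ACCESS */
struct ace { enum ace_type type; const char *trustee; unsigned mask; };
struct dacl { struct ace e[16]; int n; };
#define KEY_ALL 0xFu /* constructed rights mask standing in for GENERIC_ALL */

static void insert_at(struct dacl *d, int pos, struct ace a) {
    if (d->n >= 16) return; /* model capacity reached */
    memmove(&d->e[pos + 1], &d->e[pos], (size_t)(d->n - pos) * sizeof a);
    d->e[pos] = a; d->n++;
}

/* Assumption: GRANT adds an allow ACE and leaves an earlier deny ACE in place. */
void apply(struct dacl *d, const char *t, unsigned mask, enum mode m) {
    if (m == MODE_SET) { /* SET discards every existing ACE for the trustee */
        int k = 0;
        for (int i = 0; i < d->n; i++)
            if (strcmp(d->e[i].trustee, t) != 0) d->e[k++] = d->e[i];
        d->n = k;
    }
    int pos = 0; /* new deny ACEs go first; allow ACEs go after all deny ACEs */
    while (m != MODE_DENY && pos < d->n && d->e[pos].type == ACE_DENY) pos++;
    insert_at(d, pos, (struct ace){ m == MODE_DENY ? ACE_DENY : ACE_ALLOW, t, mask });
}

/* Ordered evaluation: a deny ACE covering a still-needed right ends the check. */
int access_check(const struct dacl *d, const char *t, unsigned desired) {
    unsigned remaining = desired;
    for (int i = 0; i < d->n && remaining; i++) {
        if (strcmp(d->e[i].trustee, t) != 0) continue;
        if (d->e[i].type == ACE_DENY) { if (d->e[i].mask & remaining) return 0; }
        else remaining &= ~d->e[i].mask;
    }
    return remaining == 0;
}
/* Replays grant, deny, then `last`; returns 1 if the trustee ends up with access. */
int replay(enum mode last) {
    struct dacl d = { .n = 0 };
    apply(&d, "UserName", KEY_ALL, MODE_GRANT);
    apply(&d, "UserName", KEY_ALL, MODE_DENY);
    apply(&d, "UserName", KEY_ALL, last);
    return access_check(&d, "UserName", KEY_ALL);
}
int main(void) {
    printf("GRANT,DENY,GRANT: %d  GRANT,DENY,SET: %d\n", replay(MODE_GRANT), replay(MODE_SET));
    return 0;
}
```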