What is an effective way to grant permissions to a registry key using an NSIS installer?

Question

I am attempting to use the AccessControl plugin in NSIS to set the permissions on a registry key. It is not working. After the installer runs, the All Users group does not have Full Control.

I've created a sample below. Is there anything wrong here? Is there another mechanism to accomplish the same thing? I've also attempted to use the numeric form of the Everyone group S-1-1-0 I have not tried using "Everyone" yet.

  ; Create the key for local machine settings (could be a 32 bit or 64 bit location)
  SetRegView 32
  WriteRegStr HKLM "SOFTWARE\MyApp" "x" "y"
  SetRegView 64
  WriteRegStr HKLM "SOFTWARE\MyApp" "x" "y"

  ; Give all authenticated users (BUILTIN\Users) full access on the registry key HKEY_LOCAL_MACHINE\Software\MyApp
  SetRegView 32
  AccessControl::GrantOnRegKey HKLM "SOFTWARE\MyApp" "BUILTIN\USERS" "FullAccess"
  SetRegView 64
  AccessControl::GrantOnRegKey HKLM "SOFTWARE\MyApp" "BUILTIN\USERS" "FullAccess"

At first, I did not bother with the two registry views. But after experimentation, in an attempt to rule out issues with WOW6432Node, I doubled the commands. I hope it is not necessary.

Answer 1

When using a SID with the plugin the syntax is (S-1-....):

WriteRegStr HKCU "Software\test" hello world
AccessControl::GrantOnRegKey HKCU "Software\test" "(S-1-1-0)" "FullAccess" ; Everyone

You can find a list of SIDs here.

You can use AccessControl::NameToSid to transform a name to its SID but doing this can have localization issues on non-English systems:

AccessControl::NameToSid "BUILTIN\USERS"
Pop $0
StrCmp $0 "error" +2
AccessControl::GrantOnRegKey HKCU "Software\test" "($0)" "FullAccess"

When changing the owner you can also use the Machine\Username syntax.

Aliases like (BU) only work in the unicode version and also depend on the Windows version so it is better to just stick with SIDs.