Account SYSTEM must have Full Control access to Registry

Registry Tip #199: Account SYSTEM must have Full Control access to Registry

Hits: Failed to execute CGI : Win32 Error Code = 3

NEVER remove SYSTEM as a qualified user in Registry permissions. Doing so will make changing the Registry with Control Panel or during software installation impossible. Changes will not take effect and software will most likely be unusable. Similarly, access permissions for the boot and system partitions: the critical entry on the ACL is the SYSTEM/Full Control ACE. Do not under any circumstances remove this ACL from the list or modify it; NT crashes and will not restart. It might be temping to to exclude unncessary users from the NT installation direcory tree. Don't experiment on production boxes.

Each key in the registry has its own ACL. The registry ACLs are conceptually similar to file permission ACLs. The registry ACL access permission types follow.

Query Value	Read access to values in key
Set Value	Create / update values in key
Create Subkey	Create subkey in key
Enumerate Subkeys	List subkeys in key
Notify	Audit notification events in key
Create Link	Create link to key
Delete	Delete key
Write DAC	Write Discretionary ACL (DAC) on key
Write Owner	Take ownership of key
Read Control	Read ACL of key

Table of Contents