/// <summary>
/// Rewrites the discretionary ACL of the cluster registry key behind <c>hKey</c> so that
/// Authenticated Users and Network Service each hold an allow ACE with access mask
/// 0x80000000 (GENERIC_READ), not inherited and not propagated.
/// </summary>
/// <remarks>
/// Only the DACL is read and written back (<c>SecurityInfos.DiscretionaryAcl</c>); this method
/// does not request or set any other part of the descriptor. Every failure path throws the
/// exception produced by <c>registryExceptionHelper.CreateRegistryWriteException</c>.
/// </remarks>
internal override void AdjustRegKeyPermission()
{
    const uint descriptorSizeCap = 40960;
    const int readMask = unchecked((int)0x80000000);

    // Phase 1: fetch the current DACL, growing the buffer until the native call accepts it.
    uint bufferLength = 256;
    byte[] currentDescriptorBytes;
    while (true)
    {
        currentDescriptorBytes = new byte[bufferLength];
        int getStatus = SafeNativeMethods.ClusterRegGetKeySecurity(
            hKey,
            SecurityInfos.DiscretionaryAcl,
            currentDescriptorBytes,
            ref bufferLength);

        if (getStatus == SafeNativeMethods.ERROR_SUCCESS)
        {
            break;
        }

        if (getStatus != SafeNativeMethods.ERROR_INSUFFICIENT_BUFFER)
        {
            // NOTE(review): the native status code is dropped here (null is passed to the
            // helper), so it will not appear in the resulting exception.
            throw registryExceptionHelper.CreateRegistryWriteException(null);
        }

        // NOTE(review): bufferLength is passed by ref. If the native call writes the required
        // size back on ERROR_INSUFFICIENT_BUFFER (not visible here), doubling that value can
        // exceed the cap for a descriptor that would itself have fitted under it. Confirm.
        bufferLength *= 2;
        if (bufferLength > descriptorSizeCap)
        {
            break;
        }
    }

    // Bounds the allocation: give up rather than keep growing past the cap.
    if (bufferLength > descriptorSizeCap)
    {
        throw registryExceptionHelper.CreateRegistryWriteException(null);
    }

    // Phase 2: edit the DACL in managed form.
    CommonSecurityDescriptor descriptor = null;
    try
    {
        descriptor = new CommonSecurityDescriptor(false, false, currentDescriptorBytes, 0);
        DiscretionaryAcl acl = descriptor.DiscretionaryAcl;

        if (acl.Count == 1)
        {
            CommonAce onlyAce = acl[0] as CommonAce;
            bool isSingleEveryoneAllow =
                onlyAce != null
                && onlyAce.AceType == AceType.AccessAllowed
                && onlyAce.SecurityIdentifier.IsWellKnown(WellKnownSidType.WorldSid);

            if (isSingleEveryoneAllow)
            {
                // Per the original author, this lone allow-Everyone ACE is the full-access entry
                // the CommonSecurityDescriptor constructor adds on its own, so it is dropped.
                // The test does not look at the ACE's access mask, and Purge removes every ACE
                // for the Everyone SID.
                // NOTE(review): on this path the DACL written back holds only the two read ACEs
                // added below. Confirm that whoever must write to this key keeps access by some
                // other means.
                acl.Purge(new SecurityIdentifier(WellKnownSidType.WorldSid, null));
            }
        }

        // Grant read access, in this order, to Authenticated Users and then Network Service.
        WellKnownSidType[] readers = new WellKnownSidType[]
        {
            WellKnownSidType.AuthenticatedUserSid,
            WellKnownSidType.NetworkServiceSid
        };
        foreach (WellKnownSidType reader in readers)
        {
            acl.AddAccess(
                AccessControlType.Allow,
                new SecurityIdentifier(reader, null),
                readMask,
                InheritanceFlags.None,
                PropagationFlags.None);
        }
    }
#pragma warning suppress 56500
    catch (Exception e)
    {
        // The original author found no documented exception list for the APIs above, hence the
        // broad catch. Critical exceptions pass through untouched; anything else is wrapped.
        if (!Utilities.IsCriticalException(e))
        {
            throw registryExceptionHelper.CreateRegistryWriteException(e);
        }

        throw;
    }

    // Phase 3: serialize the edited descriptor and write its DACL back to the key.
    byte[] updatedDescriptorBytes = new byte[descriptor.BinaryLength];
    descriptor.GetBinaryForm(updatedDescriptorBytes, 0);

    int setStatus = SafeNativeMethods.ClusterRegSetKeySecurity(
        hKey,
        SecurityInfos.DiscretionaryAcl,
        updatedDescriptorBytes);
    if (setStatus != SafeNativeMethods.ERROR_SUCCESS)
    {
        throw registryExceptionHelper.CreateRegistryWriteException(null);
    }
}