Re: SfcIsKeyProtected (Windows Resource Protection)


First, I apologize if I used your last name previously.

Secondly, thank you very much for responding again. This time I was able to
work through some issues and get my code to work. My first problem was
assuming that certain keys were protected when it turns out they are not.
Your REGEDIT tip helped out there. Before you posted this last response, I
re-wrote my code to enumerate through all the registry keys to find the
protected ones. Your example helped me prove that the function does actually
work and forged on to figure out what I was doing wrong. I thought your
suggestion of KEY_READ for the 3rd parameter in SfcIsKeyProtected was the
answer at first, but it wasn't. I finally determined that my main problem
must be in the conversion from ANSI to UNICODE. I was using
MultiByteToWideChar to provide input to the LPCWSTR (2nd parm). The call
works fine when hardcoding a subkey using L"subkey" but not my converted text
- I'll have to figure that out later. So, your other suggestion to the rescue
- calling SfcIsKeyProtected on an opened key with NULL for parm 2. I had
only tried that combination on an opened key (back to my assumption again)
that wasn't protected. When I tried my "enumerate the entire registry code"
using the open key and NULL for parm 2 - it worked like a charm!

Thanks again for responding and helping me to save a little of my hair!!


"Idan" wrote:

First let's review SfcIsKeyProtected a bit. This function returns a
boolean value which indicates whether the registry key is WRP protected
or not. (if you want more info about the WRP feature let me know). All
base keys such as HKLM, HKCR are not WRP protected, therefore the value
0 (FALSE) is actually the right value.

The parameters of the function are:
HKEY - a handle to a registry key. This is a required parameter, and
cannot be NULL. When you passed NULL you got error 6 which is
ERROR_INVALID_HANDLE and this is also by design.
LPCWSTR - a string containing a sub key of the opened registry key.
This parameter is optional and can be NULL.
REGSAM - this parameter is used to check 32bit registry keys on 64bit
machine. I'd pass KEY_READ.

To check if a registry key is WRP, you can do the following:
1. open regedit.
2. right click on a registry key and choose 'Permissions...'
3. A key is WRP if TrustedInstaller service has full access to it and
all other users/groups have only read access. TI is the owner of the
key in most cases.
(check out HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech\UX for example)

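So if you want the API to return true you have to do the following:
HKEY key;
/* The handle must refer to an opened key, here the example key named above. */
RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Speech\\UX", 0, KEY_READ, &key);
BOOL isProtected = SfcIsKeyProtected(key, NULL, KEY_READ);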

Let me know if you have other questions/problems.

Jim wrote:
Hi Rubin,

Thanks for responding - I can't find anything other than the MS doc on

I was using Beta 2 Build 53?? and installed the most recent build the other
day. Neither of them worked and both behaved the same way. I'm away from
my office so I can't get access to see what the latest build number is.

SfcIsKeyProtected returns 0 with GetLastError returning 0 when I provide one
anything for the SubKey. I tried "SOFTWARE",
"SOFTWARE\Microsoft\Windows\CurrentVersion", keys that don't exist, other
keys that do but shouldn't be protected. I tried passing NULL for the subkey
to check the root key and it returned the same codes. I tried calling
RegOpenKeyEx on a subkey and passing the returned HKEY as the root and it
still behaved the same. The only test I made that returned something
different was when I passed NULL for the root key, in which case the function
returned 0 and GetLastError returned 6.


"rubin.idan@xxxxxxxxx" wrote:

Hi Jim,

1. What build of Vista are you using?
2. How were you using SfcIsKeyProtected? (what were the parameters you
3. What was the failure? (Did it return FALSE on a WRP protected key?
did it return an error message?)

Idan Rubin

Jim wrote:
Has anyone been able to get SfcIsKeyProtected or SfcGetNextProtectedFile to
work on Vista? I have been able to use SfcIsFileProtected but the other two
don't seem to work at all?

Are there any tricks to using them? Is the documentation wrong?

Thanks for any information.
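
The combination that worked in this thread (an opened key handle, NULL for the sub key, KEY_READ), as an added PowerShell example that is not code from any poster. The P/Invoke declaration, the function names Test-WrpKey and Find-WrpKey, and the depth limit are assumptions of this example; CharSet.Unicode makes the runtime pass the sub key as LPCWSTR, so no manual ANSI-to-Unicode conversion is involved.

```powershell
# Added example, not from the thread. Requires Windows Vista or later.
Add-Type -Namespace Wrp -Name Native -MemberDefinition @'
[DllImport("sfc.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool SfcIsKeyProtected(IntPtr KeyHandle, string SubKeyName, uint KeySam);
'@

$KEY_READ = 0x20019   # REGSAM value suggested in the thread

function Test-WrpKey {
    # Check an already opened key, passing a real NULL as the sub key.
    param([Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$Key)
    $h = $Key.Handle.DangerousGetHandle()
    # A bare $null is converted to "" for a string parameter, so use NullString.
    $protected = [Wrp.Native]::SfcIsKeyProtected($h, [NullString]::Value, $KEY_READ)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [pscustomobject]@{ Path = $Key.Name; Protected = $protected; LastError = $err }
}

function Find-WrpKey {
    # Walk a subtree and emit every key the API reports as WRP protected.
    param([Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$Root, [int]$MaxDepth = 3)
    $r = Test-WrpKey -Key $Root
    if ($r.Protected) { $r }
    if ($MaxDepth -le 0) { return }
    try { $names = $Root.GetSubKeyNames() } catch { return }   # cannot enumerate
    foreach ($name in $names) {
        try { $child = $Root.OpenSubKey($name, $false) }       # read-only open
        catch { continue }                                     # no read access
        if ($null -eq $child) { continue }                     # key vanished meanwhile
        try { Find-WrpKey -Root $child -MaxDepth ($MaxDepth - 1) }
        finally { $child.Dispose() }
    }
}

# A base key such as HKLM is expected to report False (per the thread).
Test-WrpKey -Key ([Microsoft.Win32.Registry]::LocalMachine)

# The Speech subtree holds the UX key the thread names as a protected example.
$speech = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\Microsoft\Speech')
if ($speech) { try { Find-WrpKey -Root $speech } finally { $speech.Dispose() } }
```

A result with Protected False and LastError 0 means the key is simply not protected; LastError 6 (ERROR_INVALID_HANDLE) means the handle itself was bad, which is the case reported earlier in the thread.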

