Geoff Chappell - Software Analyst
Sets the integrity level for an open registry key.
HRESULT SetRegistryKeyIntegrityLevel (HKEY hKey, PVOID pIntegritySid);
The hKey argument provides a handle to an open registry key.
The pIntegritySid argument provides the address of a SID that represents the desired integrity level.
The function returns zero for success, else an error code.
If not running on Windows Vista or higher, the operating system has no support for integrity levels and the function fails (returning S_FALSE).
The general idea is that if the key does not already have the integrity level represented by the given SID, the function creates a SYSTEM_MANDATORY_LABEL_ACE from the given SID, and sets it into the key’s SACL.
A key that does not have a SACL with a SYSTEM_MANDATORY_LABEL_ACE counts as already having medium integrity. Any failure to determine the integrity level, including because the key’s mandatory-label ACE has the ACE_INHERIT_ONLY flag, is not a failure of the function: it means only that the key has no integrity level to compare with the desired level.
If the function does proceed to set the integrity level, it first validates the given SID. The new mandatory-label ACE is inheritable by both values and subkeys, and has SYSTEM_MANDATORY_LABEL_NO_WRITE_UP as its access policy.
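The behaviour described above can be reproduced with the documented Win32 security APIs instead of the IERTUTIL export. The following PowerShell script is an added example, not code from the page or from IERTUTIL: it reads a key’s mandatory label from its SACL (treating a missing or inherit-only label as described above), and if the label differs from the requested SID it writes a SYSTEM_MANDATORY_LABEL_ACE with OI/CI inheritance and the NW (no-write-up) policy, exactly the ACE the text describes. The key path format, the throwaway key name LabelDemo and the helper names are the example’s own assumptions.

```powershell
# Added example (not from the page): read and set a registry key's mandatory
# integrity label via advapi32, mirroring what the text says the function does.
# Assumes Windows Vista or later; the key name and helper names are hypothetical.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class LabelNative {
    public const int  SE_REGISTRY_KEY = 4;              // SE_OBJECT_TYPE value
    public const uint LABEL_SECURITY_INFORMATION = 0x10; // only the mandatory label (SACL part)
    public const uint SDDL_REVISION_1 = 1;

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GetNamedSecurityInfoW(string pObjectName, int ObjectType, uint SecurityInfo,
        IntPtr ppsidOwner, IntPtr ppsidGroup, IntPtr ppDacl, out IntPtr ppSacl, out IntPtr ppSecurityDescriptor);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint SetNamedSecurityInfoW(string pObjectName, int ObjectType, uint SecurityInfo,
        IntPtr psidOwner, IntPtr psidGroup, IntPtr pDacl, IntPtr pSacl);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool ConvertSecurityDescriptorToStringSecurityDescriptorW(IntPtr pSD, uint revision,
        uint SecurityInfo, out IntPtr ppString, out uint len);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool ConvertStringSecurityDescriptorToSecurityDescriptorW(string sddl, uint revision,
        out IntPtr ppSD, out uint size);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetSecurityDescriptorSacl(IntPtr pSD, out bool present, out IntPtr pSacl, out bool defaulted);

    [DllImport("kernel32.dll")]
    public static extern IntPtr LocalFree(IntPtr h);
}
"@

# SDDL abbreviations that the system uses for the well-known integrity SIDs.
$IntegrityAliases = @{ LW = 'S-1-16-4096'; ME = 'S-1-16-8192'; HI = 'S-1-16-12288'; SI = 'S-1-16-16384' }

function Get-RegistryKeyIntegritySid {
    param([string]$KeyPath)   # SE_REGISTRY_KEY path form, e.g. 'CURRENT_USER\Software\LabelDemo'
    $sacl = [IntPtr]::Zero; $sd = [IntPtr]::Zero
    $err = [LabelNative]::GetNamedSecurityInfoW($KeyPath, [LabelNative]::SE_REGISTRY_KEY,
        [LabelNative]::LABEL_SECURITY_INFORMATION, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$sacl, [ref]$sd)
    if ($err -ne 0) { return $null }   # cannot determine: nothing to compare with, as the text describes
    try {
        $str = [IntPtr]::Zero; [uint32]$len = 0
        if (-not [LabelNative]::ConvertSecurityDescriptorToStringSecurityDescriptorW($sd, [LabelNative]::SDDL_REVISION_1,
                [LabelNative]::LABEL_SECURITY_INFORMATION, [ref]$str, [ref]$len)) { return $null }
        try { $sddl = [Runtime.InteropServices.Marshal]::PtrToStringUni($str) } finally { [void][LabelNative]::LocalFree($str) }
    } finally { [void][LabelNative]::LocalFree($sd) }
    # An ML ACE looks like (ML;<flags>;<policy>;;;<sid>) in SDDL.
    if ($sddl -match '\(ML;([^;]*);[^;]*;;;([^)]*)\)') {
        if ($Matches[1] -match 'IO') { return $null }   # inherit-only label is not in effect on this key
        $sid = $Matches[2]
        if ($IntegrityAliases.ContainsKey($sid)) { return $IntegrityAliases[$sid] }
        return $sid
    }
    return 'S-1-16-8192'   # no mandatory-label ACE at all counts as medium integrity
}

function Set-RegistryKeyIntegrityLevel {
    param([string]$KeyPath, [string]$IntegritySid)   # e.g. 'S-1-16-4096' for Low
    $current = Get-RegistryKeyIntegritySid $KeyPath
    if ($current -eq $IntegritySid) { return $true }   # already labelled as requested: nothing to write
    # OICI: inherited by subkeys (and values); NW: SYSTEM_MANDATORY_LABEL_NO_WRITE_UP.
    # The SDDL conversion also rejects a malformed SID, which stands in for the validation step.
    $sddl = "S:(ML;OICI;NW;;;$IntegritySid)"
    $sd = [IntPtr]::Zero; [uint32]$size = 0
    if (-not [LabelNative]::ConvertStringSecurityDescriptorToSecurityDescriptorW($sddl, [LabelNative]::SDDL_REVISION_1,
            [ref]$sd, [ref]$size)) { return $false }
    try {
        $present = $false; $defaulted = $false; $sacl = [IntPtr]::Zero
        if (-not [LabelNative]::GetSecurityDescriptorSacl($sd, [ref]$present, [ref]$sacl, [ref]$defaulted)) { return $false }
        $err = [LabelNative]::SetNamedSecurityInfoW($KeyPath, [LabelNative]::SE_REGISTRY_KEY,
            [LabelNative]::LABEL_SECURITY_INFORMATION, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, $sacl)
        return ($err -eq 0)
    } finally { [void][LabelNative]::LocalFree($sd) }
}

# Demonstration on a throwaway key under HKCU (hypothetical name). A medium-integrity
# process may lower a label it owns, so Low is used here rather than High.
$null = New-Item -Path 'HKCU:\Software\LabelDemo' -Force
'before: ' + (Get-RegistryKeyIntegritySid 'CURRENT_USER\Software\LabelDemo')
'set ok: ' + (Set-RegistryKeyIntegrityLevel 'CURRENT_USER\Software\LabelDemo' 'S-1-16-4096')
'after:  ' + (Get-RegistryKeyIntegritySid 'CURRENT_USER\Software\LabelDemo')
Remove-Item -Path 'HKCU:\Software\LabelDemo' -Recurse
```

Two practical caveats when trying this: setting the label needs WRITE_OWNER access on the key, which the owner of a key under HKCU has, and the system will not let a process set a label above its own integrity level, so writing a high label from a medium-integrity shell fails with an access-denied error rather than succeeding silently.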
The SetRegistryKeyIntegrityLevel function is exported from IERTUTIL as ordinal 53 in version 7.0 and higher.