The inability to lock someone out of the registry is a feature, not a bug


There is no way to lock the registry. Whereas you can open a file with a deny all sharing mode to prevent anyone else from opening the file, the registry has no such provision. You can’t lock a registry key and prevent others from reading from or writing to it. There is an internal lock on the registry, but that’s just to ensure that registry operations are atomic; that is, that if one thread writes a value to the registry and another thread reads that same value from the registry, then the value that comes back is either the value before the write took place or the value after the write took place, but not some sort of mixture of the two.

Some people consider the inability to lock the registry to be a bug but it’s actually a feature. It means that nobody can launch a denial of service attack against the registry by opening a key in an exclusive mode and preventing anybody else from reading it. This is important, because many security settings are stored in the registry, and locking somebody out of a registry key means that the part of the operating system whose job it is to enforce the security of a particular feature would no longer be able to check whether the operation is allowed.

This all means that if you’re reading from the registry, you have to accept that the contents can change while you’re reading them, in the same way that you have to accept that the file system can change. If you’re writing to the registry, you can take advantage of transactional registry support new to Windows Vista.


Comments are closed. Login to edit/delete your existing comments