If I simply want to create a registry key but don’t intend to do anything else with it, what security access mask should I ask for?

Raymond Chen


A customer wanted to create a registry key if it didn’t already exist, but they weren’t interested in writing anything to the key yet. They just wanted to ensure that it existed. Now, we know that the Reg­Create­Key­Ex function will either open a key (if it exists) or create a key (if it doesn’t already exist). That seems to fit the bill perfectly, so we have this so far:

HKEY subKey;
LONG result = RegCreateKeyEx(
    parentKey, subkeyName, 0, nullptr,
    0, ????, nullptr, &subKey, nullptr);
if (result == ERROR_SUCCESS) {

Now, we know that the parentKey must have been opened with KEY_CREATE_SUB_KEY access in order for us to be able to create a subkey. But what goes into the question marks, which specify the access mask for the subkey? Should we say KEY_WRITE because we are creating the key? Or do we say 0 because we aren’t intending to do anything at all with the new key?

In this case, saying 0 is just fine. The program doesn’t do anything with the subkey aside from close the handle, and closing a handle doesn’t require any special permissions. If you planned to use the subKey to perform any operations on the subkey, then you need to request an access mask that is compatible with the operations you intend to perform.

But if you don’t intend to perform any operations, then you don’t need to request any access. Passing 0 is just fine.

Raymond Chen
Raymond Chen

Follow Raymond