The registry ACLs have undergone changes, just like the file system ACLs. The changes are much smaller in scope than the changes to the file system, however. The most obvious difference from earlier versions of Windows is that, because of the deprecation of Power Users, almost all the Power User ACEs are gone. Power Users are not supposed to be any more powerful than any other users in Windows Vista. It is a testament to just how complicated ACLs really are, however, that not all the ACEs for Power Users are actually gone. A few were, unfortunately, missed.
While you are looking at ACLs in the registry, in a few places you will see an ACE for a SID called RESTRICTED. This is not new to Windows Vista, but it is an interesting and not well understood SID. That SID denotes any process that presents a restricted token. A restricted token is created using a special feature of the CreateRestrictedToken API. Such a token has one or more "restricting SIDs": SIDs that are used in a separate access check. When a process running with a restricted token attempts to access an object with an ACE for the RESTRICTED SID, the OS actually performs two access checks. The first is the normal access check. The second one works exactly like the first but takes place only against the restricting SIDs in the token. Both access checks must pass.
Currently, several ACLs use the RESTRICTED SID, particularly in the Registry. A screenshot of such an ACL is shown in Figure 1.
At this time, few processes make use of the restricted token functionality, particularly with respect to restricting SIDs. One example of a process that does is the service process that hosts the Windows Firewall, the Base Filtering Engine, and the Diagnostic Policy Service. It also uses a write restricted token. On the Web site for the book (http://www.wiley.com/go/windowsvistasecurity) you will find a document that lists security parameters for every service that ships with Windows Vista Ultimate Edition. Based on the findings outlined in that document, only nine services currently use RESTRICTED and write restricted tokens in Windows Vista.
As with recent versions of Windows, the best practice with respect to registry permissions is to tread very carefully. Except in exceptional and highly targeted circumstances, do not modify permissions in the registry. Given the complicated inheritance model and the sensitive operations performed on the registry, you run an unacceptably high likelihood of fatal failure if you modify ACLs in the registry carelessly.
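Reading the ACLs rather than modifying them is the safe way to see where the RESTRICTED SID and the leftover Power Users ACEs described above actually occur. The following read-only audit is an added example, not code from the book or its companion site; it assumes an elevated PowerShell session, uses the well-known SIDs S-1-5-12 (RESTRICTED) and S-1-5-32-547 (Power Users), and the $Root subtree is a placeholder you choose.

```powershell
# Added example (not from the book): read-only audit of a registry subtree for
# ACEs that name the RESTRICTED SID (S-1-5-12) or the deprecated Power Users
# group (S-1-5-32-547). $Root is a placeholder; nothing is modified.
param(
    [string]$Root = 'HKLM:\SOFTWARE\Microsoft\Windows'
)

$watch = @{
    'S-1-5-12'     = 'RESTRICTED'
    'S-1-5-32-547' = 'Power Users'
}

# All keys reachable from $Root; keys we are not allowed to open are skipped.
$keys = @(Get-Item -LiteralPath $Root -ErrorAction SilentlyContinue) +
        @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)

foreach ($key in $keys) {
    try {
        $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop
    } catch {
        continue
    }
    foreach ($ace in $acl.Access) {
        try {
            # Resolve the account name in the ACE to its SID so the match is
            # language-independent (RESTRICTED is localized on some systems).
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            # Unresolvable reference: compare the raw string instead.
            $sid = $ace.IdentityReference.Value
        }
        if ($watch.ContainsKey($sid)) {
            [pscustomobject]@{
                Key       = $key.Name
                Principal = $watch[$sid]
                Type      = $ace.AccessControlType   # Allow or Deny
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited         # explicit (non-inherited) Power Users ACEs are the leftovers
            }
        }
    }
}
```

Explicit (Inherited = False) Power Users entries are the ones worth reviewing; inherited ones simply flow from a parent key and disappear when the parent is corrected by a service pack or update.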