Get Registry Key ACL in SDDL Format - Delphi

DarkCoderSc

Jean-Pierre LESUEUR

uses
  System.SysUtils, Winapi.Windows;

// ...

// Static import of the Win32 API that renders a binary security descriptor as
// an SDDL (Security Descriptor Definition Language) string.
//
//   SecurityDescriptor          - descriptor to convert.
//   RequestedStringSDRevision   - SDDL revision of the output string.
//   SecurityInformation         - which parts (owner, group, DACL, SACL) to render.
//   StringSecurityDescriptor    - receives a pointer to a buffer allocated by the
//                                 API; per the Win32 documentation the caller
//                                 owns it and must release it with LocalFree.
//   StringSecurityDescriptorLen - optional; receives the length of the string,
//                                 may be nil.
//
// Returns False on failure (call GetLastError for the reason).
function ConvertSecurityDescriptorToStringSecurityDescriptorW(
  SecurityDescriptor           : PSecurityDescriptor;
  RequestedStringSDRevision    : DWORD;
  SecurityInformation          : SECURITY_INFORMATION;
  var StringSecurityDescriptor : LPWSTR;
  StringSecurityDescriptorLen  : PULONG
): BOOL; stdcall; external 'Advapi32.dll';

// ...

const
  // SDDL revision passed as RequestedStringSDRevision to
  // ConvertSecurityDescriptorToStringSecurityDescriptorW.
  SDDL_REVISION_1 = 1;

// ...

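// Returns the security descriptor of a registry key as an SDDL string.
//
//   AHive    - predefined root key (e.g. HKEY_CURRENT_USER) or an open key handle.
//   AKeyPath - sub-key path relative to AHive.
//
// Only the owner, primary group and DACL are requested. The key is opened with
// READ_CONTROL, which is sufficient for those three parts; the SACL is not
// read (it would need ACCESS_SYSTEM_SECURITY and the SeSecurityPrivilege).
// Useful when auditing keys for overly permissive ACEs.
//
// Raises EWindowsException when the key cannot be opened, its security
// descriptor cannot be read, or the SDDL conversion fails.
function GetRegistryACLString(const AHive : HKEY; const AKeyPath : String) : String;
begin
  result := '';
  ///

  var ASecurityDescriptorSize := DWORD(0);
  var ptrSecurityDescriptor := PSecurityDescriptor(nil);

  // Declared outside the try block so the finally section can release it.
  var pSDDL : LPWSTR := nil;
  ///

  var AKeyHandle := HKEY(0);
  try
    var AResult := RegOpenKeyExW(AHive, PWideChar(AKeyPath), 0, READ_CONTROL, AKeyHandle);
    if AResult <> ERROR_SUCCESS then
      raise EWindowsException.Create('RegOpenKeyExW', AResult);
    ///

    var AFlags := OWNER_SECURITY_INFORMATION or GROUP_SECURITY_INFORMATION or DACL_SECURITY_INFORMATION;

    // First call with a nil buffer only queries the required size; the API is
    // expected to answer ERROR_INSUFFICIENT_BUFFER and fill in the size.
    AResult := RegGetKeySecurity(AKeyHandle, AFlags, nil, ASecurityDescriptorSize);
    if (AResult <> ERROR_SUCCESS) and (AResult <> ERROR_INSUFFICIENT_BUFFER) then
      raise EWindowsException.Create('RegGetKeySecurity', AResult);

    GetMem(ptrSecurityDescriptor, ASecurityDescriptorSize);

    // Second call retrieves the self-relative security descriptor.
    AResult := RegGetKeySecurity(AKeyHandle, AFlags, ptrSecurityDescriptor, ASecurityDescriptorSize);
    if AResult <> ERROR_SUCCESS then
      raise EWindowsException.Create('RegGetKeySecurity', AResult);

    if not ConvertSecurityDescriptorToStringSecurityDescriptorW(
      ptrSecurityDescriptor,
      SDDL_REVISION_1,
      AFlags,
      pSDDL,
      nil
    ) then
      raise EWindowsException.Create('ConvertSecurityDescriptorToStringSecurityDescriptorW');

    ///
    // Copy into a managed Delphi string before the API buffer is released.
    result := string(pSDDL);
  finally
    // The SDDL buffer is allocated by the API and must be freed with LocalFree;
    // without this every call leaks the string.
    if Assigned(pSDDL) then
      LocalFree(HLOCAL(pSDDL));

    if Assigned(ptrSecurityDescriptor) then
      FreeMem(ptrSecurityDescriptor, ASecurityDescriptorSize);

    if AKeyHandle <> 0 then
      RegCloseKey(AKeyHandle);
  end;
end;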
// ...

begin
  try
    // Current-user hive: resolve the SDDL first, then print it.
    var AUserSoftwareSDDL := GetRegistryACLString(HKEY_CURRENT_USER, 'Software');
    WriteLn(Format('HKCU\Software: %s', [AUserSoftwareSDDL]));

    WriteLn;

    // Machine-wide hive, same procedure.
    var AMachineSoftwareSDDL := GetRegistryACLString(HKEY_LOCAL_MACHINE, 'Software');
    WriteLn(Format('HKLM\Software: %s', [AMachineSoftwareSDDL]));
  except
    // Any failure aborts the remaining output and prints the exception message.
    on AError : Exception do
      WriteLn(AError.Message);
  end;

// ...

Creating and researching code snippets takes time and effort. You’re welcome to share them through your own platforms, but please don’t forget to credit the original author, here: Jean-Pierre LESUEUR.



Depends On


Created

December 2, 2025

Last Revised

December 2, 2025