You don't need the REG_KEY_READ permissions to access the SD of a key.
And for instance, the key HKLM\security ususally has no specific bits
set for builtin\administrators, but the READ_CONTROL_ACCESS.
I.e. builtin\administrators can get the sd but not enumerate the key.
uint32_t sec_info;
DATA_BLOB blob;
struct security_descriptor sec_desc;
- uint32_t access_mask = REG_KEY_READ |
- SEC_FLAG_MAXIMUM_ALLOWED |
+ uint32_t access_mask = SEC_FLAG_MAXIMUM_ALLOWED |
SEC_FLAG_SYSTEM_SECURITY;
if (argc <1 || argc > 2 || c->display_usage) {