First I have to provide some context.
I can set procmon to run at some non-default altitude by making two changes in key 'HKLM\SYSTEM\CurrentControlSet\Services\PROCMON24\Instances\Process Monitor 24 Instance':
- Changing the Altitude value from its default '385200' to the required value; eg. '136500'
- And adding a special permission to the key: user:Everyone type:Deny permissions:('set value' | 'delete')
The reason for changing the Altitude is obvious. The reason for adding a special permission is less obvious: without this procmon will simply reset the Altitude to its default value.
Okay, here is my question:
I cannot programmatically remove the added permission or change that key or its values. This is not surprising because the permission denies 'everyone' that access.
However I can easily remove that permission using regedit. I just select the permission and remove it.
So what trick is regedit using to override that permission?
I can see it is running as the current user, not 'SYSTEM'. I can use psexec to run a remove script as 'SYSTEM' but that is denied access too.
In retrospect it is clear that regedit is not using any special trick or privilege to remove the 'deny everyone' ACE. The problematic ACE is not denying all operations on the registry key. It is only denying 'remove' and 'set value'. With that ACE in place not even regedit can remove or set values. That is, it cannot open the key with 'remove' or 'set value' access.
What regedit can do is open the key with write-dacl access. The problematic ACE doesn't deny that.
Once regedit (or any other program) opens the key with write-dacl access, it can remove the problematic ACE and then make any other needed changes to the key.
Doh!
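The two halves of the post (setting up the 'deny everyone set value/delete' ACE, and then getting past it by opening the key with write-DACL access) can be reproduced end to end in a short PowerShell script. This is an added example, not code from the post; it deliberately uses a throwaway key under HKCU (the name `Software\AltitudeDemoKey` is a hypothetical placeholder, not the procmon service key) so it can be run without administrator rights and without touching a real filter driver. In the .NET registry API, WRITE_DAC is `RegistryRights.ChangePermissions` and READ_CONTROL is `RegistryRights.ReadPermissions`; neither is covered by the deny ACE, which is exactly why the second open succeeds.

```powershell
# Added example, not from the original post. Works on a demo key under HKCU
# (hypothetical placeholder path) rather than the PROCMON24 service key.
$KeyPath = 'Software\AltitudeDemoKey'

# --- Setup: recreate the situation from the question --------------------------
$key = [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey($KeyPath)
$key.SetValue('Altitude', '136500', [Microsoft.Win32.RegistryValueKind]::String)

# Deny Everyone (S-1-1-0) the 'set value' and 'delete' rights only.
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$deniedRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                [System.Security.AccessControl.RegistryRights]::Delete
$denyRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $everyone, $deniedRights,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = $key.GetAccessControl()
$acl.AddAccessRule($denyRule)
$key.SetAccessControl($acl)
$key.Close()

# --- Step 1: opening for SetValue now fails, for any user -----------------------
try {
    $blocked = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(
        $KeyPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::SetValue)
    $blocked.Close()
    Write-Host 'Unexpected: SetValue open succeeded'
} catch [System.Security.SecurityException] {
    Write-Host 'As expected: open with SetValue access was denied'
}

# --- Step 2: what regedit does - open with READ_CONTROL | WRITE_DAC -------------
# The deny ACE does not cover these rights, so this open succeeds.
$dacRights = [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions
$dacKey = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(
    $KeyPath,
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
    $dacRights)

# Remove the deny ACE from the DACL and write the DACL back.
$acl = $dacKey.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
$removed = $acl.RemoveAccessRule($denyRule)
$dacKey.SetAccessControl($acl)
$dacKey.Close()
Write-Host "Deny ACE removed: $removed"

# --- Step 3: with the ACE gone, ordinary writes work again -----------------------
$writable = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($KeyPath, $true)
$writable.SetValue('Altitude', '385200', [Microsoft.Win32.RegistryValueKind]::String)
Write-Host ('Altitude is now ' + $writable.GetValue('Altitude'))
$writable.Close()

# Clean up the demo key (Delete was denied before; it is allowed again now).
[Microsoft.Win32.Registry]::CurrentUser.DeleteSubKeyTree($KeyPath)
```

Applying the same steps to the real `HKLM\...\PROCMON24\Instances\Process Monitor 24 Instance` key needs an elevated prompt, since the default DACL on HKLM service keys only grants write access to Administrators and SYSTEM. The relevant lesson for anyone relying on a deny ACE as a 'lock' is the one the post arrives at: a deny on SetValue/Delete does nothing to stop a caller who holds WRITE_DAC (or who owns the key, since owners can always rewrite the DACL), so the protection is only as strong as the ACL on the DACL itself.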