@247arjun
Created March 8, 2022 20:38
Introduction to SDDL syntax

Here’s a quick write-up of the fundamentals of registry SDDLs that you may find helpful.

Just as files in Windows carry Access Control Entries (ACEs), registry keys can also control which users and user groups may create, edit or delete keys. This is expressed using the Security Descriptor Definition Language (SDDL).

An SDDL string is a list of ACEs, each stating what level of access a user/group has to a given key and whether that ACE is inherited by the child keys.

Example: sddl="O:BAG:SYD:PAI(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CI;KA;;;LS)(A;CI;KA;;;NS)(A;CI;KR;;;IU)(A;CI;KA;;;SY)"

Let’s break this down.

O:BA = Owner -> Built in Admin group

G:SY = Group -> SYSTEM

D:PAI = the DACL (the list of ACEs that follows), with the flags P (protected: ACEs from the parent key are not inherited into this one) and AI (the DACL was auto-inherited)

Each value in parentheses “()” is a single ACE entry, with its fields separated by semicolons; the two empty fields are object GUIDs, which are not used for registry keys. Take (A;CI;KA;;;BA):

A = Allow entry (this can also be D -> Deny entry)

CI = Container Inherit (this ACE is inherited by the child keys)

KA = Key All Access (Full Access to all permissions for this key)

BA = Built in Admin group

Similarly, (A;CI;KR;;;AU) grants KR (Key Read-only) to the AU (Authenticated Users = low-privilege users) group.
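To make the breakdown above concrete, here is a small parser for registry-key SDDL strings, written for this write-up rather than taken from it. It splits the owner, group, DACL flags and the six ACE fields, then lists any low-privilege group (AU, IU, BU, WD are assumed as the low-privilege set) that an allow ACE grants full control, which is the misconfiguration a reviewer looks for in such strings.

```python
import re
from dataclasses import dataclass

# Subset of the SDDL abbreviation tables, enough for registry-key descriptors like the one above.
SIDS = {"BA": "Builtin Administrators", "SY": "Local System", "AU": "Authenticated Users",
        "LS": "Local Service", "NS": "Network Service", "IU": "Interactive Users",
        "BU": "Builtin Users", "WD": "Everyone"}
RIGHTS = {"KA": "KEY_ALL_ACCESS", "KR": "KEY_READ", "KW": "KEY_WRITE", "KX": "KEY_EXECUTE",
          "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE"}

@dataclass
class Ace:
    ace_type: str   # "A" = allow, "D" = deny
    flags: list     # e.g. ["CI"]
    rights: list    # e.g. ["KA"], or ["0x1200a9"] when the rights are given as a hex mask
    trustee: str    # SID abbreviation such as "BA", or a full "S-1-5-..." SID

def _pairs(s):
    """Split a run of two-letter codes ("CIOI" -> ["CI", "OI"]); a hex mask stays whole."""
    return [s] if s.startswith("0x") else [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_sddl(sddl):
    """Parse O:, G:, the D: flags and each (type;flags;rights;objguid;inhguid;sid) ACE."""
    m = re.fullmatch(r"O:([^:]+?)G:([^:]+?)D:([PAIR]*)((?:\([^)]*\))*)(?:S:.*)?", sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string: " + sddl)
    owner, group, dacl_flags, aces_raw = m.groups()
    aces = []
    for raw in re.findall(r"\(([^)]*)\)", aces_raw):
        parts = raw.split(";")
        if len(parts) != 6:
            raise ValueError("ACE must have 6 ';'-separated fields: (" + raw + ")")
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = parts  # GUIDs unused for registry keys
        aces.append(Ace(ace_type, _pairs(flags), _pairs(rights), sid))
    return {"owner": owner, "group": group,
            "dacl_flags": re.findall(r"P|AI|AR", dacl_flags), "aces": aces}

def full_access_for_low_priv(parsed, low_priv=("AU", "IU", "BU", "WD")):
    """Trustees from the assumed low-privilege groups that an allow ACE grants full control."""
    return [a.trustee for a in parsed["aces"]
            if a.ace_type == "A" and a.trustee in low_priv and {"KA", "GA"} & set(a.rights)]

if __name__ == "__main__":
    d = parse_sddl("O:BAG:SYD:PAI(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CI;KA;;;LS)"
                   "(A;CI;KA;;;NS)(A;CI;KR;;;IU)(A;CI;KA;;;SY)")  # the string from the write-up
    print("owner:", SIDS[d["owner"]], "| group:", SIDS[d["group"]], "| DACL flags:", d["dacl_flags"])
    for a in d["aces"]:
        print(a.ace_type, a.flags, [RIGHTS.get(r, r) for r in a.rights], SIDS.get(a.trustee, a.trustee))
    print("low-privilege groups with full control:", full_access_for_low_priv(d))
```

For the string from the write-up the check returns an empty list, since AU and IU only receive KR.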

This link is helpful for understanding SDDL syntax in more detail.
