
This policy item checks if the registry key ACL is correct. The check is performed by calling the function RegGetKeySecurity on the registry key handle.

Note: This check requires remote registry access for the remote Windows system to function properly.




description: ["description"]

value_type: [value_type]

value_data: [value]

reg_key: ["regkeyname"]

(optional) acl_option: [acl_option]


The allowed type is:

value_type: REG_ACL

value_data: "ACLname"

reg_key: "RegistryKeyName"

The following predefined path can be used for the reg_key field:




When using this audit, please note the following:

  • The reg_key field must include the full path to the registry key.
  • The value_data field is the name of the ACL defined in the policy file.
  • The acl_option field can be set to CAN_BE_NULL or CAN_NOT_BE_NULL to force a success/error if the key does not exist.
  • The acl_allow and acl_deny fields correspond to “Successful” and “Failed” audit events.


Here is an example .audit file that audits the registry key of “HKLM\SOFTWARE\Microsoft” against an access control list named “ACL2” that is not shown:



description: "Audit for HKLM\SOFTWARE\Microsoft"

value_type: REG_ACL

value_data: "ACL2"

reg_key: "HKLM\SOFTWARE\Microsoft"
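
To cross-check by hand what this audit item evaluates, the following added example (not Tenable's code and not part of the original page) reads a key's DACL locally with Get-Acl, rather than through RegGetKeySecurity over remote registry, and compares it with a baseline. The function name Test-RegKeyAcl, the $Baseline entries, and the mapping of acl_option to pass/fail for a missing key are assumptions made for illustration.

```powershell
# Added example: local cross-check of a registry key DACL.
# $Baseline below is constructed for illustration; it is not the page's "ACL2".
function Test-RegKeyAcl {
    param(
        [Parameter(Mandatory)] [string]   $RegKey,     # PowerShell provider path
        [Parameter(Mandatory)] [object[]] $Expected,   # objects with Identity, Type, Rights
        [ValidateSet('CAN_BE_NULL', 'CAN_NOT_BE_NULL')]
        [string] $AclOption = 'CAN_NOT_BE_NULL'
    )

    if (-not (Test-Path -LiteralPath $RegKey)) {
        # Assumed mapping of acl_option for a missing key:
        # CAN_BE_NULL -> pass, CAN_NOT_BE_NULL -> fail.
        $ok = $AclOption -eq 'CAN_BE_NULL'
        return [pscustomobject]@{ Key = $RegKey; Passed = $ok; Missing = @(); Extra = @(); Note = 'key not found' }
    }

    # Flatten each ACE to "identity|Allow or Deny|rights" so the two sets can be compared.
    $actual = @((Get-Acl -LiteralPath $RegKey).Access | ForEach-Object {
        '{0}|{1}|{2}' -f $_.IdentityReference.Value, $_.AccessControlType, $_.RegistryRights
    } | Sort-Object -Unique)
    $wanted = @($Expected | ForEach-Object {
        '{0}|{1}|{2}' -f $_.Identity, $_.Type, $_.Rights
    } | Sort-Object -Unique)

    # ACEs the baseline requires but the key lacks, and ACEs the key has beyond the baseline.
    $missing = @($wanted | Where-Object { $actual -notcontains $_ })
    $extra   = @($actual | Where-Object { $wanted -notcontains $_ })

    [pscustomobject]@{
        Key     = $RegKey
        Passed  = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        Missing = $missing
        Extra   = $extra
        Note    = 'key found'
    }
}

# Constructed baseline (assumption): administrators and SYSTEM full control, users read-only.
$Baseline = @(
    [pscustomobject]@{ Identity = 'BUILTIN\Administrators'; Type = 'Allow'; Rights = 'FullControl' }
    [pscustomobject]@{ Identity = 'NT AUTHORITY\SYSTEM';    Type = 'Allow'; Rights = 'FullControl' }
    [pscustomobject]@{ Identity = 'BUILTIN\Users';          Type = 'Allow'; Rights = 'ReadKey' }
)

Test-RegKeyAcl -RegKey 'HKLM:\SOFTWARE\Microsoft' -Expected $Baseline | Format-List
```

Entries listed under Extra are the ones to review first, since they are grants on the key that the baseline does not account for; ACEs that carry generic rights are shown by Get-Acl as numeric values and will also appear there.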


Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.