View Full Version : Opening keys under HKLM\Security\Policy\Secrets



Atul
06-29-2001, 01:19 AM
Here's a neat trick I found recently. If you use your favorite registry editor and open HKLM\Security\Policy\Secrets, you'll find a number of registry keys that you just can't open, no matter what your security privileges are, like HKLM\Security\...\SAC, SAI, etc. The reason you can't open them has nothing to do with ACL-based security. What's going on is a lot stranger.

Internally, at the "Native API" level, you represent registry key names with structures called UNICODE_STRINGs, which are *counted* strings rather than null-terminated ones. The sneaky trick is that if you include a null character in your UNICODE_STRING, you can create a key with a name it's impossible to express properly using the usual Win32 RegXxx() functions. For instance, passing "SAC" to RegOpenKeyEx (to open HKLM\Security\Policy\Secrets\SAC) results in an internal call to ZwOpenKey (a.k.a. NtOpenKey) with a UNICODE_STRING of "SAC", length 3, when what you really need is "SAC\0", length 4. If you use the low-level Zw/NtXxx calls exported from ntdll.dll, however, you can open & use these "special" keys without any trouble.

SysInternals has a little demo app called RegHide ( http://www.sysinternals.com/files/reghide.zip ) that demonstrates how to create your own key that can't be opened with normal registry tools, though they neglect to mention Microsoft's use of this trick to protect certain sensitive registry keys. For more info on the Native API, I recommend the book "Windows NT/2000 Native API Reference", by Gary Nebbett.
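The length mismatch Atul describes, modelled in portable C as an added example (this is not code from the post, from RegHide or from Microsoft, and it runs without Windows). The UNICODE_STRING layout follows ntdef.h; the name comparison is a simplified stand-in for the registry's own lookup (an assumption, reduced to length equality plus ASCII case folding). It shows why a RegOpenKeyEx-style caller, whose name length stops at the first null, never matches a key stored as "SAC\0" with length 4, while a counted name of length 4 does, and it includes the check an auditing tool would run over enumerated key names to flag ones that RegXxx() cannot reach.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Counted string as used by the Native API (field layout as in ntdef.h). */
typedef struct {
    uint16_t Length;        /* bytes in use, NOT including any terminator */
    uint16_t MaximumLength; /* bytes available in Buffer */
    uint16_t *Buffer;       /* UTF-16 code units; no terminator required */
} UNICODE_STRING;

/* Win32 path: RegXxx() receives a null-terminated name, so Length is found by
 * scanning for the first 0. An embedded null therefore truncates the name. */
static void init_from_cstring(UNICODE_STRING *us, uint16_t *z)
{
    uint16_t n = 0;
    while (z[n] != 0) n++;
    us->Length = (uint16_t)(n * sizeof(uint16_t));
    us->MaximumLength = (uint16_t)((n + 1) * sizeof(uint16_t));
    us->Buffer = z;
}

/* Native path: an Nt/Zw caller supplies the count explicitly, nulls included. */
static void init_counted(UNICODE_STRING *us, uint16_t *buf, uint16_t units)
{
    us->Length = (uint16_t)(units * sizeof(uint16_t));
    us->MaximumLength = us->Length;
    us->Buffer = buf;
}

/* Simplified model of a counted-name lookup (assumption): equal byte length
 * and equal code units after ASCII case folding. */
static bool names_equal(const UNICODE_STRING *a, const UNICODE_STRING *b)
{
    if (a->Length != b->Length) return false;
    for (size_t i = 0; i < a->Length / sizeof(uint16_t); i++) {
        uint16_t x = a->Buffer[i], y = b->Buffer[i];
        if (x >= 'a' && x <= 'z') x = (uint16_t)(x - ('a' - 'A'));
        if (y >= 'a' && y <= 'z') y = (uint16_t)(y - ('a' - 'A'));
        if (x != y) return false;
    }
    return true;
}

/* Audit check: a name whose counted length runs past an embedded null cannot
 * be expressed through RegXxx(); an enumeration tool should flag it. */
static bool has_embedded_null(const UNICODE_STRING *us)
{
    for (size_t i = 0; i < us->Length / sizeof(uint16_t); i++)
        if (us->Buffer[i] == 0) return true;
    return false;
}

/* Constructed key name "SAC" followed by an embedded null, length 4 units,
 * as the post says the Secrets subkeys are stored. */
static void stored_sac(UNICODE_STRING *key, uint16_t buf[4])
{
    buf[0] = 'S'; buf[1] = 'A'; buf[2] = 'C'; buf[3] = 0;
    init_counted(key, buf, 4);
}

/* 1 if a RegOpenKeyEx("SAC") request would match the stored key, else 0. */
int win32_can_open_sac(void)
{
    uint16_t stored[4], asked[] = { 'S', 'A', 'C', 0 };
    UNICODE_STRING key, req;
    stored_sac(&key, stored);
    init_from_cstring(&req, asked);   /* Length becomes 3 units = 6 bytes */
    return names_equal(&req, &key);
}

/* 1 if an NtOpenKey request with an explicit length of 4 units matches. */
int native_can_open_sac(void)
{
    uint16_t stored[4], asked[] = { 's', 'a', 'c', 0 };
    UNICODE_STRING key, req;
    stored_sac(&key, stored);
    init_counted(&req, asked, 4);     /* Length is 4 units = 8 bytes */
    return names_equal(&req, &key);
}

/* 1 if the audit check flags the stored "SAC\0" name. */
int sac_is_flagged(void)
{
    uint16_t stored[4];
    UNICODE_STRING key;
    stored_sac(&key, stored);
    return has_embedded_null(&key);
}

/* 0: an ordinary key name such as "SAC" without the trailing null is not flagged. */
int plain_sac_is_flagged(void)
{
    uint16_t plain[] = { 'S', 'A', 'C', 0 };
    UNICODE_STRING key;
    init_from_cstring(&key, plain);
    return has_embedded_null(&key);
}

int main(void)
{
    printf("RegOpenKeyEx(\"SAC\") matches stored key: %d\n", win32_can_open_sac());
    printf("NtOpenKey with length 4 matches stored key: %d\n", native_can_open_sac());
    printf("audit flags \"SAC\\0\": %d, flags plain \"SAC\": %d\n",
           sac_is_flagged(), plain_sac_is_flagged());
    return 0;
}
```

The same has_embedded_null() test is what you would apply to each name returned by NtEnumerateKey when auditing a hive: any hit is a key that registry editors built on RegXxx() will show but never open, which is exactly the symptom the post starts from.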