Remove a 'Deny' rule (permission) from the 'UserChoice' key in the Registry via C#

I am working on File Associations. I have identified that there is a key called UserChoice in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\[ext].

I have been able to read from and write to the UserChoice key provided that I create it and that it has not already been created by Windows. However, if the UserChoice key has already been created by Windows, then I need to run as Administrator to get access to the key. My ultimate goal is to delete the UserChoice key.

I have noted that Windows places a Deny rule on the UserChoice key which is preventing me from deleting that key. If I can succeed in removing that rule, I believe that I'll be able to delete the UserChoice key. Here is the code that I have tried:

public static void ShowSecurity(RegistryKey regKeyRoot, string user) {
    RegistrySecurity security = regKeyRoot.GetAccessControl(AccessControlSections.All);

    foreach (RegistryAccessRule ar in
        security.GetAccessRules(true, true, typeof(NTAccount))) {

        if (ar.IdentityReference.Value.Contains(user) &&
                ar.AccessControlType.ToString().ToLower() == "deny") {

            security.RemoveAccessRuleSpecific(ar);
            regKeyRoot.SetAccessControl(security);
        }
    }
}

When Windows creates the UserChoice key it adds a security rule for the current user of Type Deny; permission: Special. This rule is not inherited and applies to the UserChoice key only.

With some messing about and running as Administrator I am able to access that RegistryAccessRule. However even running as Administrator, I cannot remove this rule. I have read somewhere in my research that there is not a programmatic way to do it. I can remove this rule via RegEdit. I can also remove the UserChoice key using File Types Manager from NirSoft. So I assume there is some way to do this.

Summary: Is there a way that I can remove the Deny rule so that I can delete the UserChoice key?


Your code example and the revisions suggested in the answer by @ali led me to a solution for overcoming the security setting that Windows places on the UserChoice key, which enabled me to delete that key.

My solution presumes that the UserChoice key is present in the HKEY_CURRENT_USER (HKCU) hive. If that is the case, the user owns the UserChoice key and therefore has the necessary privileges to change the security settings on that key and ultimately delete it. (This means that the user does not need to be a member of the Administrators group.)

The extensionKey parameter of this method is the parent key of the UserChoice key.

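using Microsoft.Win32;                  // RegistryKey, RegistryKeyPermissionCheck
using System.Security.AccessControl;    // RegistrySecurity, RegistryAccessRule, RegistryRights
using System.Security.Principal;        // WindowsIdentity, NTAccount

static void DeleteUserChoiceKey(RegistryKey extensionKey)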
{
    const string userChoiceKeyName = "UserChoice";

    using (RegistryKey userChoiceKey =
        extensionKey.OpenSubKey(userChoiceKeyName,
            RegistryKeyPermissionCheck.ReadWriteSubTree,
            RegistryRights.ChangePermissions))
    {
        if (userChoiceKey == null) { return; }
        string userName = WindowsIdentity.GetCurrent().Name;
        RegistrySecurity security = userChoiceKey.GetAccessControl();

        AuthorizationRuleCollection accRules =
            security.GetAccessRules(true, true, typeof(NTAccount));

        foreach (RegistryAccessRule ar in accRules)
        {
            if (ar.IdentityReference.Value == userName &&
                ar.AccessControlType == AccessControlType.Deny)
            {
                security.RemoveAccessRuleSpecific(ar); // remove the 'Deny' permission
            }
        }

        userChoiceKey.SetAccessControl(security); // restore all original permissions
                                                  // *except* for the 'Deny' permission
    }

    extensionKey.DeleteSubKeyTree(userChoiceKeyName, true);
}


A quick thought. Does it work if you take ownership of the regKey before changing the rules on it?


public static void ShowSecurity(RegistryKey regKeyRoot, string user)
{
    regKeyRoot.OpenSubKey("", RegistryKeyPermissionCheck.ReadWriteSubTree,
                          RegistryRights.ChangePermissions);

    RegistrySecurity security = regKeyRoot.GetAccessControl(AccessControlSections.All);

    // Take ownership of the key before changing its rules
    security.SetGroup(new NTAccount("Administrators"));
    security.SetOwner(new NTAccount("ali")); // Your account name
    security.SetAccessRuleProtection(true, false); // stop inheriting rules from the parent key
    regKeyRoot.SetAccessControl(security);

    //---------

    // Remove every 'Deny' rule that names the given user
    foreach (RegistryAccessRule ar in security.GetAccessRules(true, true, typeof(NTAccount)))
    {
        if (ar.IdentityReference.Value.Contains(user) && ar.AccessControlType == AccessControlType.Deny)
            security.RemoveAccessRuleSpecific(ar);
    }

    regKeyRoot.SetAccessControl(security);
}
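
As an added example (not part of the original question or answers), the following read-only audit goes one step beyond the single key discussed above: it walks every extension under FileExts and reports whether its UserChoice key still carries the explicit, non-inherited Deny rule for the current user that the question describes, which helps spot keys whose protection has been altered. It matches the rule by SID instead of by account-name string; the class and method names are made up for this sketch.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

static class UserChoiceAudit   // hypothetical name, for illustration only
{
    const string FileExts = @"Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts";

    // Explicit (non-inherited) Deny rules on the key that name the given SID.
    static List<RegistryAccessRule> ExplicitDenyRules(RegistryKey key, SecurityIdentifier sid)
    {
        RegistrySecurity acl = key.GetAccessControl(AccessControlSections.Access);
        return acl.GetAccessRules(true, false, typeof(SecurityIdentifier))
                  .Cast<RegistryAccessRule>()
                  .Where(r => r.AccessControlType == AccessControlType.Deny
                           && r.IdentityReference.Equals(sid))
                  .ToList();
    }

    static void Main()
    {
        SecurityIdentifier me = WindowsIdentity.GetCurrent().User;
        using (RegistryKey root = Registry.CurrentUser.OpenSubKey(FileExts))
        {
            if (root == null) return;
            foreach (string ext in root.GetSubKeyNames())
            {
                try
                {
                    // Only the right to read the ACL is requested; nothing is modified.
                    using (RegistryKey uc = root.OpenSubKey(ext + @"\UserChoice",
                        RegistryKeyPermissionCheck.Default, RegistryRights.ReadPermissions))
                    {
                        if (uc == null) continue;   // no UserChoice key for this extension
                        List<RegistryAccessRule> deny = ExplicitDenyRules(uc, me);
                        Console.WriteLine(deny.Count == 0
                            ? ext + ": no explicit Deny rule for the current user"
                            : ext + ": Deny " + string.Join(", ", deny.Select(r => r.RegistryRights)));
                    }
                }
                catch (Exception e) when (e is UnauthorizedAccessException
                                       || e is System.Security.SecurityException)
                {
                    Console.WriteLine(ext + ": cannot read ACL (" + e.Message + ")");
                }
            }
        }
    }
}
```

A UserChoice key reported without the Deny rule was either created by a program rather than by Windows, as the question notes is possible, or has had its permissions changed afterwards.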