I am attempting to install a registry key that should only be accessible by certain users. Every other part of the installer works (it installs a service and registers a component). Here is the fragment.

<Component Id="cmpXXX" Guid="{YYY}">
    <RegistryKey Root="HKLM" Key="Software\ZZZ" Action="createAndRemoveOnUninstall">
        <RegistryKey Key="Machine" Action="createAndRemoveOnUninstall">
            <Permission User="Administrators" GenericAll="yes" />
            <RegistryValue Type="string" Name="ID" Value="SecretID" />
            <RegistryValue Type="string" Name="Key" Value="SecretKey" />
        </RegistryKey>
    </RegistryKey>
</Component>

When the installer is complete, all users can read the key (instead of just administrators). My command line to install is this:

msiexec /i installer.msi /l*v installlog.txt

The log says nothing about permissions. When I open the database in Orca, the LockPermissions table shows the permission row and it looks fine.

What am I doing wrong?

It seemed to start working after I added the permission entry to each RegistryValue.

<Component Id="cmpXXX" Guid="{YYY}">
    <RegistryKey Root="HKLM" Key="Software\ZZZ" Action="createAndRemoveOnUninstall">
        <RegistryKey Key="Machine" Action="createAndRemoveOnUninstall">
            <Permission User="Administrators" GenericAll="yes" />
            <RegistryValue Type="string" Name="ID" Value="SecretID">
                <Permission User="Administrators" GenericAll="yes" />
            </RegistryValue>
            <RegistryValue Type="string" Name="Key" Value="SecretKey">
                <Permission User="Administrators" GenericAll="yes" />
            </RegistryValue>
        </RegistryKey>
    </RegistryKey>
</Component>

But it has the side effect of locking down the entire Software\ZZZ key. Less than ideal, but I can work around that.

If you create values in multiple components, or you create intermediate keys (Software\XXX and Software\XXX\YYY) make sure that all the and have a child element.