Are Windows services registry keys stored securely, such as being encrypted on the disk or protected by an Access Control List (ACL) by default? The key for a service is typically located in HKLM\System\CurrentControlSet\Services{SERVICE_NAME}.

For example, if I have a Java application running on Windows as a service and it requires environment-specific passwords/passphrases on startup, is it safe to store these in the registry as startup parameters for the service? My guess is no, as the keys are likely stored in cleartext on the disk in a location such as c:\windows and ACLs do not typically apply to normal registry keys. However, I have been unable to find definitive information on this topic.

As a follow-up question, what is a good approach for passing secrets to a service when it starts?

Askify Moderator Edited question April 19, 2023