Admin Tips
- Windows Server 2008/2003/2000/XP/NT Administrator Knowledge Base
  - Windows 2000
    - Registry Tips
      - Registry Tools
        Block Write Access To Run and RunOnce Registry Entries.

Section(s): Booting, Boot , Miscellaneous, Miscellaneous, Registry Tools
Published on Oct 01, 2008.
Last Modified on Oct 03, 2008.
Last Modified by Nirmal Sharma.
Rated 5 out of 5 based on 2 votes.

Blocking write access to Run and RunOnce registry entries for malware or other unwanted programs running in the system.

Your system becomes unstable because of the malware programs running in the background. You identify these programs and kill them in the Task Manager but these programs will re-appear in the Task Manager after you reboot the system. This is because these programs will run again from the below mentioned registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

To run only allowed programs, you need to modify the permissions on the Run and RunOnce registry keys.

Steps:

1. Remove all the unwanted programs from Run and RunOnce registry keys using Registry Editor.
2. Remove any other account from the Security Tab except SYSTEM Account and grant this accound only the "Read Only" permission.
3. Reboot your system.

About Nirmal Sharma

Nirmal is a Microsoft MVP in Directory Services and working as a Technical Architect/Consultant. He has been involved in Microsoft Technologies since 1994 and followed the progression of Microsoft Operating Systems and software. He is specialized in Directory Services, Microsoft Clustering, SQL, MOM, Exchange and Citrix. In his spare time, he likes to help others and write "internal" technical articles, white papers and tips on various Microsoft technologies. You can contact him at nirmal_sharma@mvps.org.