Remote Registry Editing

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

To edit the registry of a remote computer, choose the Select Computer option from the Registry menu, and the Select Computer dialog box will appear. Select the remote computer whose registry you want to edit and click the OK button. The Registry Editor will then open the remote computer's registry and display the HKEY_LOCAL_MACHINE and HKEY_USERS subtrees. The Registry Editor will warn you that the editor's Auto-Refresh feature won't work with the remote computer's registry before allowing you to make changes. To close the remote computer's registry, select Close from the Registry menu.

On Windows NT 3.51 with Service Pack 4 or Windows NT 4.0, remote access to the registry is turned off by default for servers. To turn it off for a workstation, create the following registry key to restrict access to the registry:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
Name: Description
Type: REG_SZ
Value: Registry Server

In English: add the key winreg under SecurePipeServers if it does not already exist; then add the value Description, of type REG_SZ, with the string data Registry Server.

When you attempt to connect to the registry of a remote computer running Windows NT, the Server service on the target computer checks for the presence of the winreg key. If it does not exist, you are permitted to connect to the remote computer's registry. If winreg exists, the ACL on winreg is checked, and if the ACL gives you read or write access you are connected to the registry. The gotcha, since it is often misunderstood, is the meaning of "the ACL gives you read or write access". Select winreg (highlight it), click Security, and then click Permissions. Add the users and groups you want to grant remote access. Thus you would NOT add Everyone or Authenticated Users; those groups are then blocked. You might want to add or leave Domain Admins.

The Registry path names listed in the following key define Registry keys that are exempt from Winreg's otherwise global ACL.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\SecurePipeServers\WinReg\AllowedPaths
Name: Machine
Type: REG_MULTI_SZ
Value: one or more valid registry paths. The default value is:

SYSTEM\CurrentControlSet\Control\ProductOptions
SYSTEM\CurrentControlSet\Control\Print\Printers
SYSTEM\CurrentControlSet\Services\Eventlog
SYSTEM\CurrentControlSet\Services\Replicator
Software\Microsoft\Windows NT\CurrentVersion

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\SecurePipeServers\WinReg\AllowedPaths
Name: Users
Type: REG_MULTI_SZ
Value: one or more valid registry paths. There is no default value. This allows Users access to specific locations in the registry, provided access is not blocked by the key's own ACL. Each key in the registry has its own ACL, and registry ACLs are conceptually similar to file permission ACLs. The registry ACL access permission types are as follows:

Permission          Meaning
Query Value         Read access to values in key
Set Value           Create / update values in key
Create Subkey       Create subkey in key
Enumerate Subkeys   List subkeys in key
Notify              Audit notification events in key
Create Link         Create link to key
Delete              Delete key
Write DAC           Write Discretionary ACL (DAC) on key
Write Owner         Take ownership of key
Read Control        Read ACL of key
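The following audit script is an added example, not part of the original tip: it checks the winreg key, its ACL and the AllowedPaths values described above so you can confirm the restriction is in place. It assumes a PowerShell host with the Registry provider, run on the machine being checked; on current Windows versions the winreg key exists by default, so the "absent" branch mainly applies to the NT workstations the tip targets.

```powershell
# Added example (not from the original article). Audits the remote-registry
# restriction described in the tip: winreg key, its ACL, and AllowedPaths.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

if (-not (Test-Path -Path $winreg)) {
    Write-Warning 'winreg key is absent: remote registry connections are not restricted by its ACL.'
    return
}

# The Description value the tip tells you to create (expected: "Registry Server").
$desc = (Get-ItemProperty -Path $winreg -Name Description -ErrorAction SilentlyContinue).Description
Write-Output "Description value: '$desc'"

# The ACL on winreg decides who may connect remotely; read access is enough to connect.
$acl = Get-Acl -Path $winreg
Write-Output 'winreg ACL:'
foreach ($ace in $acl.Access) {
    Write-Output ('  {0,-40} {1,-6} {2}' -f $ace.IdentityReference, $ace.AccessControlType, $ace.RegistryRights)
}

# Broad principals the tip says should NOT be granted access on winreg.
$broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value } |
    ForEach-Object { Write-Warning "Broad principal allowed remote registry access: $($_.IdentityReference)" }

# AllowedPaths: keys reachable remotely regardless of the winreg ACL (Machine has
# defaults; Users is empty unless someone added paths, which is worth noticing).
$allowed = Join-Path -Path $winreg -ChildPath 'AllowedPaths'
if (Test-Path -Path $allowed) {
    $props = Get-ItemProperty -Path $allowed
    foreach ($name in 'Machine', 'Users') {
        $paths = @($props.$name)
        Write-Output "AllowedPaths\$name ($($paths.Count) entries):"
        $paths | ForEach-Object { Write-Output "  $_" }
    }
}
```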

This tip gives you a method to restrict or block remote access to the registry. I rewrote it when I couldn't successfully follow my own tip. To be honest, I strongly recommend blocking all remote access: registry, shares, or whatever - by disabling the Server service. It is the single most effective method to frustrate hackers. In any case, if your environment does not support disabling Server service, you can use this tip to secure the registry from inappropriate remote access.
