Disable Registry Editors

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Prevents standard Registry tools from running. This will only protect against the casual, unsophisticated user. You can start the Registry editors but they exit with a brief security messsage.

Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
Name: DisableRegistryTools
Type: REG_DWORD
Value: 1

To prevent remote editing of registry. The registry ACLs have special access permissions:

Query Value: Read any values within the key
Set Value: Create or update a value within the key
Create Subkey: Create a subkey to the current key
Enumerate Subkeys: List the subkeys of the current key
Notify: Audit notification events raised by the key
Create Link: Create a link in the current key
Delete: Delete the current key
Write DAC: Write a discretionary ACL to the key
Write Owner: Take ownership of the key
Read Control: Read the key's ACL

Windows NT and Windows 2000 ship with two registry editors, regedit.exe, and regedt32.exe. Regedt32.exe provides access to a key's ACL. You can list the access permissions in regedt32.exe by selecting a registry key, then Security|Permissions from the main menu, click the Advanced button to open the Access Control Settings for Names dialog box, select the Permissions tab, and click the View/Edit button.

As with other objects secured by ACLs, you can audit activity for a particular key. From the same Access Control Settings for Names dialog box, select the Auditing tab and the Add button. You can audit all of the same actions in the above list, selecting success, failure, or both for each activity. Any such events are then recorded in the Windows NT / Windows 2000 security event log.

See Also

Featured Links