To edit the registry of a remote computer, choose the Select Computer option
from the Registry menu, and the Select Computer dialog
box will appear. Select the remote computer whose registry you want to edit and
click the OK button. The Registry Editor will then open the remote computer’s
registry and display the HKEY_LOCAL_MACHINE and HKEY_USERS subtrees. The Registry Editor will warn you that
the editor’s Auto-Refresh feature won’t work with the remote computer’s registry
before allowing you to make changes. To close the remote computer’s registry,
select Close from the Registry menu.
Windows NT 3.51 with Service pack 4 or Windows NT version 4.0, remote access
to registry is turned off by default for servers. To turn off for workstation,
create the registry key to restrict access to the
registry:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
Name:
Description
Type: REG_SZ
Value: Registry
Server
In English, you need to add (if it does not exist) the key winreg to
SecurePipeServers; then add the value, Description, of type REG_SZ, with the
data (string), Registry Server.
When you attempt to connect to the registry of a remote computer running
Windows NT, the Server service on the target computer checks for the presence of
the Winreg key and if it does not exist, you are
permitted to connect to the remote computer’s registry. If Winreg exists, the ACL on Winreg is
checked, and if the ACL gives the you read or write access you are connected to
the registry. The gotcha!, since is often misunderstood, is the meaning of
the ACL gives the you read or write access.
Select winreg (highlight it), click Security, and then click Permissions. You add users and groups you want to grant remote access. Thus you would NOT add everyone or
authenicated users and those groups would be blocked. You might want to add or
leave domain admins.
The Registry path names listed in the following key define Registry keys that
are exempt from Winreg‘s otherwise global ACL.
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\SecurePipeServers\WinReg\AllowedPaths
Name:
Machine
Type: REG_MULTI_SZ
The value would be a valid path to a
location(s) in the registry. The default value is: SYSTEM\CurrentControlSet\Control\ProductOptions
SYSTEM\CurrentControlSet\Control\Print\Printers
SYSTEM\CurrentControlSet\Services\Eventlog
SYSTEM\CurrentControlSet\Services\Replicator
Software\Microsoft\Windows
NT\CurrentVersion
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\SecurePipeServers\WinReg\AllowedPaths
Name:
Users
Type: REG_MULTI_SZ
The value would be a valid path to a
location(s) in the registry. There is no default value. This allows Users access
to specific locations in the registry providing it not blocked by the keys ACL.
Each key in the registry has its own ACL. The registry ACLs are conceptually
similar to file permission ACLs. The registry ACL access permission types
follow.
| Query Value | Read access to values in key |
| Set Value | Create / update values in key |
| Create Subkey | Create subkey in key |
| Enumerate Subkeys | List subkeys in key |
| Notify | Audit notification events in key |
| Create Link | Create link to key |
| Delete | Delete key |
| Write DAC | Write Discretionary ACL (DAC) on key |
| Write Owner | Take ownership of key |
| Read Control | Read ACL of key |
This tip gives you a method to restrict or block remote access to the
registry. I rewrote it when I couldn’t successfully follow my own tip. To be
honest, I strongly recommend blocking all remote access: registry, shares, or
whatever – by disabling the Server service. It is the single most effective
method to frustrate hackers. In any case, if your environment does not support
disabling Server service, you can use this tip to secure the registry from
inappropriate remote access.
Related Tips:
disable use of
registry editors
Q143474, Q143475, Q161372.
