Disable Remote Registry Editing

To edit the registry of a remote computer, choose the Select Computer option
from the Registry menu, and the Select Computer dialog
box will appear. Select the remote computer whose registry you want to edit and
click the OK button. The Registry Editor will then open the remote computer’s
registry and display the HKEY_LOCAL_MACHINE and HKEY_USERS subtrees. The Registry Editor will warn you that
the editor’s Auto-Refresh feature won’t work with the remote computer’s registry
before allowing you to make changes. To close the remote computer’s registry,
select Close from the Registry menu.

In Windows NT 3.51 with Service Pack 4 or Windows NT version 4.0, remote access
to the registry is turned off by default for servers. To turn it off for a workstation,
create the registry key to restrict access to the

Key: SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
Type: REG_SZ
Value: Registry

In English, you need to add (if it does not exist) the key winreg to
SecurePipeServers; then add the value, Description, of type REG_SZ, with the
data (string), Registry Server.

When you attempt to connect to the registry of a remote computer running
Windows NT, the Server service on the target computer checks for the presence of
the Winreg key, and if it does not exist, you are
permitted to connect to the remote computer’s registry. If Winreg exists, the ACL on Winreg is
checked, and if the ACL gives you read or write access, you are connected to
the registry. The gotcha, since it is often misunderstood, is the meaning of
“the ACL gives you read or write access.”

Select winreg (highlight it), click Security, and then click Permissions. Add the users and groups you want to grant remote access. Thus you would NOT add Everyone or
Authenticated Users, and those groups would be blocked. You might want to add or
leave Domain Admins.

The Registry path names listed in the following key define Registry keys that
are exempt from Winreg’s otherwise global ACL.

Key: SYSTEM\CurrentControlSet\Control\SecurePipeServers\WinReg\AllowedPaths
The value would be a valid path to a
location(s) in the registry. The default value is: SYSTEM\CurrentControlSet\Control\ProductOptions

Key: SYSTEM\CurrentControlSet\Control\SecurePipeServers\WinReg\AllowedPaths
The value would be a valid path to a
location(s) in the registry. There is no default value. This allows Users access
to specific locations in the registry, provided it is not blocked by the key’s ACL.

Each key in the registry has its own ACL. The registry ACLs are conceptually
similar to file permission ACLs. The registry ACL access permission types are:

Query Value: Read access to values in key
Set Value: Create / update values in key
Create Subkey: Create subkey in key
Enumerate Subkeys: List subkeys in key
Audit notification events in key
Create Link: Create link to key
Delete key
Write DAC: Write Discretionary ACL (DAC) on key
Write Owner: Take ownership of key
Read Control: Read ACL of key
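
A read-only audit of the checks described above, as an added example that is not part of the original tip. It assumes a Windows version with PowerShell where the same winreg key is present; the function name Test-WinregAccess is hypothetical. It reports a missing key, flags Allow entries for Everyone or Authenticated Users, and lists whatever values sit under AllowedPaths.

```powershell
# Added example (not from the original tip): read-only audit of the winreg key.
# Run locally in an elevated PowerShell session on the machine being checked.
function Test-WinregAccess {
    $winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

    if (-not (Test-Path -Path $winreg)) {
        # Per the tip: when the key does not exist, the connection is permitted.
        Write-Output 'FINDING: winreg key is missing; its ACL cannot restrict remote access.'
        return
    }

    # Groups the tip says should NOT be granted access on this key.
    # Well-known SIDs: S-1-1-0 = Everyone, S-1-5-11 = Authenticated Users.
    $broadSids = @('S-1-1-0', 'S-1-5-11')

    $acl   = Get-Acl -Path $winreg
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid  = $rule.IdentityReference.Value
        $name = $sid
        try {
            # Resolve the SID to an account name where possible; keep the SID otherwise.
            $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        $flag = if ($broadSids -contains $sid) { 'FINDING' } else { 'ok' }
        Write-Output ('{0}: {1} is allowed {2}' -f $flag, $name, $rule.RegistryRights)
    }

    # Paths listed under AllowedPaths are exempt from the winreg ACL, so list them for review.
    $allowed = Join-Path -Path $winreg -ChildPath 'AllowedPaths'
    if (Test-Path -Path $allowed) {
        $key = Get-Item -Path $allowed
        foreach ($valueName in $key.GetValueNames()) {
            foreach ($path in @($key.GetValue($valueName))) {
                Write-Output ('EXEMPT ({0}): {1}' -f $valueName, $path)
            }
        }
    }
}

Test-WinregAccess
```

Each EXEMPT path is still subject to that key’s own ACL, so review the ACLs on those keys as well.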

This tip gives you a method to restrict or block remote access to the
registry. I rewrote it when I couldn’t successfully follow my own tip. To be
honest, I strongly recommend blocking all remote access: registry, shares, or
whatever – by disabling the Server service. It is the single most effective
method to frustrate hackers. In any case, if your environment does not support
disabling the Server service, you can use this tip to secure the registry from
inappropriate remote access.

Related Tips: disable use of registry editors

Q143474, Q143475, Q161372.
