For a Microsoft Windows XP version of this article, see 314837.
Important This article contains information about modifying the registry.
Before you modify the registry, make sure to back it up and make sure that you
understand how to restore the registry if a problem occurs. For information
about how to back up, restore, and edit the registry, click the following
article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
MORE INFORMATION
By default, on a Windows NT 3.51 system any user can access the registry
when connecting over the network. On a Windows NT 4.0 system and later, by
default only members of the Administrators group can access the registry over
the network.
Domain users can connect to the registry
of a domain controller remotely by using Regedit.exe. They can then see values
in the HKEY_CLASSES_ROOT entry and in the HKEY_USERS entry. However, they will
have only read-only access. This is by design.
Note Some services need access to the registry to function correctly.
For example, if you add the winreg key described below to a 3.51 system that
is running Directory Replication, you must grant the Replicator account access
to the registry as described later in this article.
Restricting Network Access to the Registry
Warning If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using Registry
Editor incorrectly. Use Registry Editor at your own risk.
Note In Windows 2000 and later, only Administrators and Backup
Operators have default network access to the registry. This section may not
apply in certain instances. To restrict network access to the registry, follow
the steps listed below to create the following Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
Name: Description
Type: REG_SZ
Value: Registry Server
The Security permissions set on this key define what Users or
Groups can connect to the system for remote Registry access. The default
Windows installation defines this key and sets the Access Control List to
restrict remote registry access as follows:
Administrators have Full Control
The default configuration for Windows permits only Administrators
remote access to the Registry. Changes to this key to allow users remote
registry access require a system reboot to take effect.
To create the registry key to restrict access to the registry:
1. Start Registry Editor (Regedt32.exe) and go to the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
2. On the Edit menu, click Add Key.
3. Enter the following values:
   Key Name: SecurePipeServers
   Class: REG_SZ
4. Go to the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers
5. On the Edit menu, click Add Key.
6. Enter the following values:
   Key Name: winreg
   Class: REG_SZ
7. Go to the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
8. On the Edit menu, click Add Value.
9. Enter the following values:
   Value Name: Description
   Data Type: REG_SZ
   String: Registry Server
10. Go to the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
11. Select "winreg". Click Security and then click Permissions. Add the users
   or groups to which you want to grant access.
12. Exit Registry Editor and restart Windows.
13. If you later want to change the list of users that can access the
   registry, repeat steps 10-12.
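The same procedure, scripted in PowerShell. This is an added example and not part of the Knowledge Base article; it assumes an elevated session on Windows 2000 or later (the Regedt32 "Class" entries have no PowerShell equivalent and are omitted), and the principals it grants (Administrators Full Control, Backup Operators read) are the defaults the article describes, to be adjusted for your environment. The backup file path is an assumption.

```powershell
# Added example, not from the Knowledge Base article. Creates the winreg key,
# its Description value and an explicit ACL. Run elevated; as the article
# notes, permission changes take effect only after a restart.

$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Steps 1-9: create SecurePipeServers\winreg (-Force creates the missing
# parent) and the REG_SZ value Description = "Registry Server".
New-Item -Path $winreg -Force | Out-Null
New-ItemProperty -Path $winreg -Name 'Description' -PropertyType String `
    -Value 'Registry Server' -Force | Out-Null

# Back up the current ACL as SDDL before touching it (the backup path is an
# assumption; choose your own).
$acl = Get-Acl -Path $winreg
$acl.Sddl | Set-Content -Path (Join-Path $env:TEMP 'winreg-acl-backup.sddl')

# Steps 10-11: build the new ACL in memory and apply it in one call so the
# key is never left half-configured. Stop inheriting from the Control key and
# drop any entries already present.
$acl.SetAccessRuleProtection($true, $false)
foreach ($existing in $acl.Access) { $null = $acl.RemoveAccessRule($existing) }

# Principals follow the defaults the article describes for Windows 2000 and
# later. If a service needs the whole registry, add its account here rather
# than widening AllowedPaths.
$grants = @(
    @{ Identity = 'BUILTIN\Administrators';   Rights = 'FullControl' },
    @{ Identity = 'BUILTIN\Backup Operators'; Rights = 'ReadKey' }
)
foreach ($g in $grants) {
    $ace = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $g.Identity, $g.Rights, 'ContainerInherit', 'None', 'Allow'
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $winreg -AclObject $acl

# Step 12: restart for the change to take effect (uncomment when ready).
# Restart-Computer
```

Because the ACL is replaced rather than appended to, review the SDDL backup first: anything an existing service relied on (for example an account that was granted access earlier) has to be re-added to $grants, or that service will lose remote registry access after the restart.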
Bypassing the Access Restriction
Some services need remote access to the registry to function
correctly. For example, the Directory Replicator service and the Spooler
service when connecting to a printer over the network require access to the
remote registry.
You can either add the account name that the
service is running under to the access list of the "winreg" key, or you can
configure Windows to bypass the access restriction to certain keys by listing
them in the Machine or Users value under the AllowedPaths key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths

Value: Machine
Value Type: REG_MULTI_SZ - Multi string
Default Data:
  System\CurrentControlSet\Control\ProductOptions
  System\CurrentControlSet\Control\Print\Printers
  System\CurrentControlSet\Services\Eventlog
  Software\Microsoft\Windows NT\CurrentVersion
  System\CurrentControlSet\Services\Replicator
Valid Range: A valid path to a location in the registry.
Description: Allow machines access to the listed locations in the registry,
provided that no explicit access restrictions exist for that location.

Value: Users
Value Type: REG_MULTI_SZ - Multi string
Default Data: (None)
Valid Range: A valid path to a location in the registry.
Description: Allow users access to the listed locations in the registry,
provided that no explicit access restrictions exist for that location.
Changed slightly in Windows 2000 and later:

Value: Machine
Value Type: REG_MULTI_SZ - Multi string
Default Data:
  System\CurrentControlSet\Control\ProductOptions
  System\CurrentControlSet\Control\Print\Printers
  system\CurrentControlSet\control\Server Applications
  System\CurrentControlSet\Services\Eventlog
  Software\Microsoft\Windows NT\CurrentVersion

Value: Users - Does not exist by default.
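Adding a path to the Machine (or Users) list under AllowedPaths, as an added PowerShell example that is not from the article. It reads the existing REG_MULTI_SZ, appends the path only if it is not already present, and writes the list back with the MultiString type. The Replicator path used in the call is the one the article lists for the Directory Replicator service; entries are relative to HKEY_LOCAL_MACHINE, as in the article's default data. The function names are my own.

```powershell
# Added example, not from the Knowledge Base article. Manages the Machine or
# Users list under AllowedPaths without clobbering existing entries.

$allowedPaths = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'

function Get-AllowedRegistryPath {
    param([ValidateSet('Machine', 'Users')][string]$List = 'Machine')
    # Returns the current entries, or nothing if the value does not exist
    # (the article notes that Users does not exist by default).
    $prop = Get-ItemProperty -Path $allowedPaths -Name $List -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return }
    return @($prop.$List)
}

function Add-AllowedRegistryPath {
    param(
        # Relative to HKLM, e.g. System\CurrentControlSet\Services\Replicator
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Machine', 'Users')][string]$List = 'Machine'
    )
    if ($Path -match '^(HKLM|HKEY_LOCAL_MACHINE)[:\\]') {
        throw "AllowedPaths entries are relative to HKEY_LOCAL_MACHINE; drop the hive prefix from '$Path'"
    }
    if (-not (Test-Path $allowedPaths)) { New-Item -Path $allowedPaths -Force | Out-Null }

    # @() turns "nothing" into an empty array so the append below works.
    $current = @(Get-AllowedRegistryPath -List $List)
    if ($current -contains $Path) {      # -contains is case-insensitive, like the registry
        Write-Verbose "'$Path' is already present in AllowedPaths\$List"
        return $current
    }
    $updated = $current + $Path
    # Write back explicitly as REG_MULTI_SZ; -Force replaces the existing value.
    New-ItemProperty -Path $allowedPaths -Name $List -PropertyType MultiString `
        -Value $updated -Force | Out-Null
    return $updated
}

# Example: let the Directory Replicator service reach its own key, as the
# NT 4.0 default list in the article did, instead of granting the service
# account access to all of winreg.
Add-AllowedRegistryPath -Path 'System\CurrentControlSet\Services\Replicator'
```

Every entry added here becomes reachable by anyone who can connect to the remote registry, subject only to the ACL on the target key (the article's "no explicit access restrictions" clause). List the narrowest key that satisfies the service and check the target key's own permissions, rather than a broad parent such as System\CurrentControlSet\Services.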
For additional information about how to programmatically access the Windows
registry and apply security to a registry key, click the following article
number to view the article in the Microsoft Knowledge Base:
146906 How to secure performance data in Windows 2000, Windows NT, Windows XP
Note Remote access to the registry may still be possible after you follow
the steps in this article if the RestrictNullSessAccess registry value has
been created and is set to 0. This value allows remote access to the registry
by using a null session, and it overrides other explicit restrictive settings.
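A read-only check for the conditions this article warns about, added here as PowerShell example code that is not from the article: principals on the winreg key beyond the Administrators and Backup Operators defaults, AllowedPaths\Machine entries outside the Windows 2000 default list given above, a Users list, and RestrictNullSessAccess set to 0. The article does not state where RestrictNullSessAccess lives; the LanmanServer\Parameters location used below is the standard one and is assumed here. The function name is my own.

```powershell
# Added example, not from the Knowledge Base article. Read-only audit of the
# settings the article covers; it changes nothing.

$winreg       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$allowedPaths = "$winreg\AllowedPaths"
# The article does not give the location of RestrictNullSessAccess; this is
# the standard LanmanServer location (assumed here).
$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Baseline: the Windows 2000 default Machine list from the article. Later
# Windows versions ship a longer list, so substitute your own baseline.
$baselineMachine = @(
    'System\CurrentControlSet\Control\ProductOptions',
    'System\CurrentControlSet\Control\Print\Printers',
    'System\CurrentControlSet\Control\Server Applications',
    'System\CurrentControlSet\Services\Eventlog',
    'Software\Microsoft\Windows NT\CurrentVersion'
)
$expectedPrincipals = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')

function Test-RemoteRegistryRestriction {
    $findings = @()

    if (-not (Test-Path $winreg)) {
        return @('winreg key is missing: remote registry access is not restricted by an ACL')
    }

    # 1. Who may connect? Any Allow entry beyond the expected principals is reported.
    foreach ($ace in (Get-Acl -Path $winreg).Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $expectedPrincipals -notcontains $who) {
            $findings += "winreg grants $($ace.RegistryRights) to $who"
        }
    }

    # 2. AllowedPaths bypasses the winreg ACL, so every extra entry widens exposure.
    $machine = (Get-ItemProperty -Path $allowedPaths -Name Machine -ErrorAction SilentlyContinue).Machine
    foreach ($p in @($machine)) {
        if ($p -and $baselineMachine -notcontains $p) {
            $findings += "AllowedPaths\Machine has a non-baseline entry: $p"
        }
    }
    $users = (Get-ItemProperty -Path $allowedPaths -Name Users -ErrorAction SilentlyContinue).Users
    if ($users) {
        $findings += "AllowedPaths\Users is set (absent by default): $($users -join '; ')"
    }

    # 3. RestrictNullSessAccess = 0 overrides everything above.
    $rnsa = (Get-ItemProperty -Path $lanmanParams -Name RestrictNullSessAccess `
        -ErrorAction SilentlyContinue).RestrictNullSessAccess
    if ($null -ne $rnsa -and $rnsa -eq 0) {
        $findings += 'RestrictNullSessAccess is 0: null sessions can reach the registry regardless of the winreg ACL'
    }

    return $findings
}

$results = @(Test-RemoteRegistryRestriction)
if ($results.Count -eq 0) { 'No findings: winreg ACL, AllowedPaths and null-session setting match the baseline' }
else { $results }
```

Run it elevated so the ACL can be read. A finding is a prompt to review, not proof of a problem: newer Windows versions grant additional built-in accounts read access to winreg by default, and those will show up until the expected-principal list is updated to match the platform baseline.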