Preventing Local Registry Access

Preventing Local Registry Access

Whenever I bring up registry security, the inevitable question is always how to prevent users from accessing the registry. You can't. Remember that the registry contains settings that the user must be able to read for Windows to work properly. Users also must have full control of their profile hives for the operating system and applications to save their preferences. You can't prevent access–nor do you want to prevent it. The best you should hope for is limiting users' ability to edit the registry using Regedit or other registry editors.

The most elegant way to prevent access to Regedit is by enabling the Prevent access to registry editing tools policy. When users start Regedit, all they see is an error message that says “Registry editing has been disabled by your administrator.” The problem with this policy is that not all registry editors honor this policy. Nothing prevents a determined user from downloading a shareware registry editor, of which there are plenty, and using it. Another possibility is using Software Restriction Policies, which you can learn more about in Help and Support Center. Even this doesn't prevent users from running shareware registry editors unless you use Software Restriction Policies to completely restrict them to a short list of acceptable applications.