Securing Registry Permissions
The registry is a dynamic, hierarchical database that contains values of variables for the operating system and applications. The operating system and other programs also store data about users and about the current configuration of the system and its components in the registry. Because the registry is available whenever the system is running, programs that start and stop can keep persistent data in the registry and the settings will be saved when the system shuts down. The registry is constructed of six hives that are used for different purposes, as described in Table 7-12.
Hive | Abbreviation | Description |
--- | --- | --- |
HKEY_CURRENT_USER | HKCU | Stores information about the profile of the currently logged-on user that is persistently stored in HKU |
HKEY_USERS | HKU | Contains subkeys for all local user profiles |
HKEY_CLASSES_ROOT | HKCR | Contains file association and COM registration information |
HKEY_LOCAL_MACHINE | HKLM | Contains entries for the configuration of the operating system and applications |
HKEY_CURRENT_CONFIG | HKCC | Contains the current hardware profile that is persistently stored in HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current |
HKEY_PERFORMANCE_DATA | HKPD | Contains information about performance counters |
When the computer is running, the registry is loaded in memory and active. When the computer is powered down, the persistent information stored in the registry is written to the hard drive. Table 7-13 lists the storage location for some common registry hives.
Hive | Storage Location |
--- | --- |
HKEY_LOCAL_MACHINE\SYSTEM | %systemroot%\system32\Config\System |
HKEY_LOCAL_MACHINE\SAM | %systemroot%\system32\Config\Sam |
HKEY_LOCAL_MACHINE\SECURITY | %systemroot%\system32\Config\Security |
HKEY_LOCAL_MACHINE\SOFTWARE | %systemroot%\system32\Config\Software |
HKEY_USERS | %systemdrive%\Documents and Settings\<username>\Ntuser.dat |
HKEY_USERS | %systemdrive%\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat |
HKEY_USERS\DEFAULT | %systemroot%\system32\Config\Default |
When you use an administrative tool to change the configuration of a system feature or service, the change usually takes effect immediately or soon thereafter. However, if you make the same change by editing the registry, you might need to log off and log on again, restart the service, or restart. In general, if you change the value of any entry in HKLM\Services\System\CurrentControlSet, you must restart the computer for the changes to take effect. Also, if you use a registry editor to change values for most entries in HKEY_CURRENT_USER, you must log off and log on again for the changes to take effect.
For detailed information on the structure of the registry and the specifics of the data stored in the registry, see the Technical Reference to the Registry eBook (Regentry.chm) in the Microsoft Windows 2000 Server Resource Kit, Supplement One (Microsoft Press, 2000).
Configuring Registry Permissions
As with files and folders stored on NTFS partitions, the registry is secured by using DACLs. Unlike NTFS permissions, registry permissions are assigned to container objects only: an individual registry value inherits its security from its parent key. A registry key has two basic permissions, Full Control and Read. The Full Control permission includes all of the special permissions in Table 7-14. The Read permission consists of the following special permissions: Read Control, Query Value, Notify, and Enumerate Subkeys. Table 7-14 lists the special permissions on registry keys.
Permission | Description |
--- | --- |
Query Value | Allows the value of the registry key to be read |
Set Value | Allows the value of an existing key to be written |
Create Subkey | Allows the creation of subkeys |
Enumerate Subkeys | Allows the enumeration of subkeys |
Notify | Required to request change notifications for a registry key or for subkeys of a registry key |
Create Link | Reserved for use by the operating system |
Delete | Allows the key to be deleted |
Write DACL | Allows the modification of the DACL |
Write Owner | Allows the modification of the owner |
Read Control | Allows the SACL to be read |
In Windows 2000 and Windows XP, you can use Regedt32.exe to alter registry permissions from the user interface or you can use the Subinacl.exe command-line tool. Changing permissions on registry values requires the same techniques as modifying NTFS permissions.
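The special permissions in Table 7-14 are individual bits in the access mask of each ACE in a key's DACL, and the two basic permissions are fixed combinations of those bits. The following Python is an added example, not code from the book: it maps the Table 7-14 names onto the bit values Windows defines for them in winnt.h (KEY_QUERY_VALUE and so on), rebuilds Read and Full Control from the special permissions the text lists, and checks that the result matches the well-known constants KEY_READ (0x20019) and KEY_ALL_ACCESS (0xF003F). It then reviews a constructed list of allow ACEs and reports any broad principal that has been granted a write-class right on the key; because values inherit security from their key, such an ACE makes every value under the key writable as well. The ACE list and the set of principals treated as "broad" are assumptions for the example, not data from the page.

```python
"""Decode registry key access masks into the special permissions of Table 7-14
and flag allow ACEs that grant write-class rights to broad principals.
Added example: bit values are the winnt.h definitions, the ACE list is constructed."""

# Key-specific rights (low word) and standard rights (high word), as defined in winnt.h.
KEY_QUERY_VALUE = 0x0001
KEY_SET_VALUE = 0x0002
KEY_CREATE_SUB_KEY = 0x0004
KEY_ENUMERATE_SUB_KEYS = 0x0008
KEY_NOTIFY = 0x0010
KEY_CREATE_LINK = 0x0020
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000

# Bit -> name, in the order Table 7-14 lists the special permissions.
SPECIAL_PERMISSIONS = (
    (KEY_QUERY_VALUE, "Query Value"),
    (KEY_SET_VALUE, "Set Value"),
    (KEY_CREATE_SUB_KEY, "Create Subkey"),
    (KEY_ENUMERATE_SUB_KEYS, "Enumerate Subkeys"),
    (KEY_NOTIFY, "Notify"),
    (KEY_CREATE_LINK, "Create Link"),
    (DELETE, "Delete"),
    (WRITE_DAC, "Write DACL"),
    (WRITE_OWNER, "Write Owner"),
    (READ_CONTROL, "Read Control"),
)

# The two basic permissions, built exactly as the text describes them.
KEY_READ = READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY  # == 0x20019
KEY_ALL_ACCESS = 0  # Full Control: every row of Table 7-14 (== 0xF003F)
for _bit, _name in SPECIAL_PERMISSIONS:
    KEY_ALL_ACCESS |= _bit

# Rights that let a principal change the key, its values, or its security descriptor.
WRITE_CLASS = (KEY_SET_VALUE | KEY_CREATE_SUB_KEY | KEY_CREATE_LINK
               | DELETE | WRITE_DAC | WRITE_OWNER)

# Principals that cover essentially every logged-on user (assumed list for the example).
BROAD_PRINCIPALS = {
    "Everyone",
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}


def decode_mask(mask):
    """Return the Table 7-14 permission names present in an ACE access mask.
    Bits outside the table (generic rights, SYNCHRONIZE) are reported, not mapped."""
    names = [name for bit, name in SPECIAL_PERMISSIONS if mask & bit]
    leftover = mask & ~KEY_ALL_ACCESS
    if leftover:
        names.append("unknown bits 0x%X" % leftover)
    return names


def classify(mask):
    """Name the basic permission a mask corresponds to, or 'Special' if it is neither."""
    if mask == KEY_ALL_ACCESS:
        return "Full Control"
    if mask == KEY_READ:
        return "Read"
    return "Special"


def audit_aces(aces):
    """aces: iterable of (trustee, access_mask) allow ACEs from one key's DACL.
    Returns [(trustee, [write-class permission names])] for broad principals that
    can modify the key and, through inheritance, every value stored under it."""
    findings = []
    for trustee, mask in aces:
        if trustee in BROAD_PRINCIPALS and mask & WRITE_CLASS:
            granted = [n for b, n in SPECIAL_PERMISSIONS if mask & b & WRITE_CLASS]
            findings.append((trustee, granted))
    return findings


# Constructed DACL for illustration; not taken from any real system.
SAMPLE_ACES = [
    ("NT AUTHORITY\\SYSTEM", KEY_ALL_ACCESS),
    ("BUILTIN\\Administrators", KEY_ALL_ACCESS),
    ("BUILTIN\\Users", KEY_READ),
    ("Everyone", KEY_READ | KEY_SET_VALUE),  # Read plus one write-class bit
]

if __name__ == "__main__":
    for trustee, mask in SAMPLE_ACES:
        print("%-32s 0x%05X %-12s %s" % (trustee, mask, classify(mask), ", ".join(decode_mask(mask))))
    for trustee, rights in audit_aces(SAMPLE_ACES):
        print("REVIEW: %s holds %s on this key" % (trustee, ", ".join(rights)))
```

The mask for "Everyone" in the sample decodes to the four Read permissions plus Set Value, so `classify` reports it as Special rather than Read; a review that only looks at the basic-permission label in a user interface would miss that one extra bit, which is why the audit works on the special-permission bits directly.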