October 1st, 2024

Misunderstanding the “Prevent access to registry editing tools” policy

There is a group policy called “Prevent access to registry editing tools”. A customer found that even if they enabled the policy, malware was still able to call RegSetValue to modify values in the registry. The malware was able to modify the registry even though the policy blocked access to the registry! Is the policy broken?

Take a closer look at the policy name: “Prevent access to registry editing tools.” If you missed it, look at the policy description.

This setting disables the Windows registry editor or Regedit.exe.

If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action.

If you disable this policy setting or do not configure it, users can run Regedit.exe normally.

To prevent users from using other administrative tools, use the “Run only specified Windows applications” policy setting.

What this policy does is stop the registry editing tools themselves (regedit.exe, reg.exe, and regini.exe) from running. Each of those programs checks the policy setting when it starts up, and if the policy is set, it displays an error message and exits.

C:\> reg.exe query HKLM\Software\Microsoft\Windows
ERROR: Registry editing has been disabled by your administrator.

C:\> regini.exe
Error: Registry editing has been disabled by your administrator.

C:\> regedit.exe
(message box)
Registry Editor
ⓧ Registry editing has been disabled by your administrator.
[ OK ]

The policy has no effect on other programs. They are still allowed to access the registry, subject to the normal rules.

In other words, this is not “prevent access to the registry”. It’s “prevent access to registry editing tools.”

After all, if this policy prevented anybody from accessing the registry, then a lot of things would stop working. For one thing, Windows keeps some of its own configuration data in the registry, so blocking access to the registry would prevent Windows from knowing, say, which drivers to load.

Bonus chatter: Since the policy check is performed voluntarily from reg.exe and regedit.exe, a dedicated end user could look for other ways to perform registry modifications, such as PowerShell scripting or downloading their own alternate registry editing tool. This policy is intended to block casual users from messing up their own machines. It is not a security boundary.
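To make the two points above concrete (the tools check the policy themselves; everything else is governed only by the key's ACL), here is an added PowerShell demonstration. It is not code from the original post. It assumes the well-known backing value for this policy, the DisableRegistryTools DWORD under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, which the post does not name; the demo key HKCU\Software\OldNewThingDemo and its value names are made up for the demo. Run it from an elevated Windows PowerShell prompt, because the Policies keys under HKCU are not writable by a standard user account by default; it restores the original setting when it finishes.

```powershell
# Added example, not from The Old New Thing post. Shows that enabling
# "Prevent access to registry editing tools" blocks reg.exe but leaves
# ordinary registry writes (PowerShell provider, .NET, Win32 RegSetValueEx)
# completely unaffected. Requires an elevated prompt on Windows.

# Assumption: this is the policy's backing value (well known, but not named on the page).
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policyVal = 'DisableRegistryTools'
# Hypothetical key used only by this demo; removed at the end.
$demoKey   = 'HKCU:\Software\OldNewThingDemo'

function Get-RegistryToolsPolicy {
    # Returns $null when the value is absent (policy "Not Configured"), else its DWORD.
    $p = Get-ItemProperty -Path $policyKey -Name $policyVal -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.$policyVal
}

function Enable-RegistryToolsPolicy {
    # Group Policy "Enabled" writes 1 here (the ADMX "allow regedit /s" option writes 2 instead).
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name $policyVal -Value 1 -Type DWord
}

function Restore-RegistryToolsPolicy($Saved) {
    # Put back exactly what we found: delete the value if it was absent, else rewrite it.
    if ($null -eq $Saved) {
        Remove-ItemProperty -Path $policyKey -Name $policyVal -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $policyKey -Name $policyVal -Value $Saved -Type DWord
    }
}

function Invoke-RegExeQuery {
    # reg.exe reads the policy itself at startup. With the policy set it prints
    # "ERROR: Registry editing has been disabled by your administrator." and exits non-zero,
    # without ever touching the key it was asked to query.
    $output = & reg.exe query 'HKLM\Software\Microsoft\Windows' 2>&1 | Out-String
    return [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $output.Trim() }
}

function Write-RegistryDirectly {
    # No other program consults DisableRegistryTools. The PowerShell registry provider and
    # the .NET Registry class both end up in the same Win32 calls (RegCreateKeyEx /
    # RegSetValueEx) that the malware in the story used. The only thing that can refuse
    # these writes is the ACL on the key, and the user owns HKCU, so they succeed.
    if (-not (Test-Path $demoKey)) { New-Item -Path $demoKey -Force | Out-Null }
    Set-ItemProperty -Path $demoKey -Name 'Probe' -Value 'written while the policy was enabled' -Type String
    [Microsoft.Win32.Registry]::SetValue('HKEY_CURRENT_USER\Software\OldNewThingDemo', 'Probe2', 42)
    $k = Get-ItemProperty -Path $demoKey
    return [pscustomobject]@{ Probe = $k.Probe; Probe2 = $k.Probe2 }
}

$saved = Get-RegistryToolsPolicy
try {
    Enable-RegistryToolsPolicy
    "DisableRegistryTools is now $(Get-RegistryToolsPolicy)"

    $r = Invoke-RegExeQuery
    "reg.exe exit code $($r.ExitCode): $($r.Output)"          # blocked by the policy

    $w = Write-RegistryDirectly
    "Direct write still succeeded: Probe='$($w.Probe)', Probe2=$($w.Probe2)"
}
finally {
    Restore-RegistryToolsPolicy $saved
    Remove-Item -Path $demoKey -Recurse -ErrorAction SilentlyContinue
}
```

The takeaway for anyone treating this policy as a control: the check lives in the client, so it only constrains clients that opt in. If you actually need to stop a user from changing a key, put a deny or read-only ACE on that key (or keep the data under HKLM, where a non-admin token already lacks write access); the policy's own value sits under a Policies key that standard users cannot edit, which is what keeps casual users from simply flipping it back off.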

Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

5 comments

  • Arek Marciniak (Microsoft employee)

    It’s one of those things that are obvious – obvious once you have dealt with them already.

  • Jonathan Harston

    “the user could use an alternate registry editor”

    I use notepad. 🙂

  • Joshua Hudson 1 week ago

    Back in my college days the admins thought they were being smart by setting that. I copied regedit.exe to my home directory, took a hexeditor to it, changed the string for where it looked for the policy to some other location, and ran that binary. The policy was stupid.

    “Run only specified Windows programs” would have only stopped me because it would be more trouble than it’s worth to overthrow; not because I couldn’t figure out...

  • Drew 1 week ago

    It does what it says but that doesn’t make what it says or does any less stupid.

    Ours is not to reason why. Ours is but to facepalm. Repeatedly.

    • Michael Quinlan 1 week ago

      At work I would say “I don’t make the policies; I just mock them.”