{"id":110330,"date":"2024-10-01T09:10:22","date_gmt":"2024-10-01T16:10:22","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=110330"},"modified":"2024-10-01T09:10:22","modified_gmt":"2024-10-01T16:10:22","slug":"20241001-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20241001-22\/?p=110330","title":{"rendered":"Misunderstanding the &#8220;Prevent access to registry editing tools&#8221; policy"},"content":{"rendered":"<p>There is a group policy called &#8220;Prevent access to registry editing tools&#8221;. A customer found that even if they enabled the policy, malware was still able to call <code>Reg\u00adSet\u00adValue<\/code> to modify values in the registry. The malware was able to modify the registry even though the policy blocked access to the registry! Is the policy broken?<\/p>\n<p>Take a closer look at the policy name: &#8220;Prevent access to <i>registry editing tools<\/i>.&#8221; If you missed it, look at the policy description.<\/p>\n<blockquote class=\"q\">\n<p>This setting disables the Windows registry editor or Regedit.exe.<\/p>\n<p>If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action.<\/p>\n<p>If you disable this policy setting or do not configure it, users can run Regedit.exe normally.<\/p>\n<p>To prevent users from using other administrative tools, use the &#8220;Run only specified Windows applications&#8221; policy setting.<\/p>\n<\/blockquote>\n<p>What this policy does is prevent tools like <tt>regedit.exe<\/tt> and <tt>reg.exe<\/tt> from running. 
Those programs check the policy setting when they start up, and if the policy is set, then they display an error message and exit.<\/p>\n<pre>C:\\&gt; reg.exe query HKLM\\Software\\Microsoft\\Windows\r\nERROR: Registry editing has been disabled by your administrator.\r\n\r\nC:\\&gt; regini.exe\r\nError: Registry editing has been disabled by your administrator.\r\n<\/pre>\n<table style=\"border: solid 1px currentcolor; padding: 1ex;\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>Registry Editor<\/div>\n<div style=\"padding: 1em;\">\u24e7 Registry editing has been disabled by your administrator.<\/div>\n<div style=\"text-align: center;\">\n<div style=\"border: solid 1px currentcolor; width: 6em; display: inline-block; padding: 1px; margin: 1ex;\">OK<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The policy has no effect on other programs. They are still allowed to access the registry, subject to the normal access checks on each key: whatever the key&#8217;s ACL lets the caller do, the caller can still do.<\/p>\n<p>In other words, this is not &#8220;prevent access to the registry&#8221;. It&#8217;s &#8220;prevent access to registry editing tools.&#8221;<\/p>\n<p>After all, if this policy prevented anybody from accessing the registry, then a lot of things would stop working. For one thing, Windows keeps some of its own configuration data in the registry, so blocking access to the registry would prevent Windows from knowing, say, which drivers to load.<\/p>\n<p><b>Bonus chatter<\/b>: Since the policy check is performed voluntarily by <tt>reg.exe<\/tt> and <tt>regedit.exe<\/tt>, a dedicated end user could look for other ways to perform registry modifications, such as PowerShell scripting or downloading their own alternate registry editing tool. This policy is intended to block casual users from messing up their own machines. 
It is not a security boundary.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It prevents access to the tools, but not to the registry itself.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[104],"class_list":["post-110330","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-tipssupport"],"acf":[],"blog_post_summary":"<p>It prevents access to the tools, but not to the registry itself.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/110330","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=110330"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/110330\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=110330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=110330"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=110330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
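The following PowerShell script is an added example, not code from the post above, that makes the post's point observable on a test machine: with "Prevent access to registry editing tools" enabled (User Configuration, Administrative Templates, System), reg.exe refuses to run, while the registry API that PowerShell's registry provider calls underneath still reads and writes keys the user has permission to. It assumes the policy is backed by the per-user value DisableRegistryTools under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System (nonzero = enabled); the test key HKCU\Software\PolicyDemo and the value name Probe are made-up names for this example. The script does not change the policy itself, it only reports what each access path can do.

```powershell
# Added example (not from the original post). Demonstrates that the
# "Prevent access to registry editing tools" policy gates reg.exe/regedit.exe
# but not ordinary registry API access.
#
# Assumptions (not stated on the page): the policy is stored as the per-user
# DWORD value DisableRegistryTools under the Policies\System key below;
# the test key name and value name are invented for this example.

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$testKey   = 'HKCU:\Software\PolicyDemo'   # hypothetical scratch key

function Test-RegistryToolsPolicy {
    # $true when the policy is enabled for the current user.
    $v = Get-ItemProperty -Path $policyKey -Name DisableRegistryTools -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DisableRegistryTools -ne 0)
}

function Test-RegExeBlocked {
    # reg.exe checks the policy at startup; under the policy it prints
    # "Registry editing has been disabled by your administrator." instead of
    # querying a key that always exists. Treat that message or a nonzero exit as "blocked".
    $output = & reg.exe query 'HKCU\Software' 2>&1 | Out-String
    return ($LASTEXITCODE -ne 0 -or $output -match 'disabled by your administrator')
}

function Test-ApiWriteAllowed {
    # Create a key, write a value, read it back and clean up using the
    # registry provider (RegCreateKeyEx/RegSetValueEx underneath).
    # Only the key's ACL matters here; the policy is never consulted.
    try {
        New-Item -Path $testKey -Force | Out-Null
        Set-ItemProperty -Path $testKey -Name Probe -Value 'written despite policy' -Type String
        $readBack = (Get-ItemProperty -Path $testKey -Name Probe).Probe
        return ($readBack -eq 'written despite policy')
    } catch {
        return $false
    } finally {
        Remove-Item -Path $testKey -Recurse -Force -ErrorAction SilentlyContinue
    }
}

"Policy enabled for this user : $(Test-RegistryToolsPolicy)"
"reg.exe blocked              : $(Test-RegExeBlocked)"
"API write succeeded          : $(Test-ApiWriteAllowed)"
```

With the policy enabled, all three lines print True: the tool is blocked, the API is not. With the policy disabled or unconfigured, the first two print False and the third still prints True, which is the point: the third result never depends on the policy, only on the ACL of the key being written. A detection or hardening plan that relies on this policy to stop malware from touching the registry is relying on a client-side check that only two Microsoft tools perform.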