
Microsoft small business knowledge base

Article ID: 153183 - Last Review: February 21, 2007 - Revision: 8.5

This article was previously published under Q153183
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center (http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000) is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy (http://support.microsoft.com/lifecycle/) .
For a Microsoft Windows XP version of this article, see 314837 (http://support.microsoft.com/kb/314837/).

SUMMARY

Registry Editor supports remote access to the Windows Registry; however, you can also restrict this access.

MORE INFORMATION

By default on a Windows NT 3.51 system, any user can access the registry when connecting over the network. On Windows NT 4.0 and later, by default only members of the Administrators group can access the registry over the network.

Domain users can connect to the registry of a domain controller remotely by using Regedit.exe. They can then see values in the HKEY_CLASSES_ROOT entry and in the HKEY_USERS entry. However, they will have only read-only access. This is by design.

Note Some services need access to the registry to function correctly. For example, if you add this key to a 3.51 system that is running Directory Replication, it is necessary to grant the Replicator account access to the registry as described later in this article.

Restricting Network Access to the Registry

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
Note In Windows 2000 and later, only Administrators and Backup Operators have default network access to the registry. This section may not apply in certain instances. To restrict network access to the registry, follow the steps listed below to create the following Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
Name: Description
Type: REG_SZ
Value: Registry Server
The security permissions set on this key define which users or groups can connect to the system for remote registry access. The default Windows installation defines this key and sets its access control list to restrict remote registry access as follows:
Administrators have Full Control
The default configuration for Windows permits only Administrators remote access to the registry. Changes to this key to allow users remote registry access require a system reboot to take effect.

To create the registry key to restrict access to the registry:
  1. Start Registry Editor (Regedt32.exe) and go to the following subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
  2. On the Edit menu, click Add Key.
  3. Enter the following values:
    Key Name: SecurePipeServers
    Class: REG_SZ
  4. Go to the following subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers
  5. On the Edit menu, click Add Key.
  6. Enter the following values:
    Key Name: winreg
    Class: REG_SZ
  7. Go to the following subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
  8. On the Edit menu, click Add Value.
  9. Enter the following values:
    Value Name: Description
    Data Type: REG_SZ
    String: Registry Server
  10. Go to the following subkey.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
  11. Select "winreg". Click Security and then click Permissions. Add users or groups to which you want to grant access.
  12. Exit Registry Editor and restart Windows.
  13. If you later want to change the list of users that can access the registry, repeat steps 10-12.
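The same procedure carried out non-interactively, as an added PowerShell example (not code from the KB article, whose steps use Regedt32.exe). It assumes an elevated PowerShell session on Windows 2000 or later and sets exactly the default the article describes, Administrators with Full Control; the $extraReaders list is an assumption added here for service accounts that also need access.

```powershell
# Added example, not code from the KB article: performs steps 1-12 above
# non-interactively. Run from an elevated PowerShell session and restart
# afterward; the article notes that changes to this key take effect only
# after a reboot.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Steps 1-9: create Control\SecurePipeServers\winreg and its Description value.
# New-Item -Force also creates the SecurePipeServers parent if it is missing.
if (-not (Test-Path -Path $winreg)) {
    New-Item -Path $winreg -Force | Out-Null
}
New-ItemProperty -Path $winreg -Name 'Description' -PropertyType String `
    -Value 'Registry Server' -Force | Out-Null

# Step 11: set the permissions that decide who may connect remotely.
# The article's default is Administrators: Full Control and nothing else.
# $extraReaders (an assumption of this example) lists further accounts that
# need read access, for example a service account such as the Replicator
# account mentioned in the article. Empty means Administrators only.
$extraReaders = @()   # e.g. @('DOMAIN\Replicator')

$acl = Get-Acl -Path $winreg
$acl.SetAccessRuleProtection($true, $false)     # stop inheriting from Control
foreach ($rule in @($acl.Access)) {              # drop whatever is there now
    $acl.RemoveAccessRule($rule) | Out-Null
}
$adminRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList 'BUILTIN\Administrators', 'FullControl', 'ContainerInherit', 'None', 'Allow'
$acl.AddAccessRule($adminRule)
foreach ($account in $extraReaders) {
    $readRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $account, 'ReadKey', 'ContainerInherit', 'None', 'Allow'
    $acl.AddAccessRule($readRule)
}
Set-Acl -Path $winreg -AclObject $acl

# Step 12 is the reboot; show the resulting ACL first so it can be reviewed.
(Get-Acl -Path $winreg).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize
```

The ACL is rebuilt from scratch rather than edited in place so that no inherited entry from the Control key survives; on Windows 2000 and later the key already exists with a default ACL, so review the printed table before restarting.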

Bypassing the Access Restriction

Some services need remote access to the registry to function correctly. For example, the Directory Replicator service and the Spooler service when connecting to a printer over the network require access to the remote registry.

You can either add the account name that the service is running under to the access list of the "winreg" key, or you can configure Windows to bypass the access restriction to certain keys by listing them in the Machine or Users value under the AllowedPaths key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths
   Value:        Machine
   Value Type:   REG_MULTI_SZ - Multi string
   Default Data: System\CurrentControlSet\Control\ProductOptions
                 System\CurrentControlSet\Control\Print\Printers
                 System\CurrentControlSet\Services\Eventlog
                 Software\Microsoft\Windows NT\CurrentVersion
                 System\CurrentControlSet\Services\Replicator

   Valid Range:  A valid path to a location in the registry.
   Description:  Allow machines access to listed locations in the
                 registry provided that no explicit access
                 restrictions exist for that location.

   Value:        Users
   Value Type:   REG_MULTI_SZ - Multi string
   Default Data: (None)
   Valid Range:  A valid path to a location in the registry.
   Description:  Allow users access to listed locations in the
                 registry provided that no explicit access
                 restrictions exist for that location.
Changed slightly in Windows 2000 and later:
   Value:        Machine
   Value Type:   REG_MULTI_SZ - Multi string
   Default Data: System\CurrentControlSet\Control\ProductOptions
                 System\CurrentControlSet\Control\Print\Printers
                 system\CurrentControlSet\control\Server Applications
                 System\CurrentControlSet\Services\Eventlog
                 Software\Microsoft\Windows NT\CurrentVersion
   Value:        Users - Does not exist by default.
For additional information about how to programmatically access the Windows registry and apply security to a registry key, click the following article number to view the article in the Microsoft Knowledge Base:
146906 (http://support.microsoft.com/kb/146906/) How to secure performance data in Windows 2000, Windows NT, Windows XP


Note It is possible to have remote access to the registry after you follow the steps in this article if the RestrictNullSessAccess registry value has been created and is set to 0. This value allows remote access to the registry by using a null session. The value overrides other explicit restrictive settings.
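A read-only audit of the three controls covered above (the winreg key ACL, the AllowedPaths values, and the RestrictNullSessAccess note), as an added PowerShell example that is not part of the KB article. It compares the live settings with the Windows 2000 defaults the article lists. Assumptions: an elevated session on Windows 2000 or later with PowerShell, and that RestrictNullSessAccess lives under Services\LanmanServer\Parameters, a location the article does not state.

```powershell
# Added example, not code from the KB article: read-only audit of the
# remote-registry controls the article describes, reporting anything broader
# than the documented Windows 2000 defaults.
$winreg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$allowed = "$winreg\AllowedPaths"
# Assumption: RestrictNullSessAccess is under LanmanServer\Parameters; the
# article names the value but not its key.
$lanman  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-RemoteRegistryFindings {
    $findings = @()

    # 1. winreg ACL: the article's default is Administrators (Full Control)
    #    and, on Windows 2000 and later, Backup Operators. List anything else.
    if (-not (Test-Path -Path $winreg)) {
        return @('winreg key is missing; the per-key ACL described in the article is not in force')
    }
    $expected = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    foreach ($ace in (Get-Acl -Path $winreg).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $expected -notcontains $ace.IdentityReference.Value) {
            $findings += "winreg ACL allows $($ace.RegistryRights) for $($ace.IdentityReference.Value)"
        }
    }

    # 2. AllowedPaths: these prefixes stay reachable even for callers the ACL
    #    denies, so every non-default entry widens the bypass.
    $defaultMachine = @(
        'System\CurrentControlSet\Control\ProductOptions',
        'System\CurrentControlSet\Control\Print\Printers',
        'System\CurrentControlSet\Control\Server Applications',
        'System\CurrentControlSet\Services\Eventlog',
        'Software\Microsoft\Windows NT\CurrentVersion'
    )
    $props = Get-ItemProperty -Path $allowed -ErrorAction SilentlyContinue
    foreach ($p in @($props.Machine)) {
        if (-not $p) { continue }
        if ($defaultMachine -notcontains $p) {      # comparison is case-insensitive
            $findings += "AllowedPaths\Machine has a non-default entry: $p"
        }
        if ($p -notmatch '\\') {                     # a bare hive name exposes a whole subtree
            $findings += "AllowedPaths\Machine entry '$p' covers an entire top-level subtree"
        }
    }
    if ($null -ne $props.Users) {
        $findings += "AllowedPaths\Users exists (absent by default): $($props.Users -join '; ')"
    }

    # 3. Null sessions: the article notes that a value of 0 overrides the
    #    restrictions above for anonymous callers.
    $nullSess = (Get-ItemProperty -Path $lanman -Name RestrictNullSessAccess `
        -ErrorAction SilentlyContinue).RestrictNullSessAccess
    if ($null -ne $nullSess -and $nullSess -eq 0) {
        $findings += 'RestrictNullSessAccess = 0: null sessions can reach the registry regardless of the winreg ACL'
    }
    return $findings
}

$result = @(Get-RemoteRegistryFindings)
if ($result.Count -eq 0) { 'No deviations from the article defaults found.' } else { $result }
```

The expected-principal list is taken from the article's Windows 2000 default; later Windows versions grant further read-only defaults on winreg, so treat each reported entry as something to review against the version's documented baseline rather than as an error in itself.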

APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows NT Workstation 3.51
  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Server 4.0 Standard Edition
Keywords: 
kbnetwork KB153183