https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/153183&feed=atom&action=history
Microsoft KB Archive/153183 - Revision history
2024-03-28T08:13:14Z
Revision history for this page on the wiki
MediaWiki 1.39.3
https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/153183&diff=326238&oldid=prev
X010: Text replacement - """ to """
2020-07-21T09:12:15Z
<p>Text replacement - """ to """</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en-GB">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 09:12, 21 July 2020</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l158">Line 158:</td>
<td colspan="2" class="diff-lineno">Line 158:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></div></li></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></div></li></div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><li>Select <del style="font-weight: bold; text-decoration: none;">&quot;</del>winreg<del style="font-weight: bold; text-decoration: none;">&quot;</del>. Click '''Security''' and then click '''Permissions'''. Add users or groups to which you want to grant access.</li></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><li>Select <ins style="font-weight: bold; text-decoration: none;">"</ins>winreg<ins style="font-weight: bold; text-decoration: none;">"</ins>. Click '''Security''' and then click '''Permissions'''. Add users or groups to which you want to grant access.</li></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><li>Exit Registry Editor and restart Windows.</li></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><li>Exit Registry Editor and restart Windows.</li></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><li>If you at a later stage want to change the list of users that can access the registry, repeat steps 10-12.</li></ol></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><li>If you at a later stage want to change the list of users that can access the registry, repeat steps 10-12.</li></ol></div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l166">Line 166:</td>
<td colspan="2" class="diff-lineno">Line 166:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Some services need remote access to the registry to function correctly. For example, the Directory Replicator service and the Spooler service when connecting to a printer over the network require access to the remote registry.<br /></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Some services need remote access to the registry to function correctly. For example, the Directory Replicator service and the Spooler service when connecting to a printer over the network require access to the remote registry.<br /></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><br /></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><br /></div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>You can either add the account name that the service is running under to the access list of the <del style="font-weight: bold; text-decoration: none;">&quot;</del>winreg<del style="font-weight: bold; text-decoration: none;">&quot; </del>key, or you can configure Windows to bypass the access restriction to certain keys by listing them in the Machine or Users value under the AllowedPaths key.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>You can either add the account name that the service is running under to the access list of the <ins style="font-weight: bold; text-decoration: none;">"</ins>winreg<ins style="font-weight: bold; text-decoration: none;">" </ins>key, or you can configure Windows to bypass the access restriction to certain keys by listing them in the Machine or Users value under the AllowedPaths key.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><div class="indent"></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><div class="indent"></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
</table>
X010
https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/153183&diff=76628&oldid=prev
3155ffGd: importing KB archive
2020-07-18T15:25:02Z
<p>importing KB archive</p>
<p><b>New page</b></p><div><div id="nsbanner"><br />
<br />
<div id="bannerrow1"><br />
<br />
{|<br />
| Knowledge Base<br />
|<br />
|}<br />
<br />
<br />
</div><br />
<div id="TitleRow"><br />
<br />
= <span id="KB153183"></span>How to restrict access to the registry from a remote computer =<br />
<br />
<br />
</div><br />
<br />
</div><br />
<div id="nstext" valign="BOTTOM"><br />
<br />
Article ID: 153183<br />
<br />
Article Last Modified on 2/21/2007<br />
<br />
<br />
-----<br />
<br />
APPLIES TO<br /><br />
<br /><br />
<br />
* Microsoft Windows 2000 Server<br />
* Microsoft Windows 2000 Advanced Server<br />
* Microsoft Windows 2000 Professional Edition<br />
* Microsoft Windows 2000 Datacenter Server<br />
* Microsoft Windows NT Workstation 3.51<br />
* Microsoft Windows NT Workstation 4.0 Developer Edition<br />
* Microsoft Windows NT Server 3.51<br />
* Microsoft Windows NT Server 4.0 Standard Edition<br />
<br />
<br />
-----<br />
<br />
<div class="notice_section"><br />
<br />
This article was previously published under Q153183<br />
<br />
</div><br />
<div class="notice_section"><br />
<br />
<div class="notice_section"><br />
<br />
<div class="notice_section"><br />
<br />
For a Microsoft Windows XP version of this article, see [[../314837|314837]].<br />
<br />
</div><br />
<br />
</div><br />
'''Important''' This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:<br />
<div class="indent"><br />
<br />
[[../256986|256986]] Description of the Microsoft Windows Registry<br />
<br />
<br />
</div><br />
<br />
</div><br />
<div class="summary_section"><br />
<br />
== SUMMARY ==<br />
<br />
Registry Editor supports remote access to the Windows Registry; however, you can also restrict this access.<br />
<br />
</div><br />
<div class="moreinformation_section"><br />
<br />
== MORE INFORMATION ==<br />
<br />
By default on a Windows NT 3.51 system any user can access the registry when connecting over the network. On a Windows NT 4.0 system and later, by default only members of the Administrators group can access the registry over the Network.<br /><br />
<br /><br />
Domain users can connect to the registry of a domain controller remotely by using Regedit.exe. They can then see values in the HKEY_CLASSES_ROOT entry and in the HKEY_USERS entry. However, they will have only read-only access. This is by design.<br /><br />
<br /><br />
'''Note''' Some services need access to the registry to function correctly. For example, if you add this key to a 3.51 system that is running Directory Replication, it is necessary to grant the Replicator account access to the registry as described later in this article.<br /><br />
<br /><br />
<br />
=== Restricting Network Access to the Registry ===<br />
<br />
'''Warning''' If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.<br /><br />
'''Note''' In Windows 2000 and later, only Administrators and Backup Operators have default network access to the registry. This section may not apply in certain instances. To restrict network access to the registry, follow the steps listed below to create the following Registry key:<br />
<div class="indent"><br />
<br />
<code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg</code><br /><br />
Name: Description<br /><br />
Type: REG_SZ<br /><br />
Value: Registry Server<br />
<br />
<br />
</div><br />
The Security permissions set on this key define what Users or Groups can connect to the system for remote Registry access. The default Windows installation defines this key and sets the Access Control List to restrict remote registry access as follows:<br />
<div class="indent"><br />
<br />
Administrators have Full Control<br />
<br />
<br />
</div><br />
The default configuration for Windows permits only Administrators remote access to the Registry. Changes to this key to allow users remote registry access require a system reboot to take effect.<br /><br />
<br /><br />
To create the registry key to restrict access to the registry:<br />
<ol><br />
<li>Start Registry Editor (Regedt32.exe) and go to the following subkey:<br />
<div class="indent"><br />
<br />
<p><code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control</code></p><br />
<br />
</div></li><br />
<li>On the '''Edit''' menu, click '''Add Key'''.</li><br />
<li>Enter the following values:<br />
<div class="indent"><br />
<br />
<p>Key Name: SecurePipeServers<br /><br />
Class: REG_SZ</p><br />
<br />
</div></li><br />
<li>Go to the following subkey:<br />
<div class="indent"><br />
<br />
<p><code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers</code></p><br />
<br />
</div></li><br />
<li>On the '''Edit''' menu, click '''Add Key'''.</li><br />
<li>Enter the following values:<br />
<div class="indent"><br />
<br />
<p>Key Name: winreg<br /><br />
Class: REG_SZ</p><br />
<br />
</div></li><br />
<li>Go to the following subkey:<br />
<div class="indent"><br />
<br />
<p><code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg</code></p><br />
<br />
</div></li><br />
<li>On the '''Edit''' menu, click '''Add Value'''.</li><br />
<li>Enter the following values:<br />
<div class="indent"><br />
<br />
<p>Value Name: Description<br /><br />
Data Type: REG_SZ<br /><br />
String: Registry Server</p><br />
<br />
</div></li><br />
<li>Go to the following subkey.<br />
<div class="indent"><br />
<br />
<p><code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg</code></p><br />
<br />
</div></li><br />
<li>Select &quot;winreg&quot;. Click '''Security''' and then click '''Permissions'''. Add users or groups to which you want to grant access.</li><br />
<li>Exit Registry Editor and restart Windows.</li><br />
<li>If you at a later stage want to change the list of users that can access the registry, repeat steps 10-12.</li></ol><br />
<br />
=== Bypassing the Access Restriction ===<br />
<br />
Some services need remote access to the registry to function correctly. For example, the Directory Replicator service and the Spooler service when connecting to a printer over the network require access to the remote registry.<br /><br />
<br /><br />
You can either add the account name that the service is running under to the access list of the &quot;winreg&quot; key, or you can configure Windows to bypass the access restriction to certain keys by listing them in the Machine or Users value under the AllowedPaths key.<br />
<div class="indent"><br />
<br />
<code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths</code><br />
<br />
<br />
</div><br />
<pre class="fixed_text"> Value: Machine<br />
Value Type: REG_MULTI_SZ - Multi string<br />
Default Data: System\CurrentControlSet\Control\ProductOptions<br />
System\CurrentControlSet\Control\Print\Printers<br />
System\CurrentControlSet\Services\Eventlog<br />
Software\Microsoft\Windows NT\CurrentVersion<br />
System\CurrentControlSet\Services\Replicator<br />
<br />
Valid Range: A valid path to a location in the registry.<br />
Description: Allow machines access to listed locations in the<br />
registry provided that no explicit access<br />
restrictions exists for that location.<br />
<br />
Value: Users<br />
Value Type: REG_MULTI_SZ - Multi string<br />
Default Data: (None)<br />
Valid Range: A valid path to a location in the registry.<br />
Description: Allow Users access to listed locations in the<br />
registry provided that no explicit access<br />
restrictions exists for that location. </pre><br />
Changed slightly in Windows 2000 and later:<br />
<pre class="fixed_text"> Value: Machine<br />
Value Type: REG_MULTI_SZ - Multi string<br />
Default Data: System\CurrentControlSet\Control\ProductOptions<br />
System\CurrentControlSet\Control\Print\Printers<br />
system\CurrentControlSet\control\Server Applications<br />
System\CurrentControlSet\Services\Eventlog<br />
Software\Microsoft\Windows NT\CurrentVersion<br />
<br />
Value: Users - Does not exist by default. </pre><br />
For additional information about how to programmatically access the Windows registry and apply security to a registry key, click the following article number to view the article in the Microsoft Knowledge Base:<br />
<div class="indent"><br />
<br />
[[../146906|146906]] How to secure performance data in Windows 2000, Windows NT, Windows XP<br />
<br />
<br />
</div><br />
<br /><br />
<br /><br />
'''Note''' It is possible to have remote access to the registry after you follow the steps in this article if the RestrictNullSessAccess registry value has been created and is set to 0. This value allows remote access to the registry by using a null session. The value overrides other explicit restrictive settings.<br />
<br />
</div><br />
<br /><br />
<br />
Additional query words: prodnt<br />
<br />
Keywords: kbnetwork KB153183<br />
<br />
<div class="footer"><br />
<br />
<br /><br />
<br />
<br />
-----<br />
<br />
[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]<br />
<br />
<span>© Microsoft Corporation. All rights reserved.</span><br />
<br />
<br />
</div><br />
<br />
</div></div>
3155ffGd