How to Disable Access to the Windows Registry
Messing around in the Windows Registry can cause all kinds of problems if you’re not careful. If you share your PC with others, you can prevent less experienced users from accessing and editing the Registry.
When you share a PC with other people, it can be really helpful to lock down certain aspects of Windows. For example, we’ve talked about how to prevent users from shutting down Windows and how to disable the Control Panel and settings interface. You can also disable access to the mother of all administrative tools—Registry Editor—if you’d prefer not everyone be able to get into it. Here’s how.
One very important warning, though. We’re going to remind you throughout these instructions to make sure you’re preventing access only for the users you want, but you should always leave at least one administrative account on your PC that isn’t locked down in any way—including access to the Registry. Otherwise, you may find yourself unable to reverse these changes.
Home Users: Disable Access to the Registry by Editing the Registry
If you have Windows 7, 8, or 10 Home, you will have to edit the Windows Registry to make these changes. You can also do it this way if you have Windows Pro or Enterprise, but just feel more comfortable working in the Registry. (If you have Pro or Enterprise, though, we recommend using the easier Local Group Policy Editor, as described in the next section.)
Standard warning: Registry Editor is a powerful tool and misusing it can render your system unstable or even inoperable. This is a pretty simple hack and as long as you stick to the instructions, you shouldn’t have any problems. That said, if you’ve never worked with it before, consider reading about how to use the Registry Editor before you get started. And definitely back up the Registry (and your computer!) before making changes.
Before you get started editing the Registry, you’ll need to take two steps:
- If the user account for which you want to restrict the Registry is a standard account, you’ll need to temporarily change it to be an administrator account. This will allow you to make the changes you need to make. And we’ll remind you to change it back again after it’s done.
- You’ll need to sign in as the user you want to make changes for, and then edit the Registry while logged in to their account.
And if you have multiple users for whom you want to make changes, you’ll have to repeat those two steps for each user.
After signing on as the user you’re making changes for, open the Registry Editor by hitting Start and typing “regedit.” Press Enter to open Registry Editor and give it permission to make changes to your PC.
In the Registry Editor, use the left sidebar to navigate to the following key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Next, you’ll create a new value inside that System key. Right-click the System key and choose New > DWORD (32-bit) value. Name the new value “DisableRegistryTools.”
Next, double-click the DisableRegistryTools value to open its properties window. Change the value from 0 to 1 in the “Value data” box and then click “OK.”
You can now exit Registry Editor. The changes take place immediately and you can test them by simply trying to open Registry Editor again. You should get an error message. Now, you can sign out as that user, sign back on with your administrative account, and change that user’s account back to a standard account if that’s how it was before.
If you ever want to reverse the changes, you’ll need to sign back on as that user—changing the account to an administrative one if it’s not already—and open up the Command Prompt with administrative privileges, since you won’t be able to access the Registry. At the prompt type the following command:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /t Reg_dword /v DisableRegistryTools /f /d 0
This command changes the DisableRegistryTools value from 1 back to 0. Alternatively, you can use the downloadable hack we detail in the next section.
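To confirm which accounts actually carry the restriction, and that no administrator has been locked out by mistake, the following added example (not part of the original article) reads DisableRegistryTools from each user hive under HKEY_USERS. It assumes an elevated Windows PowerShell 5.1 or later prompt, and it only sees hives that are currently loaded, meaning users who are signed in.

```powershell
# Added example: audit the DisableRegistryTools value for every loaded user hive.
# HKEY_CURRENT_USER is a per-user view, so each account is checked under HKEY_USERS\<SID>.
$policySubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Direct members of the built-in Administrators group (well-known SID S-1-5-32-544).
# Members that arrive through nested groups are not expanded here.
$adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { $_.SID.Value })

$report = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    # Keep local/domain (S-1-5-21-...) and Azure AD (S-1-12-1-...) profiles;
    # this skips service accounts and the <SID>_Classes hives.
    Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
    ForEach-Object {
        $sid = $_.PSChildName
        $key = "Registry::HKEY_USERS\$sid\$policySubKey"

        # A missing key or value yields $null, which means the restriction is not set.
        $value = (Get-ItemProperty -Path $key -Name DisableRegistryTools `
                    -ErrorAction SilentlyContinue).DisableRegistryTools

        # Resolve the SID to a readable account name where possible.
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '(unresolved)'
        }

        [pscustomobject]@{
            Account              = $account
            Sid                  = $sid
            DisableRegistryTools = if ($null -eq $value) { 'not set' } else { $value }
            Blocked              = ($null -ne $value -and $value -ne 0)
            IsAdmin              = $adminSids -contains $sid
        }
    }

$report | Format-Table -AutoSize

# Flag administrators that carry the restriction: at least one administrative
# account should stay unrestricted so the change can be reversed.
$report | Where-Object { $_.Blocked -and $_.IsAdmin } | ForEach-Object {
    Write-Warning "Administrator $($_.Account) is blocked from Registry Editor."
}
```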
Download Our One-Click Registry Hack
If you don’t feel like diving into the Registry yourself, we’ve created two downloadable registry hacks you can use. One hack disables access to Registry Editor and the other hack enables access. To use them, you’ll need to follow these steps:
- Change the user account for which you want to disable the Registry to an administrator account, if it isn’t one already.
- Sign on with the user account for which you want to make changes.
- Double-click the hack you want to use and click through the prompts.
- Sign out and then sign in with your administrative account.
- Change the user account you made changes for back to a standard account if that’s how it was set up before.
Both hacks are included in the following ZIP file.
Disable Registry Hacks
These hacks are really just the System key, stripped down to the DisableRegistryTools value we described above, and then exported to a .REG file. Running the “Disable Registry for Current User” hack creates the DisableRegistryTools value and sets the value to 1. Running the “Enable Registry for Current User (Default)” hack sets the value back to 0. And if you enjoy fiddling with the Registry, it’s worth taking the time to learn how to make your own Registry hacks.
Pro and Enterprise Users: Disable Access to the Registry with Local Group Policy Editor
If you’re using Windows Pro or Enterprise, the easiest way to disable access to the Registry for specific users is by using the Local Group Policy Editor. It also gives you a bit more power over which users have this restriction. You’ll need to do a little extra setup by first creating a policy object for those users. You can read all about that in our guide to applying local Group Policy tweaks to specific users.
You should also be aware that group policy is a pretty powerful tool, so it’s worth taking some time to learn what it can do. Also, if you’re on a company network, do everyone a favor and check with your admin first. If your work computer is part of a domain, it’s also likely that it’s part of a domain group policy that will supersede the local group policy, anyway.
Start by finding the MSC file you created for controlling policies for those particular users. Double-click to open it and allow it to make changes to your PC. In this example, we’re using one we created for applying policy to all non-administrative user accounts.
In the Group Policy window for those users, on the left-hand side, drill down to User Configuration > Administrative Templates > System. On the right, find the “Prevent access to registry editing tools” item and double-click it to open its properties dialog.
In the setting’s properties window, click the “Enabled” option and also make sure the “Disable regedit from running silently” option is set to “Yes.” When it’s allowed to run silently, users can still apply preconfigured REG files by executing them from the command line with a silent option. When you disallow this option by selecting “Yes,” users will not be able to make any changes to the Registry. When you’re done, click “OK.”
You can now exit the Local Group Policy Editor. Changes should take place immediately. To test it, just sign in as one of the affected users and make sure you can’t start Registry Editor. To reverse the change later, just go back to the same “Prevent access to registry editing tools” setting and change it back to “Not Configured.”