Monday, November 30, 2009

bench3

Prevent Changes To A Registry Key | Stop Software From Modifying Your Windows Registry

Security has always been one of Microsoft’s favorite marketing buzzwords, never more so than when Windows Vista was introduced, and Windows 7 is now a bit more secure. But as it turns out, Vista and Windows 7’s security features are quite a bit more useful for protecting your PC from itself than from any alleged intruders.


The permissions system in Windows Vista and Windows 7 doesn’t just protect files and folders; it also restricts who can read and modify Registry entries. This feature is tremendously important, yet most people don’t even know it’s there. It means you can lock a Registry key to prevent employees from installing software on a company PC, or prevent kids from disabling parental controls on a family PC.


Permissions also let you lock file type associations, preventing other applications from changing them. And by locking certain other keys, you can help protect your PC from viruses and spyware. 


Here’s how you do it:
  1. Open the Registry Editor, and navigate to the key you want to protect. You can’t protect individual values, but rather only the keys that contain them. This means that if you lock a key to protect one of its values, none of its values can be modified. You can, however, choose whether or not your changes are made to the subkeys of the selected key.
  2. Right-click the key, and select Permissions.
  3. Click Advanced, and then click Add. If the Add button is disabled (grayed out), you’ll have to take ownership of the key, close the Permissions window, and then reopen it before you can make any changes to the permissions of this object.
  4. In the Enter the object names to select field, type Everyone, and then click OK. (The “Everyone” user encompasses all user accounts, including those used by Windows processes and individual applications when they access the Registry.)
  5. In the next window, “Permission Entry for...”, click the checkbox in the Deny column next to the actions you want to prohibit, as in the figure (“Lock a Registry key to prevent applications or Windows from modifying it”). See below for examples.
  6. When you’re done, click OK in each of the three open dialog windows. The change will take effect immediately.

Now, you may be tempted to remove Allow permissions for a particular user (or even all users), rather than add the Deny entry shown here. The problem is that doing so wouldn’t prevent an application or Windows from taking ownership or adding the necessary permissions and breaking your lock. Furthermore, it would make it much more difficult to restore the old permissions should you need to remove the lock; using this procedure, all you need to do is remove the Deny rule and you’re done.


This works because Windows gives Deny rules priority over Allow rules, which means you can lock a key even if there’s another Allow rule that expressly gives a user permission to modify the item.

So, which keys do you lock, and which actions do you forbid? Here are some examples:
Make a read-only key. To lock a value yet still allow applications and Windows to read it, check the Deny box next to Set Value, Delete, and Write Owner, as in the above figure.

Create a complete lock-out. To prevent all applications from reading, modifying, or deleting a value, check the Deny box next to Full Control.

Keep away ShellNew. To prevent applications from making new keys under the selected key, check the Deny box next to Create Subkey. For instance, you can do this to file type keys to prevent applications from adding themselves to Windows Explorer’s New list.

Enforce security policies. To prevent another user from modifying a security policy, locate the corresponding key in the Registry. Then, instead of adding a Deny rule to the key as described above, remove any permissions that allow anyone other than an administrator to delete, modify, or add subkeys to the key. Make sure that there’s still at least one rule for the Administrators group (or at least your own administrator-level account) that affords Full Control.

Lock file types. The File Type Doctor utility has a feature that uses permissions to lock file types, thus preventing applications from “stealing” them. 

File Type Doctor, part of Creative Element Power Tools (available at http://www.creativelement.com/powertools/) lets you customize your context menus, change file type icons, and choose defaults.
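The procedure and the read-only example above, scripted in PowerShell as an added example (not code from the original post). The function names and the throwaway key HKCU\Software\LockDemo are constructed for illustration; the script uses the .NET RegistryKey API and includes the undo step of removing the Deny rule.

```powershell
# Added example; function names and the HKCU\Software\LockDemo key are constructed.
$EveryoneSid = 'S-1-1-0'   # well-known SID for Everyone; avoids the localized name

function Open-KeyForAcl([string]$SubKey) {
    # Request only READ_CONTROL and WRITE_DAC. An open that asks for write access
    # would itself be refused once Set Value is denied on the key.
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions')
    if ($null -eq $key) { throw "Key not found: HKCU\$SubKey" }
    $key
}

function Get-EveryoneDenyRule($Acl) {
    # Explicit (non-inherited) Deny entries for Everyone, with identities as SIDs.
    $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $EveryoneSid }
}

function Add-RegistryKeyLock {
    param([string]$SubKey,
          [System.Security.AccessControl.RegistryRights]$Rights = 'SetValue, Delete, TakeOwnership',
          [switch]$IncludeSubkeys)   # step 1: optionally apply the rule to subkeys too
    $inherit = if ($IncludeSubkeys) { 'ContainerInherit' } else { 'None' }
    $sid  = New-Object System.Security.Principal.SecurityIdentifier $EveryoneSid
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($sid, $Rights, $inherit, 'None', 'Deny')
    $key  = Open-KeyForAcl $SubKey
    try {
        $acl = $key.GetAccessControl('Access')
        $acl.AddAccessRule($rule)        # .NET keeps Deny entries ahead of Allow entries
        $key.SetAccessControl($acl)
    } finally { $key.Close() }
}

function Remove-RegistryKeyLock([string]$SubKey) {
    $key = Open-KeyForAcl $SubKey
    try {
        $acl = $key.GetAccessControl('Access')
        foreach ($rule in @(Get-EveryoneDenyRule $acl)) { $acl.RemoveAccessRuleSpecific($rule) }
        $key.SetAccessControl($acl)
    } finally { $key.Close() }
}

# Constructed demo on a throwaway key: lock, show the write failing, unlock, clean up.
$demo = 'Software\LockDemo'
New-Item "HKCU:\$demo" -Force | Out-Null
Add-RegistryKeyLock $demo
try { Set-ItemProperty "HKCU:\$demo" -Name Test -Value 1 -ErrorAction Stop } catch { "Write blocked: $($_.Exception.Message)" }
Remove-RegistryKeyLock $demo
Set-ItemProperty "HKCU:\$demo" -Name Test -Value 1; Remove-Item "HKCU:\$demo"
```

The key's owner keeps the right to edit its permissions, which is why the undo works even while Set Value is denied. An elevated process can likewise take ownership and remove the entry, so the lock constrains standard-user processes, not code that already runs with administrator rights.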


About bench3 -

Haja Peer Mohamed H, Software Engineer by profession, Author, Founder and CEO of "bench3". You can connect with me on Twitter, Facebook and also on Google+


7 comments

Anonymous
May 21, 2013 at 12:34 AM

Thank you. After changing the permissions as in the picture, the virus that was loading on startup does not load anymore.

Anonymous
February 1, 2014 at 8:52 PM

Many Thanks!!
Very detailed and clear.

Unknown
April 13, 2016 at 8:28 PM

How do I undo this? It says I no longer have permissions to change it.

April 14, 2016 at 5:55 PM

Check if you have the admin rights to modify the registry, and if you have the rights, please make sure your antivirus or firewall is not blocking you from modifying it. If the issue still continues, most probably your registry got corrupted; try the steps on another user ID.

Anonymous
August 24, 2016 at 10:25 PM

Many Thanks!
Works flawlessly, as I need.

Allan Gomez
June 28, 2017 at 9:35 PM

Many Thanks!
Works flawlessly, as I need.
