To edit the registry of a remote computer, choose the Select Computer option from the Registry menu, and the Select Computer dialog box will appear. Select the remote computer whose registry you want to edit and click the OK button. The Registry Editor will then open the remote computer's registry and display the HKEY_LOCAL_MACHINE and HKEY_USERS subtrees. The Registry Editor will warn you that the editor's Auto-Refresh feature won't work with the remote computer's registry before allowing you to make changes. To close the remote computer's registry, select Close from the Registry menu.

Windows NT 3.51 with Service pack 4 or Windows NT version 4.0, remote access to registry is turned off by default for servers. To turn off for workstation, create the registry key to restrict access to the registry:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
Name: Description
Type: REG_SZ
Value: Registry Server

In English, you need to add (if it does not exist) the key winreg to SecurePipeServers; then add the value, Description, of type REG_SZ, with the data (string), Registry Server.

When you attempt to connect to the registry of a remote computer running Windows NT, the Server service on the target computer checks for the presence of the Winreg key and if it does not exist, you are permitted to connect to the remote computer's registry. If Winreg exists, the ACL on Winreg is checked, and if the ACL gives the you read or write access you are connected to the registry. The gotcha!, since is often misunderstood, is the meaning of the ACL gives the you read or write access. Select winreg (highlight it), click Security, and then click Permissions. You add users and groups you want to grant remote access. Thus you would NOT add everyone or authenicated users and those groups would be blocked. You might want to add or leave domain admins.

The Registry path names listed in the following key define Registry keys that are exempt from Winreg's otherwise global ACL.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\SecurePipeServers\WinReg\AllowedPaths
Name: Machine
Type: REG_MULTI_SZ
The value would be a valid path to a location(s) in the registry. The default value is: SYSTEM\CurrentControlSet\Control\ProductOptions
SYSTEM\CurrentControlSet\Control\Print\Printers
SYSTEM\CurrentControlSet\Services\Eventlog
SYSTEM\CurrentControlSet\Services\Replicator
Software\Microsoft\Windows NT\CurrentVersion

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\SecurePipeServers\WinReg\AllowedPaths
Name: Users
Type: REG_MULTI_SZ
The value would be a valid path to a location(s) in the registry. There is no default value. This allows Users access to specific locations in the registry providing it not blocked by the keys ACL. Each key in the registry has its own ACL. The registry ACLs are conceptually similar to file permission ACLs. The registry ACL access permission types follow.

This tip gives you a method to restrict or block remote access to the registry. I rewrote it when I couldn't successfully follow my own tip. To be honest, I strongly recommend blocking all remote access: registry, shares, or whatever - by disabling the Server service. It is the single most effective method to frustrate hackers. In any case, if your environment does not support disabling Server service, you can use this tip to secure the registry from inappropriate remote access.

Related Tips:
disable use of registry editors
Q143474, Q143475, Q161372

Excellent!!!! Scary. Hack Win9x, NT, Netware, Unix, Web, ...

Covers NT4 & NT2000. 3Ps covered well: policies, permissions, profiles.