Normal accounts & reg edit

Discussion in 'Windows Vista Security' started by Jason, Apr 6, 2006.

  1. Jason

    Jason Guest

    Hey all,

    I was wondering with all this security that is being talked about, can
    anyone tell me if a normal account could type in regedit or regedit32 from a
    run line without it prompting to enter the admin password?

    If this comes up, maybe, that should be a needed security feature..
     
    Jason, Apr 6, 2006
    #1
    1. Advertisements

  2. Yes, but of course you will only be able to modify your own HKCU hive (and
    virtualized Class IDs)
    --
    Pierre Szwarc
    Paris, France
    PGP key ID 0x75B5779B
    ------------------------------------------------
    Multitasking: Reading in the bathroom !
    ------------------------------------------------

    "Jason" <> a écrit dans le message de ...
    | Hey all,
    |
    | I was wondering with all this security that is being talked about, can
    | anyone tell me if a normal account could type in regedit or regedit32 from
    a
    | run line without it prompting to enter the admin password?
    |
    | If this comes up, maybe, that should be a needed security feature..
    |
    |
     
    Pierre Szwarc, Apr 6, 2006
    #2
    1. Advertisements

  3. Try this, Click Start > All Programs > Accessories > right click Command
    Prompt > Run As Administrator > Allow > and type in regedit, you should have
    full access to make changes to the registry.
     
    Andre Da Costa [Extended64], Apr 6, 2006
    #3
  4. Jason

    Jason Guest

    Thanks for the info. However, my concern is having normal users in the
    registry editors. IMO, normal users have no reason to be going into the
    registry. If an administrator wishes to have access to it, it should prompt
    for the Admin password like it does to run MSConfig.
     
    Jason, Apr 7, 2006
    #4
  5. Andre Da Costa [Extended64], Apr 7, 2006
    #5
  6. Jason

    Alan Adams Guest

    The ability to disable the running of REGEDIT already exists as a
    Windows policy. (“Prevent Access to Registry Editing Tools”,
    http://support.microsoft.com/kb/831787/) The users do have rights to
    modify their own profile's area of the registry, whether we as
    administrators feel like we make it easy on them to do so or not.

    So I wouldn't get too bent over whether REGEDIT.EXE will prompt normal
    users for the Administrator password (even if the user just wants to
    edit something the user actually has rights to edit). I think the
    existing "DisableRegistryTools" probably goes as far as anything
    should in providing a false sense of security that users can't get
    into registry trouble without REGEDIT.

    Alan Adams
     
    Alan Adams, Apr 8, 2006
    #6
  7. Jason

    Alun Jones Guest

    As has already been pointed out by others, you can certainly deploy a policy
    that prevents your users from having access to the registry editing tools, but
    the users do actually have a need to access their own registry hives, so you
    need to leave the registry ACLs on their own HKCU hive open to them.

    And if they're allowed to change registry settings through other programs, are
    you really achieving much by preventing them from directly editing the
    registry? I can think of a couple of benefits of disabling their access to
    regedit:

    1. Stops people from downloading and installing .REG files that might
    otherwise cause damage. Of course, that means that it also prevents them from
    downloading and installing .REG files that come as part of their local
    installation of a program...
    2. Stops users from tinkering with things they do not understand. But then,
    they'll tinker with other things they do not understand, anyway, so perhaps
    you just have to come up with creative ways of persuading them to hold out
    their hands for you to slap every time they do this.

    Alun.
    ~~~~

    [Please don't email posters, if a Usenet response is appropriate.]
     
    Alun Jones, Apr 10, 2006
    #7
  8. All good, and valid, comments so far.
    I might add that we should not judge the advisability of limited
    accounts having access to reg editing based on how per-user
    settings are (partially, limply - at least by the third-party ISV
    community) used today. Imagine if the HKCU were very actively
    used for app (and OS) per-user perference/history/etc persistence.

    Roger
     
    Roger Abell [MVP], Apr 21, 2006
    #8
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.