Prevent Changes To A Registry Key | Avoid Softwares To Modify Your Windows Registry

Security has always been one of Microsoft’s favorite marketing buzzwords, and never more so than when Windows Vista was introduced and now Windows 7 has a bit more secure. But as it turns out, Vista and Windows 7’s security features are quite a bit more useful for protecting your PC from itself than from any alleged intruders.

The permissions system in windows VISTA and Windows 7 doesn’t just protect files and folders, it restricts who can read and modify Registry entries. This feature is tremendously important, yet most people don’t even know it’s there. It means you can lock a Registry key to prevent employees from installing software on a company PC, or prevent kids from disabling parental controls on a family PC.

Permissions also let you lock file type associations, preventing other applications from changing them. And by locking certain other keys, you can help protect your PC from viruses and spyware. 

Here’s how you do it:

1. Open the Registry Editor, and navigate to the key you want to protect. You can’t protect individual values, but rather only the keys that contain them. This means that if you lock a key to protect one of its values, none of its values can be modified. You can, however, choose whether or not your changes are made to the subkeys of the selected key.
2. Right-click the key, and select Permissions.
3. Click Advanced, and then click Add.  If the Add button is disabled (grayed out), you’ll have to take ownership of the key, close the Permissions window, and then reopen it before you can make any changes to the permissions of this object.
4. In the Enter the object names to select field, type Everyone, and then click OK. (The “Everyone” user encompasses all user accounts, including those used by Windows processes and individual applications when they access the Registry.)
5. In the next window, “Permission Entry for...”, click the checkbox in the Deny column, next to the actions you want to prohibit, as in Figure (Lock a Registry key to prevent applications or Windows from modifying it) . See below for examples.
6. When you’re done, click OK in each of the three open dialog windows. The change will take effect immediately.

Now, you may be tempted to remove Allow permissions for a particular user (or even all users), rather than add the Deny entry shown here. The problem is that doing so wouldn’t prevent an application or Windows from taking ownership or adding the necessary permissions and breaking your lock. Furthermore, it would make it much more difficult to restore the old permissions should you need to remove the lock; using this procedure, all

you need to do is remove the Deny rule and you’re done. 

This works because Windows gives Deny rules priority over Allow rules, which means you can lock a key even if there’s another Allow rule that expressly gives a user permission to modify the item.

So, which keys do you lock, and which actions do you forbid? Here are some examples:

Make a read-only key. To lock a value yet still allow applications and Windows to read it, place a Deny checkbox next to Set Value, Delete, and Write Owner, as in the above figure.

Create a complete lock-out. To prevent all applications from reading, modifying, or deleting a value, place a Deny checkbox next to Full Control. Keep away ShellNew. To prevent applications from making new keys under the selected key, place a Deny checkbox next to Create Subkey. For instance, you can do this to file type keys to prevent applications from adding themselves to Windows Explorer’s New list. Enforce security policies. 

To prevent another user from modifying a security policy, Lock a Registry key to prevent applications or Windows from modifying it the corresponding key in the Registry. Then, instead of adding a Deny rule to the key as described above, remove any permissions that allow anyone other than an administrator to delete, modify, or add subkeys to the key. Make sure that there’s still at least one rule for the Administrators group (or at least your own administrator-level account) that affords Full Control.

Lock file types. The File Type Doctor utility has a feature that uses permissions to lock file types, thus preventing applications from “stealing” them. 

File Type Doctor, part of Creative Element Power Tools (available at http://www.creativelement.com/powertools/) lets you customize your context menus, change file type icons, and choose defaults.