The Security Configuration Manager (SCM) set of tools
allows security administrators to define security templates that can be applied
to individual machines or any number of machines via group policy. Security
templates can contain password policies, lockout policies, Kerberos policies,
audit policies, event log settings, registry values, service startup modes,
service permissions, user rights, group membership restrictions, registry
permissions and file system permissions.
This article describes how to extend the set of registry values that the SCM tools expose.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
The security relevant registry values
configurable by SCM appear under Local Policies\Security Options when using SCM
tools such as the security templates snap-in, the security configuration and
analysis snap-in, or the security settings extension to Group Policy. You may
want to extend the default list of registry values to include additional values
that are security relevant in your environment.
Customizing the list of registry values exposed by SCM is accomplished by modifying and then registering the Sceregvl.inf file located in the %windir%\inf folder. Sceregvl.inf only needs to be modified on the machines where you use the SCM user interfaces (UIs) to create templates, define policies, perform analyses and so on. It does not have to be modified or registered on every machine where the security template is applied, because it affects only the SCM UIs.
Once Sceregvl.inf has been modified and registered, your custom registry values are exposed in the SCM UIs on that machine. You can then create security templates or policies that define your new registry values. These templates or policies can then be applied to any machine regardless of whether Sceregvl.inf has been modified on the target machine.
The following example illustrates how the NoLMHash registry
value is exposed as "Network security: Do not store LAN Manager hash value on
next password change" on the Windows XP version of SCM:
[Register Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash,4,%NoLMHash%,0
[Strings]
NoLMHash = "Network security: Do not store LAN Manager hash value on next password change"
The syntax for the entries in the [Register Registry Values] section is as follows:
RegistryPath,RegistryType,DisplayName,DisplayType,Options
The following table provides an explanation for each
of the parameters listed above:
| Parameter | Explanation |
|---|---|
| RegistryPath | The full path of the registry key and value that you want to expose in the UI. Only values under the HKEY_LOCAL_MACHINE hive can be configured; that hive is referenced by the keyword MACHINE. |
| RegistryType | A number that defines the type of the registry value: 1 = REG_SZ, 2 = REG_EXPAND_SZ, 3 = REG_BINARY, 4 = REG_DWORD, 7 = REG_MULTI_SZ. |
| DisplayName | The string that ultimately appears in the Security Options section of the SCM UIs. This is usually a replaceable parameter that refers to an entry in the [Strings] section of Sceregvl.inf, which makes localization easier. |
| DisplayType | The type of dialog the SCM UI renders so that the user can define the setting for the registry value. The supported DisplayTypes (0 to 5) are listed below the table. |
| Options | Qualifies DisplayTypes 1, 3 and 5 as described below the table. |

Supported DisplayTypes:

- 0 - Boolean: The UI renders two radio buttons to "Enable" or "Disable" the registry value. If "Enabled" is selected, the registry value is set to 1; if "Disabled" is selected, it is set to 0.
- 1 - Numeric: The UI renders a numeric spin control that allows the user to type in or select a numeric value in the range 0 to 99999. Numeric display types can specify "unit" strings such as "minutes", "seconds" etc. that appear next to the spin control in the UI; these unit strings are defined in the Options field. The registry value is set to the number entered by the user.
- 2 - String: The UI renders a text box. The registry value is set to the string entered by the user.
- 3 - List: The UI renders a list box from which the user can select one of several options. The registry value is set to the numeric value associated with the option chosen by the user. The options presented to the user are defined in the Options field.
- 4 - Multivalued (available on Windows XP only): The UI renders a multi-line edit control that allows the user to enter multiple lines of text. This display type should be used to define values for REG_MULTI_SZ types. The registry value is set to the strings entered by the user, with each line separated by a NULL byte.
- 5 - Bitmask (available on Windows XP only): The UI renders a series of check boxes, where each check box corresponds to a numeric value defined in the Options field. The registry value is set to the bitwise OR of the selected values.

The Options field qualifies the DisplayTypes as follows:

- DisplayType=1 (Numeric): The Options field may contain a string that defines the units for the numeric value. The unit string is displayed next to the spin control in the UI and has no impact on the value set in the registry.
- DisplayType=3 (List): The Options field defines the list options that are available to the user. Each option consists of a numeric value, the "pipe" character '|', and the text for the choice. The registry value is set to the numeric value associated with the choice made by the user. See the LMCompatibilityLevel entry in Sceregvl.inf for an example of a registry value that allows the user to select from one of five possible values.
- DisplayType=5 (Bitmask): The Options field defines the choices that are available to the user. Each choice consists of a numeric value, the "pipe" character '|', and the text for the choice. The registry value is set to the bitwise OR of the choices selected by the user. See the NTLMMinClientSec entry in Sceregvl.inf for an example of a registry value that allows the user to combine several choices into one numeric registry setting.
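As an added example (not code from the article or from Microsoft), the following Python module parses the [Register Registry Values] and [Strings] syntax just described, resolves %name% references, checks each entry against the parameter table, and computes the value SCM would write to the registry for a given UI choice under each DisplayType, including the out-of-range and not-an-option cases. The sample INF text is constructed for this example: the NoLMHash line is the article's, the Contoso entries are hypothetical, and the assumption that List and Bitmask options are comma-separated "value|text" fields after DisplayType is the example's, not something the article states.

```python
"""Added example (not from the article): parse the [Register Registry Values] syntax above,
resolve %name% references via [Strings], validate entries, and encode UI choices per DisplayType."""
import re
from collections import namedtuple

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
BOOLEAN, NUMERIC, STRING, LIST, MULTIVALUED, BITMASK = range(6)   # DisplayType codes
NUMERIC_MAX = 99999                                                # spin-control upper bound

# Constructed sample: NoLMHash is the article's entry; the Contoso entries are hypothetical.
# Assumption: List/Bitmask options are comma-separated "value|text" fields after DisplayType.
SAMPLE_INF = r"""
[Register Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash,4,%NoLMHash%,0
MACHINE\Software\Contoso\Policy\LogLevel,4,%LogLevel%,3,0|%Lvl0%,1|%Lvl1%
MACHINE\Software\Contoso\Policy\Features,4,Contoso: Enabled features,5,1|Feature A,2|Feature B,4|Feature C
MACHINE\Software\Contoso\Policy\Timeout,4,Contoso: Session timeout,1,minutes
MACHINE\Software\Contoso\Policy\Hosts,7,Contoso: Allowed hosts,4
[Strings]
NoLMHash = "Network security: Do not store LAN Manager hash value on next password change"
LogLevel = "Contoso: Logging level"
Lvl0 = "Errors only"
Lvl1 = "Errors and warnings"
"""

# options: [(value, text)] for List/Bitmask, else []; unit: label shown beside a Numeric spin control
RegValue = namedtuple("RegValue", "path reg_type display_name display_type options unit")

def _sections(text):
    """Map lowercase section name -> its non-empty, non-comment lines."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def _resolve(token, strings):
    """%name% refers to the [Strings] section; anything else is literal text."""
    m = re.fullmatch(r"%(.+)%", token.strip())
    if m and m.group(1) not in strings:
        raise ValueError(f"unresolved string reference {token}")
    return strings[m.group(1)] if m else token.strip()

def parse_sceregvl(text):
    """Return a RegValue for each line of [Register Registry Values]."""
    sections = _sections(text)
    strings = {}
    for name, _, value in (line.partition("=") for line in sections.get("strings", [])):
        strings[name.strip()] = value.strip().strip('"')
    entries = []
    for line in sections.get("register registry values", []):
        fields = line.split(",")          # RegistryPath,RegistryType,DisplayName,DisplayType,Options...
        path, reg_type, name, disp, rest = fields[0], int(fields[1]), fields[2], int(fields[3]), fields[4:]
        options = [(int(o.partition("|")[0]), _resolve(o.partition("|")[2], strings))
                   for o in rest] if disp in (LIST, BITMASK) else []
        unit = _resolve(rest[0], strings) if disp == NUMERIC and rest else ""
        entries.append(RegValue(path, reg_type, _resolve(name, strings), disp, options, unit))
    return entries

def validate(e):
    """Problems with an entry; an empty list means it matches the parameter table above."""
    checks = [
        (e.path.upper().startswith("MACHINE\\"), "RegistryPath must start with MACHINE (HKLM only)"),
        (e.reg_type in REG_TYPES, f"unknown RegistryType {e.reg_type}"),
        (0 <= e.display_type <= BITMASK, f"unknown DisplayType {e.display_type}"),
        (e.display_type not in (LIST, BITMASK) or bool(e.options), "List/Bitmask need value|text options"),
        (e.display_type != MULTIVALUED or e.reg_type == 7, "Multivalued should be used with REG_MULTI_SZ (7)"),
    ]
    return [msg for ok, msg in checks if not ok]

def encode(entry, choice):
    """Value SCM writes to the registry for a UI choice, per DisplayType."""
    dt = entry.display_type
    if dt == BOOLEAN:                              # Enabled -> 1, Disabled -> 0
        return 1 if choice else 0
    if dt == NUMERIC:                              # the unit label never changes the value
        if not 0 <= int(choice) <= NUMERIC_MAX:
            raise ValueError(f"{choice} is outside 0..{NUMERIC_MAX}")
        return int(choice)
    if dt == STRING:
        return str(choice)
    if dt == MULTIVALUED:                          # one NUL byte between the lines entered
        return "\0".join(choice)
    if dt not in (LIST, BITMASK):
        raise ValueError(f"unknown DisplayType {dt}")
    allowed = {value for value, _ in entry.options}
    chosen = set(choice) if dt == BITMASK else {int(choice)}
    if chosen - allowed:
        raise ValueError(f"{sorted(chosen - allowed)} not among options {sorted(allowed)}")
    mask = 0
    for flag in chosen:                            # List: the one value; Bitmask: OR of the flags
        mask |= flag
    return mask
```

To check a real file, pass the text of %windir%\inf\Sceregvl.inf to parse_sceregvl and run validate on every entry before you register it; an unresolved %name% or a Multivalued entry on a non-REG_MULTI_SZ value is cheaper to catch here than in the SCM UI.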
NOTE: After you have modified the Sceregvl.inf file to include your custom registry settings, register the changes by running the following command:
regsvr32 scecli.dll
Subsequent launches of the SCM UIs expose your custom registry values. Security templates or policies that contain settings for your new registry values can be applied to any machine regardless of whether the target machine has received these UI modifications.
Important The registered entries are stored in the registry, so removing a line from Sceregvl.inf alone does not remove the entry from the SCM UIs. If you want to remove a custom entry, you have to remove the relevant registry entries and then re-register Sceregvl.inf. To do this, follow these steps:
1. Remove the customized registry entries from the Sceregvl.inf file.
2. Delete the registry entries for the customized values under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values.
3. Click Start, click Run, type regsvr32 scecli.dll, and then press Enter.
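The add, register, verify and remove steps above, scripted as an added example (not code from the article or from Microsoft). The text-editing helpers run anywhere; only the functions that touch the registry or run regsvr32 are Windows-specific. Two things here are assumptions rather than statements from the article: that each registered entry shows up as a subkey under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values whose name is the RegistryPath with backslashes turned into forward slashes (confirm this in regedit on your own system), and the hypothetical Contoso value used for the demonstration.

```python
"""Added example (not from the article): script the register / verify / remove steps for
one custom Sceregvl.inf entry. Assumption, not from the article: SCM stores each registered
entry as a subkey of SeCEdit\\Reg Values named after the RegistryPath with '/' separators."""
import os
import re
import subprocess

SECEDIT_REG_VALUES = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values"
# Hypothetical custom value for the demonstration; not a real policy setting.
CUSTOM_PATH = r"MACHINE\Software\Contoso\Policy\RequireSigning"
CUSTOM_NAME = "ContosoRequireSigning"
CUSTOM_TEXT = "Contoso: Require signing for internal RPC"

def inf_entry(path, reg_type, string_name, display_type, *options):
    """Build one [Register Registry Values] line; DisplayName is the %string_name% reference."""
    return ",".join([path, str(reg_type), f"%{string_name}%", str(display_type), *options])

def add_to_inf(inf_text, entry_line, string_name, display_text):
    """Place the entry in [Register Registry Values] and its text in [Strings]."""
    out = []
    for line in inf_text.splitlines():
        out.append(line)
        if line.strip().lower() == "[register registry values]":
            out.append(entry_line)
        elif line.strip().lower() == "[strings]":
            out.append(f'{string_name} = "{display_text}"')
    return "\n".join(out) + "\n"

def remove_from_inf(inf_text, path, string_name):
    """Step 1 of the removal procedure: drop the entry line and its [Strings] line."""
    entry = re.compile(re.escape(path) + r"\s*,", re.IGNORECASE)
    text = re.compile(r"^\s*" + re.escape(string_name) + r"\s*=", re.IGNORECASE)
    kept = [l for l in inf_text.splitlines() if not (entry.match(l.strip()) or text.match(l))]
    return "\n".join(kept) + "\n"

def reg_values_subkey(path):
    # Assumption: the subkey is named after RegistryPath with '\' replaced by '/'.
    return SECEDIT_REG_VALUES + "\\" + path.replace("\\", "/")

def sceregvl_file():
    return os.path.join(os.environ.get("windir", r"C:\Windows"), "inf", "Sceregvl.inf")

def register_scecli():
    """The NOTE above / step 3: re-register scecli.dll so SCM re-reads Sceregvl.inf (/s = no dialog)."""
    subprocess.run(["regsvr32", "/s", "scecli.dll"], check=True)

def is_registered(path):
    """True if the entry's subkey exists under SeCEdit\\Reg Values (Windows only)."""
    import winreg
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, reg_values_subkey(path)))
        return True
    except FileNotFoundError:
        return False

def unregister(path):
    """Step 2 of the removal procedure: delete the entry's subkey (Windows only, elevated)."""
    import winreg
    winreg.DeleteKey(winreg.HKEY_LOCAL_MACHINE, reg_values_subkey(path))

if __name__ == "__main__" and os.name == "nt":
    # Run from an elevated prompt: %windir%\inf and HKLM are not writable otherwise.
    raw = open(sceregvl_file(), "rb").read()
    enc = "utf-16" if raw.startswith(b"\xff\xfe") else "mbcs"   # keep the file's own encoding
    line = inf_entry(CUSTOM_PATH, 4, CUSTOM_NAME, 0)            # Boolean DWORD, like NoLMHash
    open(sceregvl_file(), "wb").write(add_to_inf(raw.decode(enc), line, CUSTOM_NAME, CUSTOM_TEXT).encode(enc))
    register_scecli()
    print("registered" if is_registered(CUSTOM_PATH) else "not found: check the assumed subkey naming")
```

To undo the change, call remove_from_inf on the file contents and write them back, call unregister(CUSTOM_PATH), and run register_scecli() again; that is the three-step removal procedure above in the same order.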