
Controlling remote Performance Monitor access to Windows NT servers

This article was previously published under Q164018

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information on how to do this, view the "Restoring the Registry" online Help topic in Regedit.exe or the "Restoring a Registry Key" online Help topic in Regedt32.exe.
SUMMARY
Depending on the networking environment, administrators may want to extend or deny remote access to the performance data of their computers running Windows NT Server 3.51 or 4.0. The default permissions are different in Windows NT 3.51 and Windows NT 4.0, and the methods for granting or restricting access are also different. The information below details these defaults and methods.
MORE INFORMATION
To remotely view performance data on a computer running Windows NT Server, follow these steps:
  1. On a computer running either Windows NT Workstation or Server, run Performance Monitor.
  2. On the Edit menu, click Add to Chart.

    -or-

    On the toolbar, click the button with the plus (+) on it.
After entering \\<ComputerName> in the Add to Chart dialog box, you are either denied access in some way or allowed to add counters from the remote computer to the local performance chart.

Default Behavior on Windows NT Server 3.51 Computers

Prior to Windows NT 3.51, any user (Guest, User, Administrator) who could make a connection to IPC$ on a server could also use Performance Monitor to remotely view the server's performance data.

By default, the Everyone group has READ access in the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib \009


NOTE: The above registry key is one path; it has been wrapped for readability.

READ access is all that is required to read the performance data, so Everyone could access the data remotely.

Restricting Remote Access to Performance Data on Windows NT Server 3.51 Computers

To restrict access on a computer running Windows 3.51 Server, follow these steps:

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" online Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" online Help topics in Regedt32.exe. Note that you should back up the registry before you edit it.
  1. Run Registry Editor (Regedt32.exe).
  2. From the HKEY_LOCAL_MACHINE subtree, go to the following key:
    \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perfl
  3. Select the Perflib key.
  4. On the Security menu, click Permissions.
  5. Select Everyone and click Remove.

    NOTE: Check to make sure that Administrator and System have Full Control access to Perflib and its subkey, 009.

    NOTE: 009 is the language ID for the English version of Windows NT.
  6. Add a value called CheckSystemProfileRight to the Perflib key. The value type is REG_DWORD and should be set to 1.

    NOTE: In Windows NT 3.51 and 4.0, if the CheckSystemProfileRight value under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\ key has been defined and given a value of 1, Read access to this key is necessary to retrieve the performance data. If this value is not defined or is defined and set to zero, the ACL will NOT be checked (to provide Windows NT 3.5 compatible behavior).
  7. Click OK and quit Registry Editor.
  8. If the Windows NT system partition is NTFS, use Explorer or File Manager to check the security on the following files:
    %windir%\system32\PERFCxxx.DAT
    %windir%\system32\PERFHxxx.DAT
    NOTE: xxx is the basic language ID for the system. For example, 009 is the ID for the English version.

    These files contain performance data. If you want to restrict remote access to this data, remove Everyone (or other appropriate groups) from the access list for these files.

    NOTE: Read access to both Perfc009.dat and Perfh009.dat is required to monitor performance data. BOTH files must have the correct ACL.
  9. Shut down and restart Windows NT 3.51.
Users who attempt to remotely access performance data with Performance Monitor should now receive the following message:
Insufficient privilege to access performance data

Default Behavior on Windows NT Server 4.0 Computers

In Windows NT 4.0, guests (if the Guest account is enabled) and administrators are supposed to be able to access performance data remotely. However, security on the following registry key is restricted to administrators:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers \Winreg


NOTE: The above registry key is one path; it has been wrapped for readability.

Without read access to this key, no one will be able to access performance data on this server. Prior to Service Pack 3.0 for Windows NT Server 4.0, neither guests nor users are able to access performance data. Adding read access to the Winreg key for the Guests, Domain Guests, Users, Domain Users, or Everyone group will grant the desired user(s) access to performance data. Anyone attempting to view remote performance data without this permission will receive the following error message:
Computer name not found

This message would normally mean that the client had network connectivity problems or perhaps a NetBIOS name resolution problem. In this case, it is the equivalent of "Insufficient privilege to access performance data."

Restricting Remote Access to Performance Data on Windows NT Server 4.0 Computers

Follow steps 1 through 6 above to restrict access to Windows NT 4.0 performance data. After step 6, perform the following step:

- Before closing the registry, locate this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winr


NOTE: The above registry key is one path; it has been wrapped for readability.

Check the security permissions for this key. If there, remove the Everyone group (and other appropriate groups) from the permissions list. However, be sure that administrators and system retain Full Control of this key.

After securing the permissions on this key, complete steps 7 through 9 from above. Now, no one except administrators should be able to remotely access the server's performance data using Performance Monitor.
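
The following PowerShell audit is an added example, not part of the original article. It reports whether CheckSystemProfileRight is set and which broad groups (Everyone, Users, Guests) still hold Allow entries on the Perflib and Winreg keys and on the PERFC/PERFH files. It assumes a later Windows release where PowerShell is available, an elevated session, and the English language ID 009; the function name Get-BroadAllowAce is hypothetical.

```powershell
# Added audit example (not from the original article). Assumes PowerShell on a
# later Windows release, an elevated session, and English language ID 009.
$perflib = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib'
$targets = @(
    $perflib,
    "$perflib\009",
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg',
    "$env:windir\system32\perfc009.dat",
    "$env:windir\system32\perfh009.dat"
)
# Well-known SIDs for the broad groups the article tells you to look for.
$broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-32-545' = 'Users'; 'S-1-5-32-546' = 'Guests' }

function Get-BroadAllowAce {   # hypothetical helper name
    param([string[]]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Not found: $p"; continue }
        try { $acl = Get-Acl -LiteralPath $p -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL on ${p}: $_"; continue }
        # Ask for rules keyed by SID so the match does not depend on localized group names.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -ne 'Allow' -or -not $broad.ContainsKey($sid)) { continue }
            $rights = if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) {
                $rule.RegistryRights } else { $rule.FileSystemRights }
            [pscustomobject]@{ Path = $p; Group = $broad[$sid]; Rights = $rights; Inherited = $rule.IsInherited }
        }
    }
}

# Per the article: if the value is absent or 0, the Perflib ACL is not checked at all.
$flag = (Get-ItemProperty -LiteralPath $perflib -Name CheckSystemProfileRight -ErrorAction SilentlyContinue).CheckSystemProfileRight
if ($flag -eq 1) { 'CheckSystemProfileRight = 1: Perflib ACL is enforced' }
else { 'CheckSystemProfileRight missing or 0: Perflib ACL is NOT checked' }

Get-BroadAllowAce -Path $targets | Format-Table -AutoSize
```

An empty table together with CheckSystemProfileRight = 1 matches the restricted state the steps above aim for; any row listed is a group entry to review against steps 5 and 8.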

Article ID: 164018 - Last Review: 02/23/2007 19:40:39 - Revision: 2.2

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Server 4.0 Standard Edition