How to Manage Remote Access to the Registry

For a Microsoft Windows 2000 version of this article, see 153183 .

Summary

This article describes how to manage access to the registry on a remote computer.

Some services must have access to the registry to function correctly. For example, on a system that runs directory replication, the Replicator account must have access to the relevant registry key. Registry Editor supports remote access to the Windows registry; however, you can also restrict this access.

More Information

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

Using a Registry Key to Manage Remote Access to the Registry

The following registry key restricts remote access to the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\ winreg
Description: REG_SZ
Value: Registry Server
The Security permissions that are set on this key define which Users or Groups can have remote registry access.

  • On a Windows XP Professional-based computer, by default only members of the Administrators Group and Backup Operators Group have access to the registry over the network. Administrators have Full Control access, and Backup Operators have Read access.
  • On a Windows XP Home Edition-based computer, by default only members of the Administrators Group can gain access to the registry over the network. Administrators have Full Control access.
If the key to restrict access to the registry is already present in the registry, start Registry Editor and then skip to steps 7 and 8 to add, remove, or edit the Users, Groups, and permissions.


Creating a Registry Key to Manage Remote Access to the Registry

If you need to create the key to restrict access to the registry, follow these steps:

  1. Start Registry Editor (Regedt32.exe), and then locate the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
  2. On the Edit menu, click Add Key, and then enter the following values:
    Key Name: SecurePipeServers
    Class: REG_SZ
  3. Locate the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ SecurePipeServers
  4. On the Edit menu, click Add Key, and then enter the following values:
    Key Name: winreg
    Class: REG_SZ
  5. Locate the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ SecurePipeServers\winreg
  6. On the Edit menu, click Add Value, and then enter the following values:
    Value Name: Description
    Data Type: REG_SZ
    String: Registry Server
  7. Locate the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ SecurePipeServers\winreg
  8. Right-click winreg, click Permissions, and then edit the current permissions or add the users or groups to whom you want to grant access.
  9. Quit Registry Editor, and then restart Windows.

Bypassing the Access Restrictions That Are Set on the Registry Key

Some services need remote access to the registry to function correctly. For example, the Directory Replicator service requires access to the remote registry, as does the Spooler service when it is connecting to a printer over the network.


You can either add the account name of the service to the access list on the Winreg key, or you can configure Windows to bypass the access restriction to certain keys by listing the keys in the Machine or Users value under the AllowedPaths key.

If you want to list certain keys under the AllowedPaths key, follow these steps:

  1. Start Registry Editor (Regedt32.exe), and then locate the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\ Winreg\AllowedPaths
  2. Under the Machine value, use the following information to add the keys for which you want to bypass restrictions:

    Value: Machine
    Value Type: REG_MULTI_SZ - Multi string
    Default Data: System\CurrentControlSet\Control\ProductOptions
    System\CurrentControlSet\Control\Print\Printers
    System\CurrentControlSet\Control\Server Applications
    System\CurrentControlSet\Services\Eventlog
    Software\Microsoft\Windows NT\CurrentVersion

    Valid Range: A valid path to a location in the registry
    Description: Allow machine access to listed locations in the
    registry provided that no explicit access
    restriction exists for that location
  3. Under the Users value, use the following information to add the keys for which you want to bypass restrictions:

    Value: Users
    Value Type: REG_MULTI_SZ - Multi string
    Default Data: (None)

    Valid Range: A valid path to a location in the registry
    Description: Allow users access to listed locations in the
    registry provided that no explicit access
    restriction exists for that location
    Note that "Value: Users" does not exist by default. You might have to create the value.

  4. Quit Registry Editor, and then restart the computer.
Propriedades

ID do Artigo: 314837 - Última Revisão: 07/01/2017 - Revisão: 1

Microsoft Windows XP Home Edition, Microsoft Windows XP Professional Edition, Microsoft Windows Server 2003 Service Pack 2, Windows Vista Business, Windows Vista Enterprise, Windows Vista Ultimate, Windows Server 2008 Standard, Windows Server 2008 Enterprise, Windows 7 Professional, Windows 7 Enterprise, Windows 7 Ultimate, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, Windows 8, Windows Server 2012 Essentials, Windows Server 2012 Standard, Windows Server 2012 Standard, Windows Server 2012 Standard, Windows Server 2012 Standard

Comentários