Viewing Registry Access Permissions

In this exercise, we'll step through reviewing Registry access permissions. We will not make any changes to the Registry settings, but you should still use care. You should also choose to Cancel out of screens or dialogs instead of clicking OK. If you were making changes that you wanted to keep (on the job), you would click OK instead. Most needed changes can be made without directly editing the Registry, and best practices dictate that any time you can avoid directly editing the Registry, you should do so.


Any changes to the Registry, whether intentional or not, could cause your system to become unstable or unusable. Please do this exercise with care.

1. Click Start | Run and then type regedt32 in the Open text box. Click OK to launch the Registry Editor.

2. Click File on the Registry Editor menu. Notice there is no Save or Save As function. This is because any changes you make in the various dialogs are applied immediately. Exiting closes the Registry Editor with whatever settings currently exist. There is no way to exit without saving changes. This is why it's critical to save the Registry before working on it, and use care when working in it.

3. In the Registry Editor, the left pane displays the nodes and the right pane displays any nodes or keys beneath the one selected on the left. Depending on the state of your Registry tree, you might only see one node, My Computer. If so, click the + to the left of My Computer to expand the tree. In most cases, you'll see My Computer listed with five nodes beneath it:

HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, and HKEY_CURRENT_CONFIG.

4. Click the + to the left of HKEY_CURRENT_USER to expand the tree. Notice the keys beneath HKEY_CURRENT_USER, including AppEvents, Control Panel, Printers, Software, and others.

5. Click HKEY_CURRENT_USER to select it. Right-click the selection or click Edit on the menu and select Permissions.

6. The Permissions dialog for HKEY_CURRENT_USER is displayed. In this dialog, you can add or remove users listed in the Group or user names: dialog. You can also edit permissions for the currently selected user or group. Figure 9.11 shows this dialog; notice that you can modify permissions for the Administrator group, which is currently selected in Figure 9.11.

Figure 9.11 Modifying Default Permissions on Registry Key


7. You can set special permissions and set advanced settings as well. Click the Advanced button to access this dialog.

8. The Advanced Security Settings for HKEY_CURRENT_USER dialog is shown in Figure 9.12. Notice several things in this dialog. First, you can view or modify permissions as well as set auditing, view or modify the owner, and view effective permissions. In addition, there are two important check boxes you should be familiar with.

9. The first check box is labeled Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here. This box is checked by default. This will cause permissions to be inherited by all child objects. Removing this check box will cause permissions to be applied only to the object for which they are explicitly set. Understanding how permissions apply to child objects is important for understanding permissions throughout the network structure.

10. The second check box is Replace permissions entries on all child objects with entries shown here that could apply to child objects. This check box is not checked by default. Checking this box will cause all subfolders and files to have their permissions reset to those inheritable from the parent object. Once you select this, there is no Undo function and changes are permanent. If you want to modify permissions for child objects below the parent, you can use this to reset permissions but care should be used.

Figure 9.12 Advanced Registry Settings for HKEY_CURRENT_USER

11. Click the Auditing tab. You can create, modify, or review the auditing set for this object. Notice that the same two check boxes regarding inheritance of permissions are located here as well, as shown in Figure 9.13.

Figure 9.13 Auditing Tab Options

12. Click the Owner tab. On this tab, you can take or assign ownership of this object if you have the appropriate permissions to do so. You can also change ownership of subcontainers or child objects by selecting the check box labeled Replace owner on subcontainers and objects.

13. Click the Effective Permissions tab. On this tab, you can view the permissions that would be granted to the selected group or user based solely on the permissions granted directly through group membership, as shown in Figure 9.14. You begin by clicking the Select button, selecting the user or group, and then viewing effective permissions. This tool calculates the permissions granted to a specific user or group and takes into account group membership (for the user or group) and inherited permissions (from the parent object).

Figure 9.14 Effective Permissions Options

14. Click Cancel to exit the Advanced Security Settings for HKEY_CURRENT_USER dialog. Click Cancel to exit the Permissions for HKEY_CURRENT_USER dialog.

15. Click File on the Registry Editor menu, and select Exit to close the Registry Editor.
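
The same review can be done without opening any editable dialog. The following PowerShell is an added example, not part of the original exercise; it reads the information shown on the Permissions, Auditing, and Owner tabs for HKEY_CURRENT_USER and lists direct subkeys where inheritance from the parent has been turned off. It does not compute effective permissions.

```powershell
# Added example: read-only review of Registry key security from PowerShell.
# Only Get-Acl and Get-ChildItem are used; nothing here calls Set-Acl.
$keyPath = 'HKCU:\'                      # the key opened in the exercise
$acl     = Get-Acl -LiteralPath $keyPath

# Owner tab: current owner of the key.
"Owner: $($acl.Owner)"

# First inheritance check box: a "protected" DACL means the box is cleared
# and inheritable entries from the parent are not applied to this key.
"Inheritable permissions from parent allowed: $(-not $acl.AreAccessRulesProtected)"

# Permissions tab: every entry, and whether it is explicit or inherited.
$acl.Access |
    Select-Object IdentityReference, AccessControlType, RegistryRights,
                  IsInherited, InheritanceFlags |
    Format-Table -AutoSize

# Direct subkeys whose permissions no longer follow the parent. These are
# the keys that the "Replace permission entries on all child objects"
# check box would overwrite, so review them before anyone uses it.
"Subkeys with inheritance turned off:"
Get-ChildItem -LiteralPath $keyPath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $childAcl = Get-Acl -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($childAcl -and $childAcl.AreAccessRulesProtected) { $_.Name }
    }

# Auditing tab: reading audit entries needs an elevated administrator
# session; without it Get-Acl -Audit fails and the catch block reports why.
try {
    $sacl = Get-Acl -LiteralPath $keyPath -Audit -ErrorAction Stop
    $sacl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, AuditFlags, RegistryRights, IsInherited |
        Format-Table -AutoSize
}
catch {
    "Audit entries not readable in this session: $($_.Exception.Message)"
}
```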

Now that we've looked at how to modify Registry settings via the Registry Editor, we'll look at a more global method of setting Registry settings. As you learned in Chapter 2, "Securing Servers based on Function," security templates can be used to set security across the enterprise in a consistent manner. There are also security settings that can be accessed via group policy. Using group policy to set Registry access is the recommended way to manage Registry access. It provides an efficient and reliable method for setting permissions, and ensures that settings are reapplied every time group policy is applied. This helps ensure that permissions are maintained as specified in the policy and avoids errors that might be made when directly editing the Registry. To use this method, the computer must be joined to a domain. By default, policy settings are refreshed every 90 minutes on workstations or member servers, and every 5 minutes on DCs (and every 16 hours even if no changes have been detected). In Exercise 9.04, you'll step through setting Registry access permissions using the Group Policy Editor snap-in in the MMC.
