winreg: Connecting to the Windows NT Registry

Windows NT 4.0 uses the ACL for winreg, an optional Registry subkey, to determine who can connect to the Registry from another computer. This section explains how to use the winreg subkey ACL to control remote access to the Registry.

Note

The ACL for winreg, not a Boolean value stored in winreg, controls remote access to the Registry. The information in Windows NT Workstation Resource Guide, Chapter 6, "Windows NT Security," is incorrect in this regard.

When a user tries to connect to the Registry remotely, Windows NT looks for the winreg subkey.

If winreg is in the Registry, the ACL for winreg determines which users can connect to the Registry remotely. To connect to the Registry, users must have at least read/write permission, including permission to create subkeys and set values.

If winreg does not appear in the Registry, all users can connect to the Registry remotely.

After a user is connected to the Registry, the ACL for each Registry key or subkey determines whether the user can read, edit, add, and/or delete Registry contents.

The winreg subkey must be located in the following Registry path:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg

By default, winreg is included in the Registry of Windows NT 4.0 servers only. Administrators can add winreg to the Registry of Windows NT workstations and to the Registry of workstations and servers running Windows NT 3.51 Service Pack 2.

Note

If you add a winreg subkey to the Registry, be sure to add an AllowedPaths subkey under it. Failure to do so can disable some system services. The AllowedPaths subkey is described in the following sections.

The default ACL for winreg is as follows:

Operating system          Default ACL
Windows NT Server         Administrators: Full Control
Windows NT Workstation    (Not in the Registry)


To give a user permission to connect to the Registry remotely

1. Start Regedt32.

2. Click the winreg subkey to select it.

3. On the Security menu, click Permissions.

The ACL for winreg appears in the Registry Key Permissions dialog box.

4. Click the Add button in the Registry Key Permissions dialog box.

5. Add the user to the winreg ACL and give the user read access. For detailed instructions, click the Help button in the Registry Key Permissions dialog box.

6. Double-click the name of the user you just added.

7. In the Special Access dialog box, select the Set Value and Create Subkey check boxes.

8. Click OK, and then click OK again to close the dialog boxes.

If a user does not have sufficient access to winreg, that user may still be able to connect to the Registry. The winreg subkey contains the AllowedPaths subkey, which stores exceptions to the permissions set in winreg.
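To check these conditions on a machine, the following PowerShell script reports whether winreg exists, whether AllowedPaths is present under it, and which ACL entries carry the read, Set Value, and Create Subkey rights described above. It is an added example, not part of the original text; it assumes a Windows version with PowerShell and its Registry provider, and Get-WinregRemoteAccess is a hypothetical helper name.

```powershell
# Added example: audit the winreg subkey on the local computer.
# Get-WinregRemoteAccess is a hypothetical helper name, not a built-in cmdlet.
function Get-WinregRemoteAccess {
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    )

    # Rights the page requires for a remote connection:
    # read access plus Set Value and Create Subkey.
    $rights = [System.Security.AccessControl.RegistryRights]
    $needed = [int]($rights::ReadKey -bor $rights::SetValue -bor $rights::CreateSubKey)

    if (-not (Test-Path -Path $Path)) {
        # No winreg subkey: per the page, all users can connect remotely.
        return [pscustomobject]@{
            WinregPresent       = $false
            AllowedPathsPresent = $false
            Entries             = @()
        }
    }

    # One row per ACE. Group membership, Deny entries and generic
    # access masks are not resolved here; review those rows by hand.
    $entries = foreach ($ace in (Get-Acl -Path $Path).Access) {
        [pscustomobject]@{
            Identity            = $ace.IdentityReference.Value
            Type                = $ace.AccessControlType
            Rights              = $ace.RegistryRights
            GrantsConnectRights = ($ace.AccessControlType -eq 'Allow') -and
                                  (([int]$ace.RegistryRights -band $needed) -eq $needed)
        }
    }

    [pscustomobject]@{
        WinregPresent       = $true
        # The page warns that winreg without AllowedPaths can disable services.
        AllowedPathsPresent = Test-Path -Path (Join-Path $Path 'AllowedPaths')
        Entries             = @($entries)
    }
}

$report = Get-WinregRemoteAccess
$report | Format-List WinregPresent, AllowedPathsPresent
$report.Entries | Format-Table -AutoSize
```

A result with WinregPresent set to False corresponds to the case above in which all users can connect remotely.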