Clarification of Winreg Operation in Windows NT

ID: Q186433

The information in this article applies to:

Microsoft Windows NT Server versions 3.51, 4.0
Microsoft Windows NT Workstation versions 3.51, 4.0
Microsoft Windows NT Server, Enterprise Edition version 4.0
Microsoft Windows 2000 Server
Microsoft Windows 2000 Professional

SUMMARY

The Winreg registry key does not limit registry access in the same manner that share permissions can restrict file access. Winreg works by allowing or disallowing remote access to the registry.

MORE INFORMATION

When a user attempts to connect to the registry of a remote computer running Windows NT, the Server service on the target computer checks for the presence of the Winreg key. If Winreg does not exist, the user is permitted to connect to the target computer's registry. If Winreg exists, the ACL on Winreg is checked. If the ACL gives the user read or write access, either explicitly or through group membership, that user may connect to the registry.

After a remote connection is made to the registry, the permissions on the individual registry keys are the only restrictions on the user manipulating the registry. So, if a user has read permission on Winreg, it will still be possible for that user to modify registry keys with less restrictive ACLs.

For additional information on the winreg key, please see the following article in the Microsoft Knowledge Base:

Q153183 How to Restrict Access to NT Registry from a Remote Computer

Keywords : ntsecurity
Version : WinNT:3.51,4.0;Windows:2000
Platform : winnt
Issue type : kbinfo