Remote Access to the Registry

Windows NT includes a number of security features that protect the Registry from inadvertent or unwarranted access. Windows NT establishes an access control list (ACL) for each Registry subtree, key, and subkey that determines who has access to a Registry element and what a user is permitted to do to that element.

In addition, Windows NT version 4.0 includes an optional security check that controls remote access to the Registry. This check determines which users can connect to the Registry from another computer. After a user is connected, the ACLs for each Registry element govern the user's access to the Registry.

This section explains how Windows NT controls who can connect to the Registry of a remote computer, and it describes:

How the system determines who can connect to the Registry.

The winreg subkey, whose ACL determines who can connect to the Registry.

The default values for the winreg ACL and how to change them.

The AllowedPaths subkey of winreg, which stores a list of commonly used Registry paths. Users who are not included in the winreg ACL can still connect to the Registry to access the keys listed in these exception paths.

This material is intended for users who are familiar with both the basic structure of the Windows NT Registry and the basic security features of Windows NT. It is a supplement to Windows NT Workstation Resource Guide, Part V, "Windows NT Registry," and it corrects an error in Windows NT Workstation Resource Guide Chapter 6, "Windows NT Security."

This material also contains a related topic, "Remote Performance Monitoring," which explains the winreg permissions that must be granted to anyone who uses Performance Monitor to monitor Windows NT computers remotely.

Warning

To add or modify a Registry value entry, use administrative tools such as Control Panel or System Policy Editor whenever possible. Using a Registry editor (Regedit or Regedt32) to change a value can have unforeseen effects, including changes that can prevent you from starting your system.