AllowedPaths: Exceptions to winreg

The AllowedPaths subkey in winreg contains a single value entry, Machine, which stores a list of paths from the HKEY_LOCAL_MACHINE subtree. The paths named in AllowedPaths are known as exception paths. Users who are not included in the winreg ACL can connect to the Registry to access one of these exception paths.

AllowedPaths was added to enable users to use system services that require that they connect to the Registry. Users must have permission to access the final subkey in an exception path before they can view or edit the Registry remotely.

Note

The exception paths in AllowedPaths are necessary to maintain backward compatibility with system components that need remote Registry access. If you add a winreg subkey to the Registry, be sure to also add an AllowedPaths subkey under it, and then add the default values for the Machine value entry, as described below.

The allowed paths are stored in the Machine value entry in the AllowedPaths subkey. AllowedPaths must appear in the following Registry path:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SecurePipeServers\winreg\AllowedPaths

The Machine value entry appears as follows:

Machine    REG_MULTI_SZ
Range:     HKEY_LOCAL_MACHINE registry paths
Default:   System\CurrentControlSet\Control\ProductOptions
           System\CurrentControlSet\Control\Print\Printers
           System\CurrentControlSet\Services\EventLog
           Software\Microsoft\Windows NT\CurrentVersion

Administrators can add paths to this list. However, if you delete a path, you might disable an essential system service.

The exception granted to paths listed in Machine applies to the last subkey listed in the path and to all subkeys it contains. For example, if Machine includes System\CurrentControlSet\Services\EventLog, any user could connect remotely to the EventLog subkey or to any of its subkeys (or to the subkeys of its subkeys), but not to any other subkey directly under Services, unless that other subkey was specifically listed in Machine.
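The following PowerShell script is an added example, not part of the original documentation, showing how an administrator can audit the Machine value against the default list given above and add a path without dropping the existing entries. The registry path and value name are the ones documented on this page; the baseline list is copied from the Default shown above and should be adjusted to the defaults documented for your Windows version, since later releases may ship a different set. The function names (Get-WinregAllowedPaths, Test-WinregAllowedPaths, Add-WinregAllowedPath) are this example's own.

```powershell
# Added example (not from the original page): audit and extend the
# AllowedPaths\Machine list that controls remote Registry exception paths.

$AllowedPathsKey = 'HKLM:\System\CurrentControlSet\Services\SecurePipeServers\winreg\AllowedPaths'

# Baseline copied from the Default list documented above; adjust per OS version.
$DocumentedDefaults = @(
    'System\CurrentControlSet\Control\ProductOptions',
    'System\CurrentControlSet\Control\Print\Printers',
    'System\CurrentControlSet\Services\EventLog',
    'Software\Microsoft\Windows NT\CurrentVersion'
)

function Get-WinregAllowedPaths {
    # Returns the current Machine entries as an array of strings (REG_MULTI_SZ).
    param([string]$Key = $AllowedPathsKey)
    $item = Get-ItemProperty -Path $Key -Name 'Machine' -ErrorAction Stop
    return @($item.Machine)
}

function Test-WinregAllowedPaths {
    # Compares the live list with the baseline. Every extra entry widens what
    # users outside the winreg ACL can reach remotely under HKLM; every missing
    # default may break a system service that depends on that exception path.
    param(
        [string[]]$Current  = (Get-WinregAllowedPaths),
        [string[]]$Baseline = $DocumentedDefaults
    )
    # Registry paths are case-insensitive and a trailing backslash is not
    # significant, so normalise before comparing (-contains ignores case).
    $norm = { param($p) $p.Trim().TrimEnd('\') }
    $cur  = @($Current  | ForEach-Object { & $norm $_ })
    $base = @($Baseline | ForEach-Object { & $norm $_ })
    [pscustomobject]@{
        Extra   = @($cur  | Where-Object { $base -notcontains $_ })
        Missing = @($base | Where-Object { $cur  -notcontains $_ })
    }
}

function Add-WinregAllowedPath {
    # Appends one HKLM-relative path to Machine, preserving existing entries.
    # Remember that the exception covers the final subkey and everything below it.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Key = $AllowedPathsKey
    )
    $current = Get-WinregAllowedPaths -Key $Key
    if ($current -contains $Path) { return $current }
    $updated = $current + $Path
    Set-ItemProperty -Path $Key -Name 'Machine' -Value ([string[]]$updated) -Type MultiString
    return $updated
}

# Usage: report drift from the documented defaults.
$report = Test-WinregAllowedPaths
'Extra (non-default) exception paths:'; $report.Extra
'Missing default exception paths:';     $report.Missing
```

Run the audit from an elevated session; reading the key needs the winreg ACL to grant you access locally, and Set-ItemProperty in Add-WinregAllowedPath needs write access. Treat any entry in Extra as something to justify, since it is reachable remotely by users the winreg ACL would otherwise block, and treat any entry in Missing as a likely cause of a broken service rather than something to leave removed.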