Remote Access to the Registry for
Performance Monitor Users

Performance Monitor extracts counter data from the Registry. A Performance Monitor user who monitors another computer remotely must have permission to connect to the Registry of the remote computer.

Permission to connect is set on the remote computer. Users who have permission to connect to a remote computer's Registry can do so from any computer. By default, only the administrators of a Windows NT Server are permitted to connect to its Registry from another computer. This section explains how to give other users this permission.

On computers running Windows NT 4.0 (and Windows NT 3.51 Service Pack 2), the system uses the ACL for winreg, an optional Registry subkey, to determine who can connect to the Registry from another computer. When a user tries to connect to the Registry remotely, the system looks for this winreg subkey, as described previously in the section "winreg: Connecting to the Windows NT Registry." winreg is located in the following Registry path:

HKEY_LOCAL_MACHINE\System
\CurrentControlSet
\Control
\SecurePipeServers
\winreg

When a user tries to connect to the Registry remotely, the system looks for the winreg subkey.

On Windows NT servers, winreg is included in the Registry by default. The default ACL for winreg gives full control to administrators, allowing them to connect to the Registry. No other users have permission by default. If the Performance Monitor user who is monitoring the server remotely is not an administrator, you must add that user to the ACL for winreg and then give him or her at least read/write permission.

On Windows NT workstations, and computers running Windows NT 3.51 Service Pack 2, winreg is not included in the Registry by default. However, administrators can add winreg to the Registry of these computers to control remote access. If winreg appears in the Registry, the Performance Monitor user must be listed in the ACL for winreg and have at least read/write permission to winreg.

Û To display the ACL for winreg

1. Start Regedt32 on the computer to be monitored.

2. Click the winreg subkey in the following Registry path:

HKEY_LOCAL_MACHINE\System
\CurrentControlSet
\Control
\SecurePipeServers
\winreg

If winreg does not appear in the Registry, all users can connect to the Registry remotely. In that case, you can skip both this procedure and the following one and go to the next section, "Access to the Perflib Subkeys."

3. On the Security menu, click Permissions.

The ACL for winreg appears in the Registry Key Permissions dialog box.

4. Double-click the ACL entry for a user or user group to display its permissions.

Users must have at least read/write permission (that is, they must have special access permission to create subkeys and set values) to use winreg to monitor a computer from another computer. Full control is not required. If those people listed as Administrators for your computer have read/write permission to winreg, you can add a user to the list of Administrators. However, you can also give users just the permissions they need to monitor computers remotely.

Û To give a user permission to monitor a computer remotely

1. Display the ACL for the winreg subkey.

2. Click the Add button in the Registry Key Permissions dialog box for winreg.

3. Add the user to the winreg ACL and give the user read access. For detailed instructions, click the Help button in the Registry Key Permissions dialog box.

4. Double-click the name of the user you just added.

5. In the Special Access dialog box, select the Set Value and Create Subkey check boxes.

6. Click OK, and then click OK again to close the dialog boxes.

When you have set the access to winreg, verify that the user has at least read access to all subkeys in the path to winreg. (By default, the Everyone group has permission to read all winreg subkeys and the subkeys in its path.) To check the ACL for each subkey in the path, click Permissions on the Security menu, and then grant the user read access to any ACLs that do not otherwise permit it.