normal accounts reg edit

Hey all,
I was wondering with all this security that is being talked about, can anyone tell me if a normal account could type in regedit or regedit32 from a run line without it prompting to enter the admin password?
If this comes up, maybe, that should be a needed security feature..

Yes, but of course you will only be able to modify your own HKCU hive (and virtualized Class IDs) -- Pierre Szwarc Paris, France PGP key ID 0x75B5779B ------------------------------------------------ Multitasking: Reading in the bathroom ! ------------------------------------------------
"Jason" a écrit dans le message de news: uj7ryzaWGHA.4972@TK2MSFTNGP02.phx.gbl... | Hey all, | | I was wondering with all this security that is being talked about, can | anyone tell me if a normal account could type in regedit or regedit32 from a | run line without it prompting to enter the admin password? | | If this comes up, maybe, that should be a needed security feature.. | |

Try this, Click Start > All Programs > Accessories > right click Command Prompt > Run As Administrator > Allow > and type in regedit, you should have full access to make changes to the registry. -- Andre Extended64 | http://www.extended64.com Blog | http://www.extended64.com/blogs/andre http://spaces.msn.com/members/adacosta FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
"Jason" wrote in message

Hey all,
I was wondering with all this security that is being talked about, can anyone tell me if a normal account could type in regedit or regedit32 from a run line without it prompting to enter the admin password?
If this comes up, maybe, that should be a needed security feature..

Thanks for the info. However, my concern is having normal users in the registry editors. IMO, normal users have no reason to be going into the registry. If an administrator wishes to have access to it, it should prompt for the Admin password like it does to run MSConfig.
"Andre Da Costa [Extended64]" wrote in message

Try this, Click Start > All Programs > Accessories > right click Command Prompt > Run As Administrator > Allow > and type in regedit, you should have full access to make changes to the registry. -- Andre Extended64 | http://www.extended64.com Blog | http://www.extended64.com/blogs/andre http://spaces.msn.com/members/adacosta FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
"Jason" wrote in message Hey all,
I was wondering with all this security that is being talked about, can anyone tell me if a normal account could type in regedit or regedit32 from a run line without it prompting to enter the admin password?
If this comes up, maybe, that should be a needed security feature..

Well, this in a protected space, its not access to the entire system really. I am also sure there are Group Policy Edition settings to further restrict Standard users from accessing the registry. -- -- Andre Windows Connected | http://www.windowsconnected.com Extended64 | http://www.extended64.com Blog | http://www.extended64.com/blogs/andre http://spaces.msn.com/members/adacosta
"Jason" wrote in message

Thanks for the info. However, my concern is having normal users in the registry editors. IMO, normal users have no reason to be going into the registry. If an administrator wishes to have access to it, it should prompt for the Admin password like it does to run MSConfig.
"Andre Da Costa [Extended64]" wrote in message Try this, Click Start > All Programs > Accessories > right click Command Prompt > Run As Administrator > Allow > and type in regedit, you should have full access to make changes to the registry. -- Andre Extended64 | http://www.extended64.com Blog | http://www.extended64.com/blogs/andre http://spaces.msn.com/members/adacosta FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
"Jason" wrote in message Hey all,
I was wondering with all this security that is being talked about, can anyone tell me if a normal account could type in regedit or regedit32 from a run line without it prompting to enter the admin password?
If this comes up, maybe, that should be a needed security feature..

"Jason" wrote:

Thanks for the info. However, my concern is having normal users in the registry editors. IMO, normal users have no reason to be going into the registry. If an administrator wishes to have access to it, it should prompt for the Admin password like it does to run MSConfig.

The ability to disable the running of REGEDIT already exists as a Windows policy. (“Prevent Access to Registry Editing Tools”, http://support.microsoft.com/kb/831787/) The users do have rights to modify their own profile's area of the registry, whether we as administrators feel like we make it easy on them to do so or not.
So I wouldn't get too bent over whether REGEDIT.EXE will prompt normal users for the Administrator password (even if the user just wants to edit something the user actually has rights to edit). I think the existing "DisableRegistryTools" probably goes as far as anything should in providing a false sense of security that users can't get into registry trouble without REGEDIT.
Alan Adams

In article , "Jason" wrote:

Thanks for the info. However, my concern is having normal users in the registry editors. IMO, normal users have no reason to be going into the registry. If an administrator wishes to have access to it, it should prompt for the Admin password like it does to run MSConfig.

As has already been pointed out by others, you can certainly deploy a policy that prevents your users from having access to the registry editing tools, but the users do actually have a need to access their own registry hives, so you need to leave the registry ACLs on their own HKCU hive open to them.
And if they're allowed to change registry settings through other programs, are you really achieving much by preventing them from directly editing the registry? I can think of a couple of benefits of disabling their access to regedit:
1. Stops people from downloading and installing .REG files that might otherwise cause damage. Of course, that means that it also prevents them from downloading and installing .REG files that come as part of their local installation of a program... 2. Stops users from tinkering with things they do not understand. But then, they'll tinker with other things they do not understand, anyway, so perhaps you just have to come up with creative ways of persuading them to hold out their hands for you to slap every time they do this.
Alun. ~~~~
[Please don't email posters, if a Usenet response is appropriate.] -- Texas Imperial Software | Find us at http://www.wftpd.com or email 23921 57th Ave SE | alun@wftpd.com. Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers. Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

All good, and valid, comments so far. I might add that we should not judge the advisability of limited accounts having access to reg editing based on how per-user settings are (partially, limply - at least by the third-party ISV community) used today. Imagine if the HKCU were very actively used for app (and OS) per-user perference/history/etc persistence.
Roger
"Jason" wrote in message

Thanks for the info. However, my concern is having normal users in the registry editors. IMO, normal users have no reason to be going into the registry. If an administrator wishes to have access to it, it should prompt for the Admin password like it does to run MSConfig.
"Andre Da Costa [Extended64]" wrote in message Try this, Click Start > All Programs > Accessories > right click Command Prompt > Run As Administrator > Allow > and type in regedit, you should have full access to make changes to the registry. -- Andre Extended64 | http://www.extended64.com Blog | http://www.extended64.com/blogs/andre http://spaces.msn.com/members/adacosta FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
"Jason" wrote in message Hey all,
I was wondering with all this security that is being talked about, can anyone tell me if a normal account could type in regedit or regedit32 from a run line without it prompting to enter the admin password?
If this comes up, maybe, that should be a needed security feature..