Prevent Regedit for standard users

    Question

  • I've created a User GPO with the setting "Prevent access to registry editing tools" Enabled.

    This works and blocks regedit.exe for standard users. When an administrator attempts to use the tool, he is allowed.

    The problem is that this only blocks the currently logged-on user. You can right-click regedit.exe, select "Run as different user", and enter the credentials of another standard user account; regedit.exe will then launch, and that user will be able to edit the registry.

    I have tested this on Windows 7, Windows 10 1511 and 1607, in my production and lab environments. In my lab I am running the 2012 R2 domain functional level.

    I think this is an issue in Windows products and a vulnerability in this GPO setting. Can anyone else replicate this, please?


    Blog: http://scriptimus.wordpress.com

    Tuesday, November 29, 2016 11:44 AM

Answers

  • Hi,
     
    On 29.11.2016 at 12:44, Andrew Barnes wrote:
    > The problem is that this only blocks the current logged on user. You
    > can right click regedit.exe and select "run as a different user" then
    > enter the credentials of another standard user account then
    > regedit.exe will launch and that user will be able to edit the
    > registry.
     
    Right. Works as designed. Group Policy only applies to an interactive logon.
     
    But editing the Registry is not a problem. He can manipulate HKCU, but
    NOT(!) .\Policies, HKLM or machine-specific places.
    The system is still safe and secure, because the user is a user.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    • Marked as answer by Andrew Barnes Wednesday, December 07, 2016 12:13 PM
    Tuesday, November 29, 2016 4:42 PM

All replies

  • I did the same test and got the behavior you mentioned when UAC was disabled. With it enabled, it worked fine.
    Tuesday, November 29, 2016 1:22 PM
  • In fact, performing more tests, if you test with another user account that has not yet logged into the station, it will actually get because your hive has not yet been altered by the policy.
    Tuesday, November 29, 2016 1:43 PM
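  • The answer above and the reply about the untouched hive both come down to the same mechanism: "Prevent access to registry editing tools" is a User Configuration policy, so it lands in the per-user Policies key (documented as DisableRegistryTools under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System) and only reaches a hive that Group Policy has processed for that user. The following audit script is an added example, not code from the thread or from Microsoft; it enumerates the user hives currently loaded under HKEY_USERS on a machine and reports which of them actually carry the value. The function name, the SID filter and the Status strings are my own constructions; the value name and its meanings (1 = regedit blocked, 2 = blocked silently) are the documented ones.

```powershell
# Added example (not from the original thread): report which loaded user hives
# on this machine carry the "Prevent access to registry editing tools" policy.
# A user started via "Run as different user" gets a loaded hive but no Group
# Policy processing, so this value will be missing from that user's hive.
# Run from an elevated PowerShell session so every hive under HKEY_USERS is readable.

$policySubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegeditPolicyStatus {
    # Only domain/local user SIDs (S-1-5-21-...) are interesting; skip the
    # *_Classes hives and the service account SIDs (S-1-5-18/19/20).
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $sid = $_.PSChildName

            # Resolve the SID to an account name for readability; keep the SID if it fails.
            try {
                $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '(unresolved)'
            }

            # Read the per-user policy value; $null means the policy never reached this hive.
            $keyPath = "Registry::HKEY_USERS\$sid\$policySubKey"
            $value = (Get-ItemProperty -Path $keyPath -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools

            if ($value -eq 1) {
                $status = 'Blocked (regedit disabled)'
            } elseif ($value -eq 2) {
                $status = 'Blocked (regedit disabled silently)'
            } else {
                $status = 'NOT blocked: policy value not present in this hive'
            }

            [pscustomobject]@{
                Sid                  = $sid
                Account              = $account
                DisableRegistryTools = $value
                Status               = $status
            }
        }
}

Get-RegeditPolicyStatus | Format-Table -AutoSize
```

    Running this while a second standard user has regedit.exe open via "Run as different user" shows that user's hive listed with the value absent, which is exactly the behaviour described in the question: the setting is enforced per hive, not per machine. If the goal is to keep every non-administrator off regedit.exe regardless of how the process was started, that is a job for a computer-side control such as an AppLocker or Software Restriction Policy rule on the executable, not for this user-side setting.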