"Prevent Access to Registry Editing Tools" policy changes in Windows XP and in Windows Server 2003 (831787)



The information in this article applies to:

  • Microsoft Windows XP Professional

Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

You cannot run Registry Editor in silent mode on a Microsoft Windows XP Professional-based or a Microsoft Windows Server 2003-based computer when you have the Prevent Access to Registry Editing Tools policy applied. However, you can run Registry Editor in silent mode on a Microsoft Windows 2000-based computer or on a Microsoft Windows NT 4.0-based computer when this same policy is applied. Therefore, you may experience backward compatibility issues in a mixed Windows environment.

CAUSE

This behavior occurs because Windows XP and Windows Server 2003 process the Prevent Access to Registry Editing Tools policy differently than Windows NT 4.0 and Windows 2000. Windows XP uses additional security measures to prevent the use of Registry Editor in silent mode when the Prevent Access to Registry Editing Tools policy is applied.

MORE INFORMATION

In Windows NT 4.0 and in Windows 2000, if you disable the use of registry tools through the Prevent Access to Registry Editing Tools policy, you cannot start Registry Editor. However, you can still use Registry Editor in silent mode by using the /s switch. For example, in Windows NT 4.0 and in Windows 2000, if you type regedit /s filename.reg at the command prompt, you can import the filename.reg registry file into the registry, even though the Prevent Access to Registry Editing Tools policy is in effect.

In Windows XP Professional and in Windows Server 2003, if you disable the use of registry tools by using the Prevent Access to Registry Editing Tools policy, you cannot use Registry Editor in silent mode.

RESOLUTION

Windows XP service pack information

To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Windows XP hotfix information

A supported feature that modifies the product's default behavior is now available from Microsoft, but it is only intended to modify the behavior that this article describes. Apply it only to systems that specifically need it. This feature may receive additional testing. Therefore, if your system is not severely affected by the lack of this feature, Microsoft recommends that you wait for the next Microsoft Windows XP service pack that contains this feature.

To obtain this feature immediately, contact Microsoft Product Support Services. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date        Time    Version             Size   File name
-----------------------------------------------------------
14-Nov-2003 02:38   5.1.2600.1320    134,144   Regedit.exe 
08-Nov-2003 02:26                  1,517,066   System.adm

Windows Server 2003 service pack information

To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

889100 How to obtain the latest service pack for Windows Server 2003

Windows Server 2003 hotfix information

A supported feature that modifies the product's default behavior is now available from Microsoft, but it is only intended to modify the behavior that this article describes. Apply it only to systems that specifically require it. This feature may receive additional testing. Therefore, if the system is not severely affected by the lack of this feature, we recommend that you wait for the next Microsoft Windows Server 2003 service pack that contains this feature.

To obtain this feature immediately, contact Microsoft Product Support Services. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows 2003 Server, Itanium-based versions

   Date         Time   Version            Size    File name        Platform
   -------------------------------------------------------------------------
   08-Oct-2004  17:47  5.2.3790.221      349,184  Regedit.exe      IA-64
   29-Sep-2004  22:04                  1,513,002  System.adm
   08-Oct-2004  17:55  5.2.3790.221      138,752  Wregedit.exe     x86

Windows 2003 Server, x86-based version

   Date         Time   Version            Size    File name
   --------------------------------------------------------------
   08-Oct-2004  17:55  5.2.3790.221      138,752  Regedit.exe
   29-Sep-2004  22:20                  1,513,002  System.adm

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Feature information

A new feature is available to change the way that Microsoft Windows XP and Microsoft Windows Server 2003 use the Prevent Access to Registry Editing Tools policy. With this feature, you can configure a registry setting so that you can use one of the following configurations:
  • Registry Editor can be started either in interactive mode or in silent mode.
  • Registry Editor can be started only in silent mode (regedit /s). This is the default behavior in Windows 2000 and in Windows NT 4.0 when the Prevent Access to Registry Editing Tools policy is applied.
  • Registry Editor cannot be started at all. This is the default behavior in Windows XP when the Prevent Access to Registry Editing Tools policy is applied.
When you install this update, an updated "System.adm" Group Policy file permits you to use Group Policy to configure these options. To do this, follow these steps:
  1. Click Start, click Run, type gpedit.msc in the Open box, and then click OK.
  2. Expand User Configuration, Administrative Templates, and System, and then click Prevent access to registry editing tools.
  3. Click to select one of the following options:
    • Not Configured
    • Enabled
    • Disabled
  4. If you clicked Enabled, click Yes or No in the Disable regedit from running silently? box to specify if Registry Editor can be started in silent mode (regedit /s).
When you use Group Policy to configure these options, you create a DisableRegistryTools DWORD entry in the following registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

To manually configure the registry setting after you install this update, follow these steps.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the following subkey in the registry:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools



    Note If the DisableRegistryTools entry does not exist, you must create the entry. To do this, follow these steps:
    1. Locate and then click the following subkey in the registry:

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

    2. On the Edit menu, point to New, and then click Key.
    3. Type System for the name of the key, and then press ENTER.
    4. Click the following subkey in the registry:

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

    5. On the Edit menu, point to New, and then click DWORD Value.
    6. Type DisableRegistryTools for the name of the DWORD Value, and then press ENTER.
  3. Right-click DisableRegistryTools, and then click Modify.
  4. In the Value data box, type the setting that you want to use from the following table:
    Setting  Description
    -------  -----------
    0        Registry Editor can be started either in interactive mode or in silent mode.
    1        Registry Editor can only be started in silent mode (regedit /s). This is the default behavior in Windows 2000 and in Windows NT 4.0 when the Prevent Access to Registry Editing Tools policy is applied.
    2        Registry Editor cannot be started at all. This is the default behavior in Windows XP and Windows Server 2003 when the Prevent Access to Registry Editing Tools policy is applied.
  5. Click OK, and then quit Registry Editor.
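
The following PowerShell script is an added example, not part of the original Microsoft article. It reports the DisableRegistryTools value for every user hive that is currently loaded under HKEY_USERS, so that you can verify which of the three settings in the table above applies to each logged-on account. The function name Get-RegistryToolsPolicy is hypothetical, and the 0/1/2 descriptions assume that the update described in this article is installed.

```powershell
# Added example (not from the original article): audit DisableRegistryTools per loaded user hive.
# The 0/1/2 meanings come from the article's table and assume the update is installed.

$PolicySubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName    = 'DisableRegistryTools'

$Meaning = @{
    0 = 'interactive and silent mode allowed'
    1 = 'silent mode only (regedit /s)'
    2 = 'Registry Editor cannot be started'
}

function Get-RegistryToolsPolicy {   # hypothetical helper name
    # HKEY_USERS has no default PSDrive, so address it through the provider path.
    Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object {
        $sid = $_.PSChildName
        if ($sid -like '*_Classes') { return }   # skip per-user class hives

        $path  = "Registry::HKEY_USERS\$sid\$PolicySubKey"
        $raw   = $null
        $state = 'not set'

        if (Test-Path -Path $path) {
            $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $raw = $item.$ValueName
                if ($raw -is [int] -and $Meaning.ContainsKey($raw)) {
                    $state = $Meaning[$raw]
                } else {
                    # Wrong value type or a number outside the article's table.
                    $state = 'unexpected value, review manually'
                }
            }
        }

        New-Object PSObject -Property @{ Sid = $sid; Value = $raw; State = $state }
    }
}

Get-RegistryToolsPolicy | Sort-Object Sid | Format-Table Sid, Value, State -AutoSize
```

Run the script from an elevated session to read hives that belong to other accounts. Hives of users who are not logged on are not loaded under HKEY_USERS and are not reported.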

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Microsoft Windows XP Service Pack 2.

MORE INFORMATION

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates


Modification Type: Minor
Last Reviewed: 10/28/2005
Keywords:kbHotfixServer kbQFE kbWinXPsp2fix kbQFE kbWinXPpreSP2fix kbfix kbbug KB831787 kbAudITPRO