Playing in the Windows Registry

The Windows Registry is a fun place to work when you know what you're doing. While very powerful, most people will never see or use the Registry because it's a complicated piece buried deep in the operating system. Furthermore, I have yet to find very good documentation about Windows registry other than forums online, which makes leveraging it difficult.

Now, while I'm no expert on the Registry, I've been playing at it for several years doing everything from disabling UAC to adding extra right-click menu items. One of the first things you learn about the Registry is to backup your existing registry. While I don't remember ever needing to rebuild my registry after a change, the idea is you have the option if you do make some spectacular mistake. I can't say I've ever done. There are probably many ways to back up the Registry, but I find the easiest is just exporting the root level to a file somewhere else on the system or external device. This method, however, will only help if you can still modify the registry after the edits, which brings us to this post.

Recently I found myself making modifications to Registry in order to prevent edits by users. This was in response to finding a number of security settings that prevented my user from doing certain things. Yet since I could still access and modify the Registry these settings were rather meaningless from a security standpoint, so I started poking to see if there was an easy way to secure the Registry from alteration, even from admins. Lo and behold there is...which effectively locked me out. While I succeeded in making my system more consistent with the existing security configs, I promptly decided I wanted back in the Registry to do more testing.

Here was my situation:

1. My user that modified the registry was a domain user with Admin rights on the local Windows 10 machine
2. Domain group security settings were in play since this was a corp laptop, so there was only so much I could do in making changes.

The command I used to get myself locked out was this:

 
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /t Reg_dword /v DisableRegistryTools /f /d 1
		

This command locks down any modifications to Registry by all but local admins. While my user was in the local admin group, I domain account. Perhaps it's part of the GPOs, but this made my user incapable of reversing the command.

The issue stumped me for a bit but I finally found a work around to allow my domain account Registry edit permissions again. Since I was an admin on the machine (just not local), I created a secondary local admin account besides the defaults, which had been locked down. Using this new local admin account, I managed to rerun the command above except with a 0 to switch off the DisableRegistryTools bit. From Cmd.exe I was then able to run the regedit and got access, however only as that local user. My domain account was still locked out of the Registry.

This got me thinking the issue might tied to individual accounts having their own view of the Registry. More digging indicated this was the case. So how could I modify my domain user 'view' of the Registry while logged in as another user? Turns out there is an easy method for this exact problem...simply load the user into Registry, make your edits to their profile, then unload them and test.

Here's what I mean:


reg load HKU\DOMAINUSER C:\users\DOMAINUSER\NTUSER.DAT
		

Once the domain user profile was loaded, I drilled into ...\CurrentVersion\Policies\System\ of my domain user and found the DisableRegistryTools bit was still set to '1'.

Success! Changing this to '0' fixed my problem. After logging out and logging back in as my domain admin, I could once again make changes to the registry.

This exercise taught me two major things about Windows Registry:

1. Assigning domain accounts to administrator groups on a system does not always give all the permissions of a local admin.

2. By default, the Registry will run as whoever is using it. However specific profile changes can be made to other users simply by loading their user account.


References:
http://www.adminarsenal.com/admin-arsenal-blog/modifying-the-registry-of-another-user/
http://www.howtogeek.com/howto/16909/how-to-disable-access-to-the-registry-in-windows-7/