Vista - Normal accounts & reg edit

Hey all,

I was wondering with all this security that is being talked about, can
anyone tell me if a normal account could type in regedit or regedit32 from a
run line without it prompting to enter the admin password?

If this comes up, maybe, that should be a needed security feature..

Yes, but of course you will only be able to modify your own HKCU hive (and
virtualized Class IDs)
--
Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

"Jason" <dsljay@hotmail.com> a écrit dans le message de news:
uj7ryzaWGHA.4972@TK2MSFTNGP02.phx.gbl...
| Hey all,
|
| I was wondering with all this security that is being talked about, can
| anyone tell me if a normal account could type in regedit or regedit32 from
a
| run line without it prompting to enter the admin password?
|
| If this comes up, maybe, that should be a needed security feature..
|
|

Try this, Click Start > All Programs > Accessories > right click Command
Prompt > Run As Administrator > Allow > and type in regedit, you should have
full access to make changes to the registry.
--
Andre
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

"Jason" <dsljay@hotmail.com> wrote in message
news:uj7ryzaWGHA.4972@TK2MSFTNGP02.phx.gbl...
> Hey all,
>
> I was wondering with all this security that is being talked about, can
> anyone tell me if a normal account could type in regedit or regedit32 from
> a run line without it prompting to enter the admin password?
>
> If this comes up, maybe, that should be a needed security feature..
>

Thanks for the info. However, my concern is having normal users in the
registry editors. IMO, normal users have no reason to be going into the
registry. If an administrator wishes to have access to it, it should prompt
for the Admin password like it does to run MSConfig.

"Andre Da Costa [Extended64]" <andred25@hotmail.com> wrote in message
news:%232Vzp2bWGHA.3328@TK2MSFTNGP02.phx.gbl...
> Try this, Click Start > All Programs > Accessories > right click Command
> Prompt > Run As Administrator > Allow > and type in regedit, you should
> have full access to make changes to the registry.
> --
> Andre
> Extended64 | http://www.extended64.com
> Blog | http://www.extended64.com/blogs/andre
> http://spaces.msn.com/members/adacosta
> FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
>
> "Jason" <dsljay@hotmail.com> wrote in message
> news:uj7ryzaWGHA.4972@TK2MSFTNGP02.phx.gbl...
>> Hey all,
>>
>> I was wondering with all this security that is being talked about, can
>> anyone tell me if a normal account could type in regedit or regedit32
>> from a run line without it prompting to enter the admin password?
>>
>> If this comes up, maybe, that should be a needed security feature..
>>
>
>

Well, this in a protected space, its not access to the entire system really.
I am also sure there are Group Policy Edition settings to further restrict
Standard users from accessing the registry.
--
--
Andre
Windows Connected | http://www.windowsconnected.com
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta

"Jason" <dsljay@hotmail.com> wrote in message
news:eSJhpgeWGHA.4580@TK2MSFTNGP04.phx.gbl...
> Thanks for the info. However, my concern is having normal users in the
> registry editors. IMO, normal users have no reason to be going into the
> registry. If an administrator wishes to have access to it, it should
> prompt for the Admin password like it does to run MSConfig.
>
> "Andre Da Costa [Extended64]" <andred25@hotmail.com> wrote in message
> news:%232Vzp2bWGHA.3328@TK2MSFTNGP02.phx.gbl...
>> Try this, Click Start > All Programs > Accessories > right click Command
>> Prompt > Run As Administrator > Allow > and type in regedit, you should
>> have full access to make changes to the registry.
>> --
>> Andre
>> Extended64 | http://www.extended64.com
>> Blog | http://www.extended64.com/blogs/andre
>> http://spaces.msn.com/members/adacosta
>> FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
>>
>> "Jason" <dsljay@hotmail.com> wrote in message
>> news:uj7ryzaWGHA.4972@TK2MSFTNGP02.phx.gbl...
>>> Hey all,
>>>
>>> I was wondering with all this security that is being talked about, can
>>> anyone tell me if a normal account could type in regedit or regedit32
>>> from a run line without it prompting to enter the admin password?
>>>
>>> If this comes up, maybe, that should be a needed security feature..
>>>
>>
>>
>
>

"Jason" <dsljay@hotmail.com> wrote:

> Thanks for the info. However, my concern is having normal users in the
> registry editors. IMO, normal users have no reason to be going into the
> registry. If an administrator wishes to have access to it, it should prompt
> for the Admin password like it does to run MSConfig.

The ability to disable the running of REGEDIT already exists as a
Windows policy. (“Prevent Access to Registry Editing Tools”,
http://support.microsoft.com/kb/831787/) The users do have rights to
modify their own profile's area of the registry, whether we as
administrators feel like we make it easy on them to do so or not.

So I wouldn't get too bent over whether REGEDIT.EXE will prompt normal
users for the Administrator password (even if the user just wants to
edit something the user actually has rights to edit). I think the
existing "DisableRegistryTools" probably goes as far as anything
should in providing a false sense of security that users can't get
into registry trouble without REGEDIT.

Alan Adams

In article <eSJhpgeWGHA.4580@TK2MSFTNGP04.phx.gbl>, "Jason"
<dsljay@hotmail.com> wrote:
>Thanks for the info. However, my concern is having normal users in the
>registry editors. IMO, normal users have no reason to be going into the
>registry. If an administrator wishes to have access to it, it should prompt
>for the Admin password like it does to run MSConfig.

As has already been pointed out by others, you can certainly deploy a policy
that prevents your users from having access to the registry editing tools, but
the users do actually have a need to access their own registry hives, so you
need to leave the registry ACLs on their own HKCU hive open to them.

And if they're allowed to change registry settings through other programs, are
you really achieving much by preventing them from directly editing the
registry? I can think of a couple of benefits of disabling their access to
regedit:

1. Stops people from downloading and installing .REG files that might
otherwise cause damage. Of course, that means that it also prevents them from
downloading and installing .REG files that come as part of their local
installation of a program...
2. Stops users from tinkering with things they do not understand. But then,
they'll tinker with other things they do not understand, anyway, so perhaps
you just have to come up with creative ways of persuading them to hold out
their hands for you to slap every time they do this.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | alun@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

All good, and valid, comments so far.
I might add that we should not judge the advisability of limited
accounts having access to reg editing based on how per-user
settings are (partially, limply - at least by the third-party ISV
community) used today. Imagine if the HKCU were very actively
used for app (and OS) per-user perference/history/etc persistence.

Roger

"Jason" <dsljay@hotmail.com> wrote in message
news:eSJhpgeWGHA.4580@TK2MSFTNGP04.phx.gbl...
> Thanks for the info. However, my concern is having normal users in the
> registry editors. IMO, normal users have no reason to be going into the
> registry. If an administrator wishes to have access to it, it should
> prompt for the Admin password like it does to run MSConfig.
>
> "Andre Da Costa [Extended64]" <andred25@hotmail.com> wrote in message
> news:%232Vzp2bWGHA.3328@TK2MSFTNGP02.phx.gbl...
>> Try this, Click Start > All Programs > Accessories > right click Command
>> Prompt > Run As Administrator > Allow > and type in regedit, you should
>> have full access to make changes to the registry.
>> --
>> Andre
>> Extended64 | http://www.extended64.com
>> Blog | http://www.extended64.com/blogs/andre
>> http://spaces.msn.com/members/adacosta
>> FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
>>
>> "Jason" <dsljay@hotmail.com> wrote in message
>> news:uj7ryzaWGHA.4972@TK2MSFTNGP02.phx.gbl...
>>> Hey all,
>>>
>>> I was wondering with all this security that is being talked about, can
>>> anyone tell me if a normal account could type in regedit or regedit32
>>> from a run line without it prompting to enter the admin password?
>>>
>>> If this comes up, maybe, that should be a needed security feature..
>>>
>>
>>
>
>