System hacks: Put a “lock” on important registry keys

By default, registry keys have little protection, so a lot of insecure or even malicious software modifies settings at will, for example forcibly changing the browser’s home page or altering important system keys. To protect the system better, it is a good idea to set protection on some important keys so that they cannot be modified arbitrarily.

○ Built in: set permission protection for keys

Just as we can mark a file “read-only” to stop users changing it, we can use permissions to protect registry keys. For example, many installers write an autostart entry under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run], which then launches a pile of unrelated software every time the computer starts. Below we use the permission tool to make this key “read-only”. Note that modifying the registry is risky and may damage the system, so back it up in advance or create a restore point with System Restore first.

Start Registry Editor as an administrator, expand the path above, right-click the [Run] key and choose “Permissions”. In the window that opens, click “Advanced → Disable Inheritance → Remove all inherited permissions from this object” to remove all users’ inherited permissions (Figure 1).

Figure 1 Disable Inheritance

Next, switch to “Owner” and change it to the currently logged-in user. Go back to the “Permissions” window and, in the “Group or user names” list, set only the current user’s “Read” permission for the key to “Allow” (Figure 2), then click “OK” to exit.

Figure 2 Permission setting

From now on, when software tries to create a new value or delete one under this key, the system shows the message “Unable to create value: Error writing to the registry”, because there is no “write” permission. The data in the key can still be read (so the current autostart entries keep working), while installers are prevented from adding new autostart items to it (Figure 3).

Figure 3 Permission blocking

The same method can be applied to other keys as needed. For example, [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt] holds the contents of IE’s right-click menu; if you set [MenuExt] so that no account has write permission, assorted entries can no longer be added to the IE context menu at will. In short, find the key that corresponds to the option you care about and protect it by setting permissions.

Tip: If the current user does not have “Read” permission for a key by default, you can add that permission in the same way. You can also grant a separate high-privilege account “Full Control” and use that account to install the software you do want to run at startup.
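The same locking procedure as an added PowerShell example (not the article’s own code, and not a Microsoft tool): it backs up the key with reg.exe, sets the owner, disables inheritance and discards the inherited entries, leaves only a “Read” entry for the chosen identity, and then probes the key the way Figure 3 does to confirm that writes are refused. It assumes Windows PowerShell 5.1 or later running as the user whose HKCU key is being protected; the backup folder and the probe value name are hypothetical choices.

```powershell
# Added example, not the article's own code: lock an autostart key with the same
# steps the article performs in Registry Editor (back up, set the owner, disable
# inheritance and drop inherited entries, allow only Read), driven from PowerShell.
# Assumed: Windows PowerShell 5.1 or later, run as the user whose HKCU key is being
# protected. The backup folder and the probe value name are hypothetical choices.
using namespace System.Security.AccessControl
using namespace System.Security.Principal
using namespace Microsoft.Win32

function Backup-RegistryKey {
    # reg.exe export, as the article recommends before any registry change.
    param([Parameter(Mandatory)] [string] $KeyPath,
          [string] $BackupDir = "$env:USERPROFILE\RegBackup")   # hypothetical location
    # reg.exe wants the long hive name rather than the PowerShell drive prefix.
    $regPath = $KeyPath -replace '^HKCU:\\', 'HKEY_CURRENT_USER\' -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir ('{0}-{1:yyyyMMdd-HHmmss}.reg' -f ($regPath -replace '[\\: ]', '_'), (Get-Date))
    & reg.exe export $regPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed for $regPath" }
    return $file
}

function Set-RegistryKeyOwner {
    # The article's "Owner" step. Done through .NET directly because the key must be
    # opened with WRITE_OWNER (TakeOwnership) for the owner section to be written.
    param([Parameter(Mandatory)] [string] $KeyPath, [Parameter(Mandatory)] [string] $Identity)
    $hive = if ($KeyPath -like 'HKLM:*') { [Registry]::LocalMachine } else { [Registry]::CurrentUser }
    $sub  = $KeyPath -replace '^HK(CU|LM):\\', ''
    $key  = $hive.OpenSubKey($sub, [RegistryKeyPermissionCheck]::ReadWriteSubTree, [RegistryRights]::TakeOwnership)
    $sd = [RegistrySecurity]::new()
    $sd.SetOwner([NTAccount] $Identity)   # only the owner section is marked modified, so only it is written
    $key.SetAccessControl($sd)
    $key.Close()
}

function Protect-RegistryKey {
    param([Parameter(Mandatory)] [string] $KeyPath,
          [string] $ReadIdentity = "$env:USERDOMAIN\$env:USERNAME",
          [switch] $TakeOwnership)
    $backup = Backup-RegistryKey -KeyPath $KeyPath
    if ($TakeOwnership) { Set-RegistryKeyOwner -KeyPath $KeyPath -Identity $ReadIdentity }
    $acl = Get-Acl -Path $KeyPath
    # "Disable Inheritance -> Remove all inherited permissions from this object":
    # protect the DACL and discard inherited entries rather than converting them.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any explicit entries too, so the Read rule below is the only one left.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    # Allow only "Read" (ReadKey: query values, enumerate subkeys, notify, read the
    # security descriptor) for the chosen identity, inherited by subkeys.
    $acl.AddAccessRule([RegistryAccessRule]::new($ReadIdentity, [RegistryRights]::ReadKey,
        [InheritanceFlags]::ContainerInherit, [PropagationFlags]::None, [AccessControlType]::Allow))
    Set-Acl -Path $KeyPath -AclObject $acl
    return $backup
}

function Test-RegistryKeyWritable {
    # What Figure 3 shows, as a check: try to add a value and report whether it is refused.
    param([Parameter(Mandatory)] [string] $KeyPath, [string] $ProbeName = 'LockProbe_DeleteMe')
    try {
        New-ItemProperty -Path $KeyPath -Name $ProbeName -Value '' -PropertyType String -ErrorAction Stop | Out-Null
        Remove-ItemProperty -Path $KeyPath -Name $ProbeName -ErrorAction SilentlyContinue
        return $true
    } catch {
        if ($_.Exception -is [System.UnauthorizedAccessException] -or
            $_.Exception -is [System.Security.SecurityException]) { return $false }
        throw   # anything else (missing key, bad path) is a real error, not a refusal
    }
}

function Unprotect-RegistryKey {
    # Undo: re-enable inheritance so the parent's permissions flow back in. Works as the
    # key's owner, who always keeps the right to change permissions.
    param([Parameter(Mandatory)] [string] $KeyPath)
    $acl = Get-Acl -Path $KeyPath
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $KeyPath -AclObject $acl
}

# Usage: lock the per-user Run key the article discusses, then verify the result.
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$backupFile = Protect-RegistryKey -KeyPath $run -TakeOwnership
"Backup written to $backupFile"
"Writable after locking: $(Test-RegistryKeyWritable -KeyPath $run)"
(Get-Acl -Path $run).Access | Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
```

After the script runs, the permission table should list a single entry, the chosen user with ReadKey, and the probe should report that the key is not writable. Two points worth knowing before relying on it: the owner of a key always retains the right to change its permissions, so a program running as that same user could restore write access by editing the DACL first; and an elevated installer can take ownership back. The lock therefore stops software that simply tries to write to the key, which is the case the article is about, and the tip above (installing wanted startup software from a separate high-privilege account) is the way to keep the locked key usable.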

○ Simple and efficient: use the command line to set key permissions

Besides the method above, the “regini.exe” command-line tool that ships with Windows 10 can also make the change. For example, operations such as cloning or hiding system accounts require expanding and editing the [HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account] key. It is an important system key, however, and by default the current user has no “Read” permission on [HKEY_LOCAL_MACHINE\SAM\SAM], so the key above cannot be expanded or edited (Figure 4).

Figure 4 Unable to expand [HKEY_LOCAL_MACHINE\SAM\SAM] due to permission restrictions

Here “regini.exe” can make the change quickly (command format: “regini.exe <path to regini.ini>”). First prepare the “regini.ini” file, which holds the permission changes. Start Notepad, type “HKEY_LOCAL_MACHINE\SAM\SAM [1]”, save the file as “regini.ini” and put it on drive F: for later use. Note that the key name SAM and the code [1] are separated by a space. The code “[1]” grants the system administrators group (Administrators) “Full Control” over the key; “[2]” grants the administrators group “Read” permission. The other permission codes can be seen by typing “regini /?” at a Command Prompt (Figure 5).

Figure 5 View permission codes

Next, type “regini f:\regini.ini” in the Command Prompt window, then go back to Registry Editor and press F5 to refresh. Open the key above again and you will see that Administrators now has “Full Control” over it (Figure 6).

Figure 6 View permission changes

If the current account belongs to the Administrators group, the key above can now be expanded, its subkeys viewed and the required edits made (Figure 7). Other keys are handled in the same way, so you can work them out yourself.

Figure 7 Subkeys can be expanded after the permission change

If the operations above seem troublesome, you can also use the Registry Protector tool, which lets you set registry permissions more quickly through a GUI; it is simple and intuitive to use, and the permission changes can be undone at any time.
