How to Disable Network Access to Windows Registry

Anup ThapaBy
network access to windows registry

Remoting into a PC has a number of benefits, with the main ones being remote resource access and management. Generally speaking, this is a very convenient feature, but there will be times when you’ll want to limit access to certain resources, such as with the Windows Registry.

The registry stores settings for various Windows components and applications. Incorrectly editing the entries here can cause a number of problems, from application errors to system crashes and BSODs. 

As such, it’s best to revoke registry editing privileges on remotely accessible accounts. We’ve detailed the steps to do precisely this in this article.

How to Disable Remote Access?

Remote registry access in Windows is generally managed through a couple of ways; the Services utility and the Registry Editor. We recommend first preventing registry access with these methods. Here are the steps for this:

  1. Press Win + R, type services.msc, and press Enter.
  2. Scroll down and double-click on the Remote Registry service.
    remote-registry-service
  3. Stop the service if it is running, change the Startup type to Disabled, and press Enter.
    disable-remote-registry-service

You can also do the same thing via the Registry Editor. Once you’ve backed up the registry, you can follow the steps listed below for this method:

  1. Press Win + R, type regedit, and press Enter.
  2. Navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
    remote-registry-regedit
  3. Double-click on the Start value.
  4. Set the value data to 4 and press OK to disable the Remote Registry service.
    disable-remote-registry-regedit

After performing either of these methods, make sure to actually test if the registry is no longer remotely accessible. If the steps worked, then you’re good to go. But if the registry is still accessible, please check the next section.

Disabling Remote Registry with System Policies

This workaround is slightly lengthier, but it works, so bear with us. First, we’ll temporarily give a standard account admin privileges. Then, we’ll use the Group Policy Management Console to disable Registry Editing on this account. Finally, we’ll add this account to the Remote Desktop Users group and revoke admin privileges. Here are the full steps for this:

  1. First, log on to your usual admin account.
  2. Press Win + R, type lusrmgr.msc, and press Enter.
  3. In the Users section, locate the standard account you’re going to use and double-click it.
    local-users-and-groups
  4. In the Member Of tab, click on Add > Advanced > Find Now.
    add-user-account-to-group
  5. Select Administrators from the search results and press Ok > Ok > Ok to save the changes and close all the tabs.
    find-administrators-group
  6. Repeat Steps 3 – 5 but select Remote Desktop Users this time to add the standard account to this group.
    user-groups-member-of
  7. Now log in to the standard account.
  8. Press Win + R, type gpedit.msc, and press Enter.
  9. From the left pane, navigate to User Configuration > Administrative Templates > System.
    prevent-access-to-registry-editing-tools
  10. Double-click on the Prevent access to registry editing tools policy.
  11. Select Enabled and press Ok to apply the changes.
    enable-registry-access-policy
  12. Now, press Win + R, type secpol.msc, and press Enter.
  13. Navigate to Local Policies > User Rights Assignment.
    allow-log-on-through-remote-desktop-services
  14. Double-click on the Allow log on through Remote Desktop Services policy.
  15. Ensure the Remote Desktop Users group is present here. If it’s not, press Add user or group and select Advanced > Find now to add it here.
    remote-desktop-users-group
  16. Now, double-click the Deny access to this computer from the network and Deny log on through Remote Desktop Services policies.
    deny-log-on-through-remote-desktop-services
  17. Ensure the Remote Desktop Users group is not listed here. If it is, select it and press Remove.
  18. Finally, log back into your admin account from Step 1.
  19. Press Win + R, type lusrmgr.msc, and press Enter.
  20. Double-click the standard account’s entry.
  21. In the Member Of tab, select Administrators and press Remove > Ok.
    remove-admin-privileges-user-account

Now that the admin privileges have been revoked, registry editing will be disabled on it. Only an administrator can re-enable it via the Group Policy Management Console. As long as non-admin users remote into this account, they won’t be able to edit the registry over the network.

Anup Thapa primarily covers Windows systems, networking, and computer hardware at TechNewsToday. Anup has been writing professionally for almost 5 years, and tinkering with PCs for much longer. His love for all things tech started when he got his first PC over 15 years ago. It was a Pentium IV system running Windows XP on a single 256 MB stick. He spent his formative years glued to this PC, troubleshooting any hardware or software problems he encountered by himself. Professionally, Anup has had brief forays into a variety of fields from coding and hardware installation to writing. In doing so, he's worked with people of different backgrounds and skill levels, from average joes to industry leaders and experts. This has given him not just a versatile skill set, but also a unique perspective for writing that enables him to concisely communicate complex information and solve his reader's problems efficiently. You can reach out to him at anup@technewstoday.com.

Related Posts

Add A Comment

Leave A Reply