Remoting into a PC has a number of benefits, with the main ones being remote resource access and management. Generally speaking, this is a very convenient feature, but there will be times when you’ll want to limit access to certain resources, such as with the Windows Registry.
The registry stores settings for various Windows components and applications. Incorrectly editing the entries here can cause a number of problems, from application errors to system crashes and BSODs.
As such, it’s best to revoke registry editing privileges on remotely accessible accounts. We’ve detailed the steps to do precisely this in this article.
How to Disable Remote Access?
Remote registry access in Windows is generally managed in two ways: through the Services utility and through the Registry Editor. We recommend first preventing registry access with these methods. Here are the steps for this:
- Press Win + R, type services.msc, and press Enter.
- Scroll down and double-click on the Remote Registry service.
- Stop the service if it is running, change the Startup type to Disabled, and press Enter.
You can also do the same thing via the Registry Editor. Once you’ve backed up the registry, you can follow the steps listed below for this method:
- Press Win + R, type regedit, and press Enter.
- Navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
- Double-click on the Start value.
- Set the value data to 4 and press OK to disable the Remote Registry service.
After performing either of these methods, make sure to actually test if the registry is no longer remotely accessible. If the steps worked, then you’re good to go. But if the registry is still accessible, please check the next section.
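The service change and the follow-up test described above can also be scripted. This PowerShell sketch is an added example, not part of the original article; the function names and the computer name TARGET-PC are placeholders chosen here.

```powershell
# Added example, not from the original article.
# Run Disable-RemoteRegistryService in an elevated session on the PC being locked down.
function Disable-RemoteRegistryService {
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry'

    # Stop the service if it is running, then set Startup type to Disabled.
    if ((Get-Service -Name RemoteRegistry).Status -ne 'Stopped') {
        Stop-Service -Name RemoteRegistry -Force
    }
    Set-Service -Name RemoteRegistry -StartupType Disabled

    # Read back the Start value the article edits by hand: 4 means Disabled.
    $start = (Get-ItemProperty -Path $svcKey -Name Start).Start
    [pscustomobject]@{
        Status     = (Get-Service -Name RemoteRegistry).Status
        StartValue = $start
        Disabled   = ($start -eq 4)
    }
}

# Run Test-RemoteRegistryAccess from a second machine, using an account that
# could reach the registry before the change.
function Test-RemoteRegistryAccess {
    param([Parameter(Mandatory)][string]$ComputerName)

    $reachable = $false
    $detail    = 'Remote HKLM opened and enumerated'
    try {
        $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
        $null = $base.GetSubKeyNames()
        $base.Close()
        $reachable = $true
    }
    catch {
        # Keep the error text: a stopped service, a permission denial and an
        # unreachable host all fail here, and only the message tells them apart.
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{
        ComputerName      = $ComputerName
        RegistryReachable = $reachable
        Detail            = $detail
    }
}

# Disable-RemoteRegistryService
# Test-RemoteRegistryAccess -ComputerName 'TARGET-PC'
```

If RegistryReachable is still True after the change, move on to the policy-based method in the next section.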
Disabling Remote Registry with System Policies
This workaround is slightly lengthier, but it works, so bear with us. First, we’ll temporarily give a standard account admin privileges. Then, we’ll use the Group Policy Management Console to disable Registry Editing on this account. Finally, we’ll add this account to the Remote Desktop Users group and revoke admin privileges. Here are the full steps for this:
- First, log on to your usual admin account.
- Press Win + R, type lusrmgr.msc, and press Enter.
- In the Users section, locate the standard account you’re going to use and double-click it.
- In the Member Of tab, click on Add > Advanced > Find Now.
- Select Administrators from the search results and press Ok > Ok > Ok to save the changes and close all the tabs.
- Repeat Steps 3 – 5 but select Remote Desktop Users this time to add the standard account to this group.
- Now log in to the standard account.
- Press Win + R, type gpedit.msc, and press Enter.
- From the left pane, navigate to User Configuration > Administrative Templates > System.
- Double-click on the Prevent access to registry editing tools policy.
- Select Enabled and press Ok to apply the changes.
- Now, press Win + R, type secpol.msc, and press Enter.
- Navigate to Local Policies > User Rights Assignment.
- Double-click on the Allow log on through Remote Desktop Services policy.
- Ensure the Remote Desktop Users group is present here. If it’s not, press Add user or group and select Advanced > Find now to add it here.
- Now, double-click the Deny access to this computer from the network and Deny log on through Remote Desktop Services policies.
- Ensure the Remote Desktop Users group is not listed here. If it is, select it and press Remove.
- Finally, log back into your admin account from Step 1.
- Press Win + R, type lusrmgr.msc, and press Enter.
- Double-click the standard account’s entry.
- In the Member Of tab, select Administrators and press Remove > Ok.
Now that the admin privileges have been revoked, registry editing will be disabled on the standard account. Only an administrator can re-enable it via the Group Policy Management Console. As long as non-admin users remote into this account, they won’t be able to edit the registry over the network.