Sunday, July 24, 2011


Revised and expanded version
This article applies to: Windows 2000/XP/Server 2003

Topics on this page:
[3] Regedit disabled: Solutions (continued from Part I)
[4] Don't forget about viruses
[5] Exe and other files not running after viral or Trojan infection: corrupt shell\open\command registry keys
[6] Operation cancelled due to Restrictions ***NEW***
Reference


3. Regedit disabled: Solutions (continued from Part I)


3.4. Xteq X-Setup

Download and run Xteq X-Setup, go to Security, Disabled Features, Regedit.exe Enabled. Tick the box Allow starting of RegEdit.EXE on the right and click Apply Changes (Fig. 1).
Fig. 1. Xteq Systems X-Setup Registry Option

3.5. System Restore

Use System Restore (the whole system partition or the system state) if you have restore points from before the problem happened (KB 309340). Restoring the registry by booting into the Last Known Good Configuration would not work, as that restores only the HKLM\System\CurrentControlSet key (see: How to Restore the Registry).

3.6. Full backup restore

Restore from a full backup (using Automated System Recovery (ASR) in Windows XP Professional, or NTBackup alone in Windows XP Home Edition) or from an image such as Symantec Ghost, if you have one made before the problem occurred.

3.7. VBScript

3.7.1. VBS from Doug Knox

Doug Knox has a VBS to lock and unlock the registry: it toggles the value between 0 and 1, does not delete the policy value, and creates it if it is absent. Hence I don't like it!

3.7.2. My own VBS

My version is simpler and it doesn't toggle (download here, unzip and run it; accept the warning from your anti-virus tool).
If the DisableRegistryTools value is 1, the script shows you the current reading first and then rewrites it to 0. If the value is 0 it does the same, so nothing changes; it never sets the value to 1. If the value is absent the script returns an error, in which case the problem lies elsewhere.

3.8. Installing INF file

Using an INF file is another way to edit the registry; it is not as powerful as VBS, but for the purpose of deleting the culprit DisableRegistryTools value it does the job just fine. It is a text file which, when written in the standard form, uses Windows' rundll32.exe to call the Application Programming Interface (API) in Setupapi.dll in the background. A simple INF file is given below: copy the content into Notepad and save it as unlock.inf. Right-click the file and choose Install.

[Version]
Signature="$CHICAGO$"

[DefaultInstall]
DelReg=Del.Settings

; Deletes only the DisableRegistryTools value; the Policies\System key itself is left in place.
[Del.Settings]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableRegistryTools"

3.9. Third party registry editing tools

Other third-party registry editors such as Lavasoft's RegHance can bypass the policy and therefore open the registry and import the unlock.reg file. I've not tried this, and it is quite unnecessary when simpler methods are available; I include it here only for the record. It is also a warning that administrators who set a restriction policy should not have a false sense of security: the policy blocks regedit.exe, not registry editing as such.
If all the above and following methods fail to solve the problem, it is likely to be a more widespread problem: remove all viruses and Trojans and do a repair installation with the Windows XP CD (KB 315341).

3.10. Other Methods

These include: Console Registry Tools (reg.exe), remote registry editing (on a network) and JScript (KB 322756).
The REG DELETE command to unlock the registry can be found in my Console Registry Tools article. It works in Windows XP Home Edition as it doesn't require the Group Policy Editor.

4. Don't forget about viruses

Of course it would be prudent to scan for and remove all viruses. If there is a virus infection then System Restore may not get rid of it and you should not use it. After the clean-up, check that the registry value is reset to 0 (Fig. 2) or that the DisableRegistryTools value name is absent altogether.
Fig. 2. Regedit DisableRegistryTools key

5. Exe and other files not running after viral or Trojan infection: corrupt shell\open\command registry keys

This can happen after a viral infection and may affect other exe files. Try running the exe file from within a batch file first, or rename it to reg.com at the command prompt. The shell\open\command registry keys are corrupt and need to be restored.
If you can run regedit, then restore this key (Fig. 3):
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    "%1" %*
(The value data is the quoted %1, then a space, then %*; the quotation marks and the asterisk are part of the data.)
Fig. 3. Regedit HKCR exefile key

If other files such as *.bat, *.chm, *.cmd, *.ini, *.reg, *.scr and *.txt are not running, do the same for their keys, but go to batfile (or chmfile, and so on) in the registry instead.
***NEW*** Symantec now has a tool to reset this (created 7 May 2004), which you can find here, but I've not personally tested it (further information can be found in the Reference).
If you cannot run regedit, then try the methods in the section above to fix that first. If all the above methods fail to solve the problem, then clean up all viruses and do a repair installation with the Windows XP CD (KB 315341).


6. Operation cancelled due to Restrictions

As briefly introduced in Part I, this is another way of preventing regedit from opening, by way of a program restriction. It can be set readily via a policy setting in Group Policy or Local Computer Policy, both accessed through the Group Policy Editor, and it is also exploited by some viruses and scripts. The same restriction can be applied to other exe programs. Note that it only restricts programs started from Windows Explorer; it does not stop them being started by other means, such as the command prompt, unless cmd.exe is restricted too.
Start, Run, gpedit.msc, then go to:
User Configuration\Administrative Templates\System: Don't run specified Windows applications (Fig. 4).
Fig. 4. Don't run specified Windows applications.

Double-click this setting to open the Properties box, then click the Show... button (Fig. 5).
Fig. 5. Don't run specified Windows applications Properties.

Reset this to allow regedit by choosing Not Configured, or remove regedit.exe from the List of disallowed applications in the Show Contents box. Use the second method if there are other entries you wish to keep; note that you cannot leave the setting Enabled with an empty list (Fig. 6).
Fig. 6. List of disallowed applications: regedit.exe

If you have Windows XP Home Edition, try to run regedit.com (in Safe Mode if needed) and check the corresponding registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    DisallowRun    REG_SZ    "regedit.exe"
Delete the DisallowRun subkey. If regedit.com cannot be run, use HijackThis to delete the key.
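As an added example (not the author's VBS, the INF above, or the Symantec tool), here is a Python script that audits a regedit export for the three indicators this article covers: DisableRegistryTools set to 1 (sections 3 and 4), a modified exefile\shell\open\command (section 5) and a DisallowRun policy listing regedit.exe (section 6). The export text, including the placeholder hijacker path, is constructed for the example.

```python
import re

# Keys this article discusses (lower-cased, as parse_reg stores them). Added audit script; reads a .reg export.
POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies"
EXEFILE_COMMAND = r"hkey_classes_root\exefile\shell\open\command"
GOOD_EXEFILE_COMMAND = '"%1" %*'   # stock (Default) data from Fig. 3

def parse_reg(text):
    """Parse a regedit 5.00 export into {key: {name: data}}; keys and names are lower-cased,
    "" is the (Default) value. Handles dword and string data, which is all this article uses."""
    reg, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg.setdefault(key, {})
        elif key is not None and line[:1] in ('"', "@"):
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"').lower()
            if data.startswith("dword:"):
                reg[key][name] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                reg[key][name] = re.sub(r'\\(["\\])', r"\1", data[1:-1])  # undo .reg escaping
    return reg

def audit(reg):
    """Return the indicators from sections 3 to 6 that are present in the parsed export."""
    found = []
    if reg.get(POLICY + r"\system", {}).get("disableregistrytools") == 1:
        found.append("DisableRegistryTools=1: regedit blocked by policy (sections 3 and 4)")
    cmd = reg.get(EXEFILE_COMMAND, {}).get("")
    if cmd is not None and cmd != GOOD_EXEFILE_COMMAND:
        found.append("exefile command is %r, expected %r (section 5)" % (cmd, GOOD_EXEFILE_COMMAND))
    listed = reg.get(POLICY + r"\explorer\disallowrun", {}).values()
    if reg.get(POLICY + r"\explorer", {}).get("disallowrun") == 1 and any(
            v.lower() == "regedit.exe" for v in listed):
        found.append("DisallowRun policy lists regedit.exe (section 6)")
    return found

# Constructed export showing all three indicators at once; the hijacker path is a placeholder.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\CONSTRUCTED\\bad.exe\" \"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="regedit.exe"
'''
```

Regedit writes exports as UTF-16, so read a real file with open(path, encoding="utf-16") before passing it to parse_reg; running audit(parse_reg(SAMPLE_EXPORT)) reports all three findings. An absent DisableRegistryTools value produces no finding, which matches the article's advice that the problem then lies elsewhere.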


Reference:

Windows XP Registry

KB 256986 Description of the Microsoft Windows Registry
KB 307545 How to Recover from a Corrupted Registry that Prevents Windows XP from Starting
KB 310426 HOW TO: Use the Windows XP and Windows Server 2003 Registry Editor Features
KB 309340 HOW TO: Use Backup to Restore Files and Folders on Your Computer in Windows XP
KB 310516 HOW TO: Add, Modify, or Delete Registry Keys and Values by Using a Registration Entries (.reg) File
KB 322756 HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Windows Server 2003
Technical Reference to the Windows 2000 Registry
Inside the Registry - Article from Windows NT Magazine
How to Restore the Registry
Honeycutt, Jerry, Microsoft Windows XP Registry Guide (Redmond: Microsoft Press, 2003)

Registry Restriction

KB 278839 Error Message: This Operation Has Been Cancelled Due to Restrictions in Effect on This Computer

Symantec

Tool to reset shell\open\command registry keys

VBS

article on VBS


Copyright © 2003-2005 by Kilian. All my articles including graphics are provided "as is" without warranties of any kind. I hereby disclaim all warranties with regard to the information provided. In no event shall I be liable for any damage of any kind whatsoever resulting from the information. The articles are provided in good faith and after some degree of verification but they may contain technical or typographical errors. Links to other web resources may be changed at any time and are beyond the control of the author. Articles may be added, removed, edited or improved at any time. No support is provided by the author. All the products mentioned are trademarks of their respective companies.
DISCLAIMER: Edit the registry at your own risk. If possible use the Group Policy Editor. There is no undo in regedit. If you are inexperienced with regedit, when possible back up the whole registry or the key you are about to change first before modifying or deleting the key. Do not modify more than one key/name/value at a time. Re-logon or reboot and see what happens first.
Last updated 22 Mar 2005
