How to lock-down the registry...

Posted on 2004-04-07
Last Modified: 2008-01-16
Mainly so webpages can't hijack your homepage, disable you from changing your homepage, or disable you from accessing your registry. Would prefer a .vbs solution.
Question by:TheKenman
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2

Author Comment

ID: 10774130
P.S. Registry must still be accessible by adminstrator.
LVL 21

Expert Comment

ID: 10774406
Use a policy:

...and write a script that will enable/disable the policy.
LVL 21

Assisted Solution

gemarti earned 150 total points
ID: 10774483
Okay...the first time I read this I really just looked at the title.

I would suggest that instead of writing a script I would purchase a piece of software that does this for you instead of trying to reinvent the wheel.

BlackICE is a very good application that will monitor your system for any attempted registry changes. You will be notified by a pop-up window when a change to the registry is attempted or if an unknow application trys to start up.
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 21

Expert Comment

ID: 10774512
Also, the professional version of AD-AWARE has a program called AD-WATCH. It doesn't stop a change to the registry, but it does tell you exactly where the change occurred.

Ad-aware : 

Author Comment

ID: 10774624
Those are decent suggestions for a home user, but in a corporate setting they are not feasible. Also the reason I would prefer a .vbs- so I can easily mass-deploy the solution.

Thanks though!
LVL 21

Expert Comment

ID: 10774836
Well BlackICE comes in a Corporate level configuration.

The other option is the Policy that I suggested above.

Accepted Solution

Veegertx earned 350 total points
ID: 10775677
Save all below to Enable Disable Homepage Change.vbs

'Enable Disable Homepage Change.vbs
'© Veegertx - 4/7/2004
'This code may be freely distributed/modified
Option Explicit
Dim WSHShell, RegKey, ValueA, Result
On Error Resume Next
Set WSHShell = CreateObject("WScript.Shell")
RegKey = "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\"
ValueA = WSHShell.RegRead (regkey & "HomePage")

If ValueA = 0 Then 'Change Homepage is Enabled.
   Result = MsgBox("Ability to Change Homepage is currently [Enabled]." & _
        vbNewLine & "Would you like to Disable?" & _
        vbNewLine & "Will lock and Gray it out." & _
        vbNewLine & "May need to Log-off for effect.", 36)
   If Result = 6 Then 'clicked yes
      WSHShell.RegWrite regkey & "HomePage", 1
   End If
Else 'Change Homepage is Disabled
   Result = MsgBox("Ability to Change Homepage is currently [Disabled]." & _
        vbNewLine & "Would you like to Enable?", 36)
   If Result = 6 Then 'clicked yes
      WshShell.RegDelete "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage"
      'Delete Key cause it don't exist normally
   End If
End If

Expert Comment

ID: 10795523
Locking down the registry completely can be a daunting task
or MS XP version
Requires setting permissions on the registry key's themselves and can even lock user's out from installing software, depends on how many User's you have on your PC. I studied the above pages some time back and decided against it myself. I just keep mjy virus and firewall updated and have had no problem. I also use the above reg edit to prevent homepage changing. I keep that key in my fav's list in my JUmp2Reg program though just in case.

Bottom of the 1st page is this though;
Also if you have the Windows 2000/XP Resource Kit then you can consider using the SUBINACL command to just replace the EVERYONE group wherever it is found with Authenticated Users.

Author Comment

ID: 10877163
Thanks guys, sorry it took so long to get back to this.

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Step by step guide to Clean and Sort your windows registry! Introduction: Always remember: A Clean registry = Better performance = Save your invaluable time In this article we're going to clear our registry manually! Yes, manually! The e…
When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup" or a blinking cursor with black screen. A loop for Auto repair will start but fix nothing.  You will be panic as there are no back…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question