How to lock-down the registry...

Mainly so webpages can't hijack your homepage, disable you from changing your homepage, or disable you from accessing your registry. Would prefer a .vbs solution.
Who is Participating?

Improve company productivity with a Business Account.Sign Up

VeegertxConnect With a Mentor Commented:
Save all below to Enable Disable Homepage Change.vbs

'Enable Disable Homepage Change.vbs
'© Veegertx - 4/7/2004
'This code may be freely distributed/modified
Option Explicit
Dim WSHShell, RegKey, ValueA, Result
On Error Resume Next
Set WSHShell = CreateObject("WScript.Shell")
RegKey = "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\"
ValueA = WSHShell.RegRead (regkey & "HomePage")

If ValueA = 0 Then 'Change Homepage is Enabled.
   Result = MsgBox("Ability to Change Homepage is currently [Enabled]." & _
        vbNewLine & "Would you like to Disable?" & _
        vbNewLine & "Will lock and Gray it out." & _
        vbNewLine & "May need to Log-off for effect.", 36)
   If Result = 6 Then 'clicked yes
      WSHShell.RegWrite regkey & "HomePage", 1
   End If
Else 'Change Homepage is Disabled
   Result = MsgBox("Ability to Change Homepage is currently [Disabled]." & _
        vbNewLine & "Would you like to Enable?", 36)
   If Result = 6 Then 'clicked yes
      WshShell.RegDelete "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage"
      'Delete Key cause it don't exist normally
   End If
End If
TheKenmanAuthor Commented:
P.S. Registry must still be accessible by adminstrator.
Use a policy:

...and write a script that will enable/disable the policy.
The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

gemartiConnect With a Mentor Commented:
Okay...the first time I read this I really just looked at the title.

I would suggest that instead of writing a script I would purchase a piece of software that does this for you instead of trying to reinvent the wheel.

BlackICE is a very good application that will monitor your system for any attempted registry changes. You will be notified by a pop-up window when a change to the registry is attempted or if an unknow application trys to start up.
Also, the professional version of AD-AWARE has a program called AD-WATCH. It doesn't stop a change to the registry, but it does tell you exactly where the change occurred.

Ad-aware : 
TheKenmanAuthor Commented:
Those are decent suggestions for a home user, but in a corporate setting they are not feasible. Also the reason I would prefer a .vbs- so I can easily mass-deploy the solution.

Thanks though!
Well BlackICE comes in a Corporate level configuration.

The other option is the Policy that I suggested above.
Locking down the registry completely can be a daunting task
or MS XP version
Requires setting permissions on the registry key's themselves and can even lock user's out from installing software, depends on how many User's you have on your PC. I studied the above pages some time back and decided against it myself. I just keep mjy virus and firewall updated and have had no problem. I also use the above reg edit to prevent homepage changing. I keep that key in my fav's list in my JUmp2Reg program though just in case.

Bottom of the 1st page is this though;
Also if you have the Windows 2000/XP Resource Kit then you can consider using the SUBINACL command to just replace the EVERYONE group wherever it is found with Authenticated Users.
TheKenmanAuthor Commented:
Thanks guys, sorry it took so long to get back to this.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.