Distributing registry changes to clients without administrator rights

Posted on 2004-10-11
Last Modified: 2013-12-28
I have changes to 2 registry subkeys that I need to distribute to a number of Windows NT 4.0 clients on my Windows 2003 Server network.

Both changes are to the HKEY_LOCAL_MACHINE subkey but the users do not have local admin rights.

I can write a batch file to do this but it won't work without these rights.
I looked at POLEDIT but it didn't seem to have options for these settings.

Can anyone help....
Question by:STEVEO2
LVL 57

Accepted Solution

Pete Long earned 125 total points
ID: 12280903
How to distribute a Registry Change

From Windows 2000 Magazine April 2001

You can use one of three methods: imported registration (.reg) files, regini.exe, or group or system policies.

***Option 1: Create or Export Registration Files ***

You can distribute .reg files that users can then import into the registries of target computers. All you need to do is create—or use regedit to export, then edit—the .reg files, then distribute them. (Registration files have one serious shortcoming, however: They can't delete anything in the registry.) Format the registration file's contents as follows:

<Blank line>

Is whichever version of regedit.exe you're using. This entry identifies the file as a registration file. Regedit automatically adds this information when you export a .reg file, but you must manually enter the information when you create a .reg file. For Windows 2000, the RegistryEditorVersion is Windows Registry Editor Version 5.00; for NT 4.0, the version is Regedit4.

Blank line
Identifies the beginning of a new registry path. (Each individual key or sub key is a new registry path.) When you export a key, the .reg file displays a blank line before each key or sub key. If you have multiple keys in your .reg file, blank lines can help you examine and troubleshoot the contents. (Microsoft's instructions state that the blank line is necessary. However, when I create .reg files and inadvertently forget the blank lines, the files still merge successfully.)

Is the path to the key that holds the values you're importing. Enclose the path in square brackets, and separate each level of the hierarchy by a backslash—for example, [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]. A .reg file can contain multiple registry paths.
When the bottom of the hierarchy that you enter in the path statement doesn't exist in the registry, you're creating a new subkey. Registry files' contents are sent to the registry in the order in which you enter them. Therefore, if you want to create a new key and a subkey below that key, be sure to enter the lines in the proper order. (However, the only reason to create new keys is because you've written software that looks for those keys. Creating new keys isn't a task you perform for system maintenance.)

Is the data item you want to import. When a data item in your file doesn't exist in the registry, the .reg file adds it (with its value). When a data item does exist, the value in your .reg file overwrites the existing value. Quotation marks enclose the name of the data item. An equal sign (=) immediately follows the name of the data item.  

(i.e., the imported item's data type) immediately follows the equal sign, unless the data type is of REG_SZ (REG_SZ types are strings). For all data types other than REG_SZ, a colon immediately follows the data type. Table 1 shows the entries for five common data types. (Nine data types exist, but the types in Table 1 are likely to be the only ones you'll use for system maintenance.) For information about these data types, see the sidebar "Registry Data Types" (see below).

Table 1

Data Type         Registration File DataType Entry
REG_BINARY        hex
REG_DWORD         dword
REG_EXPAND_SZ     hex(2)
REG_MULTI_SZ      hex(7)
REG_SZ            none

(i.e., the value you want to import) immediately follows the colon and must be in the appropriate format (i.e., string or hexadecimal—use hex format for binary data items). You can enter multiple data-item lines for the same registry path. For example, the data-item lines


reflect the hex entries that these data items require: 00000014 is the hex equivalent of 20, and 0000000f is the hex equivalent of 15. If you're uncomfortable with hex or other nonreadable data, restrict your .reg file creation efforts to items that are neither binary nor hex format.
The registry doesn't have a Boolean data type (although it should, and I can't believe Microsoft hasn't gotten around to this yet). However, Boolean type data is usually a DWORD (4 byte) or String (2 byte) item type in the registry. If you're using your .reg file to change values, check the data item in the registry to make sure you match the data type. You don't need to enter the full string in your .reg file; you can omit leading zeros for all numeric values.

****A Registration File Drawback ****

Registration (.reg) files can't delete anything in the registry

****Here's an Example*****

Windows Registry Editor Version 5.00


****Option 2: Get More Editing Power with Regini.exe*****
If scripts are your favourite tools for configuration and setup tasks, you can use regini.exe to apply your scripting skills to registry edits. Regini provides more power than .reg files can muster, including the ability to delete subkeys and data items and to set permissions on registry keys. You can find Regini in the Microsoft Windows 2000 Server Resource Kit and the Microsoft Windows NT Server 4.0 Resource Kit. (I've successfully used the Windows 2000 version of regini.exe on NT machines, and vice versa.) The resource kits also contain full documentation (i.e., regini.doc) for this nifty utility. Regini uses the following syntax:

regini <ScriptFileName>

where ScriptFileName is the path to a script file you've written to perform a specific registry edit. You can use Uniform Naming Convention (UNC) in the path statement if the script is on a network share.

To distribute registry changes that use Regini, you must make the program available to each target computer (assuming that you haven't installed the resource kits across your enterprise). You can use a batch file to map Regini's UNC path and then run the program. For example, if Regini resides on a network share named ResKit on a server named Tools1, you can create the following batch file:

Net use x: \\tools1\reskit
x:\regini <ScriptFileName>
Net use x: /delete

Regini Features
Regini gives you several options for data manipulation. For example, DELETE is a regini.exe keyword that requires only the name of the data item. To remove a data item, enter the following syntax as the second (i.e., data item) line of your script:

DataItemName = DELETE

Putting It All Together
As an example of a complete command, review the following script. This command changes computer settings so that the most recent user's name doesn't appear in the Logon dialog box.

DontDisplayLastUserName = REG_DWORD 1

*****Option 3: Use Policies *****

You can also distribute registry changes by creating system policies that manipulate the registries of target users. The process you use varies between Windows 2000 (which uses the Microsoft Management Console—MMC—GPE snap-in) and earlier versions of Windows (which use SPE), but in either case, you can build administration (.adm) files to send registry changes to selected computers.

The easiest way to create an .adm file is to use an existing .adm template as a starting point. Templates are text files, and you can open them in Notepad or any text editor. Before you do anything with existing templates, back up the originals. When you modify a template, save the new version with a new filename, even if you've backed up the original. And you must test your new .adm files in a lab environment before you unleash your creation on the enterprise. (See Reader to Reader, ".adm Files and the Headaches They Can Cause," October 1999, for a description of the consequences you might face if you ignore this advice.)

Of course, to implement a registry change through an .adm template, you need to know which registry key to target. The resource kits' registry documentation is rather sparse. To learn my way around the registry, I used a lab environment to plunge in and make system changes with existing policies and Control Panel applets. I used Sysinternals' regmon.exe (available from ) to track the resulting registry changes. Eventually, I learned quite a bit about the registry's organization and registry entries' data types.

Where are the Administrative Templates (ADM) located?


HOW TO: Add, Modify, or Delete Registry Subkeys and Values by Using a Registration Entries (.reg) File

Distributing Registry Changes

Specify a Script to Run on Startup Shutdown Logon Logoff
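
The file layout described in the answer above (header line, blank line, bracketed path, then "name"=type:value lines using the Table 1 entries), shown as an added example that is not part of the original answer or the article it quotes. The key path and value names in SAMPLE are constructed, and the function names are this example's own.

```python
# Added example: renders .reg text for the Table 1 data types.
# The key path and value names in SAMPLE are constructed.
HEADERS = {"nt4": "REGEDIT4", "w2k": "Windows Registry Editor Version 5.00"}

def _quote(text):
    # Backslashes and double quotes are escaped inside quoted strings.
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'

def _hex(text, target):
    # REGEDIT4 files carry ANSI bytes; version 5.00 files carry UTF-16LE.
    data = text.encode("cp1252" if target == "nt4" else "utf-16-le")
    return ",".join(f"{b:02x}" for b in data)

def render_value(name, reg_type, value, target):
    """Return one data-item line: "name"=<type entry>:<data>."""
    if reg_type == "REG_SZ":             # no type entry, quoted string
        body = _quote(value)
    elif reg_type == "REG_DWORD":        # eight hex digits
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("REG_DWORD must fit in 32 bits")
        body = f"dword:{value:08x}"
    elif reg_type == "REG_BINARY":       # comma-separated bytes
        body = "hex:" + ",".join(f"{b:02x}" for b in value)
    elif reg_type == "REG_EXPAND_SZ":    # string plus terminating NUL
        body = "hex(2):" + _hex(value + "\0", target)
    elif reg_type == "REG_MULTI_SZ":     # NUL after each string, one more at end
        body = "hex(7):" + _hex("".join(s + "\0" for s in value) + "\0", target)
    else:
        raise ValueError(f"unsupported data type: {reg_type}")
    return f"{_quote(name)}={body}"

def render_reg(target, keys):
    """keys maps a registry path to a list of (name, type, value) tuples."""
    lines = [HEADERS[target]]
    for path, values in keys.items():
        lines += ["", f"[{path}]"]       # blank line before each registry path
        lines += [render_value(n, t, v, target) for n, t, v in values]
    return "\r\n".join(lines) + "\r\n"

SAMPLE = {r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Demo": [
    ("Timeout", "REG_DWORD", 20),
    ("InstallDir", "REG_SZ", r"C:\Tools"),
    ("SearchPath", "REG_EXPAND_SZ", r"%SystemRoot%\system32"),
]}

if __name__ == "__main__":
    print(render_reg("nt4", SAMPLE))
```

Passing "nt4" or "w2k" switches both the header line and the byte encoding used for hex(2) and hex(7) data.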

LVL 10

Assisted Solution

Longbow earned 125 total points
ID: 12285451
You can use the Pstools Suite from
Create a login script with the following syntax:
Psexec.exe -u Administrator -p Password "regedit" /s c:\folder\file.reg

The registry keys will be imported in the user registry with the rights for the Administrator permissions, in this case.

Type psexec /? for more options.
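
A logon script has to be readable by every user who runs it, so the value after -p in a line like the one above is readable by those users too. The following added example (not part of the original post) scans script text for lines that carry a password; the sample script is constructed, and the net use check goes beyond the command shown in the post.

```python
# Added example: flag logon-script lines that embed a password.
# SAMPLE_SCRIPT is constructed; account names and passwords are made up.
import shlex

SAMPLE_SCRIPT = r'''@echo off
rem psexec -u olduser -p oldpass cmd
net use x: \\tools1\reskit
Psexec.exe -u Administrator -p Password "regedit" /s c:\folder\file.reg
psexec \\host -u CORP\svc cmd
net use y: \\srv\share S3cret /user:CORP\svc
'''

def _tokens(line):
    # posix=False keeps the backslashes of Windows and UNC paths intact.
    try:
        return shlex.split(line, posix=False)
    except ValueError:            # unbalanced quote: fall back to whitespace
        return line.split()

def find_embedded_credentials(script):
    """Return (line_no, tool, account) per hit; the password is never returned."""
    findings = []
    for no, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip().lstrip("@")
        if not line or line.lower().startswith(("rem ", "::")):
            continue              # batch comments are not executed
        tok = _tokens(line)
        low = [t.lower().strip('"') for t in tok]
        tool = low[0].rsplit("\\", 1)[-1]
        if tool.endswith(".exe"):
            tool = tool[:-4]
        if tool == "psexec" and "-p" in low[:-1]:
            # -p followed by a value; without -p psexec prompts instead
            user = tok[low.index("-u") + 1] if "-u" in low[:-1] else "?"
            findings.append((no, "psexec", user))
        elif tool == "net" and low[1:2] == ["use"]:
            # net use <device> <\\server\share> <password> /user:<name>
            user = next((t[6:] for t in tok if t.lower().startswith("/user:")), None)
            positional = [t for t in tok[2:] if not t.startswith("/")]
            if user and len(positional) >= 3 and positional[2] != "*":
                findings.append((no, "net use", user))
    return findings

if __name__ == "__main__":
    print(find_embedded_credentials(SAMPLE_SCRIPT))
```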
LVL 85

Expert Comment

ID: 12296580
An .adm file for the use with poledit is (probably) easily created; what exactly are the keys you want to change, which data should they have, which types are the values?

Expert Comment

ID: 12316900
Below is an ADM I created to change requested registry keys.

Hopefully you can see what is going on. If not, post the reg keys that you need to change and one of us will create an ADM for you to import to AD.


|-------------------------------------------------ADM BELOW---------------------------------------------------|

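; The key is under HKEY_LOCAL_MACHINE, so the policy is in the machine class
CLASS MACHINE

CATEGORY !!SystemCat

      CATEGORY !!USBServicesCat

            POLICY !!USBMassStorage

                  KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
                  #if version >= 4
                        SUPPORTED !!SUPPORTED_Windows2000
                  #endif

                  #if version >= 3
                        EXPLAIN !!USBStorageCfg_Help
                  #endif

                  ; Service Start value: 4 = disabled, 3 = start on demand
                  VALUENAME "Start"
                        VALUEOFF NUMERIC 3
                        VALUEON NUMERIC 4

            END POLICY

      END CATEGORY

END CATEGORY

[strings]
; The two category labels were not in the post; placeholder text
SystemCat="System"
USBServicesCat="USB Services"
USBMassStorage="Disable Access to USB Storage Devices"
SUPPORTED_Windows2000="Windows .NET Server family, 2000, XP"
PowerCfg_Help=" Disables the Power Config"
USBStorageCfg_Help="Setting this policy to Enabled stops USB Storage Devices from loading"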
|-------------------------------------------------ADM END---------------------------------------------------|
