Remote Registry Management Service. Windows Registry

Good afternoon! Last time we talked about the wonderful utility Remote Desktop Connection Manager, which should be in the toolkit of any system administrator; in the future I plan to write a separate article about this kind of toolkit. Today I want to show you another life hack that will help you get out of a number of unpleasant situations in your practice: we will talk about the remote Windows registry and connecting to it.

Why you may need to remotely connect to the Windows registry of another computer

Before I show how the task is done, I would like to highlight the situations in which this knowledge may be useful to you. Earlier I explained how to launch the registry editor in Windows, and that every setting you change in the graphical interface actually changes registry keys in the background, so the registry is the management system of Windows.

Recently I described a situation where I needed to remotely enable the Remote Desktop service on a Windows Server 2019 server so that I could connect to it via RDP; thanks to changing the keys over a remote connection to the server's registry (Network Registry), the task was completed in a couple of minutes. You may also run into situations such as these:

  • You need to check whether the expected registry key is present after applying a group policy you created
  • Add permissions for a specific group, such as making its members administrators or allowing them to connect through Windows Assistant
  • Disable the firewall
  • Delete a bad registry key
  • Much more; almost any setting can be changed, the main thing is to know where to look

Algorithm for connecting to the remote Windows registry

Let's assume that I have a domain controller in my Active Directory domain, from which I will connect to the registry of the RDCB01 server, look at its registry keys and correct whatever is needed. First, press the WIN+R key combination.

A Run window will open where you have to enter regedit.

As a result, the local Registry Editor window will open.

Now, to connect to the registry of another computer or server, open the File menu and find the item ""

In the "Enter the object names to select" field, specify the DNS name of your remote server; in my example this is a Windows Server 2019 server named RDCB01. Click Check Names; if everything is fine, the name becomes underlined, which means a server with that name was found. Click OK to connect to the network registry of the server.

When connecting, if there are network problems or a firewall on the remote server side, you may see this warning:

Can't connect to the server. Make sure that your computer is connected to the network, that remote control is enabled, and that The Remote Registry Service is running on both computers

If you know for sure that the remote computer should answer PING packets, check its availability: open the command line and enter:

ping rdcb01 (Your server name)

If you see "Request timed out", the server is not reachable (provided, as I said, that PING packets are not being dropped by a firewall). If you see a reply with a TTL value, the server is reachable over the network and you can work with it to enable the required service remotely.

As the error above told us, the remote registry service must be running on both computers. At the command line you can check the status of this service by entering:

sc query RemoteRegistry

As we see in my example, its status is STOPPED.

The same can be viewed via PowerShell:

Get-Service RemoteRegistry | FL

Let's launch the remote registry service locally.

Get-Service RemoteRegistry | Start-Service

You can also immediately check the availability of the service on the remote computer:

Get-Service -Name "RemoteRegistry" -ComputerName rdcb01

If your request is blocked by a firewall on the other side, you will see a message like this. Don't rush to get upset: you can either disable the firewall locally or, if you have administrative rights on the remote system, do it remotely; more on that below.

Now let's try to start this service on the remote server RDCB01. Open the Run window, enter services.msc and press Enter; the Services snap-in will open.

Right-click the Services node and select "Connect to another computer" from the context menu.

Specify the computer name and click "OK".

If the firewall is not blocking the connection, then you will see the operation completed successfully; if it does, you will see the error:

The service control manager database on the server could not be opened. Error 1722: The RPC server is unavailable

There are several reasons for the error "1722: The RPC Server is unavailable":

  • Two services are not running on the remote computer: "DCOM Server Process Launcher" and "Remote Procedure Call (RPC)". I would like to note that these services start automatically when the system starts.
  • Your firewall is blocking remote management of services. The rule group consists of three rules:
  1. Remote Service Control (RPC-EPMAP)
  2. Remote Service Control (Named Pipes)
  3. Remote Service Control (RPC)

Let us enable these rules remotely. I remind you that for this you must have local administrator rights on the remote computer. Of course you could enable them locally, but the machine may be in another city or country. Mark Russinovich and his Sysinternals utilities come to our aid once again: from this set we need PsTools, which lets us remotely start the service and, if necessary, add a rule to the firewall.

Download PsTools from the Microsoft website: https://technet.microsoft.com/ru-ru/sysinternals/pstools.aspx?f=255&MSPPError=-2147217396

Download the archive with the utilities and unpack it wherever you need. Now hold down the Shift key, right-click the folder with the utilities and select "Open command window" from the context menu.

Enter this command:

PsExec.exe \\<IP address or DNS name of the computer> -u domain\login -p password cmd

My example: PsExec.exe \\rdcb01 -u root\Administrator -p password cmd

I get a command prompt on the remote computer RDCB01, where the PsExec service is now running. Now I can do everything I need on the remote system.

You can temporarily disable the firewall on the remote computer to configure services:

netsh advfirewall set allprofiles state off

and afterwards turn it back on with: netsh advfirewall set allprofiles state on (be sure to turn it on again once the configuration is done)


Next, I advise you to enable the "Remote service control" rule group in the firewall's "Allow an app or feature through Windows Firewall" section; this makes it possible to attach the "Services" snap-in to the other computer.
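The whole procedure above (ping, open the service-management firewall rules, start Remote Registry, confirm the remote hive opens) as one script. This is an added example, not code from the original article; it assumes Windows PowerShell 5.1 on the admin workstation (Get-Service/Set-Service -ComputerName were removed in PowerShell 7), PsExec.exe on the PATH, local admin rights on the target, and an English-language target where the article's "Remote service control" group is named "Remote Service Management".

```powershell
# Added example, not code from the original article. Assumptions: Windows PowerShell 5.1 on the admin
# workstation (Get-Service/Set-Service -ComputerName were removed in PowerShell 7), PsExec.exe on the
# PATH, local admin rights on the target, and an English-language target where the article's
# "Remote service control" rule group is called "Remote Service Management".
$ErrorActionPreference = 'Stop'

function Enable-RemoteServiceManagementRules {
    # Enables the three rules (RPC, RPC-EPMAP, Named Pipes) that services.msc and sc.exe need on the
    # target. PsExec pushes the netsh command over SMB/445, the path that is still open while RPC is not.
    param([Parameter(Mandatory)][string]$ComputerName)
    $env:TARGET = $ComputerName   # after --% PowerShell passes the rest verbatim, expanding only %VAR%
    & PsExec.exe --% \\%TARGET% -s -nobanner netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes
    if ($LASTEXITCODE -ne 0) { throw "PsExec/netsh on $ComputerName failed with exit code $LASTEXITCODE" }
}

function Start-RemoteRegistryService {
    # Same effect as the article's "sc config remoteregistry start= demand" + "net start remoteregistry",
    # issued from the admin workstation over the service-control RPC channel.
    param([Parameter(Mandatory)][string]$ComputerName)
    $svc = Get-Service -Name RemoteRegistry -ComputerName $ComputerName
    if ($svc.StartType -eq 'Disabled') {
        # A Disabled service refuses to start; Manual (demand start) is enough, it need not be Automatic
        Set-Service -Name RemoteRegistry -ComputerName $ComputerName -StartupType Manual
    }
    if ($svc.Status -ne 'Running') {
        $svc.Start()
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }
    $svc.Refresh()
    return $svc.Status
}

function Test-RemoteHklmReadable {
    # What regedit's "Connect Network Registry" does underneath: open the remote HKLM hive through the
    # winreg pipe (SMB/445, served by the Remote Registry service) and read one well-known value.
    param([Parameter(Mandatory)][string]$ComputerName)
    $hklm = $null; $key = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
        return $key.GetValue('ProductName')
    } catch {
        return $null   # service down, firewall still closed, or no admin rights on the target
    } finally {
        if ($key)  { $key.Close() }
        if ($hklm) { $hklm.Close() }
    }
}

$target = 'rdcb01'   # the article's example server
if (-not (Test-Connection -ComputerName $target -Count 1 -Quiet)) { throw "$target does not answer ping" }
try {
    $state = Start-RemoteRegistryService -ComputerName $target
} catch {
    # "Cannot open Service Control Manager" / RPC server unavailable (error 1722): the firewall rules
    # are closed, so open them with PsExec and retry once
    Write-Warning "Service control failed ($($_.Exception.Message)); enabling firewall rules via PsExec"
    Enable-RemoteServiceManagementRules -ComputerName $target
    $state = Start-RemoteRegistryService -ComputerName $target
}
'RemoteRegistry on {0}: {1}; remote HKLM reports: {2}' -f $target, $state, (Test-RemoteHklmReadable -ComputerName $target)
```

Opening only the rule group, rather than switching the whole firewall off as the previous step does, leaves every other inbound rule in place.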

Working with the Windows registry is not too difficult, especially when it is your own registry and you need to make changes or fix problems for the currently logged-on user. However, sometimes you are not the only one using the computer and you need to make changes in all accounts. Moreover, you cannot rely on other users; you need to fix the problem quickly.

Don't worry: it is quite possible to work with the registry files of another user account from the administrator account, which saves you time and frustration, and spares you from writing out .reg or configuration files containing all the necessary changes, not to mention transferring those files from one account to another.

We have previously seen how important the registry is in Windows and how changes to it affect the operation of the PC. Within the enterprise, system administrators often use Group Policy for configuration, deployment, application management and installing custom settings on personal computers.

Regedit.exe

The RegEdit tool has already been described in a previous article, so let's focus on how to use this built-in tool to edit the registry on another computer. If you're testing a specific scenario, you can always export a copy of your registry so you can import it later if necessary.
Open a Command Prompt window (as administrator) by searching the Start menu, or by pressing Windows+X in Windows 8 or 8.1, and enter the following commands:

mkdir c:\Temp
Regedit.exe /e c:\temp\yourname.reg

To load another registry hive into the current one, follow these steps:

  • Log in to your computer as an administrator.
  • Accept the User Account Control (UAC) prompt.
  • Select the HKEY_LOCAL_MACHINE branch.
  • From the File menu, select Load Hive.
  • Browse to the hive file you need and click OK.
  • Give the hive you are loading a friendly key name.

After you have viewed or changed the registry settings, unload this file by selecting Unload Registry Hive from the File menu.

If you want to connect to a registry that belongs to a different user account, run regedit.exe as before, then open NTuser.dat from the profile of the user you want to access. In Windows Vista the ntuser.dat (or NTUSER.MAN) files are located in the Documents and Settings folder; in Windows 7 or later, in the user's profile folder. Essentially you are loading another user's registry hive file into the registry of your PC.

  • Log in as an administrator.
  • On the start screen, type RegEdit and press Enter.
  • Select the HKEY_USERS branch.
  • From the File menu, select Load Hive.
  • Navigate to the profile folder and select ntuser.dat.
  • When prompted for a key name, enter the username as a reference label.
  • RegEdit will import the user's registry data.
  • Once you have reviewed or made changes, highlight the hive and from the File menu select the Unload Hive option.

To load the same hive without RegEdit, at an elevated command prompt or in an administrative PowerShell console enter the following command, substituting the account name of the hive being loaded:

reg.exe load HKLM\User "c:\users\User\ntuser.dat"

Attention. With RegEdit, hives can only be loaded into the HKEY_USERS and HKEY_LOCAL_MACHINE branches.

By default the system hides NTUSER files, so to see them you will have to enable showing hidden and system files in the folder options of File Explorer.
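The load-hive procedure above, scripted around reg.exe load/unload with the failure case that trips people up (the hive is already in use because its owner is logged on). This is an added example, not code from the original article; it assumes an elevated Windows PowerShell and the constructed profile path C:\Users\alice.

```powershell
# Added example, not from the original article. Loads another user's NTUSER.DAT under HKEY_USERS with
# reg.exe (the article's "Load Hive"), reads one key from it and unloads it again. Assumptions: an
# elevated Windows PowerShell, the profile folder C:\Users\alice (constructed name), and that the
# user is logged off, because a hive held open by a logged-on session cannot be loaded a second time.
function Read-OfflineUserHive {
    param(
        [Parameter(Mandatory)][string]$ProfilePath,
        # Which key to read from the offline hive; per-user autostart entries are a common audit target
        [string]$SubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $hiveFile = Join-Path $ProfilePath 'NTUSER.DAT'    # hidden system file, see the note above
    if (-not (Test-Path -LiteralPath $hiveFile)) { throw "No hive file at $hiveFile" }

    # If the owner is logged on, the hive is already mounted as HKU\<SID> and reg.exe load fails with
    # "The process cannot access the file". Detect that case and point at the live copy instead.
    $live = Get-ChildItem -Path Registry::HKEY_USERS | Where-Object {
        $vol = Get-ItemProperty -Path "Registry::HKEY_USERS\$($_.PSChildName)\Volatile Environment" -ErrorAction SilentlyContinue
        $vol -and $vol.USERPROFILE -eq $ProfilePath
    } | Select-Object -First 1
    if ($live) { throw "User is logged on; the hive is live at HKU\$($live.PSChildName), edit it there" }

    $label = 'Offline_' + (Split-Path -Path $ProfilePath -Leaf)   # the key name regedit asks for
    & reg.exe load "HKU\$label" $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }
    try {
        $item = Get-ItemProperty -Path "Registry::HKEY_USERS\$label\$SubKey" -ErrorAction SilentlyContinue
        if ($null -eq $item) { return @{} }   # key absent in this profile
        # Strip the provider's PS* bookkeeping properties, leaving only the registry values
        $result = @{}
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $result[$p.Name] = $p.Value }
        }
        return $result
    } finally {
        # Unload even on error, and release our handles first: an open key under the hive makes
        # reg.exe unload fail with "Access is denied"
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$label" | Out-Null
    }
}

Read-OfflineUserHive -ProfilePath 'C:\Users\alice' | Format-Table -AutoSize
```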

If you don't have third-party tools and want to compare the two registries, in the PowerShell administrative console, use the following command to launch another instance of RegEdit:

Regedit.exe -m

If RegEdit is not already running, you will receive an error message. With two instances of RegEdit running, on Windows 7 or later you can use the Windows Snap feature to place them side by side.

If you are not yet familiar with the snap feature, use the following keyboard shortcuts:
Windows + Left Arrow to snap the window to the left side or Windows + Right Arrow to snap to the right.

Attention. The regedit.exe -m command works on Windows XP and later and requires at least one instance of RegEdit to already be running.

Remote administration

To activate remote administration on a PC, you need to go through several steps. The first is to open the Group Policy Editor (gpedit.msc in the search box or start screen) and go to Computer Configuration ➤ Administrative Templates ➤ Network ➤ Network Connections ➤ Windows Firewall, then, depending on how you will connect to and manage your PC, select either the Domain Profile or the Standard Profile.

Then enable the policy "Windows Firewall: Allow inbound remote administration exception". Its description tells you that it opens access to additional remote administration tools, such as Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI).

You will also need to open TCP ports 135 and 445 in the firewall. To do this, in the Windows Firewall control panel click the "Advanced settings" link, or open Administrative Tools from the Control Panel, where you will see Windows Firewall in the list.

In the advanced firewall settings, click "Inbound Rules" in the left pane, then "New Rule" in the right pane. You can now create a new inbound rule that allows access to ports 135 and 445.


The last step of setting up remote administration is activating the Remote Registry service on the remote PC. The Remote Registry service is found in the Services console (services.msc in the search field or on the start screen).

To activate the service, right-click and in the appeared context menu select Properties. By default, the service is disabled, but in the dialog box that appears, you can enable and start it.

Attention. To start the Remote Registry service from the command line, enter: sc start RemoteRegistry. You can also set it to start automatically when the computer boots: sc config RemoteRegistry start= auto (note the space after the equals sign, which sc.exe requires).

Connecting to a remote registry

Before attempting to retrieve information from another computer, first ensure that the Remote Registry Service is up and running.

If the remote registry service is up and running on your local or remote PC, you can try to connect to RegEdit over the network:

  • Log in as administrator.
  • Type regedit on the start screen and press Enter.
  • Agree to the User Account Control warning.
  • Open the File menu and select Connect Network Registry.
  • Enter the name of the computer you want to connect to. Alternatively, click the "Advanced" button and then "Find Now" to get a list of all computers available on the network.
  • Click OK.
  • The remote PC now appears in the tree with two branches: HKLM and HKU.
  • After viewing or making changes, select the computer icon and choose "Disconnect Network Registry" from the File menu.

If you prefer the command line to graphical tools, to enable and start the Remote Registry service enter the following two commands in turn (sc.exe requires the space after the equals sign):

sc config remoteregistry start= demand

net start remoteregistry

Using Group Policy Preferences

Enterprise administrators may maintain thousands of computers and servers in their organizations. Manually configuring each PC is very time consuming and error prone. Group Policy is a feature of Microsoft Active Directory Domain Services (AD DS) that allows centralized management of resources such as user accounts, groups, computers and servers.

Group Policy Preferences (GPP) were introduced in Windows XP. They allow the administrator to deploy and change registry settings across multiple computers and servers in an organization more easily and quickly. Registry settings are just one of the types of settings available to an administrator. Let's try to get some insight into using GPP to deploy and modify registry settings in your environment.

If you are logged into your computer's domain with an account that has administrative rights, you can use Remote Server Administration Tools (RSAT) to manage AD DS from your computer. Alternatively, you can open a console connection to the server (if possible) using Remote Desktop Protocol (RDP) and run the AD DS tools interactively.

Attention. You can download the version you need from the Microsoft website. Different versions of Windows need different versions of RSAT, so find the one you need.

Now, using your PC or server, you can view group policies and learn how they can be used to manage registry settings across the enterprise:

  • Using a PC with RSAT installed, or the server console over RDP, open the Group Policy Management Console (gpmc.msc).
  • Right-click Group Policy Objects (GPOs) and select New, then give it a name such as ModifySoftware.
  • Right-click the ModifySoftware object and select Edit.
  • Under Computer Configuration ➤ Preferences ➤ Windows Settings, double-click the Registry icon.
  • Right-click Registry and select New.

There are three registry item options to choose from.

New option - Description

  • Registry Item - creates a single registry item.
  • Collection Item - creates and organizes registry items in a folder. Useful if you need to add a group of registry items.
  • Registry Wizard - uses the local registry, or a connection to a remote computer, as the reference from which to pick one or more entries.

  • Select Registry Wizard.
  • Browse to the required location and select the keys and values to import into the GPP.
  • Click "Finish".
  • Expand the registry entries and review them.
  • By default the action is set to Update.

There are four action options to choose from.

Available actions - Description

  • Create - creates a registry item. An existing item is left untouched.
  • Update (default) - if the item already exists, it is updated; if it does not exist, it is created.
  • Replace - deletes the existing item and creates a new one.
  • Delete - removes the item.

  • Once you have checked the options, click OK.
  • Link the GPO to the appropriate organizational unit (OU).
  • Close the console.

Note. When you run Group Policy on a local computer, you are using Local Group Policy, which has no Preferences. Group Policy Preferences can be managed on systems with the GPP client-side extensions. These extensions must be downloaded separately for Windows XP and Windows Server 2003, but are built in on client computers running Windows Vista Service Pack 1 (or later) with RSAT and on Windows Server 2008 (or later).

Registry comparison

As we already mentioned, almost everything that is installed or configured on a Windows PC is stored in the registry. Even a standard software installation will surprise you with the volume of registry activity it causes: often tens of thousands of registry keys are added or changed during even a relatively small software installation. If you compare your computer's registry before and after one of these events, you will see all the changes made to the registry.

To compare registry snapshots before and after such events effectively, it is convenient to use dedicated utilities. Another technique is to compare the registry of one machine against that of a reference machine. Some registry comparison tools are listed below.

File Compare (fc.exe) - included in Windows XP
InstallWatch Pro - installwatch-pro.en.lo4d.com/
Process Monitor (Windows Sysinternals) - technet.microsoft.com/sysinternals/bb896645.aspx
Regshot - aplusfreeware.com/categories/util/registry.html
Tiny Watcher - kubicle.dcmembers.com/watcher/
Total Commander - ghisler.com/
What Changed - majorgeeks.com/files/details/what_changed.html
WinDiff - grigsoft.com/download-windiff.htm
WinMerge - winmerge.org
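A before/after registry comparison built from Windows PowerShell cmdlets alone, for when none of the tools above is installed. This is an added example, not from the original article; it assumes Windows PowerShell 5.1 or later and read access to the subtree being snapshotted.

```powershell
# Added example, not from the original article: a before/after registry comparison built only from
# Windows PowerShell cmdlets, for when none of the tools listed above is installed. Assumptions:
# Windows PowerShell 5.1 or later and read access to the subtree being snapshotted.
function Get-RegistrySnapshot {
    # Flattens every value under $Path (recursively) into a hashtable: "key\valuename" -> "type:data"
    param([Parameter(Mandatory)][string]$Path)   # e.g. HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    $snapshot = @{}
    $keys = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            # DoNotExpandEnvironmentNames keeps REG_EXPAND_SZ data as written, so %SystemRoot% does not
            # show up as a "change" between two machines with different paths
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if ($data -is [byte[]]) { $data = ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
            $label = if ($name -eq '') { '(Default)' } else { $name }
            $snapshot["$($key.Name)\$label"] = '{0}:{1}' -f $key.GetValueKind($name), ($data -join ',')
        }
    }
    return $snapshot
}

function Compare-RegistrySnapshot {
    # Emits one object per added, removed or changed value; unchanged values are not reported
    param([Parameter(Mandatory)][hashtable]$Before, [Parameter(Mandatory)][hashtable]$After)
    $all = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($k in $all) {
        if (-not $Before.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Added';   Value = $k; Before = $null;       After = $After[$k] }
        } elseif (-not $After.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Removed'; Value = $k; Before = $Before[$k]; After = $null }
        } elseif ($Before[$k] -ne $After[$k]) {
            [pscustomobject]@{ Change = 'Changed'; Value = $k; Before = $Before[$k]; After = $After[$k] }
        }
    }
}

# Usage: snapshot, make the change (install software, apply a policy), snapshot again, compare.
# The Run keys are a good first subtree to watch because autostart entries land there.
$path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$before = Get-RegistrySnapshot -Path $path
# ... run the installation or configuration change here ...
$after  = Get-RegistrySnapshot -Path $path
Compare-RegistrySnapshot -Before $before -After $after | Format-Table -AutoSize
```

Exporting each snapshot with Export-Clixml lets you keep a reference machine's baseline and compare other machines against it later, the second technique mentioned above.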

If you have worked for a long time with Windows XP, or any other Windows version released over the past 10 years, then you are undoubtedly familiar with the Windows Registry and know that the registry is the heart of the Windows OS. Almost any aspect of Windows operation can be controlled through the registry. If you know what you're doing, you can make Windows do amazing things.

On the other hand, if you don't know what you're doing (or are doing it with malicious intent), you can ruin Windows by modifying the registry incorrectly. Almost every article about changing the Windows registry carries a note saying that you can break Windows and/or applications if you make the wrong changes, and that you need to make a full system backup before changing the registry.

The fact is that the registry can be changed with other than positive intentions. Windows XP has a service that allows the Windows registry to be changed remotely, without the knowledge of the user of the PC on which the changes are made. What will you say when you learn that this service is enabled by default? If you do not want anyone to have access to the registry of your Windows OS, the Remote Registry service should be disabled.

Note: Before you rush to disable the Remote Registry service, you need to find out what consequences this will lead to.

Since there are both advantages and disadvantages to disabling this service, ultimately it is up to you to decide whether to do it or not, depending on what you need at work or at home. To help you decide, we will explain how the Remote Registry works, how to enable or disable the service, and what the consequences of disabling it are.

Working with the Remote Registry

As mentioned earlier, Remote Registry allows you to make registry changes on a remote machine. A small detail that may reassure you a little: not just anyone can change the Windows XP registry remotely. To have the right to modify the registry remotely, the user must be a member of the Administrators group on the remote machine.

To access the registry of a remote machine, first open the Registry Editor on your PC. Then select File - Connect Network Registry. The Select Computer dialog box appears; enter the name of the computer you want to connect to and click OK. The registry of the remote computer will open in the Registry Editor.

You should be especially careful when making changes to the remote machine's registry. Note that when working with your own registry, the top node in the Registry Editor is called My Computer, with HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER and so on beneath it. When you open the registry of a remote computer, the My Computer node remains and its contents still belong to your local computer; the registry of the remote computer appears below it under the remote PC's name. It is important not to confuse the two and to edit the right registry.

Enabling/disabling the Remote Registry service

Now that we have an idea of working with the Remote Registry, let's try to disable this service. Disabling the Remote Registry must be done directly on the computer where you want to block remote access.

First, open Control Panel, and select the Administrative Tools icon, then click on the Services icon.

The Service Control Manager that opens will show a list of all available services. Scroll through the list and find the Remote Registry service. Right-click on the Remote Registry line, then select Properties from the menu. In the window that appears, click the Stop button to stop the service. Now set the Startup Type drop-down menu to Disabled. Click OK, now the Remote Registry service is disabled, and no one will be able to remotely change the registry of your system.

If you later need to re-enable this service, open the Service Control Manager again, right-click on the Remote Registry line, then select Properties from the menu. Set the Startup Type drop-down menu to Auto, click Apply, then click Start and OK. The Remote Registry service is running again.

Please note that the Remote Registry service depends on the Remote Procedure Call (RPC) service and if it is not enabled, you will not be able to enable the Remote Registry.

Consequences of shutdown

At the beginning of the article, the consequences of disabling the service were mentioned. In 99% of all cases, disabling the Remote Registry will not cause any problems. There are very few applications that depend on this service.

You should also remember that after disabling the Remote Registry service, you lose this way of remotely controlling the machine. Sometimes you have to configure computers located very far away (another city, another country). Be aware that you will not be able to access such a computer unless, of course, you travel to where it is located.

How to deny access to the registry?

Hello, today we will talk about another Windows operating system setting, one that prevents users who have access to our computer or laptop from changing our registry.

There is no need to explain what the registry is. Even small changes to the registry can cause enormous harm to the system. But even small and correct steps taken by household members and colleagues cause certain inconveniences: renaming shortcuts, creating folders, missing menu items and other visible changes are not to everyone's liking. Let's try to protect the system.


We will work with administrator rights.

If you have administrator rights on your computer, it is not difficult to deny access to the registry. For this (and not only for this) there is the Group Policy Editor utility. You can also deny access to the registry by adjusting the registry itself.

How to deny access to the registry? Working in GPEDIT.

To get to the utility, type the command in the windows search bar gpedit.msc.

Navigate to the following path:

User Configuration - Administrative Templates - System. In the right-hand pane of the window, find Deny access to registry editing tools.

Double-click the setting and select Enabled.

Now, whenever you try to launch the Registry Editor, absolutely all users of the system, including you, will see this window:

You already guessed how to get everything back. Follow the path you know and undo the changes you just made.

How to deny access to the registry? Working in REGEDIT and CMD

You can deny access to the registry using the registry itself. Run the editor as administrator and look for this key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Didn't find it? Don't despair; let's create it. This can be done right here in the Registry Editor or from the command console. Let's go the hard way, the result is the same: a value named DisableRegistryTools with data 1 is created in the registry.

To deny access to the registry through the console, run it via cmd:

Now carefully enter the following command:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f

If the command was entered correctly, the "Operation completed" message appears a second later. Reboot.

When you try to launch the editor, you will again see a window with a message stating that registry editing has been disabled by your administrator. Even as an administrator, all attempts to make changes to the registry from the console will end with this message:

To activate access to the registry, you need to:

  • Open command console (cmd from admin)
  • Enter the command:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

Oh yes... editing is prohibited... Let's run the Group Policy editor again via gpedit.msc.

Follow the path given at the beginning of the article, User Configuration - Administrative Templates - System, to find Deny access to registry editing tools. Double-click the item and select Disabled. You can edit the registry again, and the DisableRegistryTools value you created will disappear from the registry.
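Because the DisableRegistryTools value lives under HKCU, it is set per user; a quick audit across every loaded user hive shows who is actually restricted. This is an added example, not from the original article, and assumes an elevated Windows PowerShell session.

```powershell
# Added example, not from the original article: audits the DisableRegistryTools value in every user
# hive currently loaded under HKEY_USERS, since the policy lives in HKCU and therefore applies per user.
# Assumptions: elevated Windows PowerShell (reading other users' hives needs it).
function Get-RegistryToolsPolicy {
    $relPath = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS) {
        $sid = $hive.PSChildName
        if ($sid -like '*_Classes') { continue }   # file-association hives carry no user policy
        $account = try {
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
        } catch { '(unresolved)' }                 # .DEFAULT and SIDs of deleted accounts end up here
        $value = (Get-ItemProperty -Path "Registry::HKEY_USERS\$sid\$relPath" -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
        [pscustomobject]@{
            Account              = $account
            Sid                  = $sid
            DisableRegistryTools = if ($null -eq $value) { 0 } else { $value }   # absent = not restricted
            # 1 blocks regedit.exe interactively; 2 additionally blocks silent "regedit /s" imports
            RegeditBlocked       = ($value -eq 1 -or $value -eq 2)
        }
    }
}

Get-RegistryToolsPolicy | Format-Table -AutoSize
```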

The Windows Registry is a database of the various settings and parameters of the operating system, as well as the settings of programs installed on the computer. The main tool for viewing and editing registry entries is the built-in Windows utility Regedit, the Registry Editor. To start it, go to "Start" - "Run", type the command regedit and click "OK".
After this, the program window opens: the registry tree (keys) is displayed on the left, and the values contained in the selected key on the right.
Using Regedit you can edit values, import or export registry branches, and search for keys and values in the registry. But I would like to warn you right away that the information stored in the registry is very important for the correct operation of Windows. Removing or incorrectly changing important keys and values can cause programs to stop working, user accounts to fail to load, or a complete system crash.
It is also worth noting that changes you make in the Registry Editor take effect as soon as you make them; there is no save confirmation as in many applications.

In Windows XP the registry is stored in several files located in the directories WINDOWS\system32\config and Documents and Settings\Username (the Ntuser.dat and Ntuser.dat.log files).

The Windows registry consists of several main sections:

HKEY_CLASSES_ROOT - contains file extension associations and the applications that open each file type.
HKEY_CURRENT_USER - stores the settings of the user currently logged on: user folders, screen colors and Control Panel settings. This data is called the user profile.
HKEY_LOCAL_MACHINE - contains information about loading the operating system, device drivers and the computer's hardware. The settings stored here apply to all users of the computer.
HKEY_USERS - stores the individual profile settings of each user registered on the system. Information about the default profile used for newly created users is also stored here.
HKEY_CURRENT_CONFIG - contains information about the hardware profile used on the local machine during system startup.

Each of the root keys discussed above contains subkeys that store various system parameters. For example, Windows service settings are stored under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, and the Internet Explorer start page is stored in the Start Page value of the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main.
Registry values, like files, store data. Each value has its own attributes: a name, a data type and the data itself. Some values store text strings, like ordinary text files; others store binary data, and others store numbers.

Editing the Registry

The main operations that can be performed in the Registry Editor are:
  • Searching for a key, string or value. Select "Edit" - "Find" ("Find Next") in the menu bar.
  • Adding a key or value. In the left pane of the Registry Editor, select the key to which you want to add a subkey. In the "Edit" menu, select "New" - "Key", enter the name of the new key and press Enter. To create a new value, select one of the value types from the Edit menu: String, Binary, DWORD Value, Multi-String or Expandable String Value. Then enter a value name and press Enter.
  • Deleting a key or value. Select the key or value to be deleted and choose "Delete" in the "Edit" menu (or press Delete on the keyboard).
  • Changing a value's data. Select the value you want to change. From the Edit menu, select "Modify". In the "Value data" field, enter the new data and click "OK".
  • Renaming a key or value. Select the key or value you want to rename. From the Edit menu, select "Rename". Type a new name and press Enter.

By the way, root keys and the (Default) value cannot be renamed, and root keys cannot be deleted.

Editing the registry on a remote computer

The Regedit utility lets you edit the registry not only on the local computer: it can connect to a remote computer and operate on its registry. However, a number of conditions must be met:
— both computers must be connected to the network;
— remote administration must be enabled on the remote computer;
— the "Remote Registry" service must be running on the remote computer;
— you must have Administrator rights on both computers.

To edit the registry on a remote computer you need to:
1. Run Regedit on your computer.
2. In the "File" menu, select "Connect Network Registry".
3. In the "Select Computer" dialog box, enter the name of the computer whose registry you want to connect to and click "OK".
When accessing the registry of a remote computer, only two root keys are displayed: HKEY_USERS and HKEY_LOCAL_MACHINE. Now you can perform various operations on the registry of the remote computer: add and delete keys, change values, and so on. In this way you can control the remote computer almost completely.
When you have finished working with the registry of the remote computer, you need to disconnect from it. To do this, in the "File" menu select "Disconnect Network Registry", highlight the PC name in the list of computers and click "OK".