New
#21
Standard users don't have full access to regedit.
They can change things in the current user (i.e. their user) hive but not other hives (local machine etc) as they aren't authorized.
Standard users don't have full access to regedit.
They can change things in the current user (i.e. their user) hive but not other hives (local machine etc) as they aren't authorized.
Yes, the changes would (should) only apply to the local account but I'm guessing the OP doesn't want those changed as well.
To prevent unauthorized persons from running certain programs, just change the name of the program.
I've used that many times in the past, even on my Commodore 64. :)
Cheers Mates!
TechnoMage
PS: To change a file's name, you will probably have to "Take Ownership" of that file.
The program "Grant Admin Full Control" will do that for you. It's FREE!
So nobody knows why Windows 10 is allowing for a regular user account to have access to the registry?
I mean, this was not the case in previous Windows OS..access to the registry has always been Admin access ONLY.
According to this article "Running commands like Regedit as a standard user"
Running commands like Regedit as a standard user
it states "I can view and change values under "Current User", but only can view values under "Local Machine" (cannot change)."
--- Although it's for Windows 7, test it out on your Windows 10.
--- Look for values in hives other than Local Machine and see if that statement is true.
--- Determine whether or not viewing and changing values are only possible under Current User.
BTW, Ix07 & sygnus21 have mentioned those items (maybe also others on previous pages but I don't know how to go back to double-check while posting this information).
--- So hopefully a standard user really is has limited capabilities
--- If you do evaluate what that article points out, please let us know what you find out.
EDIT: I just created a local account and the statement "it states "I can view and change values under "Current User", but only can view values under "Local Machine" (cannot change)." appears to be true. I really didn't want to make changes since I don't know what I would want to experiment with on what to change.
--- However, the ability to change values under "Current User" makes sense
--- Delving into Local Machine brought "xxx cannot be opened" which amounts to being unable to make changes.
Checking the remaining hives, it appears to be able to modify some of the folder contents but I wasn't about to play with any of them.
--- If you find something in the remaining hives to modify an entry your way: please let us know how it goes.
Last edited by MeAndMyComputer; 13 Jul 2017 at 20:17.
Although this is an old post, there is a definite need for this solution in regards to Parental Controls.
I should point out that although a Standard User can open the Registry Editor by default, they DO NOT have full access. They can make changes that they normally could using the GUI. For example, try accessing the HKEY_LOCAL_MACHINE and you'll find yourself being denied access.
Aside from setting up my eldest sons profile as a Standard User and setting up the Family Group in order to leverage the limited parental controls Microsoft currently is capable of for Windows 10, I disabled the Registry Editor as well to thwart any attempts to bypass my restrictions. https://account.microsoft.com/family/about
How to disable the Registry Editor in Windows 10?
Assuming you have an Admin account or the built-in Administrator enabled and password protected [highly recommended]...
The easiest way is using the Local Group Policy Editor.
- Sign in using the Standard Account you wish to restrict
- Press the Windows logo key (or click the Start button) and type gpedit.msc
- Right-click on gpedit.msc and select Run as administrator
- Enter your Admin credentials when prompted
- Navigate to and select Local Computer Policy > User Configuration > Administrative Templates > System
- in the right pane, double-click on Prevent access to registry editing tools
- Click the Enabled radio button
- Verify under Options that the drop-down has Yes selected and then click OK
- Press the Windows logo key (or click the Start button) and type reg
- Click Registry Editor from the search results and you should be presented with a message indicating the "Registry editing has been disabled by your administrator".
- Now you can close the Local Group Policy Editor and log off of the Standard User account.
When you need to manage the Registry under the Standard User account, you need only run it as an administrator like you would anything else.
Keep an eye out for any related issues that might occur under normal User related usage. If you identify that the User cannot make User related changes, this may be due to this policy restriction. It's a good idea to test it out by making some simple changes like display settings, folder viewing options and so forth.
Last edited by zero269; 01 May 2020 at 19:58. Reason: Spelling, grammar and added content...
zero,
All discussion is worthwhile but -
Your procedure only applies to Windows 10 Pro
No, enabling the BuiltIn Admin account is not highly recommended but should only be done when necessary and never when connected to the internet.
No, password protecting, or making any other changes to, the BuiltIn Admin account is not highly recommended
Denis
Last edited by Try3; 02 May 2020 at 07:42.
Disabling regedit is easy.
Delete the regedit.exe file.
Keep a copy of regedit on your keychain thumb drive.
You have it, but other users don't.
Users smart enough to have their own copy on a thumb drive can evade this scheme ... but they'd evade the other suggestions too. So?