Network administrators deal with the registry daily when they perform such tasks as changing application settings, tuning system behaviors, and managing user permissions. As a result, being able to access any machine's registry, including remote workstations, is crucial to effectively administer networks.
The registry is a collection of files. When you access the registry, the Win32 software development kit (SDK) and the system-provided registry editors (i.e., regedit and regedt32) work together to expose the registry as one virtual file. Regedit and regedt32 are interactive tools that you can use to access remote registries manually. If you want to access a remote registry programmatically, you need to use a special API that exploits the SDK-level functions for registry network access. Here's how you can access remote registries and manage remote users' access to the local registry in Windows 2000, Windows NT, and Windows 9x systems with regedit, regedt32, and custom tools. (Windows Me doesn't support remote registry access.)
Accessing Remote Registries
In Win2K and NT systems, you can use regedit and regedt32 to view remote registry trees, provided that you have the permissions needed to access those trees. To view remote registries with regedit, select Connect Registry Network on the Registry menu. In the dialog box that appears, enter the name of the network server you want to access in the Computer name field, then click OK. If the connection is successful, regedit refreshes the left pane so that it contains a new root tree at the same level as My Computer. Like the local tree, the remote tree assumes the network server's name and displays the machine's subtrees, keys, and subkeys. In this respect, the local and remote trees are practically indistinguishable.
To view remote registries with regedt32, choose Select Computer on the Registry menu. In the Select Computer list that appears, highlight the name of the network computer to which you want to connect, then click OK. If the connection is successful, the multiple-document interface (MDI) windows show the content of the remote registry.
In Win9x systems, you can use regedit or a custom tool to access remote registries. However, you must set up your machines for remote administration. You need to enable the Remote Administration service, then install the Remote Registry service on every Win9x machine (clients and servers) that you want to involve in the remote registry access operation. For detailed information about how to enable the Remote Administration service and install the Remote Registry service, see the Microsoft article "How to Install Remote Administration Services" (http://support.microsoft.com/support/kb/articles/q141/4/60.asp). On the Win95 CD-ROM, the installation files are in the \admin\nettools\remotereg folder. On the Win98 CD-ROM, the files are in the \tools\reskit\netadmin\remotereg folder.
After you set up your Win9x machines, the Remote Administration and Remote Registry services work together to let you access remote registries. In addition, these services let you administer file and print sharing.
Using regedit, regedt32, or any custom tool that you might create, you can access most, but not all, of the first-level subtrees in remote registries in Win2K, NT, and Win9x systems. You can access HKEY_CLASSES_ROOT, HKEY_LOCAL_MACHINE, HKEY_USERS, and HKEY_PERFORMANCE_DATA. (For information about the HKEY_PERFORMANCE_DATA subtree, see the Web-exclusive sidebar "Accessing Performance Data" on the Windows Scripting Solutions Web site at http://www.winscriptingsolutions.com.) You can't access the HKEY_CURRENT_USER subtree directly, but you can access the same information through the applicable user subkey in the HKEY_USERS subtree. As I explained in my April column, HKEY_CURRENT_USER is a virtual subtree that the OS exposes to make registry programming easier. HKEY_CURRENT_USER points to a subkey under HKEY_USERS; the subkey's name is the globally unique ID (GUID) of the currently logged-on user.
Managing Users' Access
In Win2K and NT, you can change remote users' permissions to access another computer's registry. You can secure registries at two levels.
- You can use the registry's optional HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg subkey to control which remote users can connect to a registry. The winreg subkey's ACL determines who can remotely connect. If this subkey doesn't exist, all authenticated remote users can connect to the registry. (In servers running NT 4.0 Service Pack 2—SP2—or earlier, Anonymous remote users can connect to the local registry. SP3 contains a hotfix for this problem. A similar hotfix exists for NT 3.51 servers.) If the winreg subkey exists, the OS pays much more attention to any attempt to remotely access a registry file—users must have at least Read access to the winreg subkey on the target computer.
- If remote users have Read access, the per-user permissions that you set on winreg determine the operations the users can accomplish in the various keys and subkeys. These permissions apply to the registry as a whole and override permissions that someone might set locally on a specific key or subkey. As a result, a certain key might allow Full Control access for all local users but allow only Read access for remote users because the remote users have been given only Read access at the winreg subkey level.
By default, in NT 4.0, members of the Administrators group have Full Control access to the winreg subkey. Members of the Backup Operators group have only Read access. Microsoft changed this default in Win2K so that both groups have Full Control access. To view the permissions set for the winreg subkey, run regedt32 and click Permissions on the Security menu.
The winreg\AllowedPaths subkey specifies portions of the registry that remote users can read regardless of the settings in the winreg subkey's ACL. The AllowedPaths subkey uses REG_MULTI_SZ values to specify which registry entries everyone can read. By default, only Administrators group members can change Read and Write permissions in the AllowedPaths subkey. Any change in the AllowedPaths subkey requires a reboot to take effect. To learn more about how to use this subkey, see the Microsoft article "How to Restrict Access to NT Registry from a Remote Computer" (http://support.microsoft.com/support/kb/articles/q153/1/83.asp).
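The following audit script is an added example, not part of the original column or of any Microsoft tool. It reports the two things described above for the local machine: the ACL on the winreg subkey and every path listed under AllowedPaths. It assumes a later Windows version that ships PowerShell, an elevated session, and English group names; the Review flag is a hypothetical convention that marks Allow entries for identities other than the two default groups the column names.

```powershell
# Added example (not from the article): audit remote registry access on the local machine.
$WinregPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
# Assumption: English group names; these are the two groups the article lists as defaults.
$ExpectedIdentities = 'BUILTIN\Administrators', 'BUILTIN\Backup Operators'

function Get-WinregRemoteAccess {
    param([string]$Path = $WinregPath)

    if (-not (Test-Path -LiteralPath $Path)) {
        # No winreg subkey: per the article, all authenticated remote users can connect.
        return [pscustomobject]@{ KeyExists = $false; Aces = @(); AllowedPaths = @() }
    }

    # The winreg ACL decides who may connect remotely and with which rights.
    $aces = @((Get-Acl -LiteralPath $Path).Access | ForEach-Object {
        [pscustomobject]@{
            Identity = $_.IdentityReference.Value
            Type     = $_.AccessControlType
            Rights   = $_.RegistryRights
            Review   = ($_.AccessControlType -eq 'Allow' -and
                        $ExpectedIdentities -notcontains $_.IdentityReference.Value)
        }
    })

    # AllowedPaths: each REG_MULTI_SZ entry lists paths readable regardless of the ACL.
    $allowed = @()
    $apPath = Join-Path $Path 'AllowedPaths'
    if (Test-Path -LiteralPath $apPath) {
        $key = Get-Item -LiteralPath $apPath
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValueKind($name) -eq 'MultiString') {
                $allowed += $key.GetValue($name)
            }
        }
    }
    [pscustomobject]@{ KeyExists = $true; Aces = $aces; AllowedPaths = $allowed }
}

$report = Get-WinregRemoteAccess
if (-not $report.KeyExists) {
    Write-Warning 'winreg subkey missing: remote connections are not restricted by its ACL.'
} else {
    $report.Aces | Format-Table Identity, Type, Rights, Review -AutoSize
    'Paths readable remotely regardless of the winreg ACL:'
    $report.AllowedPaths | Sort-Object -Unique
}
```

Entries flagged for review are not necessarily wrong; they are simply grants beyond the defaults the column describes and should be matched against an intended administrator or service.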
The Windows Script Host (WSH) programming interface lets you work with the registry but not over a network. The Win32 SDK has a function to connect to a remote registry. However, you can't use this function in WSH. So, if you need to programmatically access a remote registry, you must use Microsoft Visual Basic (VB).
I've written a simple .exe application in VB 6.0 that reads the values of remote and local registry entries in the HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE subtrees. Figure 1 shows the Remote Registry Reader's UI. You can find the source code for this VB application in the Code Library on the Windows Scripting Solutions Web site. Because this column is about VBScript rather than VB, I won't go into the details about how I wrote the application. (If you want to find out some of those details, see the included readme.txt file.) Instead, let me explain how you install and use this application.
The Remote Registry Reader works on machines that run Win2K, NT 4.0, or Win9x (provided that you've enabled the Remote Administration service and installed the Remote Registry service). The application will also work on Windows XP machines. To install the Remote Registry Reader, copy the source code to the desired directory on your machine. The machine must have VB 6.0 installed.
To use the Remote Registry Reader, double-click the executable (remreg.exe). Click the desired subtree (HKCR or HKLM) and enter the name of the target machine. In the Key field, enter the path to the desired key or subkey. In the Value field, type the name of the entry for which you want to see the value. After you click Read Data, the application updates the text box with the applicable registry content.
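The same read, taking the four inputs listed above (subtree, machine, key, value), can be sketched in PowerShell on later Windows versions that include it and the .NET Framework. This is an added example, not the author's VB source; the function name, the Status values, and the machine name WKS-EXAMPLE are hypothetical.

```powershell
# Added example (not the Remote Registry Reader source): read one value from a
# remote HKCR or HKLM subtree and report why the read failed when it does.
function Read-RemoteRegistryValue {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('HKCR', 'HKLM')][string]$Subtree,
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$Key,
        [string]$Value = ''   # an empty name selects the key's default value
    )
    $hive = if ($Subtree -eq 'HKCR') { 'ClassesRoot' } else { 'LocalMachine' }
    $root = $null
    $sub  = $null
    try {
        # Connects to the target's registry over the network; the target's
        # winreg ACL decides whether this call succeeds.
        $root = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
        $sub  = $root.OpenSubKey($Key)   # opened read-only
        if ($null -eq $sub) {
            return [pscustomobject]@{ Status = 'KeyNotFound'; Data = $null }
        }
        if ($sub.GetValueNames() -notcontains $Value) {
            return [pscustomobject]@{ Status = 'ValueNotFound'; Data = $null }
        }
        [pscustomobject]@{ Status = 'Ok'; Data = $sub.GetValue($Value) }
    } catch {
        # Access denied, unreachable host, or a stopped Remote Registry service
        # land here; the base exception type tells them apart.
        $cause = $_.Exception.GetBaseException()
        [pscustomobject]@{ Status = $cause.GetType().Name; Data = $cause.Message }
    } finally {
        if ($null -ne $sub)  { $sub.Close() }
        if ($null -ne $root) { $root.Close() }
    }
}

# WKS-EXAMPLE is a placeholder machine name.
Read-RemoteRegistryValue -Subtree HKLM -ComputerName 'WKS-EXAMPLE' `
    -Key 'SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Value 'ProductName'
```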
A Choice of Tools
If you have a network that includes remote machines and remote users, knowing how to access the remote machines' registries and manage remote users' access to registries is vital. As I've demonstrated, you can use regedit or regedt32 or a custom tool such as the Remote Registry Reader.