Dana Epp's ramblings at the Sanctuary: Some of my kewl XP Registry Hacks


« Batching the Patching. Good or Bad? \| Main \| What's in my Information Security Toolkit? » September 05, 2003 Some of my kewl XP Registry Hacks When I was talking to Cuv after our squash game last night we got onto the topic of securing the desktop in Windows, especially against user stupidity. As I promised, I am posting some of my kewl registry hacks I have collected over the years to lock down a machine. I would credit the original sources, but its been years and from so many people I don't immediately remember all the sources. But there are TONNES that you can find on google. These are just my favorites. Please use it at your own risk. If you nuke your machine I AM NOT LIABLE! An Intro First off, you must know how to regedit. If you don't, just ignore this post please. Still with me? Kewl. Ok, you don't need an intro then... but I will give you a tip. If you want to change something for a SPECIFIC user, and you are administrator, you will need to get the associated user hive, as HKEY_CURRENT_USER is invalid. You can find the users somewhere in HKEY_USERS. I typically just open the hive and look for the user's name. Works every time. UKey=User Key SKey=System Key So lets get to it! Prevent right click on start button Open [HKEY_CLASSES_ROOT\Directory\shell] then rename it from 'shell' to 'shell.old'. Do the same with the key [HKEY_CLASSES_ROOT\Folder\shell] and rename it to [...\shell.old]. Now when you right click on the start button, you should no longer be given the option to Open, Explore or Find. Hide Control Panel, Printer and Network Settings UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoSetFolders Data Type: REG_DWORD (DWORD Value) Value Data: (0 = disabled, 1 = enabled) Remove Common Program Groups from Start Menu UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoCommonGroups Data Type: REG_DWORD (DWORD Value) Value Data: (0 = disabled, 1 = enabled) Remove My Network Places from the Start Menu UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoStartMenuNetworkPlaces Data Type: REG_DWORD (DWORD Value) Value Data: (0 = show, 1 = remove) Remove My Computer from the Desktop and Start Menu UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum] Value Name: {20D04FE0-3AEA-1069-A2D8-08002B30309D} Data Type: REG_DWORD (DWORD Value) Value Data: (0 = show, 1 = remove) Remove Favorites from the Start Menu UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoFavoritesMenu Data Type: REG_DWORD (DWORD Value) Value Data: (0 = show favorites, 1 = no favorites) Remove Recent Documents from the Start Menu UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoRecentDocsMenu Data Type: REG_DWORD (DWORD Value) Value Data: (0 = display, 1 = remove) Remove Network Connections from the Start Menu UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoNetworkConnections Data Type: REG_DWORD (DWORD Value) Value Data: (0 = disable restriction, 1 = enable restriction) Remove My Documents from the Start Menu UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoSMMyDocs Data Type: REG_DWORD (DWORD Value) Value Data: (0 = disable restriction, 1 = enable restriction) Remove My Pictures from the Start Menu UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoSMMyPictures Data Type: REG_DWORD (DWORD Value) Value Data: (0 = default, 1 = remove folder) Remove My Music from the Start Menu UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoStartMenuMyMusic Data Type: REG_DWORD (DWORD Value) Value Data: (0 = default, 1 = remove folder) Disable Drag-and-Drop on the Start Menu UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoChangeStartMenu Data Type: REG_DWORD (DWORD Value) Value Data: (0 = disable restriction, 1 = enable restriction) Remove Run from the Start Menu UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoRun Data Type: REG_DWORD (DWORD Value) Value Data: (0 = disabled, 1 = enabled) Remove Search from the Start Menu UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoFind Data Type: REG_DWORD (DWORD Value) Value Data: (0 = disabled, 1 = enabled) Remove the Help Option from the Start Menu UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoSMHelp Data Type: REG_DWORD (DWORD Value) Value Data: (0 = disable restriction, 1 = enable restriction) Remove Tray Items from Taskbar UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoTrayItemsDisplay Data Type: REG_DWORD (DWORD Value) Value Data: (0 = default, 1 = enable restriction) Force the Use of the Classic Start Menu UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoSimpleStartMenu Data Type: REG_DWORD (DWORD Value) Value Data: (1 = force classic menu, 0 = default) Disable the Ability to Right Click on the Desktop UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoViewContextMenu Data Type: REG_DWORD (DWORD Value) Value Data: (0 = disabled, 1 = enabled) Specify the Background Image and Wallpaper Style To specify the wallpaper create a new string value called "Wallpaper" and set it to the full path and filename of the image. Additionally, to specify the display style, create a new string value called "WallpaperStyle" and set it to either "0", "1" or "2" according to the list below. 0 - Centered (Default) 1 - Tiled 2 - Stretched UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] Value Name: Wallpaper, WallpaperStyle Data Type: REG_SZ (String Value) Remove File Menu from Explorer UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoFileMenu Data Type: REG_DWORD (DWORD Value) Value Data: (0 = disabled, 1 = enabled) Disable Control Panel UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoControlPanel Data Type: REG_DWORD (DWORD Value) Value Data: (0 = disable restriction, 1 = enable restriction) Disable Printers Control Panel Icon UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoPrinters Data Type: REG_DWORD (DWORD Value) Value Data: (0 = disabled, 1 = enabled) Disable File and Printer Sharing UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network] Value Name: NoFileSharing, NoPrintSharing Data Type: REG_DWORD (DWORD Value) Value Data: (0 = file sharing, 1 = disabled) Remove "All Programs" Button from the Start Menu UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoStartMenuMorePrograms Data Type: REG_DWORD (DWORD Value) Value Data: (0 = default, 1 = disable button) Remove Pinned Programs List from the Start Menu UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoStartMenuPinnedList Data Type: REG_DWORD (DWORD Value) Value Data: (0 = default, 1= enable restriction) Disable the Addition of Printers UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value Name: NoAddPrinter Data Type: REG_DWORD (DWORD Value) Value Data: (0 = disabled, 1 = enabled) And my all time favorite: Restrict what apps a user can run! This isn't as good as the mandatory access control system I will be releasing before the end of the year, but its another good layer of defense on your machine. UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Create a new DWORD value and name it 'RestrictRun' set the value to equal '1' for enabled or '0' for disabled. Then define the applications the are allowed to be run at the key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]. Creating a new string value for each application, named as consecutive numbers. For Example, 1 Notepad.exe 2 Regedit.exe 3 winword.exe Reboot the computer for the changes to take effect. Now, this is not path or MD5 verified, so the theory is someone could alter the name of a malcious code sequence to something approved and bypass this. But.. if you remove access to explorer, they can't even do this. At Arcterex's last LAN party this was what I used when I created the "gamer" account on one of my boxes that Cat5 tried to hack, only giving access to Quake3, Urban Terror, Unreal and RTCW:Enemy Territory. With a combination of that and strict perms for least privilege, I wasn't to worried about people screwing with the box. Of course this isn't going to make you hack proof, but it will limit the destructions users (or students) may do to your machines. Conclusion I conclude you will have a fun time in the registry! More importantly, have fun with the hacks! I hope you like them. If you have any for me, drop me a line. Posted by SilverStr at September 5, 2003 04:26 PM Comments Hi great site and i 'nuked my registry please help i need to know what is contained in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies I deleted it (or a bug or whatever deleted it) as i was trying to remove My computer from my Desktop (looks great but is useless as I now have no access to files from Windows explorer etc (I can still get at them from command prompt, My documents is still okay so i assume it's just the policies Key that needs replacing the start-run command still works to acces files ( if i type in c: d: f: etc I am running WinXP Home SP1 thanks for help Dave Posted by: Dave McMahon at March 28, 2004 03:28 PM The registry hacks aren't bad, but I must say, they're all rather useless? You can change all of those by first putting the start menu in classic mode, and if you want to hide items, right click the task bar, properties, start menu, customize....... Disable right click on the desktop? Wow, suddenly changing the resolution just got made much more difficult... Good hacks, but useless? :) Posted by: Zorlak at August 17, 2004 02:18 AM I'm afraid you're missing the point Zorlak. This is for administrators to impose the restrictions on other users. If you do what you are saying the user can just as easily undo the changes. Ask any sys admin who has secured PCs in a public environment and they will tell you that these registry settings (and many others) are far from useless. Posted by: Greg at September 17, 2004 06:11 PM		My 5 Favorite Books Writing Secure Code Secure Programming Cookbook Security Engineering Secure Coding Principles & Practice Inside the Security Mind My 5 Favorite Papers Smashing the Stack Penetration Studies Covert Channel Analysis of Trusted Systems DoD Trusted Computer System Evaluation Criteria NSA Security Recommendation Guides Archives December 2005 November 2005 October 2005 September 2005 August 2005 July 2005 June 2005 May 2005 April 2005 March 2005 February 2005 January 2005 December 2004 November 2004 October 2004 September 2004 August 2004 July 2004 June 2004 May 2004 April 2004 March 2004 February 2004 January 2004 December 2003 November 2003 October 2003 September 2003 August 2003 July 2003 June 2003 May 2003 April 2003 March 2003 February 2003 January 2003 December 2002 November 2002 October 2002 September 2002 August 2002 July 2002 GeoURL

September 05, 2003

Some of my kewl XP Registry Hacks

And my all time favorite: