How to block access to Windows 10's Registry
It can be dangerous to mess with Windows 10's Registry. In this guide, we detail the steps to restrict users from accessing and editing the Registry database.
On Windows 10, the Registry is a critical database that stores low-level settings that are essential for the OS and many applications. Although you can use it to change numerous settings on your computer (such as stopping Windows auto updates and blocking users from changing the desktop wallpaper), it's never wise to edit this database unless you know exactly what you're doing, because a tiny mistake can result in many problems.
While most tech-savvy users are aware of the risks of using the Registry, it might not be so obvious for non-technical users. For example, you could be sharing your device with other users. If they're looking to change certain settings, the instructions they'll find could involve editing the Registry, which may result in errors and other issues on your PC.
If you don't want others to change settings on your Windows 10 device, it's possible to prevent users from opening and editing the Registry in at least two different ways.
In this Windows 10 guide, we'll walk you through the steps to block users from opening and editing the Registry using Group Policy and (ironically) the Registry itself.
- How to prevent users from accessing the Registry using Group Policy
- How to prevent users from accessing the Registry using Registry
How to prevent users from accessing the Registry using Group Policy
The easiest way to block users from opening and editing the Registry on Windows 10 is by using the Local Group Policy editor. However, you can only use this option if you're running Windows 10 Pro, Enterprise, or Education.
To prevent users from launching and editing the Registry using Group Policy, do the following:
- Use the Windows key + R keyboard shortcut to open the Run command.
- Type gpedit.msc and click OK to open the Local Group Policy editor.
- Browse the following path:
User Configuration > Administrative Templates > System
- On the right side, double-click the Prevent access to registry editing tools policy.
- Select the Enabled option.
- Under "Options," select Yes from the drop-down menu if you don't want users to use the Registry while still being able to edit settings silently using the regedit /s switch. Or select No to prevent running the editor at all.
- Click Apply.
- Click OK.
Using the Local Group Policy editor, you only need to enable the option on one account to apply the changes to all users. Once you complete the steps, anyone who signs in to the computer won't be able to use the Registry editor.
When you no longer need this option, you can follow the same steps, but on step No. 5, select the Not Configured option. Settings changed through the Local Group Policy editor should take effect immediately, and you shouldn't need to restart your computer.
How to prevent users from accessing the Registry using Registry
If you're running Windows 10 Home, you won't have access to the Local Group Policy editor, but you can still prevent users from using the editor by modifying the Registry.
Important: While it might be redundant, it should be noted that editing the Registry is risky, and it can cause irreversible damage to your installation if you don't do it correctly. We recommend making a full backup of your computer before proceeding.
Unlike using Group Policy, which blocks the Registry for all users on all accounts at once, if you're using the Registry, you'll need to perform this task on every account in which you don't want users to use the editor.
To prevent users from accessing the editor using the Registry, do the following:
- Open Start.
- Search for regedit, right-click the result, and select Run as administrator. If you're dealing with a standard account, you must enter the credentials for your administrator account to continue. Otherwise, you won't be able to make the changes unless you change the account type temporarily to Administrator.
- Browse the following path:
- Right-click the Policies (folder) key, select New and click on Key.
- Name the key System and press Enter.
- Right-click on the right side of "System," select New and click on DWORD (32-bit) Value.
- Name the value DisableRegistryTools and press Enter.
- Double-click the newly created DWORD and change its value from 0 to 1.
DisableRegistryTools value options:
- 0 - Registry editor works normally.
- 1 - Registry editor won't open, but it can be started in silent mode using the /s switch while using commands.
- 2 - Registry editor cannot be started normally or silently.
- Click OK.
If you don't have access to Group Policy, it's not recommended to use the value of 2, because it'll be extremely difficult to revert the changes.
After completing the steps, you won't be able to open and modify the Registry in the account to which you applied the restriction.
Repeat the steps described above on every account in which you don't want users to mess with the Registry.
While this option is intended for those who can't access Group Policy, you can also use this option if you want to block the editor for other users while allowing yourself continued access to the Registry.
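Because the Registry method is applied per account, it helps to check which accounts actually carry the restriction. The following PowerShell script is an added example, not part of the original guide: it reads DisableRegistryTools for each user hive loaded under HKEY_USERS, using the same Policies\System key as this guide. It assumes an elevated session, and it only sees accounts whose hives are currently loaded (typically signed-in users).

```powershell
# Added example (not from the original guide): report the per-user
# DisableRegistryTools value for every user hive loaded under HKEY_USERS.
# Value meanings are the ones listed in this guide (0, 1, 2).

$meaning = @{
    0 = 'Registry editor works normally'
    1 = 'Editor blocked, regedit /s still allowed'
    2 = 'Editor blocked, normal and silent'
}
$subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Only hives of signed-in (or otherwise loaded) accounts appear here.
# The pattern keeps regular account SIDs and skips *_Classes and service SIDs.
Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid = $_.PSChildName

        # Resolve the SID to an account name; fall back to the SID itself.
        try {
            $sidObj  = [System.Security.Principal.SecurityIdentifier]$sid
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid
        }

        # HKEY_CURRENT_USER for this account is HKEY_USERS\<SID>.
        $path = "Registry::HKEY_USERS\$sid\$subKey"
        $prop = Get-ItemProperty -Path $path -Name 'DisableRegistryTools' -ErrorAction SilentlyContinue

        if ($null -eq $prop) {
            $value = $null
            $state = 'Not set (no restriction)'
        } else {
            $value = [int]$prop.DisableRegistryTools
            $state = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { 'Unexpected value' }
        }

        [pscustomobject]@{
            Account = $account
            Sid     = $sid
            Value   = $value
            State   = $state
        }
    } | Format-Table -AutoSize
```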
If you need to revert the changes, you'll need to use alternative steps because, for obvious reasons, you won't be able to open the Registry.
- Open Notepad.
- Copy and paste the following code into the text file:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
- Click the File menu and select Save as.
- Save the file in a location that's easy to find with a descriptive name and using the .reg extension (for example, enableRegistry.reg).
- Open Start.
- Search for Command Prompt, right-click the result and select Run as administrator.
- Type the following command to navigate to the path of the .reg file you created and press Enter:
- In the command, replace C:\Users\Admin with your path to the .reg file.
- Type the following command to enable the Registry and press Enter:
regedit.exe /s enableRegistry.reg
- Close Command Prompt.
These steps will change the DisableRegistryTools DWORD from 1 back to 0. If you didn't get any errors, you should now be able to regain access to the Registry immediately.
Wrapping things up
While you can use these instructions to prevent users from accessing the Registry if you're the tech support person for family and friends, you should also consider applying these changes to their computers to minimize the help they'll need if they mess with the Registry.
Finally, this guide is focused on Windows 10, but you can use the same steps on Windows 8.1 and Windows 7.
Mauro Huculak is a technical writer for WindowsCentral.com. His primary focus is to write comprehensive how-tos to help users get the most out of Windows 10 and its many related technologies. He has an IT background with professional certifications from Microsoft, Cisco, and CompTIA, and he's a recognized member of the Microsoft MVP community.
Do these steps keep malware and viruses from editing the registry?
Seems unlikely since they appear to only limit the registry editor tool, not the APIs that act on the registry directly. I doubt it blocks the Trusted Installer, which has a lot of special access, either.
Pls, can you guys add the option to save offline to the Windows Central app? Plzzzzzz
You could still use reg.exe
Not with the GPO set to block registry access. But a word of warning ⚠: GPO only affects items it can manage, and that means only w32 shell access (regedit, reg.exe CLI tool). Any 3rd party app without shell hooks will still work, as will scripting in PowerShell or VBScript. The only limitations scripting encounters are permissions related.