


Abstract
This chapter looks at how you
can use the registry as a preventive measure to keep a user
from experimenting with the Windows NT operating system to
the point of destruction.
INTRODUCTION
The best way to handle troubleshooting is with preventive
actions. One quick way to prevent a user from experimenting
with the operating system to the point of destruction is to
build safeguards against user actions by amending the
registry. In addition, you can use the registry to limit user
access to programs, to operating system functions, and even
to other computers. The registry is a massive database that
controls all of the configuration options and settings for a
computer. Since there's nothing more painful to an
administrator than a user who knows just enough to be
dangerous and has enough confidence and courage to
experiment, using the registry to rein in that user is often
a good idea.
TIP: It's best to use the registry for controlling user
actions if there are only a few users upon whom you need to
impose controls. If you want systemwide controls, you should
use the Windows NT Policy Editor (or the Windows 9x Policy
Editor for your Windows 9x workstations). The Policy Editors
are discussed in Chapter 10.
Windows NT 4 provides two editors for hacking the registry,
Regedit.exe and Regedt32.exe. They differ a bit in appearance
and function, but you can accomplish the registry changes you
need in either editor.
Regedit.exe presents an interface that resembles Explorer.
You can expand or collapse keys by clicking the plus or minus
signs. There are right-click functions and menu commands. I
personally find it easiest to work with Regedit for most
tasks.
On the other hand, Regedt32.exe functions in a manner
reminiscent of the Windows 3.x File Manager. Each root key is
displayed in its own window, and clicking a plus sign next to
a key does nothing; you must double-click the key to expand
it. Also, you have no right-click functions, so you must use
the menu bar to perform any actions.
A QUICK OVERVIEW OF THE REGISTRY
The Windows NT 4 registry has five root keys:
- HKEY_CLASSES_ROOT
- HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE
- HKEY_USERS
- HKEY_CURRENT_CONFIG
NOTE: The Windows 9x registry has an additional root key,
HKEY_DYN_DATA.
Each of these keys expands to subkeys, and some expand into
multiple levels of subkeys.
Registry Data Types
Data is registered for the subkeys using a variety of data
types:
- REG_MULTI_SZ, which can contain multiple
values, delimited by the ASCII 0 null character. The data is
usually a string of text, and the null character makes it
easier to read. The information about your system BIOS is an
example of this data type.
- REG_SZ, which contains a single string,
usually in readable form. Program names are an example of
this data type.
- REG_EXPAND_SZ, which contains variable data
that is replaced when the key is accessed by an application.
(It's similar to the % variable used in a DOS batch file).
An example is the notation for the directory you chose for
Windows files when you installed the operating system, which
is %SystemRoot%.
- REG_BINARY, which is the data type for
binary value entries, usually found in entries connected to
your hardware configuration.
- REG_DWORD, which includes 32-bit data (4
bytes long) and can be binary, decimal, or hexadecimal. Most
of the time the data is in hexadecimal form with a prefix of
0x (entries that refer to IRQ settings are an example of
this data type).
Understanding Alias Keys
Having listed the root keys, I'll now amend my statement by
telling you that there are actually only two keys. They are
HKEY_LOCAL_MACHINE and HKEY_USERS. All of the other root keys
in the registry are either aliases for subsets contained in
these two keys or are keys that are created dynamically
during system startup by fetching information from one of the
two real keys. Changes made to an alias key are also made to
the main key (and vice versa).
HKEY_LOCAL_MACHINE contains global information pertaining to
system hardware and applications software settings. The
information and settings apply to all users who log on to the
computer. The root key aliases for HKEY_LOCAL_MACHINE are
- HKEY_CLASSES_ROOT, which is the alias for
HKEY_LOCAL_MACHINE\SOFTWARE\Classes. For both Windows NT 4
and Windows 9x, this is where you find information about
file associations, drag-and-drop, shortcuts, and OLE/COM.
- HKEY_CURRENT_CONFIG, which differs by
operating system. In Windows NT 4 there are two subkeys
below HKEY_CURRENT_CONFIG, and each subkey is an alias for a
subset of HKEY_LOCAL_MACHINE. The subkey \Software is an
alias for
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00n\Hardware\Profiles\000n\Software
(the n represents a hardware profile, and data is found in
the subkeys if hardware profiles have been enabled for the
computer). The subkey \System is an alias for part of
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet. In Windows 95,
this key is the alias for HKEY_LOCAL_MACHINE\Config\000n.
- HKEY_DYN_DATA, found only in Windows 9x,
derives its data from a number of different locations in the
HKEY_LOCAL_MACHINE\Config Manager subkey. Its PerfStats
subkey is derived from performance information reported by
the local system. Both are dynamically created at boot time.
The first-level subkeys of HKEY_LOCAL_MACHINE for Windows NT
are
- HARDWARE, which contains detailed
information about the hardware configuration of the system
and any locally attached devices.
- SAM, which holds information related to the
Security Accounts Manager.
- SECURITY, which is tied to application
security information.
- SOFTWARE, which contains information about
installed applications.
- SYSTEM, which contains detailed information
about the Current Control Set as well as previously
configured Control Sets.
The first-level subkeys of HKEY_LOCAL_MACHINE for Windows 9x
are
- Config, which stores configuration
information for system hardware profiles.
- Enum, which enumerates the information found
in the Windows 95 Device Manager (in the System applet in
Control Panel). There is a separate entry for each class of
hardware and an entry for each specific piece of hardware.
- Hardware, which contains serial port and
floating-point hardware information.
- Network, which contains the network logon
configuration information (network type and the default user
name).
- Security, which contains information about
network security and remote-access devices.
- Software, which contains information about
installed applications. This ranges from default window
locations to file associations to the keystrokes that fire
the laser guns in your favorite game.
- System, which contains the Current Control
Set configuration information.
HKEY_USERS has two subkeys. One is the \.Default subkey (for
the default user configuration), and the other is identified
only by a security ID code (SID) for the currently logged-on
user. In a Windows 95 computer, the registry might have only
a \.Default subkey if specific user profiles have not been
established. If specific users exist, the subkey for the
current user displays the name of the current user; it is not
encrypted like the security ID key in Windows NT 4. There is
one root key alias for HKEY_USERS:
- HKEY_CURRENT_USER is the information from
HKEY_USERS\Whatever user you logged in as. This applies to
both Windows 9x and Windows NT 4. (In Windows 9x, if the
system logon screen is canceled or nonexistent,
HKEY_CURRENT_USER uses the \.Default key).
The second-level subkeys of HKEY_USERS for Windows NT are
- Default, which contains the default user
configuration information.
- SID, which contains the configuration for
that specific user.
Both keys contain the following subkeys:
- AppEvents, which contains information about
the sounds that Windows NT makes when an event occurs, as
well as information about desktop themes.
- Console, which contains the current
configuration for the appearance of the MS-DOS Command
Prompt window.
- Control Panel, which contains configuration
data for some of the Control Panel applets and also tracks
information about screen savers and sounds.
- Environment, which contains system
environment variables.
- Keyboard Layout, which contains information
about the current keyboard layout and any other stored
keyboard layouts.
- Software, which contains information about
the software configuration for the current user. It does not
have information about applications installed in the Common
Groups section of the Programs menu.
- UNICODE Program Groups, which stores current
user UNICODE information. Windows NT 4 doesn't really use
this key.
The first two second-level subkeys of HKEY_USERS for Windows
9x (there may be more, depending upon your system
configuration) are
- .Default, which contains the default user
configuration information.
- USERNAME (substitute the current user name),
which contains configuration information for the current
user.
Both keys contain the following subkeys:
- AppEvents, which contains information about
the sounds that Windows 9x makes when an event occurs, in
addition to configuration information for the desktop
themes.
- Control Panel, which contains the settings
for some of the Control Panel applets. (These are the same
settings you found in Win.ini in Windows 3.x).
- InstallLocationsMRU, which is the Most
Recently Used list for application installation programs.
- Keyboard layout, which identifies the
keyboard layout that is specified in the Current Control
Set.
- Network, which contains subkeys that
identify the current network connections, persistent network
connections, and a most recently used list of network
connections.
- RemoteAccess, which contains configuration
information for installed Dial-Up Networking connections.
- Software, which contains the software
configuration settings for the current user.
Using the Registry Safely
The registry is powerful and dangerous. Teeny little changes
can render a system unbootable. Thus, there are three
important rules you must follow when you decide to hack the
registry.
- Back up the registry before you start.
- Make only one change at a time.
- Always obey rule number 1.
You don't have to use your tape backup program to back up the
registry; you can do it from the registry editor. In fact, to
save time and disk space, you can back up only the key you're
going to be hacking.
Backing Up in Regedit
- Select the root key you're going to be working in.
- Choose Registry, Export Registry File. Then choose
(or create) a directory in which to store the registry file.
- Name the file (the system will add the extension
.reg).
- To restore the key, choose Registry, Import
Registry File. Choose the file you previously saved.
Backing Up in Regedt32
- Select the window for the root key you're going to
be working in.
- Choose Registry, Save Key. Then choose (or create)
a directory to store the registry file.
- Name the file and add an extension that will remind
you that this is a registry dump (.reg is probably the best
choice).
- To restore the key, choose Registry, Restore.
Choose the file you previously saved.
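The file that Export Registry File writes is plain text in the REGEDIT4 format, and reading it back programmatically is a good way both to confirm that a backup really contains the key you are about to change and to see how the data types listed earlier in this chapter are encoded. The following Python decoder is an example added here; it is not from the book or from Microsoft. It assumes the REGEDIT4 format, in which hex(2) and hex(7) string bytes are in the ANSI code page (decoded here as Latin-1); a file headed "Windows Registry Editor Version 5.00" stores those bytes as UTF-16LE, and the decoder switches encoding when it sees that header. The export text and the environment mapping it works on are constructed samples.

```python
import re

# Decoder for the REGEDIT4 export format written by the NT 4 registry
# editors. Example code added to this chapter; not from the book or from
# Microsoft. Assumption: REGEDIT4 stores hex(2)/hex(7) string bytes in
# the ANSI code page (decoded here as Latin-1); a "Windows Registry
# Editor Version 5.00" header switches the decoder to UTF-16LE.

# Constructed sample export, one value per data type discussed in the text.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Example]
"Name"="Notepad"
"NoRun"=dword:00000001
"Path"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,\
  74,65,6d,33,32,00
"List"=hex(7):61,00,62,00,00
"Blob"=hex:de,ad,be,ef
'''

_VALUE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
_HEX = re.compile(r'^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$')
TYPE_NAMES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
              4: "REG_DWORD", 7: "REG_MULTI_SZ"}

def _unescape(text):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", text)

def parse_value(line, encoding="latin-1"):
    """Decode one 'name=data' line into (name, type name, Python value)."""
    m = _VALUE.match(line)
    if not m:
        return None
    name = "" if m.group("default") else _unescape(m.group("name"))
    data = m.group("data")
    if data.startswith('"') and data.endswith('"'):
        return name, "REG_SZ", _unescape(data[1:-1])
    if data.startswith("dword:"):
        return name, "REG_DWORD", int(data[len("dword:"):], 16)
    h = _HEX.match(data)
    if not h:
        raise ValueError("unrecognised data: %r" % data)
    raw = bytes(int(b, 16) for b in h.group("bytes").split(",") if b.strip())
    kind = int(h.group("type") or "3", 16)    # plain "hex:" is REG_BINARY
    if kind == 2:   # REG_EXPAND_SZ: one NUL-terminated string
        return name, TYPE_NAMES[kind], raw.decode(encoding).rstrip("\x00")
    if kind == 7:   # REG_MULTI_SZ: NUL-delimited strings, double NUL at the end
        return name, TYPE_NAMES[kind], [s for s in raw.decode(encoding).split("\x00") if s]
    return name, TYPE_NAMES.get(kind, "hex(%x)" % kind), raw

def parse_export(text):
    """Return [(key, name, type, value), ...] for every value in an export."""
    lines = text.splitlines()
    encoding = "utf-16-le" if lines and lines[0].startswith("Windows Registry Editor") else "latin-1"
    rows, key, pending = [], None, ""
    for raw in lines:
        line = pending + raw.strip()
        if line.endswith("\\"):            # hex data continued on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        parsed = parse_value(line, encoding)
        if parsed and key is not None:
            rows.append((key,) + parsed)
    return rows

def expand(value, env):
    """Expand %NAME% references in REG_EXPAND_SZ data (env is a constructed mapping)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), value)

if __name__ == "__main__":
    for key, name, kind, value in parse_export(SAMPLE_EXPORT):
        print("%s\\%s (%s) = %r" % (key, name, kind, value))
    print(expand("%SystemRoot%\\System32", {"SystemRoot": "C:\\WINNT"}))
```

Run it against a file you saved with Export Registry File before you start editing: if the key and the values you intend to change are not in the output, the backup is not the one you think it is.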
CHANGING THE START MENU
You can change the Start menu on both Windows NT 4 and
Windows 9x computers, eliminating items you don't want users
to access. For example, you may decide you don't want certain
users to have access to the Printers folder, eliminating any
chance of accidental deletion or reconfiguration of a
printer. Or you may want to remove the Run item from the
Start menu, to prevent users from running software that's not
on the Programs menu.
In order to eliminate or change items on the Start menu, you
have to add a new data item to the registry. That data item
is actually a negative (such as NoRun for eliminating the Run
command), and you invoke it with a data value that is the
binary equivalent of "Yes," which is a 1. If you want to
return the access to the user, you don't have to delete the
subkey; just change the data value to 0.
There are two approaches you can choose from if you want to
make changes to the Start menu.
You can work at the target computer, logged in as the user
you want to restrict. Depending on the permissions and
restrictions you've already established, you may have to open
User Manager and give appropriate rights to manipulate the
registry as this user. Don't forget to return to User Manager
to put things back after you finish your work at the target
workstation. If you choose to work at the target computer,
you can use either registry editor.
The other approach is to connect to the target computer from
another computer (the server or your own workstation). If you
choose this method, the target computer must be logged on to
the network, with the user you want to restrict logged on.
For remote editing of this particular section of the
registry, you must use Regedt32.exe. From the menu bar,
choose Registry, Select Computer, and select the target
machine from the Select Computer dialog box:
Now follow these steps to reconfigure the Start menu:
- In the appropriate registry editor, go to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
- In Regedit, right-click in the right pane of the
Regedit window and choose New, DWORD Value. When the new
item appears in the right pane, enter the name for the new
data item that you want to add to this computer (the details
for items are described next). Then double-click the entry
to bring up the Edit DWORD Value dialog box, and enter the
value 1 to turn on the restriction.
In Regedt32 choose Edit, Add Value from the menu bar, and
fill in the Add Value dialog box with the appropriate name
(described next). From the drop-down list for Value Type,
choose REG_DWORD. Choose OK (or press Enter) to display the
DWORD Editor dialog box, and then enter the value for this
restriction (1 to turn on the restriction).
Here are the specific values you enter for making changes to
the Start menu. Remember that in each case, a value of 1
imposes the restriction, and a value of 0 gives the Start
menu option back to the user:
- NoClose, which disables the Shut Down
command on the Start menu. (However, the user can still use
the Shut Down command in the Logon dialog box).
- NoCommonGroups, which eliminates the menu
choices in the common programs group section of the Start
menu. Since administrative tools are usually included in
this group, there is often good reason to restrict the user
in this way.
- NoRun, which removes the Run command.
- NoSetFolders, which eliminates the choices
for the Control Panel and the Printers folder from the
Settings menu item. They are also eliminated from My
Computer and Explorer.
- NoSetTaskbar, which eliminates the Taskbar
menu choice in the Settings menu item. The user will also be
prevented from right-clicking on the taskbar to set
properties (an error message appears when the user attempts
this maneuver).
- NoFind, which prevents users from using the
Find command on the Start menu. It also prevents the F3 key
from being used on the desktop to find files, and the Find
command disappears from the Tools menu in Explorer.
- RestrictRun, which prevents the user from
running any application beyond those listed in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun.
You must create RestrictRun as a new subkey and enter data
values (strings) that list the applications you want the
user to be able to run.
Beware of More Strange Things
One of the more interesting side effects I've found to
making these particular changes is that occasionally, after
you make changes to restrict the Start menu through the
local registry, the next time you want to use that registry
subkey
(HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer),
it's missing. You can see it if you look at the registry
with Regedt32.exe from a connected computer; it's just not
displayed on the local registry with Regedit.exe.
I've discovered an undocumented fix for this undocumented,
intermittent problem: Move to the root key
(HKEY_CURRENT_USER) and press F3 to search (or choose Edit,
Find from the menu bar, or press Ctrl-F). Then search for
anything that you know is in the missing subkey (such as
NoFind or NoClose or whatever you added). The search is
successful and the subkey is back. Picture me shrugging my
shoulders.
Incidentally, when you enter these new restrictive data
items, they are also written to the subkey
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Program Manager\Restrictions.
In fact, they may be written to additional subkeys (the
registry is full of duplications), but this is the only one
I've noticed.

LIMITING ACCESS TO OTHER COMPUTERS
While the peer-to-peer aspects
of a Windows NT network can be advantageous (the "point,
click, and install" access to printers is such a pleasure
compared to setting up shared printers in NetWare, for
instance), they also mean that users can get to other
computers and wreak havoc. Most of the time this isn't
intentional (it isn't the norm to find destructive hackers
working in front of your corporate workstations). I have,
however, seen users expand Explorer and then lose track of
where they are as they scroll through Explorer. They
sometimes don't realize they're looking at a remote computer
below the Network Neighborhood container, so they start
deleting folders and files because they think they're looking
at their own local drives.
For the most part, you'll want users to be able to reach
remote computers. It's a handy way to keep documents
together, so that a project leader can have a shared folder
on a local drive, and all the other employees who are working
on the project can fetch and deliver documents by accessing
that folder. In fact, under those circumstances, it's very
efficient for all concerned to be able to open a locally
installed word processor or spreadsheet program and load a
document from that shared folder for editing.
If the number of users who should not be able to see one or
more connected computers is small, it's easier to build the
blockade wall from the affected users' machines than it is to
create complicated permissions on the other computers. And
the blockade wall can be erected in the registry of the users
you want to restrict.
There are several methods for restricting access to connected
drives via the registry. However, users can still reach any
connected computer by using the Find command, so this system
works only if you remove the Find command from the Start menu
(see the preceding section).
Remove the Network Neighborhood Desktop Folder
The quickest way to eliminate any method of accessing a
connected computer is to take away the Network Neighborhood
folder. To do so, follow these steps:
- Use the instructions in the previous section to
open the local registry or access it from another computer.
- In either registry editor, go to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
- Add a new item named NoNetHood (it's a REG_DWORD
data type).
- Set the data value to 1.
The Network Neighborhood icon is now removed from the desktop
for this user.
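The Start-menu restrictions in the preceding section and the NoNetHood item here are all REG_DWORD values under the same Policies\Explorer key, with 1 imposing a restriction and 0 giving it back, so they lend themselves to a .reg file you can import at each target computer instead of typing values into dialog boxes. The Python below is an example added here; it is not from the book or from Microsoft. It writes a REGEDIT4 file for the current user that applies (or, with enable=False, lifts) any of the restriction names the text describes, fills in the RestrictRun allow-list, and names the bypasses the text warns about (the Find command and a UNC path typed into the Run box) that a given set of restrictions still leaves open. Assumptions: RestrictRun entries are written as numbered string values ("1", "2", ...), the layout the System Policy Editor uses, and the program names in the demonstration are constructed samples.

```python
# Writes a REGEDIT4 file that applies or lifts the Explorer policy values
# described in the text for the current user, and fills the RestrictRun
# allow-list. Example code added to this chapter; not from the book or from
# Microsoft. Assumptions: RestrictRun entries are numbered string values
# ("1", "2", ...), as the System Policy Editor writes them; the program
# names in the demo are constructed samples.

EXPLORER_POLICY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                   r"\CurrentVersion\Policies\Explorer")

# DWORD restrictions described in the text: 1 imposes, 0 restores.
KNOWN_RESTRICTIONS = {"NoClose", "NoCommonGroups", "NoRun", "NoSetFolders",
                      "NoSetTaskbar", "NoFind", "NoNetHood"}

def _reg_escape(text):
    """Escape backslash and double quote the way .reg string data requires."""
    return text.replace("\\", "\\\\").replace('"', '\\"')

def build_policy_reg(restrictions, allowed_programs=(), enable=True):
    """Return REGEDIT4 text setting each restriction to 1 (enable) or 0 (lift).

    allowed_programs, if given, also sets RestrictRun and lists the programs
    the user may still run under the RestrictRun subkey.
    """
    unknown = set(restrictions) - KNOWN_RESTRICTIONS
    if unknown:
        raise ValueError("not a restriction described here: %s" % sorted(unknown))
    flag = 1 if enable else 0
    lines = ["REGEDIT4", "", "[%s]" % EXPLORER_POLICY]
    for name in sorted(restrictions):
        lines.append('"%s"=dword:%08x' % (name, flag))
    if allowed_programs:
        lines.append('"RestrictRun"=dword:%08x' % flag)
        lines += ["", "[%s\\RestrictRun]" % EXPLORER_POLICY]
        for number, exe in enumerate(allowed_programs, start=1):
            lines.append('"%d"="%s"' % (number, _reg_escape(exe)))
    return "\n".join(lines) + "\n"

def coverage_gaps(restrictions):
    """Return the restriction names the text says must accompany NoNetHood,
    because Find and the Run box can still reach connected computers."""
    gaps = []
    if "NoNetHood" in restrictions:
        if "NoFind" not in restrictions:
            gaps.append("NoFind")
        if "NoRun" not in restrictions:
            gaps.append("NoRun")
    return gaps

if __name__ == "__main__":
    wanted = {"NoRun", "NoFind", "NoNetHood", "NoSetFolders"}
    print(build_policy_reg(wanted, ["notepad.exe", "winword.exe"]))
    print("still open with NoNetHood alone:", coverage_gaps({"NoNetHood"}))
```

Save the output with a .reg extension and load it at the target computer with Registry, Import Registry File in Regedit; the same call with enable=False produces the file that reverses the change by setting the values to 0 rather than deleting them, as the text recommends.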
Remove Icons from Network Neighborhood
If you have workgroups as well as domains in your system, the
icons in Network Neighborhood reflect those distinctions.
In the key HKEY_CURRENT_USER\Software\Microsoft\Windows you
can also enter the following, setting a value of 1 to enforce
the policy:
- NoEntireNetwork, which eliminates the icon
named Entire Network in Network Neighborhood, limiting the
icons to the local workgroup or domain.
- NoWorkgroupContents, which eliminates those
icons that display the computers in the local workgroup.
Again, users who know how to do it can still access these
computers with the Find command if it's available.
WARNING: Some users also may know that you can reach any
computer by using the Run command and entering the UNC for
any existing computer or share in the Run text box. This
action opens a window for the computer or share, regardless
of the state of Network Neighborhood.
CUSTOMIZING DESKTOP CONFIGURATIONS
You can control the way a user desktop looks and behaves, and
then, if you wish, lock in your settings by preventing
further changes. Of course, you could use mandatory profiles
for all the users who need this type of control, but those
profiles involve more than just desktop settings. If your
goal is to stop responding to calls for help about lost
shortcuts or to avoid letting a user create so many desktop
shortcuts that his eyes glaze when he looks at the desktop,
or if you think it's wise to remove the desktop icons that
give users entry into configuration processes, just customize
the desktop for the users who seem to need these limitations.
Configure the Desktop Appearance
The basic appearance of the desktop can be configured through
the Display applet in Control Panel or by directly
manipulating the registry. The applet is safer than hacking
the registry, of course, but as an administrator you should
know where in the registry you can find this information.
In Windows NT 4, the desktop settings for the current user
are found in the subkey HKEY_CURRENT_USER\Control
Panel\Desktop. A subkey named WindowMetrics holds information
about the settings for some of the desktop basics. (In
Windows 9x, the settings are found in the same key, but fewer
items are controlled in this key because many of the settings
are contained in the WindowMetrics subkey.)
Incidentally, if you want to change the default settings so
that they're applied to users who will be logging on to this
computer for the first time, use HKEY_USERS\DEFAULT\Control
Panel\Desktop.
Require a Secured Screen Saver
You can force the use of a password-protected screen saver
and set its timing by following these steps:
- Open a registry editor and go to
HKEY_CURRENT_USER\Control Panel\Desktop. Move to the section
where the screen saver data items are.
- Select the data item ScreenSaveActive and change
the data to 1.
- Select the data item ScreenSaverIsSecure and change
the data to 1.
- Select the data item SCRNSAVE.EXE and change the
data to the filename of the screen saver you want to use.
- Select the data item ScreenSaveTimeOut and change
the data to reflect the number of seconds you want to elapse
before the screen saver kicks in.
The next time the user logs on, these settings are in effect.
After the elapsed time expires, the screen saver launches.
When a mouse click or a key press removes the screen saver, a
message displays telling the user the following:
- The computer has been locked.
- The computer can be unlocked only by <name of
logged-on user> or an administrator.
- Press Ctrl-Alt-Del to unlock the computer.
When the user presses Ctrl-Alt-Del, the logon screen is
presented. When the user enters the password, the computer is
unlocked.
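Because any one of these four values can quietly undo the lock-out (a secure flag set back to 0, an empty screen saver filename, or a timeout of an hour), it is worth having a check that reads the values from HKEY_CURRENT_USER\Control Panel\Desktop and reports what is wrong. The Python below is an example added here, not from the book or from Microsoft; it takes the values as the REG_SZ strings they are on Windows NT 4. The sample desktops and the 900-second ceiling are constructed.

```python
# Audits the screen-saver values under HKEY_CURRENT_USER\Control Panel\Desktop
# that the text lists, against a lock-on-idle policy. Example code added to
# this chapter; not from the book or from Microsoft. On NT 4 these values are
# REG_SZ strings, so the checker takes them as text. The sample settings and
# the 900-second ceiling are constructed.

REQUIRED_FLAGS = {"ScreenSaveActive": "1", "ScreenSaverIsSecure": "1"}

def audit_screen_saver(desktop, max_timeout=900):
    """Return a list of findings; an empty list means the policy holds."""
    findings = []
    for name, wanted in REQUIRED_FLAGS.items():
        if desktop.get(name) != wanted:
            findings.append("%s is %r, expected %r" % (name, desktop.get(name), wanted))
    scr = desktop.get("SCRNSAVE.EXE", "")
    if not scr.lower().endswith(".scr"):
        findings.append("SCRNSAVE.EXE is %r, expected a .scr filename" % scr)
    raw = desktop.get("ScreenSaveTimeOut", "")
    try:
        timeout = int(raw)
    except ValueError:
        findings.append("ScreenSaveTimeOut %r is not a number of seconds" % raw)
    else:
        if not 0 < timeout <= max_timeout:
            findings.append("ScreenSaveTimeOut is %d s, expected 1-%d" % (timeout, max_timeout))
    return findings

# Constructed samples: one desktop that meets the policy, one that does not.
COMPLIANT = {"ScreenSaveActive": "1", "ScreenSaverIsSecure": "1",
             "SCRNSAVE.EXE": "ssstars.scr", "ScreenSaveTimeOut": "600"}
LAX = {"ScreenSaveActive": "1", "ScreenSaverIsSecure": "0",
       "SCRNSAVE.EXE": "", "ScreenSaveTimeOut": "3600"}

if __name__ == "__main__":
    for label, desktop in (("compliant", COMPLIANT), ("lax", LAX)):
        print(label, audit_screen_saver(desktop) or ["ok"])
```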
Of course, the user can change everything you did by opening
the Display Properties dialog box and changing the
configuration for the screen saver. To prevent this, you can
remove the Screen Saver tab from the Properties dialog box.
See the section "Restricting System Features" later in this
chapter.
Allow Users to Manually Launch a Screen Saver
If you do insist on password-protected screen savers, there
is frequently a lapse in security because users leave the
computer before the screen saver has kicked in. It's pretty
difficult to enforce a policy that demands that users sit in
front of their machines until they're secure, and it's
incredibly annoying to try to cut down the risk by
configuring the screen saver to kick in quickly. The solution
is to give users a way to bring the screen saver up at will.
To do this, you can create a hot key (Microsoft calls it a
Shortcut Key) that the user can enter from the keyboard to
bring up the screen saver. You can create this on-demand
screen saver by following these steps:
- In Explorer, go to %SystemRoot%\System32 and find
the file for the screen saver you've chosen for the computer
(screen saver filenames start with "ss" and have an
extension of .scr).
- Right-drag the file to the desktop and choose
Create Shortcut(s) Here from the shortcut menu that appears
when you release the mouse button.
- Right-click on the shortcut and choose Properties.
- Move to the Shortcut tab, and click in the text box
for the Shortcut Key (the current entry for this field
should be "none").
- Type the character you want to use as the hot key.
As soon as you enter the character, Ctrl + Alt + is appended
to the beginning of the text box, as seen here. You can use
any key except Esc, Enter, Tab, PrintScreen, Backspace, or
the spacebar.
- Choose OK to close the Properties dialog box.
TIP: Don't try to delete the original entry "none"; you
can't. However, as soon as you enter a character, it
replaces that original entry. If you use Backspace to delete
your hot key, "none" automatically appears again.
Now, to invoke the screen saver at will, just press Ctrl-Alt
and the character you chose. Or double-click the shortcut. Of
course, there's nothing in the registry or any configuration
applet that makes the user remember to do this—enforcement
is up to you.
Fly the Company Colors on Desktops
If you wish, you can configure the color scheme you want for
all the desktops and then make that the official desktop by
enforcing its use. There are a couple of ways to do this.
The easiest way is to select the scheme you want and insert
it as the data item in HKEY_CURRENT_USER\Control Panel\Current.
The data item in this
subkey is simply the name of the selected desktop scheme.
To change the scheme, double-click the data item in Regedit
and replace the current data string with the name of the
scheme you want to use for this computer. Don't type the
quotation marks; they're added automatically. In Regedt32,
select the data item and choose Edit, String from the menu
bar. Then replace the existing scheme name with your new
favorite.
You can also force the user to make this choice by removing
all of the other choices from the user's computer. The
desktop schemes are offered in a drop-down list in the
Appearance tab of the Display Properties dialog.
The list (and the specific configuration for each of the
schemes) comes from the registry, and you can delete all of
the choices except the one you want to use. The available
schemes are listed in HKEY_CURRENT_USER\Control
Panel\Appearance\Schemes and also in
HKEY_USERS\DEFAULT\Control Panel\Appearance\Schemes. (The data inside
each scheme object is a long string of binary values.) Just
delete the data objects for all of the schemes except your
official one. Then, when a user looks at the drop-down list
of schemes, there won't be any others to choose.
If you design your own scheme, you'll name it, and the name
will be written back to the registry, along with the
configuration information. To reproduce the scheme on other
computers, it's easiest to send out a memo (e-mail of course)
and give users explicit instructions to create this scheme.
If your network isn't large and/or you don't want users to
perform this task, you can also copy the scheme from your own
workstation to every other workstation. It's easiest to do
this from your own workstation or from a server, using
Regedt32 to call up each computer's registry.
- Open your scheme data object (in the registry of
the computer you used to create it), and select all of the
data. Press Ctrl-C to copy it to the Clipboard.
- Open the registry of the first target computer and
move to HKEY_CURRENT_USER\Control Panel\Appearance\Schemes
(or use the default user if the computer hasn't yet had its
first logon).
- Choose Edit, Add Value from the menu bar, and enter
the name of your scheme as the Value Name.
- Choose REG_BINARY as the Data Type.
- Choose OK to display the Binary Editor, and press
Ctrl-V to paste the data (don't forget to check the Binary
radio button as the Data Format).
- Repeat this for each target computer.
TIP: You can also use the Clipboard Viewer accessory
application to save the data you placed on the Clipboard.
Then you can use it at individual computers (fetch it from a
connected computer or put it on a floppy disk).
Now your scheme is on the drop-down list on the Display
Properties dialog box of each target computer, and the
specific configuration data is in the registry.
MANIPULATING THE DEFAULT DESKTOP ICONS
When you install Windows NT Workstation (or Server for that
matter), several icons are placed on the desktop by default:
My Computer, Network Neighborhood, Recycle Bin, and
Briefcase. Depending on your installation options, you may
also see Inbox and Internet Explorer. Your Windows 9x
workstations probably have the same icons.
To get to the keys for the desktop icons, expand
HKEY_CLASSES_ROOT and find the key CLSID. The keys are listed
alphabetically, and there are two alphabetical lists, one
after the other. The first list is the registered file types,
which is really a list of file extensions (notice the period
in front of each item). Then, when you arrive at the end of
the alphabet for file extensions, there is an alphabetical
listing of subkeys representing file class types. Expand the
key named CLSID and you'll see a large number of keys and
subkeys.
A Word About Class Identifiers (CLSIDs)
Every type of object that exists in the Windows universe
has a unique class identifier (CLSID), and all of the
information about handling the object is found in the
subkeys under HKEY_CLASSES_ROOT\CLSID. For instance, the
CLSID subkey for a file type holds information about the
file type's OLE class, along with the location of the file
that is used for the implementation of OLE for that file
type.
The CLSID key itself isn't English, and it isn't readable
by human beings. It's a 16-byte number that is formatted as
32 hexadecimal digits. It's also called a Globally Unique
Identifier (GUID), a definition that is literal, because
each object has the same GUID on every PC in the world (you
can think of it as being an object type's social security
number).
If you write software and want to introduce a new object
type, you have to create a GUID for it. The Microsoft SDK
has a program that takes care of this for you
(Uuidgen.exe). The way GUID creation works is that the
first 8 digits are generated at random. The next 4 digits
reflect the current date and time on the computer being
used to generate the GUID. The last 20 digits are generated
using information from the hardware setup of the computer
being used to generate the GUID. It would be beyond eerie
coincidence if two GUIDs ended up the same, and the odds
are so far against it that we can pretty much relax and
assume that we won't see duplicates.
Finding the Desktop Icons
The CLSIDs for the default objects you'll find on desktops
are
- Control Panel
{21EC2020-3AEA-1069-A2DD-08002B30309D}
- Dial-Up Networking
{992CFFA0-F557-101A-88EC-00DD010CCC48}
- Inbox {00020D75-0000-0000-C000-000000000046}
- My Computer {20D04FE0-3AEA-1069-A2D8-08002B30309D}
- Network Neighborhood
{208D2C60-3AEA-1069-A2D7-08002B30309D}
- Printers {2227A280-3AEA-1069-A2DE-08002B30309D}
- Recycle Bin {645FF040-5081-101B-9F08-00AA002F954E}
- Briefcase {85BBD920-42A0-1069-A2E4-08002B30309D}
- The Internet {FBF23B42-E3F0-101B-8488-00AA003E56F8}
- Microsoft Network
{00028B00-0000-0000-C000-000000000046}
Renaming Desktop Objects
Once you can find the default desktop objects, you can
manipulate them. For example, if you want to change the name
of the Recycle Bin (you might want to call it a trash can if
you're not as concerned about being as environmentally
correct as Windows is, or perhaps you want the text under the
icon to say "dump your trash here"), double-click the data
value entry in the right pane and replace the existing name
with your own title.
Changing the Icons for Desktop Objects
Expand the CLSID and check out the data in the DefaultIcon
subkey. The data item is a path to the object's icon, where
- %SystemRoot% is the name of the directory in which
your Windows operating system software resides.
- System32 is the subdirectory that holds the .dll
file for this object's icon.
- Shell32.dll is the name of the .dll file that
contains the icon.
- 31 is the icon number within the .dll file (it's
the 32nd icon in this file, because computers start counting
with zero).
If you want to change the icon to another icon within this
.dll file, change the icon number to the appropriate one.
If you want to change the icon to an icon within a different
file, change the path statement (and don't forget to enter
the icon number).
There are several .dll files in Windows NT that have system
icons, but there's no system application to peek inside them.
There are, however, some shareware programs that can display
the icons in order, so that you can intelligently change them
in the registry. See Appendix C for information about
available applications.
Meanwhile, for fast reference, here are the icon numbers for %SystemRoot%\System32\shell32.dll:
0 Unassigned file types
1 Document
2 Window
3 Closed folder
4 Open folder
5 5 1/4-inch disk
6 3 1/2-inch disk
7 Removable drive
8 Hard drive
9 Network drive
10 Network drive (disconnected)
11 CD-ROM drive
12 RAM chip
13 Globe
14 Network cable connection
15 Network computer
16 Printer
17 Networked computers
18 Networked computers
19 Small folder and window
20 Small open folder with paper
21 Gears
22 Find file
23 Help
24 Window and hourglass cursor
25 Monitor
26 External removable disk drive
27 Monitor
28 Shared folder
29 Shortcut arrow
30 Larger shortcut arrow
31 Empty Recycle Bin
32 Full Recycle Bin
33 Dial-Up Networking folder
34 Desktop
35 Control Panel folder
36 Start menu folder
37 Printers folder
38 Fonts folder
39 Windows flag
40 CD (music)
41 Green tree
42 Multiple documents
43 Find file
44 Find on networked computer
45 Monitor on computer case
46 Control Panel folder
47 Printers folder
48 Printer image on paper pad
49 Network printer
50 Print to file (3 1/2-inch disk)
51 Alternate full Recycle Bin
52 Alternate full Recycle Bin
53 Alternate full Recycle Bin
54 Document to document
55 Documents going folder to folder
56 Pen writing a label for folder
57 Computer, gears, and open folder
58 Configuration file
59 Text file
60 Window with gears
61 Gears image on paper
62 Font file
63 TrueType font file
64 Window with larger hourglass cursor
65 Are you sure you want to delete these files?
66 Tape backup (hard drive, tape cassette, 3 1/2-inch disk)
67 CD in drive
68 Defrag
69 Printer
70 Network printer
71 Print to file
| NOTE: The
other subkeys under the Recycle Bin and all the other
desktop icons contain data the operating system uses to
handle the object; there is nothing you can safely
manipulate in those subkeys. |
PREVENT USER CHANGES
After you've standardized the configuration of the
workstation to match the official company design, you can
make sure it stays that way. If you lock the configuration,
users can't make any changes. Actually, that's technically
not true—they can make all the changes they wish, but the
next time they log on, everything is back the way you want it
because the changes weren't saved.
This is another restriction setting for which you enter the
"negative" item and set the data to 1 for Yes and 0 for No:
- Go to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
- Add a new DWORD data item and name it
NoSaveSettings.
- Enter the data, using a 1 to invoke this
restriction (you can change the data to 0 if you decide you
want to allow changes).
RESTRICTING SYSTEM FEATURES
There are a number of system features you can remove so that
users cannot reconfigure a system or make system changes that
shouldn't be made. To establish these limits, you have to
create a new subkey in the registry and then add the data
items that match the desired restrictions. Follow these
instructions to accomplish this:
- In a registry editor, go to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies.
You are adding a new subkey under this subkey, so make sure
you've selected the Policies subkey.
- In Regedt32 choose Edit, Add Key from the menu bar
to bring up the Add Key dialog. Name the key System,
and enter REG_DWORD as the class.
- In Regedit right-click on a blank spot in the right
pane and choose New, Key to create a new icon in the left
pane. The new key is named New Key #1 and the name is
highlighted, indicating that it is in edit mode. Enter System
to replace this default name.
- To add value items to this new subkey in Regedt32,
select the subkey and choose Edit, Add Value from the menu
bar. When the Add Value dialog box appears, enter the name
and data type of the new value item (see the details that
follow about the restrictions you can impose).
- To add value items to the new subkey in Regedit,
select the subkey and right-click in the right pane. Choose
New, REG_DWORD. Then change the default name that appears to
the name of the new value item you want to enter (see the
details below about the restrictions you can impose).
You now have a new registry subkey named
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System,
and you can enter data items in this subkey to impose user
restrictions. For each restriction you want to impose, enter
the value item name and then enter data for each value item,
using a data value of 1 to impose the restriction (if you
want to lift the restriction, you can change the data value
to 0). Here are the data items you can enter to impose
restrictions:
- DisableTaskManager, which prevents the user
from launching Task Manager (neither the taskbar right-click
access nor Taskmgr.exe program file access will work).
- NoDispCPL, which prevents the user from
getting to the Display Properties dialog box.
- NoDispAppearancePage, which removes the
Appearance tab from the Display Properties dialog box so
that the user cannot change the colors or color scheme of
the desktop.
- NoDispBackgroundPage, which removes the
Background tab from the Display Properties dialog box,
preventing the user from changing wallpaper and background
patterns.
- NoDispScrSavPage, which removes the Screen
Saver tab from the Display Properties dialog box, preventing
the user from making changes to screen saver settings.
- NoDispSettingsPage, which removes the
Settings tab and Plus tab from the Display Properties dialog
box, preventing the user from making changes to those
configuration items.
There are some additional restrictions you can impose on
users by working in the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
Add these data items, giving each a data value of 1:
- NoNetConnectDisconnect, which removes access
to the Map Network Drive and Disconnect Network Drive
options in Explorer.
- NoTrayContextMenu, which prevents menus from
displaying after a right-click on the taskbar, Start button,
clock, or application buttons. (This restriction works only
if you've installed SP2 or later service packs.)
- RestrictRun, which prevents the user from
running any application beyond those listed in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun.
You must create this new \RestrictRun subkey and enter data
values (strings) that list the applications you want the
user to be able to run (enter the full path).
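As an added example that is not from the book, here is how the per-user restrictions described above (NoSaveSettings, the Policies\System items, and the two DWORD items under Policies\Explorer) can be audited and applied from PowerShell on a current Windows host; the function names are my own, and RestrictRun is left out because its allow-list subkey takes string values rather than DWORDs.

```powershell
# Added example (not from the book): audit or apply the per-user Explorer and
# System policy DWORDs the text describes, via PowerShell's HKCU: drive.
# Assumes a current Windows host; value names and paths are the text's.
$Restrictions = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @(
        'NoSaveSettings', 'NoNetConnectDisconnect', 'NoTrayContextMenu')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' = @(
        'DisableTaskManager', 'NoDispCPL', 'NoDispAppearancePage',
        'NoDispBackgroundPage', 'NoDispScrSavPage', 'NoDispSettingsPage')
}

function Get-UserRestrictionState {
    # Report each value as Set (1), Cleared (0) or Missing, so drift from the
    # standard configuration is visible before anything is changed.
    foreach ($key in $Restrictions.Keys) {
        foreach ($name in $Restrictions[$key]) {
            $value = (Get-ItemProperty -Path $key -Name $name `
                -ErrorAction SilentlyContinue).$name
            if ($null -eq $value)  { $state = 'Missing' }
            elseif ($value -eq 1)  { $state = 'Set' }
            else                   { $state = 'Cleared' }
            [pscustomobject]@{ Key = $key; Name = $name; State = $state }
        }
    }
}

function Set-UserRestrictions {
    # Create the Policies subkeys if needed and write each DWORD with data 1;
    # -Lift writes 0 instead. Explorer picks the values up at the next logon.
    param([switch]$Lift)
    $data = if ($Lift) { 0 } else { 1 }
    foreach ($key in $Restrictions.Keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Restrictions[$key]) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                -Value $data -Force | Out-Null
        }
    }
}

Get-UserRestrictionState | Format-Table -AutoSize
```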
SECURING THE REGISTRY
Every administrator can identify at least one user who knows
enough to be dangerous and has the courage to experiment.
It's important to secure the registry of each user who fits
this description. If the computer is running NTFS, you can
set permissions to do this, and, in fact, you can set
permissions on the registry editors and also on the hive
files in the user's profile folder. However, most NT 4
workstations use FAT, not NTFS, so you'll have to come up
with an alternate plan.
Change the Registry ACL
Windows NT keeps an Access Control List (ACL) for the
registry, which is a database that maintains information
about permissions for accessing the keys in the registry. Use
the power of the ACL with Regedt32 by following these steps:
- Select the key for which you want to impose
permissions (and therefore restrictions).
| TIP: You
can make changes to the ACL at any key in the registry;
you do not have to work solely with the top keys. |
- Choose Security, Permissions from the menu bar to
display the Registry Key Permissions dialog.
- If you want your permissions to extend to the
subkeys below the selected key, select Replace Permission on
Existing Subkeys.
- To delete a group or a user, select the listing and
choose Remove.
- To change the level of permission, select the
listing and choose a different permission level from the
Type of Access box, which offers these choices:
- Full Control, which means the user can read,
change, and delete the key.
- Read, which means the user can view the key.
- Special Access, which lets you specify exactly the
rights you want to give, by making selections in the text
box that lists the available permissions.
- To add a group or a user, choose Add, which brings
up the Add Users and Groups dialog.
- Select a list from the List Names From box (in this
case I chose the domain list), and then choose Show Users if
you want to add individual users instead of groups.
- Select the user or group and choose Add (or
double-click on the listing).
- Choose an access level for this user, choosing one
from the Type of Access box.
| NOTE: The
Special Access permission level is not available in the
Add Users and Groups dialog box. It can only be assigned
to a user or group that has already been added to the
permissions list. Therefore, for a new user or group,
assign Full Control or Read permission, then select that
user when you are back in the Registry Key Permissions
dialog box and change the access to Special Access. |
- Repeat this until every user or group you want to
give permissions to has been configured. Then choose OK to
return to the Registry Key Permissions dialog box. Choose OK
again to complete this task.
| WARNING:
Do not change the permission level for System, because the
operating system and applications must have full access to
every registry key. |
The Following Permissions Are Available in the Special Access Dialog Box:
- Query Value: the user can read a value entry.
- Set Value: the user can read and modify a value
entry.
- Create Subkey: the user can create a new subkey.
- Enumerate Subkey: the user can expand and read the
subkeys.
- Notify: the user can audit notification events for
a key.
- Create Link: the user can create a symbolic link
from a key.
- Delete: the user can delete a key.
- Write DAC: the user can modify a key's permissions.
- Write Owner: the user can gain ownership of a key.
- Read Control: the user can read a key's security
information.
If you set Special Access permissions for a user and you want
to make changes, first select that user. The Type of Access
list box displays Special Access. Click the down arrow next
to this box. You should see two instances of Special Access.
One is the selected user's current permissions; the other is
the real Special Access choice (it has an ellipsis after its
name). The real Special Access choice is the one to choose in
order to change the permissions. Afterwards, the
user-specific Special Access listing will be updated to match
your changes.
The Keys You Should Secure
There are some keys that are so important that if a user
inappropriately hacks them he or she could destroy the
system. In order to make your registry secure, make sure that
the group named Everyone has only limited permissions for
these important keys. The maximum level permissions for
ordinary users for these important keys are
- Query Value
- Notify
- Enumerate Subkeys
- Read Control
The keys that are considered important to secure are
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RPC (and all subkeys)
- Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, these subkeys:
\ProfileList
\AeDebug
\Compatibility
\Drivers
\Embedding
\Fonts
\FontSubstitutes
\GRE_Initialize
\MCI
\MCI Extensions
\Port (and all subkeys)
\WOW (and all subkeys)
- HKEY_CLASSES_ROOT (and all subkeys)
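Added example, not the book's own code: a PowerShell check that walks the keys just listed and reports any Allow entry for Everyone or Users granting more than the four read-level rights above (Query Value, Notify, Enumerate Subkeys, Read Control, which together are exactly RegistryRights.ReadKey). The key is spelled "Windows NT" with a space, its actual name, and keys absent on a newer system are skipped.

```powershell
# Added example (not from the book): find over-permissive ACEs on the keys
# the text says to secure. Assumes a current Windows host and PowerShell;
# the function name and the principal list are my choices.
$NtVersion = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$KeysToCheck = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RPC'
    'Registry::HKEY_CLASSES_ROOT'
)
foreach ($sub in 'ProfileList', 'AeDebug', 'Compatibility', 'Drivers', 'Embedding',
                 'Fonts', 'FontSubstitutes', 'GRE_Initialize', 'MCI', 'MCI Extensions',
                 'Port', 'WOW') {
    $KeysToCheck += "$NtVersion\$sub"
}

function Find-OverPermissiveRegistryAce {
    param(
        [string[]]$Path = $KeysToCheck,
        [string[]]$Principals = @('Everyone', 'BUILTIN\Users')
    )
    # ReadKey = QueryValues | EnumerateSubKeys | Notify | ReadPermissions,
    # i.e. the maximum the text allows ordinary users on these keys.
    $allowed = [int][System.Security.AccessControl.RegistryRights]::ReadKey
    foreach ($p in $Path) {
        # GRE_Initialize and similar NT-era keys may not exist; skip them.
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            # Bits present in the ACE but outside the allowed read set.
            $excess = [int]$ace.RegistryRights -band -bnot $allowed
            if ($excess -ne 0) {
                [pscustomobject]@{
                    Key       = $p
                    Principal = $ace.IdentityReference.Value
                    Excess    = [System.Security.AccessControl.RegistryRights]$excess
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Find-OverPermissiveRegistryAce | Format-Table -AutoSize
```

An empty result means Everyone and Users hold nothing beyond read on the keys that exist; an Inherited entry points at the parent key whose ACL actually needs the change.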
Secure a Registry Against Remote Access
It's possible to edit a registry from another, connected
computer. In fact, for administrators, this is a pretty handy
technique, and throughout this book I've suggested that you
use it.
For certain target computers, however, this might create a
problem. I'm thinking in particular of an administrator's
workstation or a workstation used for special services such
as printing. Procedures are available to prevent unauthorized
users from accessing a computer's registry from a remote
computer.
When a remote user tries to connect to the Windows NT
registry, the operating system performs some tasks:
- It looks for a special subkey named
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg.
- If the \winreg subkey doesn't exist, any user is
permitted to access the registry and manipulate it to the
limits set by the ACL.
- If the \winreg subkey exists, the ACL for that
subkey determines whether the user can access and manipulate
any part of the registry.
This means that if you want to secure your Windows NT
workstation, you have to create the \winreg subkey and then
configure the ACL for it.
| NOTE: It's
only necessary to create the \winreg subkey in Windows NT
Workstation. It is created in NT Server by default (and
administrators have Full Control permissions). |
To create the \winreg subkey and configure permissions for
accessing the registry, open Regedt32 and go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers.
Then follow these steps:
- Select the SecurePipeServers key and choose Edit,
Add Key from the menu bar.
- Name the new key winreg.
- Select the new key and choose Security, Permissions
from the menu bar.
- Configure the permissions for remote users.
Hereafter, only those remote users with appropriate
permissions will be able to access this registry. Oh
yes—make sure you give yourself full permissions.
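As an added example (not from the book), the same winreg steps done from PowerShell on a current host: create the subkey if it is missing, stop inheriting, and leave only the principals you name with access. The default grants Administrators Full Control, so you keep your own access as the text advises; the function name and principal list are my choices.

```powershell
# Added example (not from the book): restrict remote registry access by giving
# SecurePipeServers\winreg an explicit ACL. Assumes an elevated PowerShell
# session on a current Windows host; principal names are my choice.
$WinReg = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$RuleType = [System.Security.AccessControl.RegistryAccessRule]

function Set-RemoteRegistryAcl {
    param(
        [string[]]$FullControl = @('BUILTIN\Administrators'),
        [string[]]$ReadOnly    = @()
    )
    # Steps 1 and 2 of the text: the check only happens once the subkey exists.
    if (-not (Test-Path -LiteralPath $WinReg)) {
        New-Item -Path $WinReg -Force | Out-Null
    }
    $acl = Get-Acl -LiteralPath $WinReg
    # Cut inheritance so nothing granted higher up leaks into remote access,
    # then drop the explicit entries already present.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($old) | Out-Null
    }
    $grants = @()
    foreach ($who in $FullControl) { $grants += ,@($who, 'FullControl') }
    foreach ($who in $ReadOnly)    { $grants += ,@($who, 'ReadKey') }
    foreach ($g in $grants) {
        $rule = $RuleType::new($g[0], $g[1], 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $WinReg -AclObject $acl
    # Show the resulting entries so the change can be verified immediately.
    (Get-Acl -LiteralPath $WinReg).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType
}

Set-RemoteRegistryAcl
```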
The power of the registry has the potential to make an
administrator's life easier or harder, depending on how the
registry is manipulated and by whom. Getting used to working
in the registry is a fact of life for administrators.
Securing it against other users is a sanity strategy.