Preventing users from writing to the registry on client computers

You can protect a specific registry key by preventing the user from accessing or from modifying any registry keys or values in the registry. You can allow users to view the registry key, but not rename or modify the registry key.
To test the functionality, do the following:
  • Add a test registry key.
  • Add a rule to read but not write to the registry key.
  • Try to add a new value to the registry key.

To prevent users from writing to the registry on client computers
  1. To add a test registry key, on the client computer, open the Registry Editor by opening a command line, then by typing regedit.
  2. In the Registry Editor, expand HKEY_LOCAL_MACHINE\Software, and then create a new registry key called test.
  3. To prevent users from writing to the registry on client computers, open an Application Control policy, and on the Application Control pane, click Add.
  4. In the Application Control Rule Set, under the Rules list, click Add > Add Rule.
  5. On the Properties tab, in the Rule name text box, type HKLM_write_not_allowed_from_regedit.
  6. To the right of Apply this rule to the following processes, click Add.
  7. In the Add Process Definition dialog box, under Process name to match, type regedit.exe, and then click OK.
  8. In the Application Control Rule Set dialog box, under the Rules list, click Add > Add Condition > Registry Access Attempts.
  9. On the Properties tab, in the Description text box, type registry access.
  10. To the right of Apply this rule to the following processes, click Add.
  11. In the Add Registry Key Definition dialog box, in the Registry key text box, type HKEY_LOCAL_MACHINE\software\test, and then click OK.
  12. In the Application Control Rule Set dialog box, on the Actions tab, in the Read Attempt group box, click Allow access, Enable logging, and Notify user.
  13. Under Notify user, type reading is allowed.
  14. In the Create, Delete, or Write Attempt group box, click Block access, Enable logging, and Notify user.
  15. Under Notify user, type writing is blocked.
  16. Click OK twice, and assign the policy to a group.

Test the rule
  1. To test a rule that blocks you from writing to the registry, after you have applied the policy, on the client computer, in the Registry Editor, expand HKEY_LOCAL_MACHINE\Software.
  2. Click the registry key that you created earlier, called test.
  3. Right-click the test key, click New, and then click String Value.
     You should not be able to add a new value to the test registry key.
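The manual test above exercises only the interactive editor. The following PowerShell script is an added example for checking the same rule from a script; it is not part of this documentation or of the product. It assumes the policy above has been assigned and applied, that the key HKEY_LOCAL_MACHINE\Software\test exists, and that it runs in an elevated PowerShell session on the client computer; the value names FromRegedit and FromPowerShell and the file name ac_test.reg are made up for the check. Because the rule built above lists only regedit.exe under Apply this rule to the following processes, the script also attempts the write from the PowerShell process itself to make that scope visible: that second write is expected to succeed, and if you need other processes covered you add them to the same process list.

```powershell
# Added verification script; not from the Symantec documentation.
# Assumes: policy applied, HKLM\Software\test exists, elevated PowerShell session
# on the client. Value names and the .reg file name below are made up for this check.

$keyPath = 'HKLM:\Software\test'

# Read attempt: the rule allows (and logs) reads, so this should succeed.
if (-not (Test-Path -Path $keyPath)) {
    Write-Host "Key $keyPath not found; create it first (step 2 above)."
    return
}

# Write attempt through regedit.exe, the process the rule is scoped to.
# A silent import (/s) writes the value without opening the editor window.
$regFile = Join-Path -Path $env:TEMP -ChildPath 'ac_test.reg'
@"
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\test]
"FromRegedit"="test"
"@ | Set-Content -Path $regFile -Encoding Ascii

Start-Process -FilePath 'regedit.exe' -ArgumentList "/s `"$regFile`"" -Wait
$fromRegedit = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).FromRegedit
if ($null -eq $fromRegedit) {
    Write-Host 'PASS: the write from regedit.exe was blocked.'
} else {
    Write-Host 'FAIL: the write from regedit.exe succeeded; check that the policy is assigned and that the process definition matches regedit.exe.'
    Remove-ItemProperty -Path $keyPath -Name 'FromRegedit' -Force
}

# Scope check: the rule names only regedit.exe, so a write from this process is
# outside the rule and is expected to succeed. To cover it, add the process name
# under "Apply this rule to the following processes" in the rule.
try {
    New-ItemProperty -Path $keyPath -Name 'FromPowerShell' -Value 'test' -PropertyType String -Force -ErrorAction Stop | Out-Null
    Write-Host 'INFO: a write from powershell.exe succeeded; this process is not listed in the rule.'
    Remove-ItemProperty -Path $keyPath -Name 'FromPowerShell' -Force
} catch {
    Write-Host "INFO: the write from powershell.exe was blocked: $($_.Exception.Message)"
}

# Clean up the temporary .reg file.
Remove-Item -Path $regFile -Force -ErrorAction SilentlyContinue
```

With Enable logging selected in both action groups, the read in the first step and the blocked write in the second should each produce an Application Control log entry on the client, which is the evidence to look for if the PASS line does not appear.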