One of the most important components of the Windows operating system is the Registry, yet documentation on it for those who support Windows is sparse. You are expected to know it — and in particular the Regedit.exe tool — for the CompTIA A+ certification exam (220-802) where it falls under two different objectives:

• Given a scenario, use appropriate operating system features and tools.
• Given a scenario, troubleshoot operating system problems with appropriate tools.

In this overview, we’ll look at what it can do and some of the administrative tasks that you can perform with it.

What is the Registry

In older versions of Windows, applications would write values all over the place — in .ini files, in .txt files, and so on. This lack of consistency between configuration files added a lot of ways for problems to occur, including the need for administrators to know the specifics of each application, one program overwriting settings for another, a user accidentally deleting an important file or changing values in it, and so on.

Those problems have all but gone away now that the Windows Registry stores nearly every configuration parameter available. Unfortunately, some problems remain: Its structure is incredibly complex and there’s no “undo” feature or Save button (once you delete something, it’s immediately gone). In other words, be very careful anytime you make any changes to it.

To understand the Registry, think of a giant relational database that can be read from and written to by a plethora of applications. When you want to access it directly, you do so using the Registry Editor (REGEDIT.EXE or REGEDT32.EXE). A short video on how to use this powerful tool can be viewed online.

This tool works on the local Registry of the machine you are sitting at by default, but can also be used to connect to a Remote Registry to allow technical support personnel to access that system’s Registry remotely. The service can be quite useful in some situations, but it can also function as a means for an attacker to get into your system. If you don’t need it, turn it off.

One of the best ways to understand how to use the tool, as well as what it can do, is to use it. There are four common tasks given as examples next. Following that, we will talk about how to go beyond just local settings.

Task One: Create a Message Before Login

One of the least expensive security tools that can be implemented is a sign. Signs can be placed around secure areas telling those who venture by that only authorized access is allowed, that trespassers will be prosecuted, and so on. There is a story told of a couple of magicians who drove across country while on tour. To prevent anyone from breaking into their car, they put a sign on it identifying the car as a transport vehicle for the Center for Disease Control. As the story goes, the ruse worked and no one ever broke into the vehicle.

Within Microsoft Windows, you have the ability to put signs (in the form of onscreen pop-up banners) that appear before the login telling similar information — authorized access only, violators will be prosecuted, and so forth. Such banners convey warnings or regulatory information to the user that they must “accept” in order to use the machine or network.

In Windows, this “banner” is turned on in the Registry through an entry beneath HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. You can configure legalnoticecaption as the caption of the “sign” that you want to appear and legalnoticetext as the text that will show up and need to be dismissed before the user can move on. Both are string values accepting any alphanumeric combination.

The Steps

1. Start a command window (CMD).
2. Start the Registry Editor (REGEDIT).
3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows.
4. Choose CurrentVersion\Winlogon.
5. Double-click LegalNoticeCaption.
6. Change the value to Attention.
7. Click OK.
8. Double-click LegalNoticeText.
9. Change the value to Do not log in unless you are an authorized user.
10. Click OK.
11. Exit the Registry Editor.
12. Exit the command window.

Task Two: Change the Registered Organization for Windows

When Windows is installed, there are a few values given that keep popping up time and time again. One of those values is the Registered Organization. Each time you go to install new software, it will default to that. When you create some new documents, the default will be that as one of the properties that goes along with it, and so on. When you need to change that value (getting rid of a PC, hostile takeover of the company by another, etc.), you can do so with one simple change:

The Steps

1. Start a command window (CMD).
2. Start the Registry Editor (REGEDIT).
3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT.
4. Choose CurrentVersion.
5. Double-click RegisteredOwner.
6. Change the value to Dulaney Enterprises.
7. Click OK.
8. Exit the Registry Editor.
9. Exit the command window.

Task Three: Enable Shutdown Without Login

As a system administrator, you must often reboot a workstation. Needing to log in first before having the ability to shut it down takes up unnecessary time that could be better allocated to solving other problems. You can allow a system to be shut down without a user first needing to log in.

The Steps

1. Start a command window (CMD).
2. Start the Registry Editor (REGEDIT).
3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows.
4. Choose CurrentVersion\Winlogon.
5. Double-click on ShutdownWithoutLogon (if it is not there, create it as a DWORD value).
6. Set the value to 1.
7. Click OK.
8. Exit the Registry Editor.
9. Exit the command window.

Task Four: Don’t Display the Last User’s Username

In order to gain access to a workstation, a user must provide two values — a username and its associated password. If you give the username to an unauthorized user who is trying to break in, then all they have to do is guess the password. Therefore, for security reasons, it is never a good idea to display the username of the previous user for someone trying to login. To prevent this, you can create a setting to keep the name of the last user who used a system from displaying it for the next user.

The Steps

1. Start a command window (CMD).
2. Start the Registry Editor (REGEDIT).
3. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows.
4. Choose CurrentVersion\Policies\System.
5. Double-click dontdisplaylastusername (if it is not there, create it as a DWORD value).
6. Set the value to 1.
7. Click OK.
8. Exit the Registry Editor.
9. Exit the command window.

Going Beyond Local Settings

Changes made in the Registry Editor apply to the machine that you are working on (whether it be local or remote). When you want to change settings for more than one machine, the best solution is to use a Group Policy. With a Group Policy, you create restrictions that will apply to workstations when users authenticate. Upon each authentication, those restrictions are then applied as Registry settings, providing an efficient way to manage a large number of computers.

The restrictions you set come from choices within template files and can be as simple as not allowing the user to access the game Solitaire, or as complex removing their ability to access other networks. Security templates are those template files that hold Registry setting choices that relate to security settings.

Not every configuration setting needs to be downloaded through the domain. Every current Microsoft operating system also includes local policies — settings that apply to the workstation when the user has yet to authenticate with the network. The purpose of these policies is to restrict the user locally, just as you would across the network, when they have yet to log into the domain. To see the local polices, choose Start > Run and type secpol.msc.

As a security administrator, you should routinely monitor the settings made throughout your network in local and Group Policies and tweak them as needed.

Summing it Up

The Windows Registry holds the configuration settings for the machine and the user. While it is intended to simplify operations, the lack of good documentation for administrators leaves many underprepared to manage it and lacking adequate knowledge of it for some certification exams. The best way to overcome this is through exposure to it and this article walked through four common administrative tasks that can be done through the Registry Editor.