Restricting a program's access to the Windows registry

2

1

Is it possible to prevent a certain program from accessing the Windows registry? I know there are ACLs to lock out a user, but what about per-executable control?

Alexandr Zarubkin

Posted 2016-06-24T16:31:35.080

Reputation: 212

2

Nope, because it's the account that the program's process is running as that writes to the registry on its behalf. Which program is it that you're trying to block? What registry keys are you trying to stop it writing to? Depending on what part of the registry you're trying to prevent writing to, you could potentially just deny everyone. But to me, this smells like an XY Problem; what's the ACTUAL problem you're trying to solve by blocking the registry writes?

– Ƭᴇcʜιᴇ007 – 2016-06-24T16:38:46.943

In Linux you can apply Mandatory Access Control mechanisms to apps via systems like SELinux and AppArmor, but in Windows everything is user based. See here for more details: https://msdn.microsoft.com/en-us/library/windows/desktop/bb648648(v=vs.85).aspx

– Frank Thomas – 2016-06-24T17:05:19.087

@Ƭᴇcʜιᴇ007 True. There is Mandatory Access Control in Windows too, and Low integrity may be helpful here. – Ben N – 2016-06-25T01:20:50.333

Answers

3

Sorry, that's not possible, at least not to the extent you seem to want. As mentioned in the comments by Ƭᴇcʜιᴇ007, all of Windows access control is based on users. Every process has a token attached to it, which determines what user it's running as. There is no difference between you performing an action and a program running under your account performing that action, since you do literally everything through one process or another. "Programs don't attack users; users attack users."

Besides, virtually every process accesses the Registry. Even if the program itself doesn't explicitly do any Registry access, an examination with Process Monitor reveals that every GUI app starts with a boatload of Registry reads to figure out how to set up the graphical controls. Run Process Monitor on an app you think doesn't need the Registry; you'll be surprised.

But if you want to block all writes and only writes, there actually is something that may help. Windows has a concept of "integrity levels", a part of UAC. Basically, a program running at a certain integrity level can't write to objects labeled with a higher integrity level. Normal processes and normal files (and Registry keys) have the Medium integrity level, but you can manually launch processes with the Low level. Download the PsExec tool. If you wanted to create a command prompt that can't write to normal places, run this:

psexec -l -i cmd

The -l switch sets Low integrity; the -i switch makes the process interactive. The resulting command prompt can only write to places specifically marked as Low integrity.

C:\Users\Ben>reg add HKCU\Test
ERROR: Access is denied.

That command works in a normal command prompt, but not this kind of locked-down one.

Ben N

Posted 2016-06-24T16:31:35.080

Reputation: 32 973
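The following probe script is an added example, not part of Ben N's answer. It shows the integrity-level mechanism the answer describes from the inside: it reports the current token's integrity level, then tries to create a registry key and a file in a normally labelled location and in a location Windows labels Low by default. Run it once from an ordinary PowerShell window and once from one started with psexec -l -i powershell, and compare. It assumes PsExec is on PATH and that HKCU\Software\AppDataLow and %USERPROFILE%\AppData\LocalLow exist with their default Low label (the locations Protected Mode Internet Explorer writes to); the key and file names it creates are arbitrary.

```powershell
# Added example (not the original answer's code). Run from a normal prompt,
# then from:  psexec -l -i powershell   and compare the two reports.
# Assumptions: PsExec is on PATH; HKCU\Software\AppDataLow and
# %USERPROFILE%\AppData\LocalLow still carry their default Low label.
# To give a folder of your own a Low label, run from a normal prompt:
#   icacls C:\LowBox /setintegritylevel Low

function Get-TokenIntegrityLevel {
    # The token's mandatory label is listed by whoami /groups as a pseudo-group,
    # e.g. "Mandatory Label\Low Mandatory Level ... S-1-16-4096".
    $line = whoami /groups | Where-Object { $_ -match 'Mandatory Level' } | Select-Object -First 1
    if ($line -match '(Untrusted|Low|Medium|High|System) Mandatory Level') { return $Matches[1] }
    return 'Unknown'
}

function Test-KeyWrite {
    param([Parameter(Mandatory)][string]$Key)   # PowerShell registry path, e.g. HKCU:\IlProbe
    try {
        $null = New-Item -Path $Key -ErrorAction Stop
        Remove-Item -Path $Key -Recurse -ErrorAction SilentlyContinue
        return 'write OK'
    } catch {
        # A Low token writing to a Medium-labelled key ends up here (access denied).
        return 'denied: ' + $_.Exception.Message
    }
}

function Test-FileWrite {
    param([Parameter(Mandatory)][string]$Dir)
    $file = Join-Path $Dir "il-probe-$PID.txt"   # arbitrary probe file name
    try {
        Set-Content -Path $file -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $file -ErrorAction SilentlyContinue
        return 'write OK'
    } catch {
        return 'denied: ' + $_.Exception.Message
    }
}

"Token integrity level: $(Get-TokenIntegrityLevel)"
""
"Registry:"
"  HKCU:\IlProbe                      -> $(Test-KeyWrite 'HKCU:\IlProbe')"
"  HKCU:\Software\AppDataLow\IlProbe  -> $(Test-KeyWrite 'HKCU:\Software\AppDataLow\IlProbe')"
""
"Files:"
"  $env:USERPROFILE\Documents         -> $(Test-FileWrite (Join-Path $env:USERPROFILE 'Documents'))"
"  $env:USERPROFILE\AppData\LocalLow  -> $(Test-FileWrite (Join-Path $env:USERPROFILE 'AppData\LocalLow'))"
```

From the Medium prompt every probe reports write OK; from the Low prompt only the AppDataLow key and the LocalLow folder do, which is exactly the "can only write to places specifically marked as Low integrity" behaviour the answer describes. Note that reads are unaffected either way, so this does nothing for the "block all registry access" case in the question.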

1

Another solution is to use Sandboxie. This program can execute any process inside a sandbox, so that any change to the system made by that process can be undone.

Alexandr Zarubkin

Posted 2016-06-24T16:31:35.080

Reputation: 212