Remote registry access (Windows)

Module: Startup Files

Supported Platforms: Windows 2000, Windows 2003, Windows 2008, Windows Vista, Windows XP

This check reports accounts that can access the registry remotely. Any user with Read or Write access to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg key has remote access to the registry. After a user has established a remote connection to the registry, only the security on individual keys restricts the user's access, regardless of what permissions the user is granted on the Winreg key. Use the name list to specify accounts that are to be included or excluded for this check.

The following table lists the error message for the check.

Table: Error message for Remote registry access

Message String ID and Category

  Category: System Information

Platform and Message Numeric ID

  • Windows 2000 (105841)
  • Windows 2003 (205841)
  • Windows 2008 (248841)
  • Windows Vista (228841)
  • Windows XP (200841)

Message Title and Description

  Title: Users/groups found with remote registry permissions

  Description: The account can remotely read or modify registry contents. If the access is not authorized, revoke all permissions for this account from the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg registry key. If the access is authorized, update the name list. Limit remote registry access to trusted accounts only.

Additional Information

  Severity: red-4
  Correctable: false
  Snapshot Updatable: false
  Template Updatable: false
  Information Field Format: [%s]
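
The same review can be done by hand by reading the ACL on the Winreg key and comparing it with a list of authorized accounts. The PowerShell below is an added example, not part of the product: the function name Get-RemoteRegistryAccess and the $AllowedAccounts list (standing in for the check's name list) are assumptions, and it assumes PowerShell 3.0 or later run locally with rights to read the key's permissions.

```powershell
# Added example, not vendor code.
$WinregPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Assumption: accounts your site has authorized for remote registry access.
$AllowedAccounts = @('BUILTIN\Administrators')

function Get-RemoteRegistryAccess {
    param(
        [string]   $Path    = $WinregPath,
        [string[]] $Allowed = $AllowedAccounts
    )
    $rights = [System.Security.AccessControl.RegistryRights]
    # Specific rights that amount to reading or writing the key.
    $readBits  = [int]$rights::QueryValues -bor [int]$rights::EnumerateSubKeys
    $writeBits = [int]$rights::SetValue    -bor [int]$rights::CreateSubKey

    $acl = Get-Acl -Path $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        # Deny entries do not grant access, so only Allow entries are reported.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $mask     = [int]$ace.RegistryRights
        $canRead  = ($mask -band $readBits)  -ne 0
        $canWrite = ($mask -band $writeBits) -ne 0
        if (-not ($canRead -or $canWrite)) { continue }

        $account = $ace.IdentityReference.Value
        [pscustomobject]@{
            Account    = $account
            Read       = $canRead
            Write      = $canWrite
            Rights     = $ace.RegistryRights   # raw value, for manual review
            Inherited  = $ace.IsInherited
            Authorized = $Allowed -contains $account
        }
    }
}

# Unauthorized accounts sort first; these are the ones to revoke or to add
# to the authorized list after review.
Get-RemoteRegistryAccess |
    Sort-Object Authorized, Account |
    Format-Table -AutoSize
```

Entries whose Rights column shows only a raw number carry generic access bits that this example does not decode, so they are not listed and should be reviewed separately with `(Get-Acl $WinregPath).Access`.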