
Enabling Registry editing


  • Enabling Registry editing

    Hello All:

    I have run into a problem editing the registry. Whenever I attempt to run regedit, I am told that registry editing has been disabled by the administrator. I am the administrator and I did not intentionally disable that feature. Can someone please advise me how to enable registry editing as the administrator.

    Thanks in advance for all responses to this question.

  • #2
    Re: Enabling Registry editing

    If you run gpedit.msc you should find an entry under User Config > Admin Templates > System

    Look for the entry "Prevent access to registry editing tools" and make it "Not configured".

    Sometimes viruses can also block registry editing. If the above does not work, or does not persist through a reboot, do a virus scan with up to date AV software.
    Best wishes,
    PaulH.
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



    • #3
      Re: Enabling Registry editing

      Hi PaulH:

      Thanks for the response. I looked at that entry, it is set at not configured. Furthermore, I have Symantec Endpoint Protection installed and the system is checked for viruses continuously. Any other suggestions?
      Last edited by astone; 29th January 2009, 14:35.



      • #4
        Re: Enabling Registry editing

        Hi again:

        I took a shot at disabling it and I was able to get into the registry. Thanks again for your help.



        • #5
          Re: Enabling Registry editing

          That leaves your machine without AV though.
          Aside from completely replacing Symantec AV how about checking for a Teefer2 driver on the NIC and just disabling that part of the AV?
          cheers
          Andy

          Please read this before you post:


          Quis custodiet ipsos custodes?



          • #6
            Re: Enabling Registry editing

            Originally posted by AndyJG247:
            That leaves your machine without AV though.
            Aside from completely replacing Symantec AV how about checking for a Teefer2 driver on the NIC and just disabling that part of the AV?
            AndyJG247, I think he meant disabling the GP setting, if I am not mistaken, and not the AV!

            Ta
            Caesar's cipher - 3

            ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

            SFX JNRS FC U6 MNGR



            • #7
              Re: Enabling Registry editing

              AH, ok cheers
              cheers
              Andy



              • #8
                Re: Enabling Registry editing

                It's possible that it was 'enabled' in the past, then set to 'not configured' sometime later.
                If this takes the same method as Server 2003 GPOs then having it set as 'not configured' would effectively mean nothing has changed, so it would still adopt the last setting, i.e. 'enabled'. Thus 'disabling' it would then actively change the setting.

                Does this make sense? Took me ages to get my head around it in server 2003 GPMC.



                • #9
                  Re: Enabling Registry editing

                  Originally posted by k.jacko:
                  It's possible that it was 'enabled' in the past, then set to 'not configured' sometime later.
                  If this takes the same method as Server 2003 GPOs then having it set as 'not configured' would effectively mean nothing has changed, so it would still adopt the last setting, i.e. 'enabled'. Thus 'disabling' it would then actively change the setting.

                  Does this make sense? Took me ages to get my head around it in server 2003 GPMC.
                  This explanation is partly correct.

                  The problem of registry tattooing done by policies was a big problem in NT4 domains. The registry values that were set by the policy remained tattooed into the registry until you explicitly removed them, either by setting the policy to the opposite value or manually going in and deleting the registry values.

                  With the introduction of GPOs, four new registry subkeys (named 'Policies') were allocated to resolve the tattooing problem:

                  - HKEY_LOCAL_MACHINE\Software\Policies
                  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
                  - HKEY_CURRENT_USER\Software\Policies
                  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

                  GPO policies that make use of the registry use one of the above registry keys to set the policy.
                  Registry values that are controlled by Group Policy but do not fall under one of these 4 keys should be referred to as Preferences.


                  When the GPO 'Disable Registry Editing Tools' is configured, the item DisableRegistryTools will be added to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies after a policy update on the computer, and it sets either the value 1 (enabled) or 0 (disabled) on the item.
                  Next, a reboot is required for this change in the registry to take effect.

                  When the policy later on is set to 'Not configured' again or if the GPO falls out of scope of the computer or user, the Item will be automatically removed from the registry after a policy update - and will be back in its default setting.

                  Most likely what was the case here is that after the first reboot the policies were just updated, so it needs a second reboot for the change to take effect.

                  Or, there was something wrong.
                  astone confirmed that the policy was 'Not configured' locally. The item, however, could have been configured by an AD GPO and removed from that GPO later on, and then for some reason the change was not applied. In that case there was actually a tattooing of the registry and you explicitly have to reverse the policy.


                  \Rems
                  Last edited by Rems; 30th January 2009, 14:55.

                  This posting is provided "AS IS" with no warranties, and confers no rights.

                  __________________

                  ** Remember to give credit where credit's due **
                  and leave Reputation Points for meaningful posts
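
Added example, not part of any post in this thread: a read-only PowerShell check that walks the four Policies roots listed in post #9 and reports every key where a DisableRegistryTools value is present. The variable names and output layout are assumptions made for the example, and it goes slightly beyond the post by searching all subkeys of those roots rather than one fixed path.

```powershell
# Read-only audit: nothing here writes to the registry.
# The four roots and the value name come from the thread above;
# variable names and the output shape are illustrative.
$policyRoots = @(
    'HKLM:\Software\Policies',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\Software\Policies',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
)
$valueName = 'DisableRegistryTools'

$findings = foreach ($root in $policyRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # Check the root key itself plus every subkey beneath it.
    $keys = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        if ($key.GetValueNames() -contains $valueName) {
            [pscustomobject]@{
                Key   = $key.Name
                Value = $key.GetValue($valueName)
                Kind  = $key.GetValueKind($valueName)
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize

    # List the GPOs currently applied to this user. If none of them
    # configures the setting, the value found above is a leftover
    # (tattooed) or was written by something other than Group Policy.
    gpresult /r /scope user
} else {
    "No $valueName value found under the four policy roots."
}
```

Run it as the affected user, since two of the four roots are under HKEY_CURRENT_USER.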



                  • #10
                    Re: Enabling Registry editing

                    Originally posted by AndyJG247:
                    That leaves your machine without AV though.
                    Aside from completely replacing Symantec AV how about checking for a Teefer2 driver on the NIC and just disabling that part of the AV?
                    Hi Andy:

                    I didn't disable Symantec, I disabled permitting access to registry editing tools. Symantec is still running. I thought I should clarify that after seeing your post.
                    Last edited by astone; 30th January 2009, 19:26.
