Windows 9x/Me Security and System Restrictions

May 10 2014 05:21 PM | Stephen in Legacy Security Articles

Tags: windows security networking
By jacorex@hotmail.com
Article pulled from BlackSun Security
[DISCLAIMER]
This tutorial was written for informational purposes only, so let's keep it that way!
I am not responsible for anything stupid you do with this information (not that you can do anything stupid with it but you know people...). yada yada yada...

[THE FLASHING RED WARNING NOTE]
This tutorial is about editing the registry. Editing the registry is very dangerous: you can break your PC, so please take the time to back up the registry before you even try anything written in this tutorial. I also suggest that you first read the other tutorials about the registry available from BSRF [http://blacksun.box.sk].

[ABOUT THIS TUTORIAL]
This tutorial was not written by me entirely, I gathered information from other sources on the web (some time ago) like messageboards, advisories etc. I do not know who the original authors are, but if you read this and feel that you need some credit for it please drop me a line and I will put your name in here somewhere ;-)
A large part of this tutorial originated from a post on Elf Qrin's message board [http://www.elfqrin.com]
The reason for this tutorial is that I was looking for something like this and could not get hold of it easily... (That is good enough a reason, ain't it? =)
Anyway, here goes, I hope you like it. Send all feedback to PHaRaoH.

--------------------------------------------------------------------------------
You can control the way your Win95/98/ME system restricts access to certain areas or features (especially useful on multiuser machines) without having to mess with Poledit.exe (Policy Editor), the default Windows administrative control tool.
All you have to do is modify the Registry values listed below.
You can either make these changes manually using the Registry Editor (Regedit.exe), or save them in a .REG file for future use (name it for example RESTRICT.REG). Start Regedit and go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
Look in the left hand pane for these subkeys:
Explorer
System
Network
WinOldApp
If they are not present, create them: right-click... New... Key... Name it to one of the values listed above.
Now you need to create (or modify, if they already exist) the following DWORD values under the subkeys above. To create a new DWORD value: right-click... New... DWORD... name it to one of the values listed further below. To modify one of these DWORD values: right-click... Modify... check the Decimal box... enter a value of 1 to disable access to a certain feature, or a value of 0 to enable access to a certain feature. These are the valid DWORD values (if not specified otherwise) you can change under the following subkeys:
1. Explorer subkey:
Keyname
Description

ClearRecentDocsOnExit
enable/disable clear of recent documents upon exit

DisableRegistryTools
enable/disable registry editing tools
WARNING: If you disable the Registry Editor, you will NOT be able to modify ANY Registry settings anymore, and the ONLY way to disable system restrictions is to run/merge/register a .REG/.INF/.VBS file!

NoAddPrinter
enable/disable addition of new printers

NoClose
enable/disable system shutdown

NoDeletePrinter
enable/disable deletion of existing printers

NoDesktop
enable/disable ALL desktop items and desktop right-click menu

NoDevMgrUpdate
enable/disable Windows 98/ME web update manager

NoDrives [hex]
enable/disable ANY drives in My Computer/Explorer/IE
See "Hide Win9x Drives" for details

NoFind
enable/disable the find/search command

NoInternetIcon
enable/disable the Internet icon on desktop

NoNetHood
enable/disable Network Neighborhood

NoRecentDocsHistory
enable/disable recent documents in the Start Menu (Win98/ME/IE4/IE5/IE6 only)

NoRun
enable/disable the run command

NoSaveSettings
enable/disable save settings upon exit

NoSetFolders
enable/disable folders in Start Menu... Settings

NoSetTaskbar
enable/disable taskbar in Start Menu... Settings

NoSMMyDocs
enable/disable My Documents folder in Start Menu

NoSMMyPictures
enable/disable My Pictures folder in Start Menu
["NoSMMyDocs" and "NoSMMyPictures" courtesy of David Poole]

NoWindowsUpdate
enable/disable the Win98/ME web update
2. System subkey:
Key Name
Description

NoAdminPage
enable/disable the remote administration tab

NoConfigPage
enable/disable the hardware profiles tab

NoControlPanel [hex]
enable/disable the control panel

NoDevMgrPage
enable/disable the device manager tab

NoDispAppearancePage
enable/disable the appearance display tab

NoDispBackgroundPage
enable/disable the background display tab

NoDispCPL
enable/disable the display properties applet

NoDispScrSavPage
enable/disable the screensaver display tab

NoDispSettingsPage
enable/disable the settings display tab

NoFileSysPage
enable/disable the file system button

NoPwdPage
enable/disable the password change tab

NoProfilePage
enable/disable the user profiles tab

NoSecCPL
enable/disable the password applet

NoVirtMemPage
enable/disable the virtual memory button
3. Network subkey:
Key Name
Description

DisablePwdCaching
enable/disable password caching

HideSharePwds [hex]
enable/disable shared passwords

NoEntireNetwork
enable/disable entire network

NoNetSetup
enable/disable the network applet

NoNetSetupIDPage
enable/disable the network identification tab

NoNetSetupSecurityPage
enable/disable the network access tab

NoFileSharing
enable/disable the network file sharing button

MinPwdLen
set the minimum password length (integer number: 0 - 99)

NoPrintSharing
enable/disable the network print sharing button

NoWorkgroupContents
enable/disable network workgroup
4. WinOldApp subkey:
Key Name
Description

Disabled
enable/disable MS-DOS Prompt

NoRealMode
enable/disable real MS-DOS mode reboot option (Win95/98 only)
Similar settings for Explorer, Network and System can be also found under these Registry keys:
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies
and:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
If there is only one user, the ".Default" key above contains all global system settings. If more than one user, each user has its own subkey here, named after the username(s) found in Control Panel... Users, and the registry settings located under a user's subkey are valid only for that specific user. If you double-click on any of these keys, you'll see 3 subkeys in the left hand pane: Explorer, Network and System.
Create (or modify if already present) the following Binary [hex] values listed below under the subkeys above. To create a new Binary value: right-click... New... Binary... Name it to one of the values listed below.
To modify one of these Binary [hex] values: double-click on it... give it a value of 01 00 00 00 to disable access to a certain system feature, or a value of 00 00 00 00 to enable access to a certain system feature. Don't type the spaces, they will be inserted automatically.
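One way to check a RESTRICT.REG file before merging it, added here as an example and not part of the original tutorial: the Python below reads the REGEDIT4 text, treats dword:00000001 and hex:01,00,00,00 as the same "on" value, and reports which restrictions the file would switch on. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample of a RESTRICT.REG file (REGEDIT4 is the Win9x .REG header).
# Value names are from the tables on this page; the data values are made up.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFind"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
"MinPwdLen"=dword:00000006

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=hex:01,00,00,00
"NoStartBanner"=hex:00,00,00,00
"DisableRegistryTools"=dword:00000001
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"([^"]+)"=(dword|hex):([0-9A-Fa-f,]+)$')
INTEGER_VALUES = {"MinPwdLen", "EditLevel"}  # numbers, not 1/0 switches

def parse_policies(text):
    """Return {(key_path, value_name): int} for values under any Policies key."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 (Win9x) file")
    found, key = {}, None
    for line in (l.strip() for l in lines[1:]):
        section = SECTION.match(line)
        if section:
            key = section.group(1)
            continue
        value = VALUE.match(line)
        if value and key and "\\policies" in key.lower():
            name, kind, data = value.groups()
            if kind == "dword":          # dword:00000001 -> 1
                number = int(data, 16)
            else:                        # hex:01,00,00,00 -> 1 (low byte first)
                raw = bytes(int(b, 16) for b in data.split(",") if b)
                number = int.from_bytes(raw, "little")
            found[(key, name)] = number
    return found

def active_restrictions(text):
    """Sorted names of 1/0 restrictions that the file switches on."""
    return sorted({name for (_, name), v in parse_policies(text).items()
                   if v and name not in INTEGER_VALUES})

def disables_registry_tools(text):
    """True if merging the file would set DisableRegistryTools (see WARNING)."""
    return any(name == "DisableRegistryTools" and v
               for (_, name), v in parse_policies(text).items())
```

Running `disables_registry_tools` on a file before merging it catches the lockout described in the WARNING under the Explorer subkey.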
Explorer subkey valid DWORD values (if not specified otherwise) that can be changed (some are valid ONLY for Win98/ME and MS IE 3/4/5/6):
Key Name
Description

CDRAutoRun [hex]
enable/disable CD-R/CD-RW/DVD-R/DVD-RW drive(s) autoRun
NOTE: This setting needs specific CDR(W)/DVDR(W) software installed, like Roxio (Adaptec) Easy CD Creator, DirectCD, CDCopier etc.

ClassicShell [hex]
enable/disable the active desktop shell

ClearRecentDocsOnExit
clear/don't clear recent documents upon exit

EditLevel
edit security level (integer number: 0 - 4)

EnforceShellExtensionSecurity
self explanatory :)

LinkResolveIgnoreLinkInfo
display/don't display link info

NoActiveDesktop
enable/disable active desktop

NoActiveDesktopChanges
enable/disable changes to active desktop

NoAddPrinter
enable/disable addition of new printers

NoChangeStartMenu
enable/disable changes to the Start Menu

NoClose
enable/disable closing IE GUI

NoDeletePrinter
enable/disable deletion of existing printers

NoDeskTop
enable/disable ALL desktop items and desktop right-click menu

NoDevMgrUpdate
enable/disable the Win98/ME web update manager

NoDrives [hex]
enable/disable ALL drives in My Computer/Explorer/IE
See "Hide Win9x Drives" for details.

NoDriveTypeAutoRun [hex]
enable/disable the cd-rom autorun command

NoEditMenu
edit/don't edit the Start Menu

NoFavoritesMenu
enable/disable favorites folder display

NoFileMenu
enable/disable Explorer/IE file menu

NoFind
enable/disable the find command

NoFolderOptions
show/don't show Folder Options menu in explorer

NoHelp
show/don't show Help menu

NoInternetIcon
show/don't show the Internet icon on desktop

NoLogOff
show/don't show the Logoff menu in the Start menu

NoNetConnectDisconnect
enable/disable dial-up networking connect/disconnect

NoNetHood
enable/disable network neighborhood

NoRecentDocsHistory
enable/disable recent documents in Start Menu (Win98/ME/IE4/IE5/IE6 ONLY)

NoRecentDocsMenu
show/don't show the recent documents menu in the Start menu

NoRun
enable/disable the run command

NoSaveSettings [hex]
enable/disable save settings upon exit

NoSetActiveDesktop
enable/disable active desktop

NoSetFolders
enable/disable folder settings

NoSetTaskbar
enable/disable taskbar settings

NoStartBanner [hex]
enable/disable the splash screen upon IE start

NoStartMenuSubFolders
show/don't show subfolders in the Start Menu

NoTrayContextMenu
show/don't show context menu for tray items

NoViewContextMenu
show/don't show context menu

NoWindowsUpdate
enable/disable Win98/ME web update

NoWinKeys
enable/disable Win9x keys on 104+ keyboards

RestrictRun
enable/disable the run menu
Some of these values are also found under:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Example:
NoControlPanel [hex] = enable/disable Control Panel
Most of the "CURRENT_USER" settings, especially the ones that affect the entire system, change automatically when you modify the similar values under the "LOCAL_MACHINE" registry key (see above). Most of these values affect ONLY Internet Explorer versions 3, 4, 5 and 6, and CAN be changed separately in the "CURRENT_USER" key, without influencing the overall system operation.
ANY changes to these settings under ANY of these Registry keys require a Windows restart to take effect.
The MS Internet Explorer 4.0x/5.xx/6.xx restrictions are found under these Registry keys:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions
and:
HKEY_USERS\.Default\Software\Policies\Microsoft\Internet Explorer\Restrictions
if there is only one user. If more than one user, the ".Default" key above is replaced with each "username" key. All values are in DWORD format. Type in the decimal box for the desired value: 1 to disable or 0 to enable the respective function/key combo:
Key Name
Description

NoFileOpen
enable/disable open command in File menu, Ctrl+O and Ctrl+L

NoFileNew
enable/disable Ctrl+N for creating a new window

NoBrowserSaveAs
enable/disable the save and save as in the file menu

NoBrowserOptions
enable/disable the Internet options/properties in the view menu

NoFavorites
enable/disable the favorites menu, adding to, organizing favorites

NoSelectDownloadDir
enable/disable the save as dialog box upon file download

NoBrowserContextMenu
enable/disable html context menu

NoBrowserClose
enable/disable the close menu and alt+F4 keys to close a window

NoFindFiles
enable/disable the find menu and the F3 key

NoTheaterMode
enable/disable fullscreen (kiosk mode) and the F11 key
Internet Explorer Restrictions
The Internet Properties restrictions for MS Internet Explorer 4.0x/5.xx/6.xx (also found as a Control Panel applet) are located under this Registry key:
HKEY_USERS\.Default\Software\Policies\Microsoft\Internet Explorer\Control Panel
if there is only one user. If more than one user, the ".Default" key above is replaced with each "username" key. All values are in DWORD format. Type in the Decimal box for the desired value: 1 to disable or 0 to enable the respective tab/setting/button.
Changing ANY of these settings does NOT require restarting Windows:
Key Name
Description

Accessibility
enable/disable accessibility settings

Advanced
enable/disable advanced settings

AdvancedTab
enable/disable the advanced tab

Autoconfig
enable/disable autoconfig settings

Cache
enable/disable cache settings

CalendarContact
enable/disable contact settings

Check_If_Default
enable/disable check if IE default browser setting

Connection Settings
enable/disable connection settings

Certificates
enable/disable certificates settings

CertifPers
enable/disable personal certificates settings

CertifSite
enable/disable certificates publishers settings

Colors
enable/disable color settings

Connection Wizard
self explanatory =)

ConnectionsTab
enable/disable connections tab

Connwiz Admin Lock
enable/disable connection wizard administrative lockout

ContentTab
enable/disable content tab

Fonts
enable/disable fonts settings

FormSuggest
enable/disable forms suggest setting

FormSuggest Passwords
enable/disable passwords suggest setting

GeneralTab
enable/disable General tab

History
enable/disable history settings

HomePage
enable/disable homepage settings

Languages
enable/disable Languages settings

Links
enable/disable links settings

Messaging
enable/disable MS messaging settings

Profiles
enable/disable profiles settings

ProgramsTab
enable/disable programs tab

Proxy
enable/disable proxy server settings

Ratings
enable/disable ratings settings

ResetWebSettings
enable/disable Reset web settings

SecAddSites
enable/disable Security Add sites settings

SecChangeSettings
enable/disable security changes

SecurityTab
enable/disable security tab

Settings
enable/disable settings boxes

Wallet
enable/disable MS wallet settings (MS IE 5.xx and newer ONLY)
Change/Add Restrictions And Features
If you want to restrict what users can do or use on their computer without having to run poledit.exe, you can edit the registry. You can add and delete Windows features by editing the registry. In this key the value 0 is ON and the value 1 is Off.
Example: to have Windows save settings, add or set the value NoSaveSettings to 0; if it is set to 1, Windows will not save settings. Setting NoDeletePrinter to 1 will not allow the user to delete a printer.
The same key shows up at:
HKEY_USERS\(yourprofilename)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
so change it there also if you are using different profiles.
Open RegEdit
Go to HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Policies
Go to the Explorer Key (Additional keys that can be created under Policies are System, Explorer, Network and WinOldApp)
You can then add DWORD or binary values set to 1 in the appropriate keys for ON and 0 for off.
The following keys are valid:
Key Name
Description

NoDeletePrinter
disables deletion of printers

NoAddPrinter
disables addition of printers

NoRun
disables run command

NoSetFolders
removes folders from settings on Start menu

NoSetTaskbar
removes taskbar from settings on Start menu

NoFind
removes the find command

NoDrives
hides drives in My Computer

NoNetHood
hides the network neighborhood

NoDesktop
hides all icons on the desktop

NoClose
disables shutdown

NoSaveSettings
don't save settings on exit

DisableRegistryTools
disable registry editing tools

NoRecentDocsMenu
hides the documents shortcut at the Start button

NoRecentDocsHistory
clears history of documents

NoFileMenu
hides the file menu in explorer

NoActiveDesktop
no active desktop

NoActiveDesktopChanges
no changes allowed to active desktop

NoInternetIcon
no internet explorer icon on the desktop

NoFavoritesMenu
hides the favorite menu

NoChangeStartMenu
disables changes to the Start menu

NoFolderOptions
hides the folder options in the explorer

ClearRecentDocsOnExit
empty the recent documents folder on reboot

NoLogoff
hides the log off option in the Start menu

RestrictRun
disables all exe programs except for those listed in the RestrictRun subkey
POLICY EDITOR
Tips/Info
INDEX
Customize your system with the System Policy Editor
Don't want someone else changing your Windows?
Restrictions without running Poledit
Poledit Tips
1. Power users: Customize your system with the System Policy Editor
The policy editor comes free on the Win9x CD. Here's how to install it: Open the Control Panel and double-click on the Add/Remove Programs icon. Select the Windows Setup tab, then click on the Have Disk button. Click on the Browse button and find the ADMIN\APPTOOLS\POLEDIT folder on your Win9x installation CD. Click on OK twice. Select both System Policy Editor and Group Policies and click on the Install button.
2. Don't want someone else changing your Windows environment?
Use the System Policy Editor, located on the Win 95 installation CD-ROM. Don't put the Policy Editor on your own hard drive or you'll make it too easy for others to change your configuration. When you need it, pop in the CD-ROM, select Start... Run, and run the command d:\admin\apptools\poledit\poledit.exe, where d is your CD-ROM drive.
3. Restrictions without running Poledit:
If you want to restrict what users can do without having to run Poledit, changes can be made directly to the Registry.
This will allow you to make a .reg file with the specific restrictions you want and import them all at once.
Start Regedit
Go to HKEY_Current_User\Software\Microsoft\CurrentVersion\Policies

