By
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
DISCLAIMER] This tutorial was written for informational purposes only, so let's keep it that way! [THE FLASHING RED WARNING NOTE] This tutorial is about editing the registry. Editing the registry is very dangerous: you can break your PC, so please take the time and backup the registry before you even try anything written in this tutorial. I also suggest that you first read the other tutorials about the registry available from BSRF [http://blacksun.box.sk]. [ABOUT THIS TUTORIAL] This tutorial was not written by me entirely, I gathered information form other sources on the web (some time ago) like messageboards, advisories etc. I do not know who the original authors are, but if you read this and feel that you need somecredit for it please drop me a line and I will put your name in here somewhere ;-) A large part of this tutorial originated from a post on Elf Qrin's message board [http://www.elfqrin.com] The reason for this tutorial is that I was looking for something like this and could not get hold of it easy... (That is good enough a reason, ain't it? =) Anyway, here goes, I hope you like it. Send all feedback to PHaRaoH. You can control the way your Win95/98/ME system restricts access to certain areas or features (especially useful on multiuser machines) without having to mess with Poledit.exe (Policy Editor), the default Windows administrative control tool. All you have to do is modify the Registry values listed below. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies Look in the left hand pane for these subkeys: Explorer Now you need to create (or modify if it already exist) the following DWORD values listed further below under the subkeys above. To create a new DWORD value: right-click... New... DWORD... name it to one of the values listed further below. To modify one of these DWORD values: right-click... Modify... check the Decimal box... enter a value of 1 to disable access to a certain feature, or a value of 0 to enable access to a certain feature). These are the valid DWORD values (if not specified otherwise) you can change under the following subkeys: 1. Explorer subkey: Keyname 2. System subkey: Key Name 3. Network subkey: Key Name 4. WinOldApp subkey: Key Name Similar settings for Explorer, Network and System can be also found under these Registry keys: HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies and: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies If there is only one user, the ".Default" key above contains all global system settings. If more than one user, each user has its own subkey here, named after the username(s) found in Control Panel... Users, and the registry settings located under a user's subkey are valid only for that specific user. If you double-click on any of these keys, you'll see 3 subkeys in the left hand pane: Explorer, Network and System. Explorer subkey valid DWORD values (if not specified otherwise) that can be changed (some are valid ONLY for Win98/ME and MS IE 3/4/5/6): Key Name Some of these values are also found under: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Example: Most of the "CURRENT_USER" settings, especially the ones that affect the entire system, change automatically when you modify the similar values under the "LOCAL_MACHINE" registry key (see above). Most of these values affect ONLY Internet Explorerversions 3, 4, 5 and 6, and CAN be changed separately in the "CURRENT_USER" key, without influencing the overall system operation. The MS Internet Explorer 4.0x/5.xx/6.xx restrictions are found under these Registry keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions and: HKEY_USERS\.Default\Software\Policies\Microsoft\Internet Explorer\Restrictions if there is only one user. If more than one user, the ".Default" key above is replaced with each "username" key. All values are in DWORD format. Type in the decimal box for the desired value: 1 to disable or 0 to enable the respective function/key combo: Key Name Internet Explorer Restrictions HKEY_USERS\.Default\Software\Policies\Microsoft\Internet Explorer\Control Panel if there is only one user. If more than one user, the ".Default" key above is replaced with each "username" key. All values are in DWORD format. Type in the Decimal box for the desired value: 1 to disable or 0 to enable the respective tab/setting/button. Key Name Change/Add Restrictions And Features Example: to Save Windows setting add or modify the value name NoSaveSettings to 0, if set to 1 Windows will not save settings. And NoDeletePrinter set to 1 will not allow the user to delete a printer. The same key shows up at: HKEY_USERS\(yourprofilename)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer so change it there also if you are using different profiles. Open RegEdit Key Name POLICY EDITOR INDEX Customize your system with the System Policy Editor The policy editor comes free on the Win9x CD. Here's how to install it: Open the Control Panel and double-click on the Add/Remove Programs icon. Select the Windows Setup tab, then click on the Have Disk button. Click on the Browse button and find the ADMIN\APPTOOLS\POLEDIT folder on your Win9x installation CD. Click on OK twice. Select both System Policy Editor and Group Policies and click on the Install button. 2. Don't want someone else changing your Windows environment? Use the System Policy Editor, located on the Win 95 installation CD-ROM. Don't put the Policy Editor on your own hard drive or you'll make it too easy for others to change your configuration. When you need it, pop in the CD-ROM, select Start... Run, and run the command d:\admin\apptools\poledit\poledit.exe, where d is your CD-ROM drive. 3. Restrictions without running Poledit: If you want to make restrictions to what users can do without having to running Poledit, changes can be made directly to the Registry. This will allow you to make a .reg file with the specific restrictions you want and importing them all at once. Start Regedit
Article pulled from BlackSun Security
View Homepageà
I am not responsible for anything stupid you do with this information (not that you can do anyting stupid with it but you know people...). yada yada yada...
--------------------------------------------------------------------------------
You can either make these changes manually using the Registry Editor (Regedit.exe), or save them in a .REG file for future use (name it for example RESTRICT.REG). Start Regedit and go to:
System
Network
WinOldApp
If they are not present, create them: right-click... New... Key... Name it to one of the values listed above.
Description
ClearRecentDocsOnExit
enable/disable clear of recent documents upon exit
DisableRegistryTools
enable/disable registry editing tools
WARNING: If you disable the Registry Editor, you will NOT be able to modify ANY Registry settings anymore, and the ONLY way to disable system restrictions is to run/merge/register a .REG/.INF/.VBS file!
NoAddPrinter
enable/disable addition of new printers
NoClose
enable/disable system shutdown
NoDeletePrinter
enable/disable existent printers deletion
NoDesktop
enable/disable ALL desktop items and desktop right-click menu
NoDevMgrUpdate
enable/disable Windows 98/ME web update manager
NoDrives [hex]
enable/disable ANY drives in My Computer/Explorer/IE
See "Hide Win9x Drives" for details
NoFind
enable/disable the find/search command
NoInternetIcon
enable/disable the Internet icon on desktop
NoNetHood
enable/disable Network Neighborhood
NoRecentDocsHistory
enable/disable recent documents in the Start Menu (Win98/ME/IE4/IE5/IE6 only)
NoRun
enable/disable the run command
NoSaveSettings
enable/disable save settings upon exit
NoSetFolders
enable/disable folders in Start Menu... Settings
NoSetTaskbar
enable/disable taskbar in Start Menu... Settings
NoSMMyDocs
enable/disable My Documents folder in Start Menu
NoSMMyPictures
enable/disable My Pictures folder in Start Menu
["NoSMMyDocs" and "NoSMMyPictures" courtesy of David Poole]
NoWindowsUpdate
enable/disable the Win98/ME web update
Description
NoAdminPage
enable/disable the remote administration tab
NoConfigPage
enable/disable the hardware profiles tab
NoControlPanel [hex]
enable/disable the control panel
NoDevMgrPage
enable/disable the device manager tab
NoDispAppearancePage
enable/disable the appearance display tab
NoDispBackgroundPage
enable/disable the background display tab
NoDispCPL
enable/disable the display properties applet
NoDispScrSavPage
enable/disable the screensaver display tab
NoDispSettingsPage
enable/disable the settings display tab
NoFileSysPage
enable/disable the file system button
NoPwdPage
enable/disable the password change tab
NoProfilePage
enable/disable the user profiles tab
NoSecCPL
enable/disable the password applet
NoVirtMemPage
enable/disable the virtual memory button
Description
DisablePwdCaching
enable/disable password caching
HideSharePwds [hex]
enable/disable shared passwords
NoEntireNetwork
enable/disable entire network
NoNetSetup
enable/disable the network applet
NoNetSetupIDPage
enable/disable the network identification tab
NoNetSetupSecurityPage
enable/disable the network access tab
NoFileSharing
enable/disable the network file sharing button
MinPwdLen
set the minimum password length (integer number: 0 - 99)
NoPrintSharing
enable/disable the network print sharing button
NoWorkgroupContents
enable/disable network workgroup
Description
Disabled
enable/disable Ms-Dos Prompt
NoRealMode
enable/disable real Ms-Dos mode reboot option (Win95/98 only)
Create (or modify if already present) the following Binary [hex] values listed below under the subkeys above. To create a new Binary value: right-click... New... Binary... Name it to one of the values listed below.
To modify one of these Binary [hex] values: double-click on it... give it a value of 01 00 00 00 to disable access to a certain system feature, or a value of 00 00 00 00 to enable access to a certain system feature. Don't type the spaces, they will be inserted automatically.
Description
CDRAutoRun [hex]
enable/disable CD-R/CD-RW/DVD-R/DVD-RW drive(s) autoRun
NOTE: This setting needs specific CDR(W)/DVDR(W) software installed, like Roxio (Adaptec) Easy CD Creator, DirectCD, CDCopier etc.
ClassicShell [hex]
enable/disable the active desktop shell
ClearRecentDocsOnExit
clear/don't clear recent docsuments upon exit
EditLevel
edit security level (integer number: 0 - 4)
EnforceShellExtensionSecurity
self explanatory :)
LinkResolveIgnoreLinkInfo
display/don't display link info
NoActiveDesktop
enable/disable active desktop
NoActiveDesktopChanges
enable/disable changes to active desktop
NoAddPrinter
enable/disable addition of new printers
NoChangeStartMenu
enable/disable changes to the Start Menu
NoClose
enable/disable closing IE GUI
NoDeletePrinter
enable/disable existent printers deletion
NoDeskTop
enable/disable ALL desktop items and desktop right-click menu
NoDevMgrUpdate
enable/disable the Win98/ME web update manager
NoDrives [hex]
enable/disable ALL drives in My Computer/Explorer/IE
See "Hide Win9x Drives" for details.
NoDriveTypeAutoRun [hex]
enable/disable the cd-rom autorun command
NoEditMenu
edit/don't edit the Start Menu
NoFavoritesMenu
enable/disable favorites folder display
NoFileMenu
enable/disable Explorer/IE file menu
NoFind
enable/disable the find command
NoFolderOptions
show/don't show Folder Options menu in explorer
NoHelp
show/don't show Help menu
NoInternetIcon
show/don't show the Internet icon on desktop
NoLogOff
show/don't show the Logoff menu in the Start menu
NoNetConnectDisconnect
enable/disable dial-up networking connect/disconnect
NoNetHood
enable/disable network neighborhood
NoRecentDocsHistory
enable/disable recent documents in Start Menu (Win98/ME/IE4/IE5/IE6 ONLY)
NoRecentDocsMenu
show/don't show the recent documents menu in the Start menu
NoRun
enable/disable the run command
NoSaveSettings [hex]
enable/disable save settings upon exit
NoSetActiveDesktop
enable/disable active desktop
NoSetFolders
enable/disable folder settings
NoSetTaskbar
enable/disable taskbar settings
NoStartBanner [hex]
enable/disable the splash screen upon IE start
NoStartMenuSubFolders
show/don't show subfolders in the Start Menu
NoTrayContextMenu
show/don't show context menu for tray items
NoViewContextMenu
show/don't show context menu
NoWindowsUpdate
enable/disable Win98/ME web update
NoWinKeys
enable/disable Win9x keys on 104+ keyboards
RestrictRun
enable/disable the run menu
NoControlPanel [hex] = enable/disable Control Panel
ANY changes to these settings under ANY of these Registry keys require a Windows restart to take effect.
Description
NoFileOpen
enable/disable open command in File menu, Ctrl+O and Ctrl+L
NoFileNew
enable/disable Ctrl+N for creating a new window
NoBrowserSaveAs
enable/disable the save and save as in the file menu
NoBrowserOptions
enable/disable the Internet options/properties in the view menu
NoFavorites
enable/disable the favorites menu, adding to, organizing favorites
NoSelectDownloadDir
enable/disable the save as dialog box upon file download
NoBrowserContextMenu
enable/disable html context menu
NoBrowserClose
enable/disable the close menu and alt+F4 keys to close a window
NoFindFiles
enable/disable the find menu and the F3 key
NoTheaterMode
enable/disable fullscreen (kiosk mode) and the F11 key
The Internet Properties restrictions for MS Internet Explorer 4.0x/5.xx/6.xx (also found as a Control Panel applet) are located under this Registry key:
Changing ANY of these settings does NOT require restarting Windows:
Description
Accessibility
enable/disable accessibility settings
Advanced
enable/disable advanced settings
AdvancedTab
enable/disable the advanced tab
Autoconfig
enable/disable autoconfig settings
Cache
enable/disable cache settings
CalendarContact
enable/disable contact settings
Check_If_Default
enable/disable check if IE default browser setting
Connection Settings
enable/disable connection settings
Certificates
enable/disable certificates settings
CertifPers
enable/disable personal certificates settings
CertifSite
enable/disable certificates publishers settings
Colors
enable/disable color settings
Connection Wizard
self explanatory =)
ConnectionsTab
enable/disable connections tab
Connwiz Admin Lock
enable/disable connection wizard administrative lockout
ContentTab
enable/disable content tab
Fonts
enable/disable fonts settings
FormSuggest
enable/disable forms suggest setting
FormSuggest Passwords
enable/disable passwords suggest setting
GeneralTab
enable/disable General tab
History
enable/disable history settings
HomePage
enable/disable homepage settings
Languages
enable/disable Languages settings
Links
enable/disable links settings
Messaging
enable/disable MS messaging settings
Profiles
enable/disable profiles settings
ProgramsTab
enable/disable programs tab
Proxy
enable/disable proxy server settings
Ratings
enable/disable ratings settings
ResetWebSettings
enable/disable Reset web settings
SecAddSites
enable/disable Security Add sites settings
SecChangeSettings
enable/disable security changes
SecurityTab
enable/disable security tab
Settings
enable/disable settings boxes
Wallet
enable/disable MS wallet settings (MS IE 5.xx and newer ONLY)
If you want to make restrictions to what users can do or use on there computer without having to run poledit.exe, you can edit the registry. You can add and delete Windows features by editing the registry. In this key the value 0 is ON and the value 1 is Off.
Go to HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Policies
Go to the Explorer Key (Additional keys that can be created under Policies are System, Explorer, Network and WinOldApp)
You can then add DWORD or binary values set to 1 in the appropriate keys for ON and 0 for off.
The following keys are valid:
Description
NoDeletePrinter
disables deletion of printers
NoAddPrinter
disables addition of printers
NoRun
disables run command
NoSetFolders
removes folders from settings on Start menu
NoSetTaskbar
removes taskbar from settings on Start menu
NoFind
removes the find command
NoDrives
hides drives in My Computer
NoNetHood
hides the network neighborhood
NoDesktop
hides all icons on the desktop
NoClose
disables shutdown
NoSaveSettings
don't save settings on exit
DisableRegistryTools
disable registry editing tools
NoRecentDocsMenu
hides the documents shortcut at the Start button
NoRecentDocsHistory
clears history of documents
NoFileMenu
hides the file menu in explorer
NoActiveDesktop
no active desktop
NoActiveDesktopChanges
no changes allowed to active desktop
NoInternetIcon
no internet explorer icon on the desktop
NoFavoritesMenu
hides the favorite menu
NoChangeStartMenu
disables changes to the Start memu
NoFolderOptions
hides the folder options in the explorer
ClearRecentDocsOnExit
empty the recent documents folder on reboot
NoLogoff
hides the log off option in the Start menu
RestrictRun
disables all exe programs exept for those listed in the RestrictRun subkey
Tips/Info
Don't want someone else changing your Windows?
Restrictions without running Poledit
Poledit Tips
1. Power users: Customize your system with the System Policy Editor
Go to HKEY_Current_User\Software\Microsoft\CurrentVersion\Policies