SolutionBase: Disabling Windows XP's Remote Registry service

Windows XP's Remote Registry service gives you the ability to modify computer settings without being physically present at the machine. It can also be a security threat. Here's how you disable the Remote Registry service--and the consequences of doing so.

If you've done much work supporting Windows XP, or any other version of Windows that has been released in the last ten years, then you are no doubt familiar with the Windows registry. As I'm sure you already know, the registry is the heart and soul of the Windows operating system. Almost any aspect of Windows behavior can be controlled through the registry. If you know what you are doing, you can use the registry to make Windows do all sorts of wonderful things.

On the flip side though, if you don't know what you are doing (or if you have malicious intent), you can destroy Windows by modifying the registry incorrectly. In fact, almost every article that you will ever see which involves editing the Windows registry has some kind of standard disclaimer telling you that you can destroy Windows and / or your applications by modifying Windows incorrectly and that you should make a full system backup before you so much as touch the registry.

The point is that the registry can be modified for both good and evil purposes. With that in mind, how would you feel if I told you that Windows XP contains a service that allows the Windows registry to be edited remotely, without the knowledge of the person who is using the computer that's being modified? Would it make you feel any better if I told you that this service is enabled by default? I didn't think so. If you don't like the idea of anybody with a little know how being able to tamper with your Windows registry, then you might consider disabling the remote registry service.

Author's Note

Before you stop reading this article and go running off in a panic to disable the Remote Registry service though, you should know that there are some consequences to disabling the service.

Since there are both advantages and disadvantages to disabling the Remote Registry service, I'm not going to tell you to disable it, but I'm not going to tell you not to disable it either. You need to make up your own mind as to what is appropriate in your organization. To help you decide, I am going to show you how the remote registry service works, how to enable or disable the service, and what the consequences are of disabling the Remote Registry service.

Using the Remote Registry service

As I have already explained, the whole point of the Remote Registry service is that it allows you to make modifications to the registry on a remote machine. One minor detail that might make you feel a little bit better though is that in Windows XP, not just anyone can modify a remote computer's registry. In order to make registry modifications to a remote machine, the person who is making those modifications must be a member of the local administrators group on the remote machine.

To access a remote machine's registry, you must begin by opening the Registry Editor on your own computer. Once the Registry Editor is open, select the Connect Network Registry command from the Registry Editor's File menu. When you do, you will see the Select Computer dialog box appear. Enter the name of the computer that you want to connect to and click OK. When you do the remote computer's registry will open within the Registry Editor.

You have to be at least a little bit careful when you are editing a remote computer's registry. You might have noticed that when you edit your own computer's registry, the top node displayed within the Registry Editor is My Computer. Beneath My Computer, you find HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER, etc. When you open a remote computer's registry, the My Computer node still exists, and its contents still refer to your local computer. The remote computer's registry is beneath an entirely different node which bears the remote computer's name.

For example, if you open the registry of a remote computer named COMPUTER1, then the Registry Editor will contain a My Computer node for the local machine's registry, and a COMPUTER1 node for the remote machine's registry. It is absolutely crucial that you edit the correct registry.

Enabling or disabling the Remote Registry service

Now that I have shown you how to work with the registry on a remote system, I want to show you how you can disable the Remote Registry Service. To disable the Remote Registry Service, you must do the work from the computer whose registry you do not want to be remotely edited.

Begin the process by opening that machine's Control Panel and selecting the Administrative Tools icon. When the Administrative Tools window opens, double-click the Services icon to open the Service Control Manager.

The Service Control Manager displays a list of all of the services that are running on the machine. Scroll through the list of services until you locate the Remote Registry Service. Right click on the Remote Registry Service and select the Properties command from the resulting shortcut menu. You will now see the Remote Registry Properties sheet. At this point, click the Stop button to shut down the service. You must now use the Startup Type drop down list to set the startup type to Disabled. Click OK and the Remote Registry Service is disabled and nobody will be able to remotely modify that machine's registry.

If you later decide that you need to re-enable the Remote Registry Service then you can do so by opening the Service Control Manager, right clicking on the Remote Registry Service, and selecting the Properties command from the resulting shortcut menu. Now, just set the Startup type to Automatic and click OK. Right click on the Remote Registry Service one more time and select the Start command from the shortcut menu. The Remote Registry Service is now up and running.

One side note that I want to mention is that the Remote Registry Service is dependent on the Remote Procedure Call (RPC) service. If the Remote Procedure Call Service is not started, you will not be able to start the Remote Registry Service.
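The same stop/disable and re-enable steps, plus a check of the RPC dependency, can be scripted so you can verify the service state on a batch of machines before they ship. This is an added example, not code from the article; it assumes PowerShell with WMI available, local administrator rights, and uses the service short names RemoteRegistry and RpcSs.

```powershell
# Added example (not from the article): audit and set the Remote Registry
# service state. Short names assumed: RemoteRegistry ("Remote Registry")
# and RpcSs ("Remote Procedure Call"), which Remote Registry depends on.

function Get-RemoteRegistryState {
    param([string]$ComputerName = '.')
    # Win32_Service exposes both the running state and the startup mode
    # (Auto / Manual / Disabled). Querying over WMI does not itself need
    # the Remote Registry service, so this still works once it is disabled.
    $rr  = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='RemoteRegistry'"
    $rpc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='RpcSs'"
    New-Object PSObject -Property @{
        Computer   = $ComputerName
        State      = $rr.State
        StartMode  = $rr.StartMode
        RpcRunning = ($rpc.State -eq 'Running')
    }
}

function Disable-RemoteRegistry {
    # Mirrors the article's GUI steps on the local machine:
    # click Stop, then set Startup type to Disabled.
    $svc = Get-Service -Name RemoteRegistry -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name RemoteRegistry -Force }
    Set-Service -Name RemoteRegistry -StartupType Disabled
}

function Enable-RemoteRegistry {
    # Mirrors re-enabling: Startup type = Automatic, then Start.
    # Starting fails if RPC is not running, so check that first.
    if ((Get-Service -Name RpcSs).Status -ne 'Running') {
        throw 'Remote Procedure Call (RpcSs) is not running; Remote Registry cannot start.'
    }
    Set-Service -Name RemoteRegistry -StartupType Automatic
    Start-Service -Name RemoteRegistry
}

# Audit a constructed list of hosts (placeholder names) before shipping them.
foreach ($host in @('.', 'BRANCH-PC01', 'BRANCH-PC02')) {
    Get-RemoteRegistryState -ComputerName $host | Format-Table Computer, State, StartMode, RpcRunning
}
```

Run Disable-RemoteRegistry or Enable-RemoteRegistry on the machine itself; the audit loop only reads state and can be pointed at any host you have administrator rights on.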

The consequences of disabling the Remote Registry service

At the beginning of this article, I mentioned that there were some consequences to disabling the Remote Registry Service. Ninety-nine percent of the time, disabling the Remote Registry service won't cause any problems for you. There are a few applications out there that depend on it though.

Another consequence of disabling the Remote Registry Service on a machine is that you lose some of your ability to remotely manage the machine. Imagine for a moment that your company informs you that they are opening up a branch office in the middle of nowhere, near some place called Hogs Holler, Kentucky. Fortunately for you, you don't actually have to visit Hogs Holler. You simply preconfigure all of the machines and let the FedEx guy worry about finding the place.

You set up the machines in your office, and since you are a security conscious administrator, you disable the Remote Registry Service. You pack the machines up and ship them off to the country. The administrator in Hogs Holler receives the machines, plugs them up to the newly constructed network, and everything appears to work fine. After a couple of weeks though, someone from the branch office calls you and tells you that they are having a weird problem. You try to connect to the remote machines using Remote Assistance, but you suddenly realize that you forgot to enable Remote Assistance on those machines. No problem, there is a registry tweak that you can use to turn on Remote Assistance remotely. Wait a minute. You disabled Remote Registry, so you can't even use the tweak. It looks like you are going to be taking the next Hillbilly Air flight to Hogs Holler.

OK, that's kind of a silly example, but the point is that if you do forget to enable remote assistance on a machine, you could normally use the Remote Registry service to enable Remote Assistance via a registry tweak. If you have disabled the Remote Registry service though, then you have basically locked yourself out of that machine unless you physically travel to the machine.