Hi @Former Member
Thank you for your post.
I would like to start here by saying we need to block both regedit.exe and regedt32.exe if you prefer that users do not use the registry editor.
You can block REGEDIT.exe/REGEDT32.exe from being invoked by anyone (any user account) from any location using the executable name and, if you wish to be more precise, using the MD5 of the process.
Access Protection works on processes, hence you can achieve this by creating a rule to block the executables REGEDIT.exe and REGEDT32.exe (you will be adding 2 separate entries under Executables).
Under User Names: you can exclude the users as necessary or include them under the block. Remember: when the action is set to block, the exclusion will mean that the username mentioned here will be allowed to execute the application even if the other subrules (which will be seen below) match.
Now moving on to Subrules:
Here you may have to create a subrule, select "Execute" as the option and, under Targets, add "Filepath" with a wildcard (*).
Now your rule is ready to perform the blocking.
Having detailed the above, I would still strongly recommend using this under "report" and not "block" for observation of the events generated. I did not face any issues personally while implementing it; however, I would not want you to take this risk in your production environment. Best practice is to test it out in your test environment and then implement, since it is a system file that we are blocking.
I have additionally attached my policy as a sample although this is strictly for use in test environment. Please feel free to reach out to me if you have more queries on the same.
I sincerely hope this helps!
Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!
Thanks and regards,
Adithyan T
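The reply above mentions matching on the MD5 of the process in addition to the executable name. The following PowerShell snippet is an added example, not code from the original post or from the vendor, that collects those hashes from the usual locations of the registry editor binaries so they can be entered into the rule. The file paths listed are an assumption about a standard 64-bit Windows layout; adjust them if your build differs.

```powershell
# Added example (not from the original post): compute the MD5 of the registry
# editor binaries so the hash can be entered alongside the executable name in
# the Access Protection rule. The paths below are the usual locations on a
# 64-bit Windows install and are an assumption; adjust if your build differs.
$root = $env:SystemRoot
$candidates = @(
    (Join-Path $root 'regedit.exe'),
    (Join-Path $root 'System32\regedit.exe'),
    (Join-Path $root 'System32\regedt32.exe'),
    (Join-Path $root 'SysWOW64\regedit.exe'),
    (Join-Path $root 'SysWOW64\regedt32.exe')
)

# Hash only the files that actually exist; missing paths are skipped silently
# rather than treated as an error, since not every layout has all five copies.
$results = foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = Get-FileHash -LiteralPath $path -Algorithm MD5
        [PSCustomObject]@{
            Executable = Split-Path -Leaf $path
            Path       = $path
            MD5        = $hash.Hash
        }
    }
}

# Each distinct executable name needs its own entry under Executables; if you
# also match on MD5, each distinct hash needs its own entry as well.
$results | Sort-Object Executable, MD5 | Format-Table -AutoSize
```

Run it on a representative endpoint before building the rule. Note that the 32-bit and 64-bit copies of the same binary have different hashes, and the hashes change whenever a Windows update replaces the file, so a rule that matches on MD5 must be refreshed after patching, whereas matching on the executable name alone survives updates. This is one more reason to leave the rule in "report" mode first and watch the events it generates, as the reply recommends.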