Blocking the running of the Registry editor regedit.exe

We have the need to block the running of the registry editor (c:\windows\regedit.exe). We need to keep the ability to run it in Group Policy (used previously to block it) because of some odd engineering application needs. Have tried using the built-in rule in ENS 10 called "Disabling the registry editor and task manager", but can't get it to work, and this requires some sub-rules that we are not familiar with. Have searched for documentation, etc., and can't find anything.
1 Reply
AdithyanT
Employee

Re: Blocking the running of the Registry editor regedit.exe

Hi @Former Member

Thank you for your post.

I would like to start here by saying we need to block both regedit.exe and regedt32.exe if you prefer that users do not use the registry editor.

You can block REGEDIT.exe/REGEDT32.exe from being invoked by anyone (user account) from any location using the executable name and, if you wish to be more precise, using the MD5 of the process.

Access Protection works on processes; hence you can achieve this by creating a rule to block the executables REGEDIT.exe and REGEDT32.exe (you will be adding 2 separate entries under Executables).

Under User Names: you can exclude the users as necessary or include them under the block. Remember, when the action is set to block, the exclusion will mean that the username mentioned here will be allowed to execute the application even if the other subrules (which will be seen below) are matching.

Now moving on to Subrules:

Here you may have to create a subrule and select the option as "Execute", and under Targets, please add "Filepath" and use a wildcard (*).

Now your rule is ready to perform the blocking.

Having detailed the above, I would still strongly recommend using this under "Report" and not "Block" for observation of the events generated. I did not face any issues personally while implementing it; however, I would not want you to take this risk on your production environment. Best practice is to test it out in your test environment and then implement, since it is a system file that we are blocking.

I have additionally attached my policy as a sample, although this is strictly for use in a test environment. Please feel free to reach out to me if you have more queries on the same.

I sincerely hope this helps!

Thanks and regards,
Adithyan T
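To make the rule semantics described in the reply concrete (executables matched by name from any location or by MD5, an Execute subrule against a Filepath wildcard, excluded users allowed even when the subrule matches, and Block versus Report), here is an added Python model of that evaluation. It is not ENS code or the attached policy; the MD5 values, user names, paths and the exact matching behaviour are assumptions for illustration only.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
import hashlib

# Constructed stand-ins for the real MD5s an admin would take from
# c:\windows\regedit.exe and regedt32.exe (placeholders, not real hashes).
REGEDIT_MD5 = hashlib.md5(b"constructed regedit.exe sample").hexdigest()
REGEDT32_MD5 = hashlib.md5(b"constructed regedt32.exe sample").hexdigest()


@dataclass
class AccessProtectionRule:
    executables: list                 # process names and/or MD5 hashes
    action: str = "block"             # "block" or "report"
    excluded_users: set = field(default_factory=set)          # User Names: exclude
    subrule_targets: list = field(default_factory=lambda: ["*"])  # Execute / Filepath


@dataclass
class ProcessEvent:
    path: str   # full path of the launched image
    md5: str    # MD5 of the image file
    user: str   # account launching it


def executable_matches(rule, event):
    # Assumed model: an entry matches either the file name (any location) or the MD5.
    name = event.path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(e.lower() in (name, event.md5.lower()) for e in rule.executables)


def evaluate(rule, event):
    """Return 'allow', 'block' or 'report' for one process-launch event."""
    if not executable_matches(rule, event):
        return "allow"
    # Subrule: Execute operation against Filepath targets; "*" matches any path.
    if not any(fnmatch(event.path.lower(), t.lower()) for t in rule.subrule_targets):
        return "allow"
    # Excluded users may still run the executable even though the subrule matched.
    if event.user.lower() in {u.lower() for u in rule.excluded_users}:
        return "allow"
    return rule.action


# Rule as described in the reply: two executable entries plus an optional MD5,
# with a hypothetical engineering service account excluded from the block.
RULE = AccessProtectionRule(
    executables=["REGEDIT.exe", "REGEDT32.exe", REGEDIT_MD5],
    excluded_users={"CORP\\eng-svc"},
)
```

Switching `action` to `"report"` yields the observation mode the reply recommends before enforcing the block.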