Block a registry key to prevent rewriting or deleting accidentally or intentionally using the command line
I need to block this key to prevent deletion or modification by malware.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
What command line can help me to do this?
As per the answers in the link in your question, the easiest way to do this is to remove the Edit permissions from SYSTEM and the Administrators groups and the key should then effectively be read only.
You can do this from the command line with regini by following the procedure below.
Warning:
- I would be very tempted to back up your whole system before making such changes (you may feel comfortable just backing up the registry - see below).
- The instructions below contain steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly.
- For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs.
- For more information see How to back up and restore the registry in Windows

- Create a file (for example block.txt) with the following contents:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe [2 19]
- Execute the block.txt script using the following command, run from an elevated (Administrator) cmd shell:
    regini block.txt
Notes:
- The regini command must be run from an elevated (Administrator) cmd shell, otherwise it will fail (and no error will be displayed).
- The permission entry is set to [2 19] which is Administrators Read Access and SYSTEM Read Access.
- You need to think carefully whether other user groups also require read access. Using a permission entry of [2 8 19] will in addition also allow standard users (and administrator accounts with filtered user token) read access for the key.
- You may need to change the permissions of the parent key to prevent sub-keys being deleted (I haven't verified this).
Further Reading
- An A-Z Index of the Windows CMD command line - An excellent reference for all things Windows cmd line related.
- regini - Change Registry Permissions.
- How to: Use a Script to Change Registry Permissions from the Command Line
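A read-only check of the result, as an added example that is not part of the original answer: this PowerShell lists any Allow entry on the key that still grants write, delete or permission-change rights after regini has run, and prints the key's owner. The function name Get-WritableRegistryAce is hypothetical; Get-Acl and the RegistryRights enum are standard.

```powershell
# Added example (not from the original answer). Run from an elevated PowerShell prompt.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe'

# Hypothetical helper: returns every Allow ACE that applies to the key itself
# and grants a right that could change or remove the key.
function Get-WritableRegistryAce {
    param([Parameter(Mandatory)][string]$Path)

    $rights = [System.Security.AccessControl.RegistryRights]
    # Rights that change values, subkeys, the key itself, or its ACL and owner.
    $writeMask = [int]($rights::SetValue -bor $rights::CreateSubKey -bor
                       $rights::CreateLink -bor $rights::Delete -bor
                       $rights::ChangePermissions -bor $rights::TakeOwnership)
    # GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) can show up as raw bits.
    $genericMask = 0x10000000 -bor 0x40000000
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries affect subkeys, not this key.
        if ($ace.PropagationFlags -band $inheritOnly) { continue }

        $raw = [int]$ace.RegistryRights
        if ($raw -band ($writeMask -bor $genericMask)) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# The owner can normally rewrite the DACL even without an explicit entry,
# so report it alongside the ACE findings.
"Owner: $((Get-Acl -Path $keyPath).Owner)"

$findings = @(Get-WritableRegistryAce -Path $keyPath)
if ($findings.Count -eq 0) {
    'No Allow entry grants write, delete or ACL-change rights on this key.'
} else {
    'Entries that can still modify the key:'
    $findings | Format-Table -AutoSize
}
```

Running it before and after regini block.txt shows whether the [2 19] entry actually replaced the previous permissions.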
Comments
- BrianC over 1 year
  I see the post in superuser and I have a similar case, but with a small difference.
  I created a reg key.
  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe"
  And the content target: /windows/system32/wscript.exe
  And I need to block this key permanently (or any other key that I want to create), to prevent accidental or intentional deletion or modification of any malware
  Question:
  What command line can help me to do this? (cmd or powershell or both)
- DavidPostill almost 8 years
- BrianC almost 8 years
  Hi DavidPostill. I read the content of the link, and honestly did not understand (either Microsoft does not explain it well or I'm too stupid). So, I thank you that you put an example according to my case, to select your answer as correct.
- Mokubai almost 8 years
  Comments are not for extended discussion; this conversation has been moved to chat.
- mirh about 7 years
  System process (more specifically my sound card driver I believe) still seems to be able to edit "locked" keys. Even when system user has not even read permission.