ttracy

Blocking the running of the Registry editor regedit.exe

We have the need to block the running of the registry editor (c:\windows\regedit.exe). We need to keep the ability to run it in the Group Policy (used previously to block it) because of some odd engineering application needs. Have tried using the built-in rule in ENS 10 called "Disabling the registry editor and task manager" - but can't get it to work, and this requires some sub-rules that we are not familiar with. Have searched for documentation, etc., and can't find anything.
McAfee Employee AdithyanT

Re: Blocking the running of the Registry editor regedit.exe

Hi @ttracy 

Thank you for your post.

I would like to start here by saying we need to block both regedit.exe and regedt32.exe if you prefer users do not use the registry editor.

You can block REGEDIT.exe/REGEDT32.exe from being invoked by anyone (user account) from any location using the executable name and, if you wish to be more precise, using the MD5 of the process.

Access protection works on process, hence you can achieve this by creating a rule to block executable REGEDIT.exe and REGEDT32.exe (you will be adding 2 separate entries under executables).

Under User Names: you can exclude the users as necessary or include them under the block. Remember, when the action is set to block, the exclusion will mean that the username mentioned here will be allowed to execute the application even if the other subrules (which will be seen below) are matching.

Now moving on to Subrules:

Here you may have to create a subrule and select the option as "Execute", and under targets, please add "Filepath" and use a wildcard (*).

Now your rule is ready to perform the blocking.

Having detailed the above, I would still strongly recommend using this under "report" and not "block" for observation of the events generated. I did not face any issues personally while implementing it, however I would not want you to take this risk on your production environment. Best practice is to test it out on your test environment and then implement, since it is a system file that we are blocking.

I have additionally attached my policy as a sample although this is strictly for use in test environment. Please feel free to reach out to me if you have more queries on the same.

I sincerely hope this helps!


Thanks and regards,
Adithyan T
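The reply above suggests identifying the executables by MD5 as well as by name. The following PowerShell script is an added example, not part of the thread or McAfee's own tooling: it collects the MD5 and file version of the registry editor binaries on a reference machine so the hashes can be entered in the rule's executable entries. The paths are the standard Windows locations (an assumption; adjust if your image differs).

```powershell
# Added example (not from the thread): collect the MD5 of the registry editor
# binaries so the hash can be entered in the Access Protection rule alongside
# the executable name. Paths are the standard Windows locations (assumed).
# Run on a reference machine at the patch level your fleet uses, and re-run
# after Windows updates: a serviced binary has a new hash and would no longer
# match a rule entry that carries the old MD5.
function Get-RegistryEditorHashes {
    $candidates = @(
        (Join-Path $env:SystemRoot 'regedit.exe'),            # 64-bit regedit
        (Join-Path $env:SystemRoot 'SysWOW64\regedit.exe'),   # 32-bit regedit
        (Join-Path $env:SystemRoot 'System32\regedt32.exe')   # legacy launcher
    )
    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Not present on this build: $path"
            continue
        }
        $item = Get-Item -LiteralPath $path
        [pscustomobject]@{
            Executable  = $item.Name
            Path        = $path
            MD5         = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
            FileVersion = $item.VersionInfo.FileVersion
            Collected   = (Get-Date).ToString('s')
        }
    }
}

# Show the values for the rule and keep a CSV to diff after the next patch cycle.
$hashes = Get-RegistryEditorHashes
$hashes | Format-Table -AutoSize
$hashes | Export-Csv -Path (Join-Path $env:TEMP 'regedit-hashes.csv') -NoTypeInformation
```

Note that the 64-bit and 32-bit copies of regedit.exe share a name but have different hashes, so a rule that pins the MD5 needs one executable entry per hash rather than a single REGEDIT.exe entry.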