Blocking the running of the Registry editor regedit.exe
We have the need to block the running of the registry editor, regedit.exe (c:\windows\regedit.exe). We need to keep the ability to run it on in the Group Policy (used previously to block it) because of some odd engineering application needs. Have tried using the built-in rule in ENS 10 called "Disabling the registry editor and task manager" - but can't get it to work and this requires some sub-rules that we are not familiar with. Have searched for documentation, etc. and can't find anything.
I would like to start here by saying we need to block both regedit.exe and regedt32.exe if you prefer users do not use the registry editor.
You can block REGEDIT.exe/REGEDT32.exe from being invoked by anyone (user account) from any location using the executable name and, if you wish to be more precise, using the MD5 of the process.
Access Protection works on processes, hence you can achieve this by creating a rule to block the executables REGEDIT.exe and REGEDT32.exe (you will be adding 2 separate entries under Executables).
Under User Names: you can exclude the users as necessary or include them under the block. Remember, when the action is set to Block, the exclusion means that the username mentioned here will be allowed to execute the application even if the other subrules (which will be seen below) match.
Now moving on to Subrules:
Here you may have to create a subrule, select the option "Execute" and, under Targets, please add "Filepath" using a wildcard (*).
Now your rule is ready to perform the blocking.
Having detailed the above, I would still strongly recommend using this under "Report" and not "Block" for observation of the events generated. I did not face any issues personally while implementing it; however, I would not want you to take this risk on your production environment. Best practice is to test it out on your test environment and then implement, since it is a system file that we are blocking.
I have additionally attached my policy as a sample, although this is strictly for use in a test environment. Please feel free to reach out to me if you have more queries on the same.
I sincerely hope this helps!
Was my reply helpful? If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!
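The reply above mentions that the Executables entry can optionally be pinned to the MD5 of the process. The following PowerShell is an added example, not part of the original post or the attached sample policy: it collects every copy of regedit.exe and regedt32.exe on the host (on 64-bit Windows both names exist in more than one directory) together with their MD5 hashes, so the values can be entered into the rule and kept in the change record. It assumes a standard Windows layout under `$env:SystemRoot` and silently skips paths that do not exist.

```powershell
# Added example (not from the original post): gather the paths and MD5 hashes of
# regedit.exe / regedt32.exe so they can be entered under Executables in the
# Access Protection rule. Assumes a standard Windows layout; on 32-bit hosts the
# SysWOW64 directory is simply absent and is skipped.
$names = 'regedit.exe', 'regedt32.exe'
$dirs  = @("$env:SystemRoot", "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

$results = foreach ($dir in $dirs) {
    foreach ($name in $names) {
        $path = Join-Path -Path $dir -ChildPath $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

        $hash = Get-FileHash -LiteralPath $path -Algorithm MD5
        $item = Get-Item -LiteralPath $path

        [pscustomobject]@{
            Executable = $name
            Path       = $path
            MD5        = $hash.Hash
            FileVersion = $item.VersionInfo.FileVersion
            SizeBytes  = $item.Length
        }
    }
}

# One line per copy found. A rule pinned to MD5 only matches these exact
# binaries: after a Windows update changes regedit.exe the hash no longer
# matches and the rule silently stops applying, so re-run this after patching
# and compare against the recorded values.
$results | Format-Table -AutoSize

# Keep the values with the change record for the rule (path is an assumption).
$results | Export-Csv -LiteralPath (Join-Path $env:TEMP 'regedit-hashes.csv') -NoTypeInformation
```

Because the rule can be scoped by executable name alone, the MD5 column is optional; recording it is mainly useful when the rule is run in Report mode first, as the reply suggests, since the reported events can then be checked against the exact binaries that were expected to trigger them.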