
Protecting registry on Windows (8,10,11)

Anonymous
2025-06-12T12:49:00+00:00

Hello. I have recently been looking for tools that allow you to actually have control over your Windows computer by only allowing certain executables to modify certain registry items that you set to be protected, for example preventing even an elevated executable from modifying the EnableLUA registry value, which is responsible for disabling or enabling the UAC prompts (there are other registry items corresponding to the UAC prompt configuration). But are there any tools to protect specific registry items from being modified, using a kernel-mode driver or something like that which overrides elevated programs too? Windows doesn't have any kind of permission system for normal executables, just for most UWP apps, but even UWP apps can be elevated, and then they can take over control.

Are there any tools for protecting the registry?

Are there any native ways to get at least SOME control over the registry, even if an elevated process is trying to change items?

For example, as I know, the Windows Security application has a kernel-mode driver that is enabled when Tamper Protection is on; it will always, on every reboot, reset the Windows Defender registry items to values where real-time protection is turned on, and it prevents third-party elevated processes from modifying the antimalware registry settings too.

Thanks.

Windows for home | Windows 11 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

0 comments No comments

Answer accepted by question author

  1. Anonymous
    2025-06-13T16:38:53+00:00

    Thanks for the update, Aron. Well, Windows doesn’t have a built-in way to protect specific registry keys from admins or elevated processes. Even if you set permissions or lock it with TrustedInstaller, anyone with SYSTEM access can take ownership and change it.

    If you really want to block registry changes, even from admin accounts, you’d need to write a kernel-mode driver using the CmRegisterCallback API. That lets you intercept and deny registry access at a low level.

    To do that, you'd need:

    ⇢ A signed driver (required on 64-bit Windows)

    ⇢ Secure Boot, VBS, and HVCI enabled to prevent tampering

    ⇢ Extra logic to stop someone from just unloading or deleting your driver

    There’s no out-of-the-box tool for this. Some enterprise tools like Broadcom ControlMinder do it, but they’re overkill for personal use. Way overkill.

    So unless you’re building your own driver and locking down the boot process, there’s no real way to fully protect a registry key from local admin changes. Windows just wasn’t designed for that.

    1 person found this answer helpful.
    0 comments No comments
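Editor's added example, not code posted by anyone in this thread and not anything Microsoft ships: the two native controls the accepted answer mentions as available without a driver, shown on the key that holds EnableLUA and the other UAC values (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System). It adds a Deny ACE so that Administrators-group processes (elevated or not) cannot change values in the key, and a SACL entry so that any change that does get through (SYSTEM, or an admin who first takes ownership or edits the DACL back, exactly the limitation the answer describes) is at least logged as Security event 4657. It assumes an elevated PowerShell 5.1 or later session on Windows 10/11; the function names are the example's own. The CmRegisterCallback-based driver the answer describes is not shown, since it needs the WDK and a signed build.

```powershell
# Added example for this thread; not a poster's code and not a Microsoft tool.
# Assumes an elevated PowerShell session. The key path is the one that holds
# EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    # Baseline of the UAC-related values, so you can compare before and after.
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Protect-UacKey {
    # Adds an explicit Deny ACE for BUILTIN\Administrators covering the rights
    # needed to change values, add subkeys or delete the key. Read access is
    # untouched, so UAC itself keeps working. Deny ACEs are evaluated before
    # Allow ACEs, so the group's normal Full Control no longer grants writes.
    # Not tamper-proof: WRITE_DAC and ownership are not denied, so an admin
    # can still remove this ACE, and SYSTEM is not affected at all.
    $acl    = Get-Acl -Path $UacKey
    $rights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
              [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
              [System.Security.AccessControl.RegistryRights]::Delete
    $deny   = New-Object System.Security.AccessControl.RegistryAccessRule(
                  'BUILTIN\Administrators', $rights,
                  [System.Security.AccessControl.InheritanceFlags]::None,
                  [System.Security.AccessControl.PropagationFlags]::None,
                  [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($deny)
    Set-Acl -Path $UacKey -AclObject $acl
}

function Enable-UacKeyAuditing {
    # Adds a SACL entry so every successful value write or delete on the key,
    # by any principal (SYSTEM included), is recorded as Security event 4657.
    # The "Registry" subcategory of Object Access auditing must be on for the
    # events to be generated; auditpol is the built-in tool for that.
    auditpol /set /subcategory:"Registry" /success:enable | Out-Null
    $acl   = Get-Acl -Path $UacKey -Audit
    $audit = New-Object System.Security.AccessControl.RegistryAuditRule(
                 'Everyone',
                 ([System.Security.AccessControl.RegistryRights]::SetValue -bor
                  [System.Security.AccessControl.RegistryRights]::Delete),
                 [System.Security.AccessControl.InheritanceFlags]::None,
                 [System.Security.AccessControl.PropagationFlags]::None,
                 [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($audit)
    Set-Acl -Path $UacKey -AclObject $acl
}

function Test-UacKeyProtection {
    # Rewrites EnableLUA with its current value from this elevated process
    # (an Administrators-group token). After Protect-UacKey this should fail
    # with an access-denied error; the value itself is never changed.
    $current = (Get-ItemProperty -Path $UacKey).EnableLUA
    try {
        Set-ItemProperty -Path $UacKey -Name EnableLUA -Value $current -ErrorAction Stop
        'NOT protected: write from an admin process succeeded'
    } catch {
        "Protected: write denied ($($_.Exception.GetType().Name))"
    }
}

Get-UacState
Protect-UacKey
Enable-UacKeyAuditing
Test-UacKeyProtection
```

To undo, open the key's Permissions dialog in regedit (or use Get-Acl / RemoveAccessRule / Set-Acl) from an elevated session; the fact that this works is the point the accepted answer makes about the DACL approach, which is why the audit rule is there as the second layer.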

5 additional answers

  1. Anonymous
    2025-06-13T20:43:30+00:00

    Though registry protection is something that Microsoft has worked towards over time as they tighten and limit access to various portions of the operating system with newer versions, as already mentioned that's not something that's directly supported within the 'Classic' version of Windows as Microsoft calls it.

    However, as Microsoft was preparing for the major redesign of Windows 10, they initially created a stripped-down version that contained only the most important portions of the operating system that would need to exist in order for it to work on any system. This later came to be known as Windows Core OS (WCOS), which was at the time used to create the much more lean and secure version called S Mode, which differentiates it from the legacy 'Classic' Mode I mentioned above that many consumers still prefer because that still runs many old legacy applications that even the current Windows 11 S Mode won't.

    What Is Windows 10 or Windows 11 in S Mode?

    Turns out that one of the key security items that stripping down Windows removed was the ability to run the RegEdit.exe app, while external Exe files aren't even allowed to load on the system by normal means, precluding the ability to either modify the registry or download 3rd-party tools that might execute to do that, or for that matter, any executable malware at all. In fact, the only way to install apps is via the Microsoft Store, so that allows Microsoft to vet the developers and test the apps before they're released to the world, lessening the possibility they might contain malicious code.

    That article mentions a few other things that S Mode won't allow in the paragraph below, most of which are more commonly used by developers rather than your typical consumer or business user, which are the relatively dangerous apps and tools that are what truly put Windows at risk from malicious actors.

    "Windows 10 in S Mode can't use command-line shells like PowerShell, Command Prompt, or Bash, either. Various other developer tools are also off limits. You don't have direct access to the Windows Registry via the Registry Editor, either."

    Based on what you've learned in this thread, you should easily see why the optional S Mode must be initially installed on a device by the manufacturer and can't be reinstalled if it's ever exited in favor of the legacy 'Classic' version instead.

    As a past network administrator and security professional, I personally chose a Microsoft Surface Go tablet that runs Windows 10 in S Mode that I'm using to type this post, precisely because I knew there was no better way to secure my device than to remove all of that extraneous, insecure garbage I really didn't need for the simple and lightweight tablet I wanted for basic apps like the Edge browser and a tiny handful of others needed for travel.

    I never worry about malware and in fact the version of Windows Defender the device contains is so simple it doesn't even include the ability to manually scan, since there's really almost nothing that needs to be scanned, because legacy Win32 apps can't be downloaded or run, though as I understand it, Windows 11 may allow some of the more modern versions of these apps to install from the Microsoft Store only.

    Rob

    0 comments No comments
  2. Anonymous
    2025-06-13T17:11:28+00:00

    Oh, alright thanks. That's very unfortunate though.

    0 comments No comments
  3. Anonymous
    2025-06-13T14:11:07+00:00

    Hello, I have a personal laptop, I have full access to it and my main account is administrator, I am looking to only protect my machine, I am not part of some kind of business.

    And could you give a briefer explanation of how the registry works? Are there any solutions like having a kernel-mode driver to block certain registry changes and be configurable securely?

    Also, sorry for the late response.

    0 comments No comments
  4. Anonymous
    2025-06-12T13:24:07+00:00

    Hello, thank you for reaching out to the Microsoft Community. I'm here to help with your questions or issues.

    That's a very interesting question. The thing is, Windows already controls changes to certain registry areas using kernel-mode filters (like WdFilter.sys for Defender), but there’s no built-in way to lock any registry value completely, even from SYSTEM or admin-level processes.

    Are you trying to protect registry keys on your personal machine or want this deployed across multiple endpoints (like in enterprise)?

    What’s your current privilege model, for example, are users running as standard accounts, or do they already have local admin/SYSTEM access?

    0 comments No comments