7 Appendix B: Product Behavior
The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.
Windows NT operating system
Windows 2000 operating system
Windows XP operating system
Windows XP Professional x64 Edition operating system
Windows Server 2003 operating system
Windows Vista operating system
Windows Server 2008 operating system
Windows 7 operating system
Windows Server 2008 R2 operating system
Windows 8 operating system
Windows Server 2012 operating system
Windows 8.1 operating system
Windows Server 2012 R2 operating system
Windows 10 operating system
Windows Server 2016 operating system
Windows Server operating system
Windows Server 2019 operating system
Windows Server 2022 operating system
Windows 11 operating system
Windows Server 2025 operating system
Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.
Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.
<1> Section 2.1.1: The UUID for the Windows registry interface is "338CD001-2244-31F1-AAAA-900038001003".
The version for this interface is "1.0".
<2> Section 2.1.1: Windows Remote Registry Protocol server specifies "ncacn_np" as the RPC protocol to the RPC implementation [MS-RPCE].
<3> Section 2.1.2: Windows Remote Registry Protocol clients use one of the following RPC protocol sequences in the following order. The protocol sequence used depends on the configuration and implementation of the server.
ncacn_np
ncacn_spx
ncacn_ip_tcp
ncacn_nb_nb
ncacn_nb_tcp
ncacn_nb_ipx
By default, Windows 7 and later and Windows Server 2008 and later, with [MSFT-CVE-2024-43532], will only attempt to use the ncacn_np RPC protocol sequence.
Windows 7 and later and Windows Server 2008 and later, with [MSFT-CVE-2024-43532], will read a DWORD value “TransportFallbackPolicy” from the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoteRegistryClient”.
The value is set to one of the following:
0 – NONE – The remote registry client may try each of the protocol sequences listed above in that order.
1 – DEFAULT – The remote registry client will try to use ncacn_np but may fall back on other transports if the caller specifically requests that behavior.
2 – STRICT – The remote registry client will only try to use ncacn_np.
If the value does not exist or is not one of those listed above, the remote registry client will use the DEFAULT policy.
<4> Section 2.1.2: Except in Windows 2000, Windows XP, and Windows Server 2003 prior to Windows Server 2003 operating system with Service Pack 1 (SP1), the following behavior applies when using ncacn_np as the RPC protocol sequence: the client first attempts to use an authentication level of "Packet Privacy" and the Authentication Service "Simple and Protected GSS-API Negotiation Mechanism". If this fails, the client retries by using an authentication level of "Connection" and the "Simple and Protected GSS-API Negotiation Mechanism" Authentication Service.
Additionally, Windows 7 and later and Windows Server 2008 and later, with [MSFT-CVE-2024-43532], will read a DWORD value “SecureModePolicy” from the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoteRegistryClient”.
The value is set to one of the following:
0 – NONE – The remote registry client maintains the same behavior as listed above where it will fall back on Connection security if Packet Privacy fails.
1 – DEFAULT – Same behavior as NONE.
2 – STRICT – If the connection with packet privacy fails the remote registry client will not attempt to fall back on a less secure connection.
If the value does not exist or is not one of those listed above, the remote registry client will use the DEFAULT policy.
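The following added example (not part of this specification and not Microsoft code) models how notes <3> and <4> resolve the TransportFallbackPolicy and SecureModePolicy values into the protocol sequences and authentication levels a patched client can use, and flags configurations that still permit fallback. The function names, the treatment of a non-DWORD value as missing, and the use of the full ordered list when a caller requests fallback under DEFAULT are assumptions made for illustration.

```python
import sys

KEY_PATH = r"SOFTWARE\Microsoft\RemoteRegistryClient"  # under HKEY_LOCAL_MACHINE
VALUE_NAMES = ("TransportFallbackPolicy", "SecureModePolicy")
POLICIES = {0: "NONE", 1: "DEFAULT", 2: "STRICT"}
PROTSEQS = ["ncacn_np", "ncacn_spx", "ncacn_ip_tcp",
            "ncacn_nb_nb", "ncacn_nb_tcp", "ncacn_nb_ipx"]

def resolve_policy(raw):
    """Map a DWORD to its policy name; missing or unlisted values mean DEFAULT."""
    return POLICIES[raw] if type(raw) is int and raw in POLICIES else "DEFAULT"

def transport_candidates(raw, caller_requests_fallback=False):
    """Protocol sequences the client may try, in order (note <3>)."""
    policy = resolve_policy(raw)
    # Assumption: fallback requested under DEFAULT walks the same ordered list.
    if policy == "NONE" or (policy == "DEFAULT" and caller_requests_fallback):
        return list(PROTSEQS)
    return ["ncacn_np"]

def auth_levels(raw):
    """Authentication levels tried over ncacn_np, in order (note <4>)."""
    if resolve_policy(raw) == "STRICT":
        return ["Packet Privacy"]
    return ["Packet Privacy", "Connection"]  # NONE and DEFAULT behave alike

def audit(values):
    """values: {value name: DWORD}; a name that is absent counts as missing."""
    transport = values.get("TransportFallbackPolicy")
    secure = values.get("SecureModePolicy")
    findings = []
    if len(transport_candidates(transport, caller_requests_fallback=True)) > 1:
        findings.append("transports other than ncacn_np can be used")
    if "Connection" in auth_levels(secure):
        findings.append("fallback from Packet Privacy to Connection is allowed")
    return {"transport": resolve_policy(transport),
            "secure_mode": resolve_policy(secure), "findings": findings}

def read_live_values():
    """Read both DWORDs from the local registry (Windows only)."""
    import winreg
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
            for name in VALUE_NAMES:
                try:
                    data, kind = winreg.QueryValueEx(key, name)
                except FileNotFoundError:
                    continue
                if kind == winreg.REG_DWORD:  # assumption: other types = missing
                    values[name] = data
    except FileNotFoundError:
        pass  # key absent: both values missing, so both policies are DEFAULT
    return values

if __name__ == "__main__":
    sample = {"TransportFallbackPolicy": 2, "SecureModePolicy": 7}  # constructed
    print(audit(read_live_values() if sys.platform == "win32" else sample))
```

With neither value present, both findings are reported: only setting both values to 2 (STRICT) removes the transport fallback and the authentication-level fallback.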
<5> Section 2.2.3: The KEY_WOW64_32KEY and KEY_WOW64_64KEY rights do not apply to Windows 2000 and Windows XP (except Windows XP 64-Bit Edition operating system).
<6> Section 3.1.1.4: Requests to operate on the 32-bit registry namespace are ignored for the following paths on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HCP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Current
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Readers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DFS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software\Microsoft\Shared Tools\MSInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TermServLicensing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Transaction Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDpi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Locations
HKEY_LOCAL_MACHINE\SOFTWARE\Policies
HKEY_CURRENT_USER\SOFTWARE except for the following subtree:
HKEY_CURRENT_USER\SOFTWARE\Classes
In addition to the paths listed above, requests to operate on the 32-bit registry namespace are ignored for the following paths on Windows 7 and Windows Server 2008 R2:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes except for the following subtrees:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DirectShow
HKEY_LOCAL_MACHINE\SOFTWARE\Interface
HKEY_LOCAL_MACHINE\SOFTWARE\Media Type
HKEY_LOCAL_MACHINE\SOFTWARE\MediaFoundation
HKEY_LOCAL_MACHINE\SOFTWARE\Appid
HKEY_LOCAL_MACHINE\SOFTWARE\Clients
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\Software\Microsoft\EventSystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Notepad\DefaultFonts
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriverIcons
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Gre_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Language Pack
HKEY_CURRENT_USER\SOFTWARE\Classes except for the following subtrees:
HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID
HKEY_CURRENT_USER\SOFTWARE\Classes\DirectShow
HKEY_CURRENT_USER\SOFTWARE\Classes\Interface
HKEY_CURRENT_USER\SOFTWARE\Classes\Media Type
HKEY_CURRENT_USER\SOFTWARE\Classes\MediaFoundation
In addition to the paths listed above, requests to operate on the 32-bit registry namespace are ignored for the following paths on Windows 8, Windows Server 2012 operating system, Windows 8.1, and Windows Server 2012 R2 operating system:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder
In addition to the paths listed above, requests to operate on the 32-bit registry namespace are ignored for the following paths on Windows 10 v1507 operating system and Windows 10 v1511 operating system:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Phone
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pim
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Poom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ras
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Unified Store
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UserData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Theme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\ThemeVolatile
In addition to the paths listed above, requests to operate on the 32-bit registry namespace are ignored for the following paths on Windows 10 v1607 operating system and Windows 10 v1703 operating system:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cellular
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DeviceReg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FingerKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FuzzyDS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Messaging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MTF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MTFFuzzyFactors
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MTFInputType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MTFKeyboardMappings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Semgr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\XAML
In addition to the paths listed above, requests to operate on the 32-bit registry namespace are ignored for the following paths on Windows Server operating system:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Parental Controls
In addition to the paths listed above, requests to operate on the 32-bit registry namespace are ignored for the following path on Windows Server v1803 operating system:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\LanguageOverlay
In addition to the paths listed above, requests to operate on the 32-bit registry namespace are ignored for the following path on Windows Server v1903 operating system and Windows 10 v1903 operating system and later:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Containers
In addition to the paths listed above, requests to operate on the 32-bit registry namespace are ignored for the following path on Windows Server v2004 operating system and Windows 10 v2004 operating system and later:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\HvSocket
<7> Section 3.1.1.4: On 64-bit systems, Windows supports both 32-bit and 64-bit key namespaces and maintains a separate set of keys for 32-bit and 64-bit applications.
<8> Section 3.1.1.4: Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 do not return an error because they assume that the client is requesting access to a key in the 64-bit key namespace.
<9> Section 3.1.1.4: Updates to the following keys are copied from the 32-bit view to the 64-bit view and from the 64-bit view to the 32-bit view on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes except for the following subtree:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HCP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RPC
HKEY_CURRENT_USER\SOFTWARE\Classes
<10> Section 3.1.1.4: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 postpone the copy until the handle to the key is closed.
<11> Section 3.1.1.11: Applicable Windows Server releases limit the maximum symbolic link chain depth to 64.
<12> Section 3.1.5: In Windows, remote access is controlled by two keys, winreg and AllowedPaths. The winreg key specifies groups and users with remote access while the AllowedPaths key allows some users, groups, services, and machines to bypass the winreg key restrictions for the specified paths. The keys have the following locations under HKEY_LOCAL_MACHINE.
\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths
Except in the following Windows releases, only members of the Administrators Group have remote access to the registry by default:
On Windows XP, members of the Administrators Group have remote read access. On the Windows XP Professional operating system, members of the Backup Operators Group also have remote read access.
On the Windows NT 3.51 operating system, any user has remote read access to the registry.
To override the default remote registry settings, the \SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key has a single value of type "REG_SZ" named "Description" with value "Registry Server". The security descriptor for the \SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key configures remote access for individual users and groups. For example, if the group "Domain Administrators" is allowed remote access to the registry, then the security descriptor on the \SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key contains an access control entry (ACE, [MS-DTYP] section 2.4.4) granting permissions to the "Domain Administrators" group.
The \SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths key specifies registry key paths under the HKEY_LOCAL_MACHINE key to which remote access will be granted, regardless of security descriptor policies for the \SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key. FQNs for which access is granted are specified in a value named "Machine" of type "REG_MULTI_SZ" with value data containing the name of those paths allowed. For example, to allow access to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers, "SYSTEM\CurrentControlSet\Control\Print\Printers" is added to the Machine value data.
Note: Even if an FQN is specified in the "Machine" value, access will be granted only if the client is allowed access according to the security descriptor of the accessed key as described in section 3.1.1.10.
<13> Section 3.1.5.1: The 64-bit editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 do not return ERROR_INVALID_PARAMETER when both the KEY_WOW64_64KEY and KEY_WOW64_32KEY are set in the samDesired parameter. These Windows releases assume the client is requesting access to a key in the 64-bit key namespace.
<14> Section 3.1.5.3: Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 do not return ERROR_INVALID_PARAMETER when both the KEY_WOW64_64KEY and KEY_WOW64_32KEY are set in the samDesired parameter. These releases of Windows assume the client is requesting access to a key in the 64-bit key namespace.
<15> Section 3.1.5.4: Applicable Windows Server releases do not use the security descriptor associated with the HKEY_PERFORMANCE_DATA key and instead use the security descriptor that is associated with the key HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PERFLIB.
<16> Section 3.1.5.7: All applicable Windows Server releases check whether lpClass is equal to NULL and return ERROR_INVALID_PARAMETER as a defense against malicious clients that bypass the RPC infrastructure even though this situation is forbidden by the RPC specification and cannot occur through normal operation.
<17> Section 3.1.5.7: The 64-bit editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 do not return ERROR_INVALID_PARAMETER when both the KEY_WOW64_64KEY and KEY_WOW64_32KEY are set in the samDesired parameter. These releases of Windows assume that the client is requesting access to a key in the 64-bit key namespace.
<18> Section 3.1.5.9: All applicable Windows Server releases check whether lpValueName is equal to NULL and return ERROR_INVALID_PARAMETER as a defense against malicious clients that bypass the RPC infrastructure even though this situation is forbidden by the RPC specification and cannot occur through normal operation.
<19> Section 3.1.5.15: A single registry key can be opened only 65,534 times (18,446,744,073,709,551,615 on Windows Server 2003 operating system with Service Pack 2 (SP2), Windows Vista, and Windows Server 2008). When attempting the 65535th (18,446,744,073,709,551,616th on Windows Server 2003 SP2, Windows Vista, and Windows Server 2008) open operation, this function fails with ERROR_NO_SYSTEM_RESOURCES.
<20> Section 3.1.5.15: Windows XP, Windows Server 2003, Windows Server 2008, and Windows Vista do not return ERROR_INVALID_PARAMETER when both KEY_WOW64_64KEY and KEY_WOW64_32KEY are set in the samDesired parameter. These releases of Windows assume the client is requesting access to a key in the 64-bit key namespace.
<21> Section 3.1.5.17: If the lpData buffer size, as indicated by the client in the lpcbData parameter, is too small for the requested information, Windows Remote Registry servers will set the lpData parameter to NULL and return the size of the value, in bytes, in the lpcbData parameter.
<22> Section 3.1.5.18: Windows file names can be up to 255 characters long and for Windows registry server methods are specified as full file paths relative to the registry server instance. For example, to specify the "regfile.reg" file in the "C:\testfiles" directory on the C: volume of the registry server, the file name is specified as "C:\testfiles\regfile.reg". For more information, see [WININTERNALS].
<23> Section 3.1.5.18: Windows registry servers require the files referred to by lpNewFile and lpOldFile to be located on the same disk volume as the OS instance hosting the registry server (for example, "boot disk"). If this condition is not met, the method fails with ERROR_NOT_SAME_DEVICE (0x11).
<24> Section 3.1.5.19: Windows file names can be up to 255 characters long and for registry server methods are specified as full file paths relative to the registry server instance. For example, to specify the "regfile.reg" file in the "C:\testfiles" directory on the C: volume of the registry server, the file name is specified as "C:\testfiles\regfile.reg". For more information, see [WININTERNALS].
<25> Section 3.1.5.19: For Windows NT, this value is not supported.
<26> Section 3.1.5.20: Windows file names can be up to 255 characters long and for registry server methods MUST be specified as full file paths relative to the registry server instance. For example, to specify the "regfile.reg" file in the "C:\testfiles" directory on the C: volume of the registry server, the file name is specified as "C:\testfiles\regfile.reg". For more information, see [WININTERNALS].
<27> Section 3.1.5.24: Itanium-based and x64-based releases of Windows Server 2003 with SP1, Windows Vista, and Windows Server 2008 return 6 to denote the 64-bit version of the registry. In addition, Windows XP 64-Bit Edition also returns 6 to denote the 64-bit version of the registry.
All other x86 and Itanium-based releases of Windows return 5.