regedit
How to use
- Run it from Start Menu > Programs > Accessories > System Tools > Registry Editor,
or if it is not there, use Start Menu > Run, type regedit and click OK.
- Search with [ctrl-F] (or Edit > Search), then repeat with [F3]
(Edit > Search again). Search looks at keys, values and data; search
strings seem to be case-insensitive. Searches start at the current selection:
scroll to the top and click the first item to search the whole registry.
- Use [Alt], [E], [R] (Edit > Rename) to change key/value names. Use
[Alt], [E], [M] (Edit > Modify), or select and press [RETURN], to change
data. (To clobber a command, insert -disabled at the end of the filename,
just before .exe, so the change is easy to undo should you ever need to.)
- Some key/value names are case-sensitive, some are not. Generally, if you
see what you want then use it, even if it has a different capitalization.
I wonder what the relationship is between the commands in the registry and
the [Extensions] section of C:\windows\win.ini.
Tasks
- Rename occurrences of values named "NeverShowExt" to "AlwaysShowExt"
(also do this for lnkfile and piffile, even though your Desktop and Start
Menu will then look ugly). Also ensure the "Hide file extensions for known
file types" option is disabled in Start Menu > Settings > Folder Options, View.
- Fake MS00-036 patch with new key and DWORD values
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxSmb\Parameters]
RefuseReset=1
MaximumBrowseEntries=1
(or should the second one be zero?).
- Clobber regedit command for REG files:
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
default=...
- Banish LM password hashes with DWORD values
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
LmCompatibility=3 (for Win9x)
LmCompatibilityLevel=3 (for WinNT and Win2k)
- Set SMB message encryption level with DWORD values
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
NtlmMinClientSec=0
NtlmMinServerSec=0x20080030
- Prevent LM hashes from being stored locally with new registry key
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash]
or, for Windows XP, create a new DWORD value
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
NoLMHash=1
- Disallow anonymous access with
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
RestrictAnonymous=2
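The Lsa and MSV1_0 values above can be checked (and, if wanted, set) in one go instead of one at a time in regedit. The script below is an added example, not part of the original notes; it is PowerShell, so it assumes a Windows version that has it, and it assumes the Windows XP-or-later layout in which NoLMHash is a DWORD value (the Win2k-style NoLMHash subkey is only reported if present). Without -Apply it only reports drift; with -Apply it writes the values listed in the notes. Run it from an elevated prompt.

```powershell
# Added example (not from the original notes): audit the LSA hardening
# values listed above and, with -Apply, set any that differ.
# Assumes the XP-or-later layout (NoLMHash as a DWORD); the Win2k-style
# NoLMHash subkey is reported if present.
param([switch]$Apply)

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = "$lsa\MSV1_0"

# Expected DWORD values, taken from the notes above.
$expected = @(
    @{ Path = $lsa;   Name = 'LmCompatibilityLevel'; Want = 3 }
    @{ Path = $lsa;   Name = 'NoLMHash';             Want = 1 }
    @{ Path = $lsa;   Name = 'RestrictAnonymous';    Want = 2 }
    @{ Path = $msv10; Name = 'NtlmMinClientSec';     Want = 0 }
    @{ Path = $msv10; Name = 'NtlmMinServerSec';     Want = 0x20080030 }
)

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value (or its key) does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # DWORDs come back as signed Int32; mask so values with the high bit
    # set (e.g. 0x80000000) print as the unsigned number regedit shows.
    return [uint32](([int64]$item.$Name) -band 0xFFFFFFFF)
}

foreach ($e in $expected) {
    $current = Get-RegDword -Path $e.Path -Name $e.Name
    $shown = if ($null -eq $current) { '(absent)' } else { '0x{0:X8}' -f $current }
    $ok = ($current -eq $e.Want)
    $status = if ($ok) { 'OK  ' } else { 'DIFF' }
    "{0} {1}\{2} = {3} (want 0x{4:X8})" -f $status, $e.Path, $e.Name, $shown, $e.Want

    if (-not $ok -and $Apply) {
        if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        Set-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Want -Type DWord
        "     -> set {0} to 0x{1:X8}" -f $e.Name, $e.Want
    }
}

# Win2k variant from the notes: NoLMHash is a subkey, not a value.
if (Test-Path "$lsa\NoLMHash") {
    "INFO Win2k-style NoLMHash subkey is present under $lsa"
}
```

A DIFF line for NoLMHash only means the value is absent; existing LM hashes are only dropped from storage when each account's password is next changed, so an audit of stored hashes is a separate step. RestrictAnonymous=2 is the strictest setting and can break domain trust and browsing, so check the report on a test machine before using -Apply on a domain member.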
- To prevent Office XP from sending debugging info, create keys
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\10.0\Common] and
[HKEY_USERS\.Default\Software\Policies\Microsoft\Office\10.0\Common]
and in both set DWORD values:
DWNeverUpload=1
DWNoExternalURL=1
DWNoFileCollection=1
DWNoSecondLevelCollection=1
- For Office 2003, set DWORD value
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common]
QMEnable=0
- Protect (Win2k only?) from DoS via NetBIOS with new DWORD value
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
MaxWorkItems=256 (decimal 256 = hex 100, or less?)
Or should the key be ...\LanmanServer without \Parameters?
- Protect against open ports and services by setting:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
SmbDeviceEnabled=0 (DWORD)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpc\Linkage]
Bind=(empty) (MULTI_SZ)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
ListenOnInternet=N (SZ)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
EnableDCOM=N (SZ)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]
DCOM Protocols=(not including ncacn_ip_tcp) (MULTI_SZ)
Note that Win2k regedit cannot create REG_MULTI_SZ values; you need to use
regedt32 for that.
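The two REG_MULTI_SZ values in that list are the awkward ones to edit by hand, and the regedt32 limitation just mentioned is the reason. As an added example (not from the original notes, and written for a Windows version that has PowerShell), the script below reads both multi-string values, reports them, and with -Apply rewrites them as the notes want: Bind emptied, and ncacn_ip_tcp filtered out of "DCOM Protocols" while every other entry is kept. The registry paths are exactly those in the list above; that New-ItemProperty with an empty string array produces an empty REG_MULTI_SZ is an assumption, noted in the code.

```powershell
# Added example (not from the original notes): read and edit the
# REG_MULTI_SZ values from the list above without regedt32.
# Without -Apply it only reports what would change. Run elevated.
param([switch]$Apply)

$rpcLinkage = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rpc\Linkage'
$rpc        = 'HKLM:\SOFTWARE\Microsoft\Rpc'

function Get-MultiSz {
    param([string]$Path, [string]$Name)
    # Returns a string array, or $null when the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # The leading comma stops PowerShell unrolling a one-element array.
    return ,([string[]]$item.$Name)
}

function Set-MultiSz {
    param([string]$Path, [string]$Name, [string[]]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # -Force overwrites an existing value and also corrects its type if it
    # had been created as REG_SZ by mistake. Assumption: an empty string
    # array here yields an empty REG_MULTI_SZ, which is what Bind=(empty) means.
    New-ItemProperty -Path $Path -Name $Name -PropertyType MultiString `
        -Value $Value -Force | Out-Null
}

function Format-List {
    param([string[]]$Items)
    if ($null -eq $Items) { return '(absent)' }
    if (@($Items).Count -eq 0) { return '(empty)' }
    return ($Items -join ', ')
}

# 1. Rpc\Linkage\Bind should be empty.
$bind = Get-MultiSz -Path $rpcLinkage -Name 'Bind'
"Bind = [{0}]" -f (Format-List $bind)
if ($null -ne $bind -and @($bind).Count -gt 0) {
    "  -> would clear Bind"
    if ($Apply) { Set-MultiSz -Path $rpcLinkage -Name 'Bind' -Value ([string[]]@()) }
}

# 2. "DCOM Protocols" should not include ncacn_ip_tcp; keep the rest as-is.
$protos = Get-MultiSz -Path $rpc -Name 'DCOM Protocols'
"DCOM Protocols = [{0}]" -f (Format-List $protos)
if ($protos -contains 'ncacn_ip_tcp') {
    $kept = @($protos | Where-Object { $_ -ne 'ncacn_ip_tcp' })
    "  -> would set DCOM Protocols to [{0}]" -f (Format-List $kept)
    if ($Apply) { Set-MultiSz -Path $rpc -Name 'DCOM Protocols' -Value $kept }
}
```

Removing the TCP protocol sequence from DCOM and emptying the RPC bindings stops remote management and other RPC-based services from working over the network, so run the report first and keep the original lists the script prints so they can be restored.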
For the following it may be possible (and simpler) to rename the commands
used, rather than editing the registry.
- Clobber command hh.exe for CHM files:
[HKEY_CLASSES_ROOT\chm.file\shell\open\command]
- Clobber commands for VBS files (probably not there after you disable
Windows Scripting Host). Look for wscript.exe and cscript.exe (maybe also
jscript.dll and vbscript.dll); also do this for VBE, WSH, WSF, JS and JSE
files:
[HKEY_CLASSES_ROOT\xxFile\Shell\Open\Command] and
[HKEY_CLASSES_ROOT\xxFile\Shell\Open2\Command]
What about wshom.ocx and wshext.dll?
- Clobber shscrap.dll or rundll32.dll for SHS and
SHB files:
[HKEY_CLASSES_ROOT\ShellScrap\shell\open\command]
[HKEY_CLASSES_ROOT\DocShortcut\shell\open\command]
- Clobber most occurrences of iexplore (far too many keys to list here...)
- Clobber most occurrences of outlook, excel and
MSaccess.
- Clobber some (most? all?) occurrences of VBA.
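Before and after clobbering, it helps to see which open commands are actually registered for these file types, and which ones have already had the -disabled trick applied. The script below is an added example, not part of the original notes, written for a Windows version that has PowerShell. It reads the default value of each ProgID's shell\Open\command and shell\Open2\command and classifies it. regfile, chm.file, ShellScrap and DocShortcut are the class names from the notes; VBSFile, VBEFile, JSFile, JSEFile, WSHFile and WSFFile are filled in from the notes' "xxFile" pattern and are assumed to be the names on your system. It only reports; it changes nothing.

```powershell
# Added example (not from the original notes): list the open-command
# handlers for the file types discussed above and say whether each still
# invokes one of the engines named in the notes, has been renamed with the
# -disabled suffix, or points somewhere else. Report only.
$progIds = @('regfile', 'chm.file', 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile',
             'WSHFile', 'WSFFile', 'ShellScrap', 'DocShortcut')   # xxFile names assumed
$verbs   = @('Open', 'Open2')
$engines = @('wscript.exe', 'cscript.exe', 'hh.exe', 'rundll32.exe', 'regedit.exe')

function Get-OpenCommand {
    param([string]$ProgId, [string]$Verb)
    # HKCR: is not a PowerShell drive by default; use the provider path.
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\$Verb\command"
    $item = Get-ItemProperty -Path $key -Name '(default)' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.'(default)'
}

function Get-CommandStatus {
    param([string]$Command)
    # 'disabled' if the -disabled trick from the notes has been applied,
    # 'engine'   if the command still names one of the engines above,
    # 'other'    for anything else (an unrelated or already-changed handler).
    if ($Command -match '-disabled\.') { return 'disabled' }
    foreach ($e in $engines) {
        if ($Command -match [regex]::Escape($e)) { return 'engine' }
    }
    return 'other'
}

foreach ($p in $progIds) {
    foreach ($v in $verbs) {
        $cmd = Get-OpenCommand -ProgId $p -Verb $v
        if ($null -eq $cmd) { continue }      # verb not registered for this type
        "{0,-8} {1}\shell\{2}: {3}" -f (Get-CommandStatus $cmd), $p, $v, $cmd
    }
}
```

Lines marked engine are the ones the notes say to clobber; a type that prints nothing at all has no Open or Open2 verb registered, which is the state the notes describe after Windows Scripting Host is disabled. Re-run the script after editing to confirm each entry reads disabled rather than engine.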
Paul Szabo
psz@maths.usyd.edu.au
18 Apr 05