Protecting Windows NT Machines


Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame


Environment: Windows NT 4.0 (Server or Workstation)

Windows NT security makes it possible to lock down a desktop so a given user has access to only one or a few specific programs. On a public kiosk computer, it is often important that user access be restricted. This article explains the steps that need to be taken to implement this before you start please read the IMPORTANT notice.

IMPORTANT: This article contains information about editing the Windows registry. Before you edit the registry, you should first make a backup copy of the registry files (System.dat and User.dat). Both are hidden files in the Windows folder. Do not run the sample .reg file which contains all the specified registry entries as a demonstration or test because doing this will disable the menus of the demonstrator and might not give him access to remove the entries also. It is advised that for demonstration, make only one entry at once. Unsolicited changes in registry might damage the system functionality in which cases author can not be held responsible.

Windows always works on its Registry entries which are stored some hidden .dat files usually the system.dat and user.dat in widows directory. It can be viewed as the settings for the individual user determining his environment in Windows NT user session. It is found that these settings or registry entries play a key role while deciding the access to individual user on any Windows NT machine. Whenever the user loggs in, Windows fetches all the settings from files, and loads it in the memory. So the user settings are stored with your windows explorer which works like shell for your Windows NT session. For making the registry entries, you can either go to RUN menu and run regedit.exe or regedt32.exe. This will open a windows similar to Windows explorer. There are five by default major categories viz. HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS,HKEY_CURRENT_CONFIG which are used for the basic functionality of the Registry and Windows security.

You can browse through and make the entries at right places.Windows also specifies a format which goes in .reg file (see the sample code), which can be run from any location. This .reg file can be edited using a simple notepad also. In this format, specify the REGEDIT4 first, to tell the version of editing utility, then you have to specify the absolute path in square brackets where this registry entry will go for example [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies] you can specify multiple paths also where the settings will be stored followed by the name of the entries which have to be made are written as


For restricting the access, following are the names of the entries/keys and their functionality at [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

Key Name Functionality Data Type Value
NoFind Removes Find command from Start menu. dword 00000095
NoFolderOptions Removes the Folder Options menu item from the Settings dword 00000001
NoRecentDocsMenu Removes the Documents command from the Start menu. dword 00000001
NoDesktop Hide all items on desktop. dword 00000001
NoRun Removes Run command from Start menu dword 00000001
NoLogOff Disables the logoff options dword 00000001
NoClose Disables Shut Down command. dword 00000001
NoNetHood Hides Network Neighborhood. dword 00000001
NoDrives Hides drives in My Computer. dword 00000000
To give access to only drive C dword fbffff03
To give access to drives C and D dword f3ffff03
To give access to drives A to F dword c0ffff03
NoTrayContextMenu Removes context menus for tray including the start button, tab control, and clock. dword 00000001
NoSetFolders Remove folders from Settings/Start menu dword 00000001
NoSetTaskbar Remove Taskbar from Settings/Start menu. dword 00000001
NoFavoritesMenu Removes the Favorites folder from the Start menu. dword 00000001
NoSaveSettings Does not save settings at exit. dword 00000001
NoDriveTypeAutoRun Prevents CD-ROM drive from running automatically. dword 00000001
NoViewContextMenu Removes the context menu when you right click the desktop, or when you right click explorer in the results pane. dword 00000001
NoFolderOptions Removes the Folder Options menu item from the Settings dword 00000001

Note : NoRecentDocsMenu and NoRecentDocsHistory requires Active Desktop to be installed; otherwise they do not work

At the place [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

Key Name Functionality Data Type Value
DisableLockWorkstation Disables the Lock workstation option from menu dword 00000001
DisableTaskMgr Disables the Task Manager dword 00000001
DisableChangePassword Disables the password change option dword 00000001

Copy the following source in notepad and save it as .reg file








Download instructions:

1. Save it to your disk
2. For running: Save it as .reg file, and double click
3. For editing:  You can edit it in test format or you can right click the .reg file and click on edit option.

Download demo registry source code - 1 Kb


  • How to disable logoff/shutdown buttons from taskmanager

    Posted by patro1322 on 10/20/2009 01:43pm

    I want to disable the logoff button present in the users tab of taskmanger. I don't want to disable the logoff command from start menu. How can I do it ? Thanking you in advance.

  • How to enable it back again

    Posted by Legacy on 06/13/2003 07:00am

    Originally posted by: DOMINIC BENEDICT

    How to enable the setting again?

  • Disabling Registry Keys as Administrator for another User

    Posted by Legacy on 10/01/2002 07:00am

    Originally posted by: Mr. Stephan Mueller

    Hi to all,
    the given hints are very usefull for the restriction of users rights.
    Only the key "NoDrives, dword 0000000 does not work as expected: I can still see the local drives, using the explorer. Is this key only valid for "MyComputer" and not for the windows explorer? What do I have to do, to hide the local drives within the explorer?

    If I (with administration rights) decide to restrict the rights of an user, I can modify the registry of that user by log on with that user's name and password. After that, the rights of that user are restricted in a way that there is no possibility to change the registry again. Now my questions:
    Is there any way to change the users registry, if I am logged on as administrator? What is the name and extention of a registry file? Where do I find it? How can I tell "regedit.exe" to open the users registry and not mine?

    With best regards.

    Stephan Mueller

  • You must have javascript enabled in order to post comments.

Leave a Comment
  • Your email address will not be published. All fields are required.

Most Popular Programming Stories

More for Developers

RSS Feeds

Thanks for your registration, follow us on our social networks to keep up-to-date