PDQ.com mobilePDQ.com desktop

10 Handy Registry Settings for System Administration

Adam RuthAdam Ruth

Here’s a (seemingly) random collection of registry settings which I have recently encountered that you may find useful. Hopefully there’s one or more that you may not be aware of. 1. Enable Unsolicited Remote AssistUnsolicited remote assist is very handy for troubleshooting problems on a remote computer where you don’t have some other form of remote control such as VNC. I’ve found that enabling it through the UI doesn’t always allow it to work, and you get some cryptic errors. These settings seem to really get it going.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services fAllowUnsolicited = 1 fAllowUnsolicitedFullControl = 1 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server AllowTSConnections = 1 fDenyTSConnections = 0 fAllowToGetHelp = 1

2. Increase Desktop HeapSometimes opening a lot of windows or tabs in Internet Explorer pushes use of the heap (a section of memory used by the desktop.) When you bump up against the limit, strange things start to happen. This blog post details a way to increase it which gives you more headroom.http://weblogs.asp.net/jongalloway/registry-setting-keeps-windows-from-wigging-out-when-you-open-lots-of-ie7-tabs 3. Allow Popups on Secure SitesInternet Explorer’s popup blocker is pretty handy most of the time. But when you’re connected to a secure web site you may want it disabled because the popups are part of the user interface for the site (such as for authentication.) This setting allows popups on HTTPS sites.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows Allow HTTPS = 1

4. No LAN Manager HashesAn oldie, but a goodie. This entry prevents the system from storing LAN Manager password hashes which are much less secure than Kerberos or NT hashes. Older systems such as Win 98 and ME won’t be able to authenticate, but that’s actually a benefit.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Parameter NoLMHash = 1

5. Disable ShakingThis one is a personal taste thing. I don’t like the shaking feature of Aero in Windows 7, I seem to activate it all the time on accident (perhaps I have muscle spasms.) Here’s a way to disable it.

HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced DisallowShaking = 1

6. Screen Saver Grace PeriodThe default setting for the grace period on requiring a password after the screen saver starts may be a bit too short for you.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ ScreenSaverGracePeriod = (number of seconds)

7. Take Ownership MenuThis one isn’t as much of a registry setting as it is a shortcut, but it’s still handy. If you find yourself needing to take ownership of files a lot, this will be quicker than going through the security tab. It adds a menu item in Windows Explorer when you right click on a file or directory which will give you ownership.

HKEY_CLASSES_ROOT\*\shell\runas (default) = “Take Ownership” NoWorkingDirectory = (empty) HKEY_CLASSES_ROOT\*\shell\runas\command (default) = “cmd.exe /c takeown /f \”%1\” && icacls \”%1\” /grant administrators:F” IsolatedCommand = “cmd.exe /c takeown /f \”%1\” && icacls \”%1\” /grant administrators:F” HKEY_CLASSES_ROOT\Directory\shell\runas (default) = “Take Ownership” NoWorkingDirectory = (empty) HKEY_CLASSES_ROOT\Directory\shell\runas\command (default) = “cmd.exe /c takeown /f \”%1\” /r /d y && icacls \”%1\” /grant administrators:F /t” IsolatedCommand = “cmd.exe /c takeown /f \”%1\” /r /d y && icacls \”%1\” /grant administrators:F /t”

8. Disable Simple File SharingSimple file sharing in XP makes remote administration a bit difficult, mainly by disabling the admin shares (ADMIN$, C$, D$, etc.) 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa forceguest = 0

9. Disable Writing to USB DrivesThis is a helpful security setting if your organization wants to disable writing to USB drives on certain machines.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicie WriteProtect = 1

10. Default User SettingsThis is more of a tip than a setting. If you need to restore a key in HKEY_CURRENT_USER to its default, you can find them all in HKEY_USERS\.DEFAULT.  This is also handy if you want to change a setting that will be used for all new user accounts because it is used as a template for each new user’s registry settings.

Don't miss the next post!

Using PowerShell to Install Printers

When installing printers, we will need to do the four things; Add Driver to the Store, Install the Driver, Create Printer Port, and Install the Printer