10 handy registry settings for sysadmin

Adam Ruth|Updated June 17, 2021
10 Handy Registry Settings for System Administration

Here’s a (seemingly) random collection of registry settings which I have recently encountered that you may find useful. Hopefully there’s one or more that you may not be aware of.

1. Enable unsolicited remote assist

Unsolicited remote assist is very handy for troubleshooting problems on a remote computer where you don’t have some other form of remote control such as VNC. I’ve found that enabling it through the UI doesn’t always allow it to work, and you get some cryptic errors. These settings seem to really get it going.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
fAllowUnsolicited = 1
fAllowUnsolicitedFullControl = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
AllowTSConnections = 1
fDenyTSConnections = 0
fAllowToGetHelp = 1

2. Increase desktop heap

Sometimes opening a lot of windows or tabs in Internet Explorer pushes use of the heap (a section of memory used by the desktop.) When you bump up against the limit, strange things start to happen.

3. Allow popups on secure sites

Internet Explorer’s popup blocker is pretty handy most of the time. But when you’re connected to a secure web site you may want it disabled because the popups are part of the user interface for the site (such as for authentication.) This setting allows popups on HTTPS sites.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows
Allow HTTPS = 1

4. No LAN Manager hashes

An oldie, but a goodie. This entry prevents the system from storing LAN Manager password hashes, which are much less secure than Kerberos or NT hashes. Older systems such as Win 98 and ME won’t be able to authenticate, but that’s actually a benefit.

NoLMHash = 1

5. Disable shaking

This one is a personal taste thing. I don’t like the shaking feature of Aero in Windows 7; I seem to activate it all the time by accident (perhaps I have muscle spasms). Here’s a way to disable it.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
DisallowShaking = 1

6. Screen saver grace period

The default setting for the grace period on requiring a password after the screen saver starts may be a bit too short for you.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
ScreenSaverGracePeriod = (number of seconds)

7. Take ownership menu

This one isn’t as much of a registry setting as it is a shortcut, but it’s still handy. If you find yourself needing to take ownership of files a lot, this will be quicker than going through the security tab. It adds a menu item in Windows Explorer when you right click on a file or directory which will give you ownership.

(default) = "Take Ownership"
NoWorkingDirectory = (empty)
(default) = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F"
IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant
(default) = "Take Ownership"
NoWorkingDirectory = (empty)
(default) = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"
IsolatedCommand = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t"

8. Disable simple file sharing

Simple file sharing in XP makes remote administration a bit difficult, mainly by disabling the admin shares (ADMIN$, C$, D$, etc.) 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
forceguest = 0

9. Disable writing to USB drives

This is a helpful security setting if your organization wants to disable writing to USB drives on certain machines.

WriteProtect = 1

10. Default user settings

This is more of a tip than a setting. If you need to restore a key in HKEY_CURRENT_USER to its default, you can find them all in HKEY_USERS\.DEFAULT. This is also handy if you want to change a setting that will be used for all new user accounts because it is used as a template for each new user’s registry settings.
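Several of the settings above (items 1, 4, 6 and 8) change remote-access, credential-storage or lock-screen behaviour, so it helps to know which ones are actually in effect on a host. The following read-only PowerShell report is an added example, not part of the original article. The `NoLMHash` path is an assumption, since the article omits it: Microsoft documents that value under the same `Lsa` key shown for `forceguest`. The `Effect` notes are this example's wording.

```powershell
# Added example: read-only report on registry values named in items 1, 4, 6 and 8.
# "Set" is the value the article applies; $null means "report the value only".
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

$settings = @(
    @{ Path = $pol; Name = 'fAllowUnsolicited'; Set = 1
       Effect = 'Remote Assistance can be offered without an invitation' }
    @{ Path = $pol; Name = 'fAllowUnsolicitedFullControl'; Set = 1
       Effect = 'An offered session may take control, not only view' }
    @{ Path = $ts; Name = 'fDenyTSConnections'; Set = 0
       Effect = 'Remote Desktop connections are accepted' }
    @{ Path = $ts; Name = 'fAllowToGetHelp'; Set = 1
       Effect = 'Remote Assistance is enabled' }
    # Assumption: path not given in the article; documented by Microsoft under Lsa.
    @{ Path = $lsa; Name = 'NoLMHash'; Set = 1
       Effect = 'LM password hashes are not stored (hardening)' }
    @{ Path = $lsa; Name = 'forceguest'; Set = 0
       Effect = 'Simple file sharing off; admin shares reachable remotely' }
    @{ Path = $wl; Name = 'ScreenSaverGracePeriod'; Set = $null
       Effect = 'Seconds before the screen saver demands a password' }
)

$report = foreach ($s in $settings) {
    # A missing key or value yields $null instead of an error.
    $prop  = Get-ItemProperty -LiteralPath $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $prop) { $prop.($s.Name) } else { $null }

    # Compare as strings so REG_SZ and REG_DWORD data are treated alike.
    $state = if ($null -eq $value) { 'not set' }
             elseif ($null -eq $s.Set) { 'review' }
             elseif ("$value" -eq "$($s.Set)") { 'applied' }
             else { 'differs' }

    [pscustomobject]@{
        Name   = $s.Name
        Value  = $value
        State  = $state
        Effect = $s.Effect
    }
}

$report | Format-Table -AutoSize -Wrap
```

A state of `applied` on the first four rows means the host accepts remote sessions in the way item 1 configures, which is worth confirming against what the machine is supposed to allow.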

Adam Ruth

Adam is a co-founder of PDQ.
