Registry best practices
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In the Windows Server 2003 family, system configuration information is centrally located in the registry. While this simplifies the administration of a computer or network, one incorrect edit to the registry can disable the operating system. The following list provides some best practices for using the registry and Registry Editor safely:
Before making changes to the registry, make a backup copy.
You can back up the registry by using a program such as Backup. After you make changes to the registry, update your Automated System Recovery (ASR) disk. For troubleshooting purposes, keep a list of the changes you make to the registry. For more information, see the "Windows Server 2003 family Registry Reference" at the Microsoft Windows Resource Kits Web site.
Do not replace the Windows Server 2003 family registry with the registry of another version of the Windows or Windows NT operating systems.
Edit the registry carefully.
Incorrectly editing the registry may severely damage your system.
Limit the number of people who have access to the registry.
For example, because members of the Administrators group have full access to the registry, add only users who need such access to the Administrators group. Alternately, you can use Registry Editor to set permissions for specific keys and subtrees, or simply remove Registry Editor from the computers of users whom you do not want to alter the registry.
Never leave Registry Editor running unattended.
Do not run Registry Editor as Administrator, except when necessary.
A malicious user who has access to Registry Editor running as Administrator can cause severe damage to the operating system and software. Only run Registry Editor as Administrator if you need to see or change keys that you cannot otherwise access.
Use Run as to run Registry Editor as Administrator or a different user.
To maintain registry security when making changes to a key that requires administrative credentials, log in as a member of the Users group and run Regedit as an administrator by right-clicking the Regedit icon, clicking Run as, and choosing an account in the local Administrators group. The Regedit icon does not appear by default from the Start menu. To access the icon, open the Windows or WINNT folder on your computer.
Do not access HKEY_CURRENT_USER or HKEY_CLASSES_ROOT using services that impersonate more than one user.
HKEY_CURRENT_USER and HKEY_CLASSES_ROOT are aliases for other keys in the registry. For example, HKEY_CURRENT_USER is an alias for the key in HKEY_USERS for the user who is currently logged in. If a service accesses one of these keys while running as one user, and again while running as another user, the operating system might still have the alias data cached from the first user. If this happens, an error will result because the second user will not have access rights for keys belonging to the first user.