The registry is integral to the function, security, and stability of the Windows system. Changing the system's registry permissions opens the possibility of unauthorized and anonymous modification of the operating system.
Check
Review the registry permissions for the keys of the HKEY_LOCAL_MACHINE hive noted below.
If any nonprivileged groups such as Everyone, Users, or Authenticated Users have greater than Read permission, this is a finding.
If permissions are not as restrictive as the default permissions listed below, this is a finding.
Run "Regedit".
Right-click on the registry areas noted below.
Select "Permissions", and then click "Advanced".
HKEY_LOCAL_MACHINE\SECURITY
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
SYSTEM - Full Control - This key and subkeys
Administrators - Special - This key and subkeys
HKEY_LOCAL_MACHINE\SOFTWARE
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
Users - Read - This key and subkeys
Administrators - Full Control - This key and subkeys
SYSTEM - Full Control - This key and subkeys
CREATOR OWNER - Full Control - This key and subkeys
ALL APPLICATION PACKAGES - Read - This key and subkeys
HKEY_LOCAL_MACHINE\SYSTEM
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
Authenticated Users - Read - This key and subkeys
Administrators - Full Control - This key and subkeys
SYSTEM - Full Control - This key and subkeys
CREATOR OWNER - Full Control - This key and subkeys
ALL APPLICATION PACKAGES - Read - This key and subkeys
Server Operators - Read - This key and subkeys (Domain controllers only)
Other examples under the noted keys may also be sampled. There may be some instances where nonprivileged groups have greater than Read permission.
Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2025 to the following SID. This is not a finding.
If the defaults have not been changed, this is not a finding.
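The first finding condition above can also be checked from an elevated PowerShell session instead of clicking through Regedit. The script below is an added example, not part of the original check text; the function name Get-ExcessRegistryAccess is hypothetical, and it assumes the well-known SIDs for Everyone, Users, and Authenticated Users as the nonprivileged groups. It only flags greater-than-Read access for those three groups and does not compare the full ACL against the defaults listed.

```powershell
# Added example: flag Allow ACEs that give nonprivileged groups more than Read
# on the HKLM keys named in this check. Run from an elevated PowerShell session.
$nonPrivileged = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-32-545' = 'Users'
    'S-1-5-11'     = 'Authenticated Users'
}

# Rights that count as "Read": ReadKey plus GENERIC_READ (0x80000000), which
# can appear on inherit-only entries that apply a Read grant to subkeys.
$readMask = [int][System.Security.AccessControl.RegistryRights]::ReadKey -bor [int]::MinValue

function Get-ExcessRegistryAccess {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($key in $Path) {
        try {
            $acl = Get-Acl -Path $key -ErrorAction Stop
        } catch {
            # HKLM:\SECURITY may be unreadable from an administrator session
            # (Administrators hold only Special rights there); report it, do not skip it.
            [pscustomobject]@{ Key = $key; Principal = $null; Rights = $null
                               Note = "Could not read ACL: $($_.Exception.Message)" }
            continue
        }
        # Ask for SIDs instead of names so the match does not depend on OS language.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow' -or -not $nonPrivileged.ContainsKey($sid)) { continue }
            # Any bit outside the read mask means the grant exceeds Read.
            $extra = [int]$ace.RegistryRights -band (-bnot $readMask)
            if ($extra -ne 0) {
                [pscustomobject]@{ Key = $key; Principal = $nonPrivileged[$sid]
                                   Rights = $ace.RegistryRights
                                   Note = 'Greater than Read: review as a potential finding' }
            }
        }
    }
}

Get-ExcessRegistryAccess -Path 'HKLM:\SECURITY', 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM' |
    Format-Table -AutoSize -Wrap
```

No output rows means none of the three groups holds more than Read on the top-level keys; subkeys sampled during the review can be passed to -Path in the same way.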
Fix
Maintain the default permissions for the HKEY_LOCAL_MACHINE registry hive.
The default permissions of the higher-level keys are noted below:
HKEY_LOCAL_MACHINE\SECURITY
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
SYSTEM - Full Control - This key and subkeys
Administrators - Special - This key and subkeys
HKEY_LOCAL_MACHINE\SOFTWARE
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
Users - Read - This key and subkeys
Administrators - Full Control - This key and subkeys
SYSTEM - Full Control - This key and subkeys
CREATOR OWNER - Full Control - This key and subkeys
ALL APPLICATION PACKAGES - Read - This key and subkeys
HKEY_LOCAL_MACHINE\SYSTEM
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
Authenticated Users - Read - This key and subkeys
Administrators - Full Control - This key and subkeys
SYSTEM - Full Control - This key and subkeys
CREATOR OWNER - Full Control - This key and subkeys
ALL APPLICATION PACKAGES - Read - This key and subkeys
Server Operators - Read - This key and subkeys (Domain controllers only)
Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2025 to the following SID: