LOGO Mobile menu
Download SpyShelter

How and why you should protect your Windows Registry

This article will help you learn why the Windows Registry is an important thing to monitor when protecting your PC from threats. Don’t ever let processes make random changes to your Registry without understanding what it will mean for your security.

Windows registry protection

What is the Windows Registry?

The Windows Registry is a hierarchical database that holds settings for your operating system, installed programs, and more. It's like the DNA of your Windows PC, containing instructions that tell your computer how to behave. Many of these specific PC instructions controlled by the Registry can help protect your PC from threats, but unfortunately, other Registry changes can cause great harm.

As a PC Antispyware software provider, we at SpyShelter study the Windows Registry carefully to understand how it can be used to help, and unfortunately sometimes harm your PC’s security.

Why does the Windows Registry matter for your PC Security?

The Registry's importance cannot be understated, especially when it comes to security. It's like your PC’s command center; if someone unauthorized gets access, they could potentially control many aspects of your PC. Malware often targets the Registry to hide its presence or disable security measures. Therefore, understanding and protecting your Registry is crucial for maintaining your PC’s health and safety.

Let me give you an example…

If you’re even slightly protective of your PC you most likely require some kind of authentication, like a logon/password to logon and start using your computer. Unfortunately, just a simple Registry modification can disable any authentication required to access your PC. Microsoft itself even documents how to store your logon/password data in the Registry to make it automatically logon for anyone who boots up your PC.

Other Sensitive Registry Keys and Their Impact

Some Registry keys are more sensitive than others. These include keys that control your system bootup, user profiles, and installed software. If these keys are modified incorrectly or maliciously, it can lead to system instability, security vulnerabilities, or even lock you out of your PC! It's like leaving your house with the doors unlocked; anyone or anything could come in.

And speaking of anything coming in… recently a cybersecurity team called Prevailion, found a (RAT) Trojan that used the Windows Registry for all of its storage capabilities, letting it completely bypass antivirus monitoring!

In this case the malware didn’t change any specific Registry keys, but instead, it actually used the Registry area so it could operate in secrecy without the PC user ever knowing. Scary isn’t it? And that’s another reason you should stay on top of changes to your Windows Registry.

Using the Windows Registry to Harden Your PC

But did you know you can actually use the Windows Registry to your own advantage? For instance, you can adjust settings to enhance security features, like enforcing strong password policies or disabling USB ports to prevent unauthorized data transfer. If you’re an advanced PC user or IT Professional, we recently found a very useful article written by the Australian Cyber Security Centre that gives many different examples of how you can harden your PC against threats by making changes to the Windows Group Policy Settings, which are stored in the Registry.

List of Registry Keys to Consider Protecting

Image of regedit editing a windows registry keyIMAGE OF REGEDIT EDITING A WINDOWS REGISTRY KEY

Now you’re probably wondering… what are some security-related Registry keys you should consider monitoring with your PC? Let me give you a list of 5 Registry keys our cybersecurity team at SpyShelter likes to continually monitor:

1. Windows Startup and Run Keys

Keys to Protect:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Reason: These keys determine which programs run automatically when a user logs in (for CURRENT_USER) or at the system start for all users (LOCAL_MACHINE). Malicious software often adds entries here to ensure it runs at every startup, making these keys prime targets for protection.

2. Windows SmartScreen Protection Keys

Keys to Protect:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled

Reason: The SmartScreen filter helps protect your PC against phishing and malware websites, as well as downloading or running malicious software. By altering this key, an attacker can disable these protective measures, leaving your system vulnerable to a wide range of threats.

3. Windows Security Keys (Previously known as Windows Defender)

Keys to Protect:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

Reason: This key controls various settings of Windows Security (previously called Windows Defender), a crucial component in defending your system against malware and other security threats. Alterations to this key could weaken your system's defenses.

4. Task Manager Key

Keys to Protect:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Reason: This key can be used to disable the Task Manager, which is a vital tool for monitoring system activity and terminating suspicious processes. Malware might use this to avoid detection and removal by preventing access to the Task Manager. Therefore, monitoring and protecting this key is important for maintaining the integrity and security of your system. The ability for malware to disable your Windows Task Manager could be another reason to have SpyShelter in the background watching your processes in real-time, just in case.

5. Remote Desktop Registry Key

Keys to Protect:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections

Reason: This registry key controls whether Remote Desktop is enabled (0) or disabled (1) on the machine. Unauthorized changes to this key could allow remote access to your computer, posing a significant security risk. Malicious actors or malware may enable Remote Desktop to gain remote control of your system. Monitoring this key helps ensure that Remote Desktop is only enabled when necessary and by authorized users.

How to stop changes to the Windows Registry

So how can you stop, or at least track changes to the Windows Registry if it’s so important for PC security? Our SpyShelter Antispyware software has a setting that specifically tracks and stops changes to your Registry.

After installing our SpyShelter Antispyware app for Windows, go to your bottom “Protection” tab, then turn on “Registry Integrity Control”. Now click the right arrow and decide which mode you prefer to be on. The default SpyShelter Registry protection controls only stops apps that are known threats from accessing and changing your Registry.

Use the pull-down menu and set it to “Moderate” to get notice when a Windows app accesses your registry if that app is unsigned. An unsigned executable/process (also known as an app) means that it has no publisher. Most forms of malware are usually unsigned, so this “Moderate” SpyShelter setting can help protect you from many types of Registry changes by malware.

ALLOW/DENY FOR A REGISTRY CHANGE BY AN APP ALONG WITH AN INSIGHT ALLOW/DENY FOR A REGISTRY CHANGE BY AN APP ALONG WITH AN INSIGHT

When an unsigned app tries to change your Windows Registry, SpyShelter will give you an alert where you can allow, or block the Registry modification. Then, on top of this SpyShelter has “Registry Insights” that can usually tell you what exactly that Registry key controls, to help you make a good decision about allowing or denying the Registry change. Please note that some legitimate Windows apps make their own legitimate Registry changes, so in many cases it’s probably safe to allow the Registry change. But, if you’re unsure you can check SpyShelter’s Insights to see if more information is available.

If you want to up your Registry protection game to an even higher level, you can set SpyShelter’s Registry Integrity control to “High”. With a “High” Registry Integrity setting you’ll get an allow/deny notification from SpyShelter any time any app tries to change your Windows Registry. If you allow the requested Registry change, then that app can now access and change your Registry any time.

This “High” setting may be overkill for most non-technical PC users, but if you have a good understanding of the registry this setting might be perfect for you, especially if you value the visibility of knowing exactly when apps access your Registry. Download SpyShelter for free to track and stop changes to your Windows Registry.

The Windows Registry is a powerful tool in the hands of those who know how to use it. By understanding its role and how to protect key areas, you can significantly boost your PC's security.