
NT Gatekeeper: Restricting Performance Monitor Access

In Windows NT 4.0, anyone who can log on to an NT 4.0 machine can use Performance Monitor to gather and analyze system data on a local or remote machine. Our IT security-auditing department has directed us to change this policy so that only administrators can use Performance Monitor. What's the easiest way to restrict the use of Performance Monitor?

By default, the Everyone group has read access to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib registry subkey. Remove the access control entry (ACE) for the Everyone group on this subkey, and leave only the Administrators group and the Creator Owner and System accounts with full-control access to the subkey.

After you change this setting, all accounts that aren't members of the Administrators group will get an "Insufficient privilege to access performance data" error when they try to add performance counters to a performance-counter chart. The setting effectively blocks them from using Performance Monitor to gather and analyze system data on a local or remote machine. Note that this registry access-control change doesn't prevent users from copying previously saved Performance Monitor chart files from the local system to another system or another medium. That's why administrators should never save chart files to a folder that everyone can access.
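One way to verify the result of the change described above is to list every ACE on the Perflib subkey and flag any principal other than Administrators, Creator Owner, and System. This PowerShell audit is an added example, not part of the original column; it assumes a Windows version that includes PowerShell (NT 4.0 itself does not), and the function name `Get-PerflibAceReport` is hypothetical.

```powershell
# Added example: audit the DACL on the Perflib subkey of the local machine.
# Assumption: run from an elevated PowerShell session on a system that has PowerShell.
$PerflibPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib'

# Well-known SIDs for the three principals the column says should remain.
# Matching on SIDs avoids problems with localized group names.
$ExpectedSids = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-3-0'      = 'Creator Owner'
    'S-1-5-18'     = 'System'
}

function Get-PerflibAceReport {
    param([string]$KeyPath = $PerflibPath)

    $acl = Get-Acl -Path $KeyPath
    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        # Resolve a display name for the report; fall back to the raw SID.
        try {
            $name = $rule.IdentityReference.Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $sid
        }
        [pscustomobject]@{
            Principal = $name
            Sid       = $sid
            Type      = $rule.AccessControlType
            Rights    = $rule.RegistryRights
            Inherited = $rule.IsInherited
            Expected  = $ExpectedSids.ContainsKey($sid)
        }
    }
}

$report = @(Get-PerflibAceReport)
$report | Format-Table -AutoSize

# Any Allow ACE for a principal outside the expected set still grants access.
$unexpected = @($report | Where-Object { $_.Type -eq 'Allow' -and -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Perflib is still accessible to: " +
        (($unexpected.Principal | Sort-Object -Unique) -join ', '))
} else {
    Write-Output 'Perflib grants access only to Administrators, Creator Owner, and System.'
}
```

The Everyone group appears in the report as SID `S-1-1-0`. Rows with `Inherited` set to `True` come from a parent key, so they have to be dealt with there or by changing inheritance on this subkey.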
