How can I configure Microsoft's Secure Desktop Restriction setting in Windows 2000 Service Pack 1 (SP1) and later?

A. Users who interactively log on to a computer running Windows 2000 or later can perform tasks that might be security risks, such as gaining access to display and input devices that a computer process with wider-reaching privileges owns. These users then can create a process to capture passwords or sensitive data. (For more information about the problem, see Microsoft Security Bulletin MS00-200, "Patch Available for 'Desktop Separation' Vulnerability," at the Microsoft Web site.)

Win2K SP1 corrected this vulnerability by adding a Secure Desktop Restriction setting, but the new locked-down functionality might adversely affect certain applications. If your application vendor advises you to disable this security setting, perform the following steps:

  1. Start a registry editor (e.g., regedit.exe).
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows.
  3. From the Edit menu, select New, DWORD Value.
  4. Enter a name of SecureDesktop.
  5. Double-click the new value, set it to 0 to disable the setting (you can set the value to 1 to re-enable the default configuration), then click OK.
  6. Restart the machine for the change to take effect.
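
To find machines where this restriction has been turned off, the value from the steps above can be read back and classified. The following is an added example, not part of the original answer or any Microsoft tool; it assumes PowerShell is available on the auditing machine, the function name `Get-SecureDesktopState` is hypothetical, and treating a missing value as the default (enabled) state is an assumption based on step 3, which has you create the value.

```powershell
# Added example: read-only audit of the SecureDesktop value described above.
# Per the page: 0 = restriction disabled, 1 = default configuration (enabled).
# Assumption: an absent value means the default (enabled) state.
function Get-SecureDesktopState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $subKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($computer in $ComputerName) {
        $state = 'Unknown'; $raw = $null; $detail = ''
        # An empty machine name opens the local hive without the Remote Registry service.
        $target = if ($computer -eq $env:COMPUTERNAME) { '' } else { $computer }
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $target)
            $key = $hklm.OpenSubKey($subKey)    # read-only handle
            if ($null -eq $key) {
                $detail = 'Key not found'
            } else {
                $raw = $key.GetValue('SecureDesktop', $null)
                if ($null -eq $raw) {
                    $state = 'Enabled (value absent)'
                } elseif ($key.GetValueKind('SecureDesktop') -ne
                          [Microsoft.Win32.RegistryValueKind]::DWord) {
                    $detail = 'Value exists but is not a DWORD'
                } elseif ($raw -eq 0) {
                    $state = 'DISABLED'          # the configuration to review
                } elseif ($raw -eq 1) {
                    $state = 'Enabled'
                } else {
                    $detail = 'Unexpected data (page documents only 0 and 1)'
                }
                $key.Close()
            }
            $hklm.Close()
        } catch {
            # Unreachable host, access denied, Remote Registry stopped, etc.
            $detail = $_.Exception.Message
        }
        New-Object PSObject -Property @{
            Computer = $computer; State = $state; Data = $raw; Detail = $detail
        }
    }
}

# Audit the local machine; pass -ComputerName with a list to check several hosts.
Get-SecureDesktopState | Format-Table Computer, State, Data, Detail -AutoSize
```

A result of `DISABLED` should map to a documented vendor requirement; where none exists, setting the value back to 1 and restarting restores the default configuration described in step 5.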