Granting Users Read Access to the Registry

Q: I need to grant a user the authority to monitor the performance counters on our servers without giving him more authority than necessary. The user won’t be logged on locally; instead, he'll need to perform the monitoring over our network. How can I grant him this authority?

A: It’s simply a matter of assigning the user logon rights and a couple of registry permissions. I’ve tested this procedure and verified that it works with the Microsoft Management Console (MMC) Reliability and Performance Monitoring snap-in, and it should also work with other performance-monitoring tools because they all use the same Win32 API set. Windows publishes its performance counter definitions under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib and serves counter data to remote callers through the Remote Registry service, so you’ll have to make sure that the service is running and that the user can remotely access this part of the registry on your servers.

First, grant the user the Access this computer from the network right, which you can find in Local Security Policy under Security Settings\Local Policy\User Rights Assignment. Without this right, the user can’t remotely access resources, such as performance counters, on a Windows server. By default, users in the Users group (in which all new users are automatically placed) have this right, so you can skip this step unless you've removed the user from the Users group.

Next, grant the user remote access to the registry. Windows restricts remote registry access to the users and groups listed in the ACL of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg subkey, and by default that ACL lists only Administrators, Backup Operators, and LOCAL SERVICE, not the Users group. Use regedit to grant the user Read (and nothing more) on winreg; because this key is the gatekeeper for every remote registry connection to the server, a Full Control grant here would let the user rewrite the server’s configuration over the network.

However, being listed in the winreg ACL doesn’t give the user access to the entire registry, because he's still governed by each registry subkey’s ACL. To let the user read the performance counter definitions, use regedit to grant him Read access to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib, applied to the key and its subkeys. The user should now be able to load the Reliability and Performance Monitoring snap-in on his local computer and begin monitoring performance counters on your server. On Windows Server 2003 and later, the built-in Performance Monitor Users group exists for exactly this purpose: its members can read performance counter data locally and remotely, so adding the user to that group is easier to audit than a set of per-user ACEs scattered across servers.
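The three steps above, scripted for an elevated PowerShell session on the server being monitored. This is an added example, not code from the original column: the account name and the server name are assumed placeholders, and the script grants exactly the regedit "Read" permission (ReadKey) on both keys, then checks that no broader ACE slipped in and that the account is covered by the Access this computer from the network right.

```powershell
# Added example, not from the original column. Run in an elevated PowerShell session on
# the server that will be monitored. $Account is an assumed placeholder; replace it.
param(
    [string]$Account = 'CONTOSO\perfmon.reader'
)

$identity = [System.Security.Principal.NTAccount]$Account

# Regedit's "Read" permission: QueryValues + EnumerateSubKeys + Notify + ReadPermissions.
$readOnly = [System.Security.AccessControl.RegistryRights]::ReadKey

# The two keys the column has you edit: the remote-registry gatekeeper and the
# performance counter definitions.
$winreg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$perflib = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib'

function Grant-RegistryRead {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    # Allow ACE for this key and its subkeys, limited to read rights.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $identity,
        $readOnly,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-RegistryReadOnly {
    # $true when the account has an Allow ACE on the key granting exactly ReadKey;
    # $false if the ACE is missing or grants more (for example an accidental Full Control).
    param([Parameter(Mandatory)][string]$Path)
    $aces = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $identity.Value -and
        $_.AccessControlType -eq 'Allow'
    }
    if (-not $aces) { return $false }
    return -not [bool]($aces | Where-Object { $_.RegistryRights -ne $readOnly })
}

function Test-NetworkLogonRight {
    # Exports the local user-rights policy with secedit and reports whether the account's
    # own SID or the built-in Users group (S-1-5-32-545, granted by default) appears in
    # SeNetworkLogonRight. Other groups the user belongs to are not expanded here.
    $inf = Join-Path $env:TEMP 'secpol-userrights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $inf | Where-Object { $_ -match '^SeNetworkLogonRight' } |
        Select-Object -First 1
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    $sid = $identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
    return ($line -match [regex]::Escape("*$sid")) -or ($line -match '\*S-1-5-32-545')
}

Grant-RegistryRead -Path $winreg
Grant-RegistryRead -Path $perflib

foreach ($key in $winreg, $perflib) {
    '{0}: read-only ACE present = {1}' -f $key, (Test-RegistryReadOnly -Path $key)
}
'SeNetworkLogonRight covers the account or the Users group: {0}' -f (Test-NetworkLogonRight)

# From the user's own workstation, running as that user, confirm the grant took effect
# ('SERVER01' is an assumed server name). If this fails with the ACLs in place, check
# that the Remote Registry service is running on the server and not blocked by a firewall.
Get-Counter -ComputerName 'SERVER01' -Counter '\Processor(_Total)\% Processor Time' `
    -SampleInterval 1 -MaxSamples 3
```

Test-RegistryReadOnly is deliberately strict: it reports failure if any Allow ACE for the account carries rights other than ReadKey, because the winreg key decides who may open the server's registry remotely at all, and over-granting there undoes the least-privilege goal of the whole procedure.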
