I introduced winreg in tip 277.
When a users connects over the network to the registry on a Windows NT computer, the Server Service on the target computer checks for the existence of the winreg key. If winreg is not present, the connection is allowed. If winreg exists, the ACL on winreg is checked for read or write access, either of which will allow the connection.
Once the connection is made, normal registry key permissions govern the users abilities.