I use a program that behaves in a way I don't quite like. It can write to the registry even if it is run under a user which has no administrator privileges. I don't believe there is anything else I can describe so, how can I restrict a program to call API functions that are tied with registry keys/strings editing? Are there widely accepted methods out there to help me achieve my goal? Is the answer to my question poorly documented or is it something I could have found on Microsoft's website with just a few clicks?
2 Answers
The program will surely malfunction if denied access to its registry keys.
If you do not trust this program, isolate it from your registry by using Sandboxie:
Sandboxie uses isolation technology to separate programs from your underlying operating system preventing unwanted changes from happening to your personal data, programs and applications that rest safely on your hard drive.
The program can this way modify anything it wants, but Sandboxie redirects all modifications so as not to affect the rest of the system.
How can I restrict a program to call API functions that are tied with registry keys/strings editing?
The Windows security model is designed to handle this very scenario. Every Registry key has an Access Control List (ACL) that specifies trustees (e.g. user account) and the actions they're allowed to take (e.g. read) on the key.
To leverage this to restrict your application, create a non-administrator user account and always run the application in the context of that user. You can use Windows Run As Another User capability to execute the application in this manner without having to actually log on with the restricted account.
By default standard users only have Read access to the system-wide portions of the Registry such as the HKLM branch and can only make changes to their own account's HKCU branch.
If you wish to further limit the account's Registry permissions, you should modify the appropriate branches of the Registry to specify the permissions desired for the user account. You can use Microsoft's Process Monitor to see which Registry paths it's accessing and that may require modified permissions.
It's worth keeping in mind that almost all Windows applications need access to the Registry for proper operation. Wholesale blocking such access is likely to prevent a program from performing its intended function.
More Information:
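One way to apply the per-key ACL approach described in the second answer, as an added example that is not part of either answer: the script lists which trustees may currently modify a key, then adds an explicit Deny entry for the restricted account. The key path and account name are placeholders.

```powershell
# Added example. $KeyPath and $Account are placeholders: substitute the key
# Process Monitor shows the program writing to and your restricted account.
# Changing an HKLM key's ACL requires an elevated PowerShell session.
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp',
    [string]$Account = "$env:COMPUTERNAME\restricted_app",
    [switch]$Apply   # without -Apply the script only reports
)

# Deny only the modifying rights. The composite WriteKey right also contains
# ReadPermissions, and denying that would break ordinary read-only opens.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'

$acl = Get-Acl -Path $KeyPath

# 1. Audit: which trustees are currently allowed to modify this key?
Write-Output "Allow entries with write rights on ${KeyPath}:"
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   (([int]$_.RegistryRights) -band ([int]$writeRights)) -ne 0 } |
    Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize

# 2. Build an explicit Deny entry for the restricted account. ContainerInherit
#    makes it apply to subkeys as well; AddAccessRule keeps Deny entries ahead
#    of Allow entries, so it wins over any group-level Allow.
$deny = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $Account,
    $writeRights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny
)
$acl.AddAccessRule($deny)

if ($Apply) {
    Set-Acl -Path $KeyPath -AclObject $acl
    Write-Output "Deny rule for $Account applied to $KeyPath"
} else {
    Write-Output "Dry run: would add Deny [$writeRights] for $Account (rerun with -Apply)"
}
```

After applying the rule, rerun the program under the restricted account with Process Monitor capturing; blocked writes to the key show up with an ACCESS DENIED result.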