Skip to main content
Question

Can BT EPM for Windows control registry modifications within endpoints?

  • October 28, 2025
  • 3 replies
  • 41 views
B

We have a requirement in our environment wherein we want to restrict users from modifying certain registry keys/ hives. We want to know:

  1. whether we can enforce this using EPM policies or do we need to use group policies for this?
  1. Will EPM Policy be able to block users from modifying registry values within their respective endpoints?
  2. Can Avecto Defendpoint Service identify such events related to registry modifications i.e. will we see event logs (in Event Viewer and BT EPM cloud console) related to every unique registry key/ hive?

3 replies

J
Forum|alt.badge.img+4
  • Jens Hansen
  • Veteran
  • 162 replies
  • October 28, 2025

The EPM client as so can’t prevent user from tampering with the registry settings unless we blocks the apps that allows them to do so. This is of course only valid for HKCU were admin rights are not required.

Then it becomes more complicated as many apps query the registry in the context of a user, so an exception now we have to distinguish between the legit action and non-legit for our rules.

Once we have that information it becomes possible to some extent, but not flawless.

Think of the tools for tampering the registry
Command line tools, Reg.reg regedit.exe etc.
Reg files *.reg

These can all be controlled, but becomes complicated very fast.

Jens

J
Forum|alt.badge.img+4
  • Jens Hansen
  • Veteran
  • 162 replies
  • October 29, 2025

We don’t have to worry about the location that require Admin rights.
Then I see two options, you can audit anything that has a possibility to write, change, alter in the registry.

sample for reg.exe
reg add "HKCU\Software\MyApp" /v "Data" /t REG_BINARY /d "01020304" /f

  REG QUERY /?
  REG ADD /?
  REG DELETE /?
  REG COPY /?
  REG SAVE /?
  REG RESTORE /?
  REG LOAD /?
  REG UNLOAD /?
  REG COMPARE /?
  REG EXPORT /?
  REG IMPORT /?
  REG FLAGS /?

 

Regedit 
regedit /s "C:\path\to\your\file.reg"

Or block users from running regedit.exe as they can always load it and make changes that is not visible when altering things directly in the registry.

I suggest using a Audit rule scripts (Powershell, js) for when a Reg file is executed and copy it to share to for analyzing it.

 

Please note the Quickstart Policy does have some default issues with HostedFile types, that renders you unable to pickup the meta data on a Reg file, it comes with to analytics as reg.exe and the commandline instead.

This can be fixed with a few changes in the policy.

Paul
BeyondTrust Employee
  • Paul
  • BeyondTrust Employee
  • 41 replies
  • November 6, 2025

Hey ​@Binoy_Dey,

Are you trying to prevent the user from modifying something they would normally have access to (e.g., something in their HKCU hive), or are you elevating their access to the registry (e.g., adding admin rights to Regedit.exe) - but want to prevent the user from modifying certain areas? 

There are some approaches you can use and some product features which may apply, but whether they can be used and how to implement them would be determined by your use-case. 

BR,
Paul.


Badge Earners

  • BCA: Password Safe
    Nthabihas earned the badge BCA: Password Safe
  • BCA: Password Safe
    Anas DSShieldhas earned the badge BCA: Password Safe
  • BCA: AD Bridge
    mcencienzohas earned the badge BCA: AD Bridge
  • BCSE: Privileged Remote Access
    ptseculoniahas earned the badge BCSE: Privileged Remote Access
  • 1 Courses Completed - Privilege Remote Access
    Brauhas earned the badge 1 Courses Completed - Privilege Remote Access
Show all badges
Terms & ConditionsCookie settingsAccessibility statement