VSE 8.x uses both standard Microsoft registry acronyms and VSE-specific acronyms for Access Protection rules. See the tables below for an explanation of the available acronyms and which registry hives and keys they represent.
Standard Abbreviations

| Registry Hive Name | Standard Abbreviation |
|---|---|
| HKEY_LOCAL_MACHINE | HKLM |
| HKEY_CURRENT_USER | HKCU |
| HKEY_CLASSES_ROOT | HKCR |
| HKEY_USERS | HKU |
Access Protection abbreviations

| Access Protection Abbreviation | Notes |
|---|---|
| HKALL | Combines HKLM and HKU |
| HKCU | Matches all USER registry keys, not just CURRENT_USER |
| HKCR | Matches system classes and all user classes (HKU/*_CLASSES) |
| HKCCS | Matches all Control Sets under HKLM/SYSTEM (CurrentControlSet and all others) |
| HKULM | Combines HKLM and HKCU |
Examples of AP rule definitions and use:
Scenario 1 - Block a Key from being created under HKLM\Software.

Tests:
- Create the Access Protection rule:
  - Log on to the VSE Console.
  - Double-click Access Protection.
  - Under Categories select User Defined Rules.
  - Click New and select Registry Blocking Rule.
  - Type a rule name: HKLM\Software.
  - In processes to include, type a wildcard (asterisk): *
  - In the Registry key or value to protect drop-down list, select HKLM.
  - In the input field, type: Software\Test
  - In the Registry key or value to protect section, select Key.
  - In the Registry Actions to Block, select Create key or value.
- Access the registry and attempt to create a new value called Test:
  - Edit the registry and navigate to HKLM\Software.
  - Right-click on Software and click New, Key.
  - In the input field, type: Test

Result:
PASS. User is unable to create a key called \Test under HKLM\Software.

Tests:
Retest using wildcards. Edit the rule and change the input field to: \**\Test

Result:
PASS. User is unable to create a key called \Test anywhere under HKLM.
Scenario 2 - As above, the aim is to block a Key, but select HKALL, which refers to both HKLM and HKU.

Tests:
- Create the Access Protection rule:
  - Log on to the VSE Console.
  - Double-click Access Protection.
  - Under Categories, select User Defined Rules.
  - Click New and select Registry Blocking Rule.
  - Type a rule name: HKLM\Software.
  - In processes to include, type a wildcard (asterisk): *
  - In the Registry key or value to protect drop-down list, select HKALL.
  - In the input field, type: Software\Test
  - In the Registry key or value to protect section, select Key.
  - In the Registry Actions to Block, select Create key or value.
- Access the registry and attempt to create a new value called Test:
  - Edit the registry and navigate to HKLM\Software.
  - Right-click on Software and click New, Key.
  - In the input field, type: Test

Result:
PASS. User is unable to create a key called \Test under HKLM\Software.
INVALID: No such key exists under HKU.

Tests:
Retest using wildcards. Edit the rule and change the input field to: \**\Test

Result:
PASS. User is unable to create a key called \Test anywhere under HKLM.
PASS. User is unable to create a key called \Test anywhere under HKU.
Scenario 3 - Block a Value called Test from being created under HKLM.

Tests:
- Create the Access Protection rule:
  - Log on to the VSE Console.
  - Double-click Access Protection.
  - Under Categories, select User Defined Rules.
  - Click New and select Registry Blocking Rule.
  - Type a rule name: HKLM\Software.
  - In processes to include, type a wildcard (asterisk): *
  - In the Registry key or value to protect drop-down list, select HKLM.
  - In the input field, type: Software\Test
  - In the Registry key or value to protect section, select Value.
  - In the Registry Actions to Block, select Create key or value.
- Access the registry and attempt to create a new value called Test:
  - Edit the registry and navigate to HKLM\Software.
  - Right-click on Software and click New, Value.
  - In the input field, type: Test.

Result:
PASS. User is unable to create a Value called \Test under HKLM.

Tests:
Retest using wildcards. Edit the rule and change the input field to: \**\Test

Result:
PASS. User is unable to create a Value called \Test anywhere under HKLM.
Scenario 4 - As in Scenario 3, the aim is to block a Value called Test from being created, but for HKALL.

Tests:
- Create the Access Protection rule:
  - Log on to the VSE Console.
  - Double-click Access Protection.
  - Under Categories, select User Defined Rules.
  - Click New and select Registry Blocking Rule.
  - Type a rule name: HKLM\Software.
  - In processes to include, type a wildcard (asterisk): *
  - In the Registry key or value to protect drop-down list, select HKALL.
  - In the input field, type: Software\Test
  - In the Registry key or value to protect section, select Value.
  - In the Registry Actions to Block, select Create key or value.
- Access the registry and attempt to create a new value called Test:
  - Edit the registry and navigate to HKLM\Software.
  - Right-click on Software and click New, Value.
  - In the input field, type: Test.

Result:
PASS. Cannot create HKLM\Software\Test value.
INVALID. No such key exists under HKU.

Tests:
Retest using wildcards. Edit the rule and change the input field to: \**\Test

Result:
PASS. User is unable to create a Value called \Test anywhere under HKLM.
PASS. User is unable to create a Value called \Test anywhere under HKU.
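
The PASS and INVALID results in the scenarios above can be reproduced with a small model of how a rule's root abbreviation and input field combine into full key paths. This is an added example, not McAfee code or part of the original article. The ROOTS table, the wildcard semantics (`**` crosses key levels, `*` and `?` do not), the modelling of HKCU as one key level below HKU, and the sample SID are assumptions.

```python
import re

# Constructed model of the abbreviation table above; not McAfee's matcher.
# Each Access Protection root expands to one or more hive prefixes.
# Assumption: HKCU ("all USER keys") is modelled as HKU\<one key level>.
ROOTS = {
    "HKLM": ["HKLM"],
    "HKALL": ["HKLM", "HKU"],
    "HKCU": ["HKU\\*"],
    "HKULM": ["HKLM", "HKU\\*"],
}

# Assumed wildcard semantics: ** crosses backslashes, * and ? do not.
WILDCARDS = {"**": ".*", "*": r"[^\\]*", "?": r"[^\\]"}


def to_regex(glob):
    """Translate a rule path with wildcards into an anchored regex."""
    parts = re.split(r"(\*\*|\*|\?)", glob)
    body = "".join(WILDCARDS.get(p, re.escape(p)) for p in parts)
    return re.compile(body + r"\Z", re.IGNORECASE)  # registry paths ignore case


def covered_paths(root, rule_input):
    """Full path patterns a rule covers once its root is expanded."""
    tail = rule_input.lstrip("\\")
    return [prefix + "\\" + tail for prefix in ROOTS[root]]


def rule_matches(root, rule_input, key_path):
    """True if key_path falls under any expansion of the rule."""
    return any(to_regex(p).match(key_path) for p in covered_paths(root, rule_input))


# Constructed sample SID; real user hives sit one level below HKU.
USER_KEY = "HKU\\S-1-5-21-0-0-0-1001\\Software\\Test"

if __name__ == "__main__":
    for root, rule in [("HKALL", "Software\\Test"), ("HKALL", "\\**\\Test"),
                       ("HKCU", "Software\\Test")]:
        print(root, rule, covered_paths(root, rule),
              rule_matches(root, rule, USER_KEY))
```

In this model, HKALL with `Software\Test` expands to `HKU\Software\Test`, which no per-user key matches; that corresponds to the INVALID rows in Scenarios 2 and 4, while `\**\Test` or the HKCU root does reach the per-user key.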