7 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

 

  • Windows NT operating system

  • Windows 2000 operating system

  • Windows XP operating system

  • Windows XP Professional x64 Edition operating system

  • Windows Server 2003 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

  • Windows 10 operating system

  • Windows Server 2016 operating system

  • Windows Server operating system

  • Windows Server 2019 operating system

  • Windows Server 2022 operating system

  • Windows 11 operating system

  • Windows Server 2025 operating system

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 2.1.1: The UUID for the Windows registry interface is "338CD001-2244-31F1-AAAA-900038001003".

The version for this interface is "1.0".

<2> Section 2.1.1: Windows Remote Registry Protocol server specifies "ncacn_np" as the RPC protocol to the RPC implementation [MS-RPCE].

<3> Section 2.1.2: Windows Remote Registry Protocol clients use one of the following RPC protocol sequences in the following order. The protocol sequence used depends on the configuration and implementation of the server.

  1.  ncacn_np

  2.  ncacn_spx

  3.  ncacn_ip_tcp

  4.  ncacn_nb_nb

  5.  ncacn_nb_tcp

  6.  ncacn_nb_ipx

By default, Windows 7 and later and Windows Server 2008 and later, with [MSFT-CVE-2024-43532], will only attempt to use the ncacn_np RPC protocol sequence.

Windows 7 and later and Windows Server 2008 and later, with [MSFT-CVE-2024-43532], will read a DWORD value “TransportFallbackPolicy” from the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoteRegistryClient”.

The value is set to one of the following:

  • 0 – NONE – The remote registry client may try each of the protocol sequences listed above in that order.

  • 1 – DEFAULT – The remote registry client will try to use ncacn_np but may fall back on other transports if the caller specifically requests that behavior.

  • 2 – STRICT – The remote registry client will only try to use ncacn_np.

  • If the value does not exist or is not one of those listed above, the remote registry client will use the DEFAULT policy.

<4> Section 2.1.2: Except in Windows 2000, Windows XP, and Windows Server 2003 prior to Windows Server 2003 operating system with Service Pack 1 (SP1), the following behavior applies when using ncacn_np as the RPC protocol sequence: the client first attempts to use an authentication level of "Packet Privacy" and the Authentication Service "Simple and Protected GSS-API Negotiation Mechanism". If this fails, the client retries by using an authentication level of "Connection" and the "Simple and Protected GSS-API Negotiation Mechanism" Authentication Service.

Additionally, Windows 7 and later and Windows Server 2008 and later, with [MSFT-CVE-2024-43532], will read a DWORD value “SecureModePolicy” from the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoteRegistryClient”.

The value is set to one of the following:

  • 0 – NONE – The remote registry client maintains the same behavior as listed above where it will fall back on Connection security if Packet Privacy fails.

  • 1 – DEFAULT – Same behavior as NONE.

  • 2 – STRICT – If the connection with packet privacy fails the remote registry client will not attempt to fall back on a less secure connection.

  • If the value does not exist or is not one of those listed above, the remote registry client will use the DEFAULT policy.

<5> Section 2.2.3: The KEY_WOW64_32KEY and KEY_WOW_64_64KEY rights do not apply to Windows 2000 and Windows XP (except Windows XP 64-Bit Edition operating system).

<6> Section 3.1.1.4: Requests to operate on the 32-bit registry namespace are ignored for the following paths on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HCP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Current

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\Readers

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software\Microsoft\Shared Tools\MSInfo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TermServLicensing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Transaction Server

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDpi

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Locations

HKEY_LOCAL_MACHINE\SOFTWARE\Policies

HKEY_CURRENT_USER\SOFTWARE (except for the following subtree:

            HKEY_CURRENT_USER\SOFTWARE\Classes

In addition to the paths listed above, requests to operate on the 32-bit registry namespace are ignored for the following paths on Windows 7 and Windows Server 2008 R2:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes except for the following subtrees:

            HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID

            HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DirectShow

            HKEY_LOCAL_MACHINE\SOFTWARE\Interface

            HKEY_LOCAL_MACHINE\SOFTWARE\Media Type

            HKEY_LOCAL_MACHINE\SOFTWARE\MediaFoundation

HKEY_LOCAL_MACHINE\SOFTWARE\Appid

HKEY_LOCAL_MACHINE\SOFTWARE\Clients

HKEY_LOCAL_MACHINE\Software\Microsoft\COM3

HKEY_LOCAL_MACHINE\Software\Microsoft\EventSystem

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Notepad\DefaultFonts

HKEY_LOCAL_MACHINE\Software\Microsoft\Ole

HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriverIcons

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Gre_Initialize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Language Pack

HKEY_CURRENT_USER\SOFTWARE\Classes except for the following subtrees:

            HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID

            HKEY_CURRENT_USER\SOFTWARE\Classes\DirectShow

            HKEY_CURRENT_USER\SOFTWARE\Classes\Interface

            HKEY_CURRENT_USER\SOFTWARE\Classes\Media Type

            HKEY_CURRENT_USER\SOFTWARE\Classes\MediaFoundation

In addition to the paths listed above, requests to operate on the 32-bit registry namespace are ignored for the following paths on Windows 8, Windows Server 2012 operating system, Windows 8.1, and Windows Server 2012 R2 operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder

In addition to the paths listed above, requests to operate on the 32-bit registry namespace are ignored for the following paths on Windows 10 v1507 operating system and Windows 10 v1511 operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Phone

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pim

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Poom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ras

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shell

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Unified Store

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UserData

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Theme

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\ThemeVolatile

In addition to the paths listed above, requests to operate on the 32-bit registry namespace are ignored for the following paths on Windows 10 v1607 operating system and Windows 10 v1703 operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cellular

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DeviceReg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FingerKB

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FuzzyDS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Messaging

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MTF

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MTFFuzzyFactors

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MTFInputType

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MTFKeyboardMappings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Semgr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\XAML

In addition to the paths listed above, requests to operate on the 32-bit registry namespace are ignored for the following paths on Windows Server operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Parental Controls

In addition to the paths listed above, requests to operate on the 32-bit registry namespace are ignored for the following path on Windows Server v1803 operating system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\LanguageOverlay

In addition to the paths listed above, requests to operate on the 32-bit registry namespace are ignored for the following path on Windows Server v1903 operating system and Windows 10 v1903 operating system and later:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Containers

In addition to the paths listed above, requests to operate on the 32-bit registry namespace are ignored for the following path on Windows Server v2004 operating system and Windows 10 v2004 operating system and later:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\HvSocket

<7> Section 3.1.1.4: On 64-bit systems, Windows supports both 32-bit and 64-bit key namespaces and maintains a separate set of keys for 32-bit and 64-bit applications.

<8> Section 3.1.1.4: Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 do not return an error because they assume that the client is requesting access to a key in the 64-bit key namespace.

<9> Section 3.1.1.4: Updates to the following keys are copied from the 32-bit view to the 64-bit view and from the 64-bit view to the 32-bit view on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes except for the following subtree:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HCP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RPC

HKEY_CURRENT_USER\SOFTWARE\Classes

<10> Section 3.1.1.4: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 postpone the copy until the handle to the key is closed.

<11> Section 3.1.1.11: Applicable Windows Server releases limit the maximum symbolic link chain depth to 64.

<12> Section 3.1.5: In Windows, remote access is controlled by two keys, winreg and AllowedPaths. The winreg key specifies groups and users with remote access while the AllowedPaths key allows some users, groups, services, and machines to bypass the winreg key restrictions for the specified paths. The keys have the following locations under HKEY_LOCAL_MACHINE.

 \SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
 \SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths

Except in the following Windows releases, only members of the Administrators Group have remote access to the registry by default:

  • On Windows XP, members of the Administrators Group have remote read access. On the Windows XP Professional operating system, members of the Backup Operators Group also have remote read access.

  • On the Windows NT 3.51 operating system, any user has remote read access to the registry.

To override the default remote registry settings, the \SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key has a single value of type "REG_SZ" named "Description" with value "Registry Server". The security descriptor for the \SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key configures remote access for individual users and groups. For example, if the group "Domain Administrators" is allowed remote access to the registry, then the security descriptor on the \SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key contains an access control entry (ACE, [MS-DTYP] section 2.4.4) granting permissions to the "Domain Administrators" group.

The \SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths key specifies registry key paths under the HKEY_LOCAL_MACHINE key to which remote access will be granted, regardless of security descriptor policies for the \SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key. FQNs for which access is granted are specified in a value named "Machine" of type "REG_MULTI_SZ" with value data containing the name of those paths allowed. For example, to allow access to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers, "SYSTEM\CurrentControlSet\Control\Print\Printers" is added to the Machine value data.

Note Even if an FQN is specified in the "Machine" value, access will be granted only if the client is allowed access according to the security descriptor of the accessed key as described in 3.1.1.10.

<13> Section 3.1.5.1: The 64-bit editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 do not return ERROR_INVALID_PARAMETER when both the KEY_WOW64_64KEY and KEY_WOW64_32KEY are set in the samDesired parameter. These Windows releases assume the client is requesting access to a key in the 64-bit key namespace.

<14> Section 3.1.5.3: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 do not return ERROR_INVALID_PARAMETER when both the KEY_WOW64_64KEY and KEY_WOW64_32KEY are set in the samDesired parameter. These releases of Windows assume the client is requesting access to a key in the 64-bit key namespace.

<15> Section 3.1.5.4: Applicable Windows Server releases do not use the security descriptor associated with the HKEY_PERFORMANCE_DATA key and instead use the security descriptor that is associated with the key HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PERFLIB.

<16> Section 3.1.5.7: All applicable Windows Server releases check whether lpClass is equal to NULL and return ERROR_INVALID_PARAMETER as a defense against malicious clients that bypass the RPC infrastructure even though this situation is forbidden by the RPC specification and cannot occur through normal operation.

<17> Section 3.1.5.7: The 64-bit editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 do not return ERROR_INVALID_PARAMETER when both the KEY_WOW64_64KEY and KEY_WOW64_32KEY are set in the samDesired parameter. These releases of Windows assume that the client is requesting access to a key in the 64-bit key namespace.

<18> Section 3.1.5.9: All applicable Windows Server releases check whether lpValueName is equal to NULL and return ERROR_INVALID_PARAMETER as a defense against malicious clients that bypass the RPC infrastructure even though this situation is forbidden by the RPC specification and cannot occur through normal operation.

<19> Section 3.1.5.15: A single registry key can be opened only 65,534 times (18,446,744,073,709,551,615 on Windows Server 2003 operating system with Service Pack 2 (SP2), Windows Vista, and Windows Server 2008). When attempting the 65535th (18,446,744,073,709,551,616th on Windows Server 2003 SP2, Windows Vista, and Windows Server 2008) open operation, this function fails with ERROR_NO_SYSTEM_RESOURCES.

<20> Section 3.1.5.15: Windows XP, Windows Server 2003, Windows Server 2008, and Windows Vista do not return ERROR_INVALID_PARAMETER when both KEY_WOW64_64KEY and KEY_WOW64_32KEY are set in the samDesired parameter. These releases of Windows assume the client is requesting access to a key in the 64-bit key namespace.

<21> Section 3.1.5.17: If the lpData buffer size, as indicated by the client in the lpcbData parameter, is too small for the requested information, Windows Remote Registry servers will set the lpData parameter to NULL and return the size of the value, in bytes, in the lpcbData parameter.

<22> Section 3.1.5.18: Windows file names can be up to 255 characters long and for Windows registry server methods are specified as full file paths relative to the registry server instance. For example, to specify the "regfile.reg" file in the "C:\testfiles" directory on the C: volume of the registry server, the file name is specified as "C:\testfiles\regfile.reg". For more information, see [WININTERNALS].

<23> Section 3.1.5.18: Windows registry servers require the files referred to by lpNewFile and lpOldFile to be located on the same disk volume as the OS instance hosting the registry server (for example, "boot disk"). If this condition is not met, the method fails with ERROR_NOT_SAME_DEVICE (0x11).

<24> Section 3.1.5.19: Windows file names can be up to 255 characters long and for registry server methods are specified as full file paths relative to the registry server instance. For example, to specify the "regfile.reg" file in the "C:\testfiles" directory on the C: volume of the registry server, the file name is specified as "C:\testfiles\regfile.reg". For more information, see [WININTERNALS].

<25> Section 3.1.5.19: For Windows NT, this value is not supported.

<26> Section 3.1.5.20: Windows file names can be up to 255 characters long and for registry server methods MUST be specified as full file paths relative to the registry server instance. For example, to specify the "regfile.reg" file in the "C:\testfiles" directory on the C: volume of the registry server, the file name is specified as "C:\testfiles\regfile.reg". For more information, see [WININTERNALS].

<27> Section 3.1.5.24: Itanium-based and x64-based releases of Windows Server 2003 with SP1, Windows Vista, and Windows Server 2008 return 6 to denote the 64-bit version of the registry. In addition, Windows XP 64-Bit Edition also returns 6 to denote the 64-bit version of the registry.

All other x86 and Itanium-based releases of Windows return 5.