# _general
a
Issues with registry permissions protecting specific values? No problem, copy reg.exe to reg1.exe and voilà
😬 1
❤️ 1
🙃 5
😂 3
🫣 1
j
It's awful coding from Microsoft to allow that.
s
I'm trying to wrap my head around, why this actually works. Can someone explain?
j
If I didn't know better, I'd say the permissions only apply when reg.exe or regedit.exe is doing the executing. Great argument for AppLocker. Hopefully Microsoft get this addressed
FWIW I can't recreate this. Reg1.exe just hangs forever
a
To clarify here - permissions isn’t the right term, this is just a protected value in this instance. Not sure why it’s a protected value - this one is for disabling widgets on the taskbar in HKCU.
j
Ah
a
Have you loaded the default user registry?
j
No, I just created a key in HKLM and stripped the permissions off it
So not what you were demonstrating. Registry permissions still work, which is great
a
It’s that reg value specifically
👍 1
j
This is typically how Microsoft do these things based on names of signed binaries: https://kolbi.cz/blog/2024/04/03/userchoice-protection-driver-ucpd-sys/ Christoph Kolbicz is a master of reversing and explaining this. So copying reg.exe to reg1.exe makes sense for what Aaron discovered here. But it's still crap coding from Microsoft to even allow this. If they managed this based on file hash, or something like that, it may stop this from happening.
👍🏻 1
l
Back in my AppSense days we copied reg.exe to do all kinds of tricks. To get it to work properly you need a matching reg1.exe.mui in the system32\en-us folder to go with reg1.exe.
j
Yeah, but with AppSense you could also block an exe based on file hash. So if you block Notepad.exe based on file hash, copying Notepad.exe to Notepad1.exe would not allow Notepad1.exe to run.
l
I'm not necessarily talking about AppSense but my experience working there. Reg.exe requires a corresponding reg.exe.mui. If you rename reg you need a renamed mui file.