IRONSMITHINTEL
Severity: HIGH
Auth: network user (for exploitation) | Reboot: not required | Est. 5 minutes | Manual only

Disable the Remote Registry Service to Prevent Remote Registry Enumeration and Modification

The Remote Registry service allows any authenticated user to connect to the Windows registry over the network — disabling it removes a reconnaissance and persistence vector.

Published May 7, 2026
Why patch: Risk explained in plain English
Worst-case scenario (if unpatched)

An attacker with any valid domain credentials can connect to the Remote Registry service and enumerate registry keys to discover security configurations, software inventory, and potential privilege escalation paths. Certain lateral movement techniques write persistence mechanisms directly to the registry remotely.

How the attack works

The Remote Registry service (RemoteRegistry) allows authenticated remote connections to read and write the Windows registry over the network. Attackers use it during reconnaissance to enumerate installed software, security configurations, and service accounts. Lateral movement tools use Remote Registry to deploy malware by writing service entries or scheduled task configurations.

Am I affected? Quick check

Probably yes if any of these apply:

All Windows Servers where no management tool requires remote registry access
Remote Registry service running, or with its start type set to Manual or Automatic

Affected OS versions

Windows Server 2016, Windows Server 2019, Windows Server 2022
Fixed in: Remote Registry service disabled
Real-world incidents: What we've seen

Remote Registry is used by many legitimate management tools (SCCM, some monitoring agents) but also by attacker toolkits. If your environment doesn't have software that requires it, disabling it removes the service with no operational impact.

How to patch

Manual remediation steps

5 minutes

Check Remote Registry Status

Get-Service -Name RemoteRegistry | Select-Object Name, Status, StartType

Disable Remote Registry

Stop-Service -Name RemoteRegistry -Force -ErrorAction SilentlyContinue
Set-Service -Name RemoteRegistry -StartupType Disabled

Verification

Get-Service -Name RemoteRegistry | Select-Object Name, Status, StartType
# Status = Stopped, StartType = Disabled
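The three steps above (check, disable, verify) combined into one fleet-wide audit-or-remediate function. This is an added example, not the page's own script: it assumes WinRM is enabled on the targets, that the caller has local administrator rights there, and the host names srv01/srv02 are placeholders.

```powershell
# Added example: audit (and optionally disable) the Remote Registry service on
# one or more servers, returning a before/after compliance record per host.
# Assumes WinRM access and local admin rights on each target.
function Invoke-RemoteRegistryHardening {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [switch] $AuditOnly   # report only; make no changes
    )

    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue `
        -ArgumentList $AuditOnly.IsPresent -ScriptBlock {
        param([bool] $Audit)

        $before = Get-Service -Name RemoteRegistry -ErrorAction Stop
        # The service's Start value mirrors StartType: 2 = Automatic, 3 = Manual, 4 = Disabled
        $regStart = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry' -Name Start).Start

        $needsFix = ($before.Status -ne 'Stopped' -or $before.StartType -ne 'Disabled')
        if ($needsFix -and -not $Audit) {
            Stop-Service -Name RemoteRegistry -Force -ErrorAction SilentlyContinue
            Set-Service  -Name RemoteRegistry -StartupType Disabled
        }

        $after = Get-Service -Name RemoteRegistry
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Before        = "$($before.Status)/$($before.StartType) (Start=$regStart)"
            After         = "$($after.Status)/$($after.StartType)"
            Compliant     = ($after.Status -eq 'Stopped' -and $after.StartType -eq 'Disabled')
            ChangedByThis = ($needsFix -and -not $Audit)
        }
    } | Select-Object Computer, Before, After, Compliant, ChangedByThis
}

# Audit first so you can confirm no management tool still depends on the service,
# then remediate the non-compliant hosts.
Invoke-RemoteRegistryHardening -ComputerName 'srv01', 'srv02' -AuditOnly | Format-Table -AutoSize
Invoke-RemoteRegistryHardening -ComputerName 'srv01', 'srv02' | Format-Table -AutoSize
```

Hosts that fail to connect over WinRM are reported by Invoke-Command as errors rather than as rows, so an absent host in the output means "unreachable", not "compliant".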

Notes

1. Verify no management tools (SCCM, monitoring agents) require Remote Registry before disabling
2. Some Group Policy processing can briefly start Remote Registry — this is normal
3. Can be deployed via Group Policy: Computer Configuration → Windows Settings → Security Settings → System Services
PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.