System & network administration  

Understanding WinVNC registry settings

This article will try to explain how registry settings are working with WinVNC servers, in particular the overriding method used between all keys and values.

There are 4 different settings type:

  • Machine specific settings (MSS)
  • Default user settings (DUS)
  • Per-user settings (PUS)
  • Global per-user settings (GPUS)

These settings are located under the following registry path:

  • HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\Default
  • HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\<username>

* Please note that HKEY_CURRENT_USER registry hive is not accessible from remote. HKEY_LOCAL_MACHINE is usually accessible from remote by an administrator account (domain or local admin).

WinVNC is using an overriding method to load the parameters from the registry as explained in the following table:

Settings type Override by DUS Override by PUS Override by GPUS
MSS No No No
DUS - Yes Yes
PUS - - Yes
GPUS - - -

MSS settings can't be override by any user settings.

There are also some settings that may be found only under the MSS section:

AllowEditClients (REG_DWORD value)
AllowLoopback (REG_DWORD value)
AuthHosts (REG_SZ value)
AuthRequired (REG_DWORD value)
ConnectPriority (REG_DWORD value)
DebugLevel (REG_DWORD value)
DebugMode (REG_DWORD value)
LoobackOnly (REG_DWORD value)

These settings can be easily changed from a remote administrator workstation and if correctly protected a local user will not be able to change them, they are controlling the way VNC server will globally work.

Now if we look to the user specific settings we can see that the local user may completely change the way a WinVNC server will work. The HKEY_CURRENT_USER hive is only accessible from the local console, so if a user add some registry values under the HKEY_CURRENT_USER\Software\ORL\WinVNC3 key an administrator may completely loose control of the WinVNC server...

You can prevent the end-user to use the GPUS settings, just set the AllowProperties value to 0 (zero), you can also avoid the user to stop the server by setting AllowShutdown value to 0 (zero).

These two following values may be used only in the DUS and PUS sections:

AllowProperties (REG_DWORD value)
AllowShutdown (REG_DWORD value)

Remember that all the other registry values, including the password can be overridden from the DUS to the GPUS sections.

© 1998-2006