# Set Internet Options via the registry

I ran into a situation where I needed to remotely set the values in a user’s Internet Options control panel. With all the problems with SSL 2.0 and SSL 3.0 lately, we’ve pushed out configurations to block them. Some of our users have reported problems connecting to business-critical websites which aren’t working with our settings. So I need to remotely check the SSL 3.0 box for them.

To get this done I had two problems:

• What values do I need to store in the registry?
• Where do I store them?

# First, find the keys.

I fired up procmon from Sysinternals and opened up my Internet Options control panel. With some trial and error I was able to narrow the settings I needed to change. The process is to change the settings in my UI (remember to click apply!) and watch the registry changes in procmon. In case you’re looking for exactly the same thing I am, changing the SSL/TLS settings, here’s the key you need:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols

And here are the values you need:

| SSL/TLS Version | Decimal | Hexadecimal |
|-----------------|---------|-------------|
| SSL 2.0         | 8       | 0x8         |
| SSL 3.0         | 32      | 0x20        |
| TLS 1.0         | 128     | 0x80        |
| TLS 1.1         | 512     | 0x200       |
| TLS 1.2         | 2048    | 0x800       |

This is a bitfield. To get the correct value, you just add up the options you want and then store that value in the registry.

I needed to have SSL 3.0, TLS 1.0, and TLS 1.1 enabled.
$\begin{array}{c} \phantom{+9}32\\ \phantom{+}128\\ \underline{+512}\\ \phantom{+}672\end{array}$

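When you store the result in the registry, make sure you enter it in the expected format. Regedit's DWORD editor lets you choose between a hexadecimal and a decimal base, and decimal 672 is hexadecimal 0x2A0.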

# Second, figure out where to store the values.

Now, just open up the remote registry and find HKEY_CURRENT_USER and rock and roll!

Okay, going to have to pull some teeth here. The issue is that there really isn’t a HKEY_CURRENT_USER hive. When a user logs on, Windows maps their HKEY_USERS hive onto the HKCU hive. It makes things so much easier. Since we’re not logged on to this system as that user, we don’t get the easy version.

If your users generally have one PC each, you will probably see several short SIDs and a pair of long ones under HKEY_USERS. The long one without “_classes” on the end is your user’s SID. But you can get a user’s SID via PowerShell to be 100% sure.

So in my case, I’ll need to use HKEY_USERS\S-1-5-21-776511741-573735546-682002230-13423.

# Put it all together.

Almost done, I swear. In regedit I connected to the remote computer then browsed to the right user’s HKEY_USERS key (that long SID we found earlier). I browsed to the key I found earlier, Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols. Finally, I set the value I calculated, 672 (decimal).

Sites are fixing their SSL settings as fast as they can, so don’t just set something like this and forget it. Periodically test the sites your users require to see if they work with SSL 2.0 and SSL 3.0 disabled. Once they do, you can undo your changes.
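
The procedure above, scripted in PowerShell as an added example (not code from the original post): it builds the bitfield from the table, resolves the account to its SID, and writes SecureProtocols under that user's HKEY_USERS key on the remote machine. The computer name and account are placeholders, and the function names are made up for this example.

```powershell
# Added example. Bit values are the ones from the table in the post.
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 8; 'SSL 3.0' = 32; 'TLS 1.0' = 128; 'TLS 1.1' = 512; 'TLS 1.2' = 2048
}
$SubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Build the bitfield by OR-ing the bits of every protocol to enable.
function ConvertTo-SecureProtocols([string[]]$Enable) {
    $value = 0
    foreach ($name in $Enable) {
        if (-not $ProtocolBits.Contains($name)) { throw "Unknown protocol: $name" }
        $value = $value -bor $ProtocolBits[$name]
    }
    $value
}

# Decode a stored value back into protocol names, for auditing.
function ConvertFrom-SecureProtocols([int]$Value) {
    @($ProtocolBits.Keys | Where-Object { $Value -band $ProtocolBits[$_] })
}

# Resolve DOMAIN\user to its SID instead of guessing from the HKEY_USERS list.
function Get-UserSid([string]$Account) {
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Write SecureProtocols into the user's hive on a remote machine.
function Set-RemoteSecureProtocols([string]$Computer, [string]$Account, [string[]]$Enable) {
    $sid  = Get-UserSid $Account
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::Users, $Computer)
    try {
        $key = $hive.OpenSubKey("$sid\$SubKey", $true)   # $true = open writable
        if ($null -eq $key) { throw "Hive for $Account ($sid) is not loaded on $Computer" }
        $old = $key.GetValue('SecureProtocols', 0)       # 0 if the value is absent
        $new = ConvertTo-SecureProtocols $Enable
        $key.SetValue('SecureProtocols', $new, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
        [pscustomobject]@{ Sid = $sid; Before = ConvertFrom-SecureProtocols $old
                           After = ConvertFrom-SecureProtocols $new; Value = $new }
    } finally { $hive.Close() }
}

# Placeholder computer and account; the protocol set is the one used in the post.
Set-RemoteSecureProtocols -Computer 'PC-PLACEHOLDER' -Account 'EXAMPLE\placeholder.user' `
    -Enable 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
```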

• Ethan Juengerman

This is great. I had to write a PowerShell program to enable only TLS 1.1 and 1.2 and this made it all so much easier. Exactly what I needed.

• Well, this tutorial to set up the internet via registry will help the users to set up their own internet connection by themselves and without taking help from anywhere.