How to get access rights in a policy to actually work? (registry blocks)

I’m trying to see if I can block an application from creating a registry key. This one is a shell extension that shows up when I right-click on the desktop and select the New submenu. I don’t care about their document type and don’t want to see it listed as an option to select what type of new document that I’ll be creating. I will only use their program when loaded to load their files.

I can go into the following key to delete their entry:


So I go into CFP v3 under Defense+, Advanced, Computer Security Policy. Then I get the joy of scrolling through hundreds of entries (several times back and forth) trying to find the one for their executable. Once I find it, I edit its Custom policy. I select to see its Access Rights. Under “Protected Registry Keys” (set to Ask), I modify it to block any entries under:


The * was added by CFP when I browsed their tree to that key. Seems it should be …\Classes* but that’s their choice for wildcarding. I “Apply” my way out. I then start the application. Nope, no error from the app about creating the registry entry. Why? Because the registry key got created, so the block by CFP’s Defense+ never worked to block this app from writing a subkey under that key.

So how do I get Defense+ so its custom policies on blocked registry keys to actually work?


Anybody? I’m not up on D+ rules to be able to be useful.

Is HKEY_LOCAL_MACHINE\SOFTWARE\Classes* in My Protected Registry Keys?