[trympet]

> Windows registry is in itself insecure. Applications can't own perms to their own entries.

I think registry entries support DACLs, and permissions can be restricted to SIDs or user accounts. I have no first-hand experience with this though; YMMV.

> The easy and expected fix being that applications get perms for their own folder, rejecting 3rd party by default.

Back in Windows 8, they launched an app model called UWP or something which does exactly this. Met with luke warm reception from the industry because (you guessed it!) back compat.

[coffeeling]

UWP wasn't just lack of back compat, it enforced things like apps sleeping on minimize which is nuts. This was in an attempt to make Windows a universal OS that's tablet and phone worthy.

[rkagerer]

They absolutely support DACL's. For the longest time I prohibited my own user account from modifying a certain registry key to prevent Dropbox from constantly reinstalling unwanted green checkmark overlays.

[sneak]

Restricting to user accounts is useless. Malware runs as your user.

https://xkcd.com/1200/