> Windows registry is in itself insecure. Applications can't own perms to their own entries.
I think registry entries support DACLs, and permissions can be restricted to SIDs or user accounts. I have no first-hand experience with this though; YMMV.
> The easy and expected fix being that applications get perms for their own folder, rejecting 3rd party by default.
Back in Windows 8, they launched an app model called UWP or something which does exactly this. Met with lukewarm reception from the industry because (you guessed it!) back compat.
UWP wasn't just lack of back compat, it enforced things like apps sleeping on minimize which is nuts. This was in an attempt to make Windows a universal OS that's tablet and phone worthy.
They absolutely support DACLs. For the longest time I prohibited my own user account from modifying a certain registry key to prevent Dropbox from constantly reinstalling unwanted green checkmark overlays.
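As an added example (not posted by anyone in the thread): restricting a registry key's DACL so the current user, and therefore any software running as that user, can no longer modify it, roughly the kind of lock the comment above describes. The key path is a placeholder; the commenter does not name the key they locked.

```powershell
# Placeholder key, not a real vendor path
$keyPath = 'HKCU:\Software\ExampleVendor\ExampleKey'
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }

# Current DACL of the key (a RegistrySecurity object)
$acl = Get-Acl -Path $keyPath

# Rights that would let the key or its values be changed
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

# SID of the interactive user running this script
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

# Deny ACE for that SID, inherited by subkeys
$denyRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $user,
    $writeRights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl.AddAccessRule($denyRule)
Set-Acl -Path $keyPath -AclObject $acl

# Check: the deny entry is present, and a write attempt now fails with access denied
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, RegistryRights, IsInherited
try   { Set-ItemProperty -Path $keyPath -Name 'Probe' -Value 1 -ErrorAction Stop }
catch { "Write blocked: $($_.Exception.Message)" }
```

The user still owns the key, so the deny can be reverted deliberately with Set-Acl; what it stops is unattended rewriting by programs running under that account.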
Windows registry is in itself insecure. Applications can't own perms to their own entries.
Look at what people are using and optimize for that. Clearly the intended system is wrong, and ego death is necessary to create real fixes.
The easy and expected fix being that applications get perms for their own folder, rejecting 3rd party by default.
The proper larger solution being open code signing. But MS and friends are making big cash so they don't care.