If you do a clean install with an installation source that has SP4 slipstreamed, this might be one of the easiest fixes. (alternatively you could disable the sp4sec feature in an unattended installation file, but I have not tested this yet.)
Extract sysoc.in_ and comment out the line containing text similar to:
sp4sec=ocgen.dll,OcEntry,xpfixit.inf,hide,7
in sysoc.inf with a semicolon in front of the line. Then, delete sysoc.in_.
Another fix would be to edit xpfixit.inf to omit all lines starting with "HKEY_CLASSES_ROOT\".
I do not know how to fix a live install of SP4 or the service pack installer to circumvent this issue though.
P.S.: I am quite shocked that it took much of a decade (8 years!) for people to notice that publicly, because when I investigated this a year ago, I was not able to find anything.
Edit 2: FYI, in WindowsXP-USP4-v3.1b-NODOTNET-x86-ENU.exe/i386/update/update.inf (might vary for the normal version), line 4033 (under the [ProcessesToRun] INF section) the installation of the "SP4 Security enhancement is triggered", as far as live SP4 installation is concerned. Perhaps one could edit xpfixit.inf before starting the live installation of SP4?