I'm in the process of configuring a new Thinkpad T410s with Win7 x64. After setting up the standard software restriction policies (disallowed by default w/ program and root directory path rules), I noticed that a number of Thinkpad apps no longer functioned, such as the Fn key OSD modules. SRP was verified as the cause; disabling SRP returns functionality.
The OSD executables are stored in two different directories:
C:\Program Files\Lenovo\HOTKEY
C:\Program Files\ThinkPad\
Both of these directories should be included in the default SRP path rule that allows execution from %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%.
So the anomalies are:
1. Other programs in the Program Files directory will execute with SRP enabled; only the OSD modules fail.
2. Attempting to manually execute the failed OSD modules from the shell with SRP active does not give the standard "Program is blocked by group policy" message. Instead, "driver not installed"-type messages are displayed, or else no message is displayed at all.
3. The OSD modules are flagged as 32-bit programs in Task Manager, but the executables are stored in the C:\Program Files\ folder instead of C:\Program Files (x86)\
The most interesting part, however, was that adding an additional path rule allowing "C:\Program Files\" completely solved the problem.
So my question is, what is going on? And why is there a difference in behavior between using "C:\Program Files" and using %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%?
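A check that can be run on the 64-bit machine described above (an added example, not part of the original post): it reads ProgramFilesDir through both the 64-bit and the 32-bit registry views and reports whether each OSD directory falls under the resolved value and under the literal `C:\Program Files`. It assumes PowerShell 3.0 or later; the function names and the plain prefix comparison are illustrative and are not how SRP itself matches paths.

```powershell
# Added diagnostic example, not from the original post.
# Assumes PowerShell 3.0+ (.NET 4) for RegistryView and [pscustomobject].
$subKey    = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
$valueName = 'ProgramFilesDir'
$literal   = 'C:\Program Files'            # literal path rule from the post
$osdDirs   = @('C:\Program Files\Lenovo\HOTKEY', 'C:\Program Files\ThinkPad\')

# Hypothetical helper: read the value through one specific registry view.
function Get-ProgramFilesDirForView {
    param([Microsoft.Win32.RegistryView]$View)
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $View)
    try {
        $key = $base.OpenSubKey($subKey)
        if ($null -eq $key) { return $null }
        try { return $key.GetValue($valueName) } finally { $key.Close() }
    } finally {
        $base.Close()
    }
}

# Hypothetical helper: case-insensitive prefix test (an approximation only).
function Test-PathUnderRoot {
    param([string]$Path, [string]$Root)
    if ([string]::IsNullOrEmpty($Root)) { return $false }
    $prefix = $Root.TrimEnd('\') + '\'
    $full   = $Path.TrimEnd('\') + '\'
    return $full.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
}

$views = @([Microsoft.Win32.RegistryView]::Registry64,
           [Microsoft.Win32.RegistryView]::Registry32)

$report = foreach ($view in $views) {
    $resolved = Get-ProgramFilesDirForView -View $view
    foreach ($dir in $osdDirs) {
        [pscustomobject]@{
            RegistryView     = $view
            ProgramFilesDir  = $resolved
            Directory        = $dir
            UnderRegistryDir = Test-PathUnderRoot -Path $dir -Root $resolved
            UnderLiteralPath = Test-PathUnderRoot -Path $dir -Root $literal
        }
    }
}

$report | Format-Table -AutoSize
```

Rows where UnderRegistryDir and UnderLiteralPath disagree mark a registry view in which the registry-based rule and the literal rule do not cover the same directories.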