Software Restriction Policies on XP

VirtualLarry

No Lifer
Aug 25, 2001
I followed the directions shown here: I ran secpol.msc and created a software restriction policy on the local machine. I set it to default deny, and to apply to users other than local administrators.
Now, the documentation shows that four default allow rules are applied, to prevent locking you out of the machine. Those rules appear to allow execution of files out of \WINDOWS\system32\*.exe and \Program Files\*.exe.

Only, they aren't allowed. I can't start my Brother printer monitor (in C:\Program Files\Brother), nor can I even start MSPaint.exe (in C:\WINDOWS\system32).

Can someone tell me what I'm doing wrong?

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

Those are the four default path rules, set to unrestricted (allow).


Never mind, I'm a dumbass. The example said to remove the ".LNK" file type from the restricted list, and I didn't do that. So when I went to start MSPaint using the shortcut on the Start Menu, the .LNK file itself was stored in C:\Documents and Settings\(user)\blah\blah, which fell outside of the allow rules.

The error message about starting the program was very unhelpful, though: it only listed the full path to the exe, but that wasn't what was denied. It was the .LNK file, and the error dialog said nothing about that.

It's a shame that this amount of security power isn't available to XP Home users. I tried secpol.msc, and XP Home gives me a "not found" error.
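To make the failure mode in this thread concrete, here is an added Python model of how SRP path rules decide whether a file may run. It is not the poster's code and not Microsoft's implementation: the registry values, the user profile paths, the subset of designated file types and the "most specific rule wins" tie-break are all constructed or simplified assumptions, and the separator inserted after an expanded registry value is an assumption about how the default rules are meant to read. What it shows is the exact situation above: with LNK in the designated file types, a shortcut under Documents and Settings matches none of the four default allow rules and is blocked by the default-deny level, even though the target mspaint.exe would be allowed; drop LNK from the designated types and the launch succeeds.

```python
"""Model of Software Restriction Policies (SRP) path-rule evaluation.

Constructed for illustration: registry data, paths and the precedence
rule are simplified stand-ins, not a reimplementation of Windows.
"""
import fnmatch
import re

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"

# Constructed stand-in for the two registry values the default rules name.
REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot": r"C:\WINDOWS",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir": r"C:\Program Files",
}

# The four default path rules quoted in the thread, all set to Unrestricted.
DEFAULT_RULES = [
    (r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%", UNRESTRICTED),
    (r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe", UNRESTRICTED),
    (r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe", UNRESTRICTED),
    (r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%", UNRESTRICTED),
]

# Designated file types: a constructed subset of the default list. LNK is
# in it by default, which is what bit the poster.
DEFAULT_TYPES = frozenset({"EXE", "COM", "BAT", "CMD", "LNK", "MSI", "PIF", "SCR", "VBS"})

_VAR = re.compile(r"%(HKEY_[^%]+)%")


def expand_rule(rule, registry=REGISTRY):
    """Expand %HKEY_...\\Value% to that value's data.

    Assumption: a backslash is inserted between the expanded value and any
    text that follows without one, so the default rules read as
    C:\\WINDOWS\\*.exe rather than C:\\WINDOWS*.exe.
    """
    def sub(m):
        data = registry[m.group(1)]  # KeyError if the value does not exist
        rest = rule[m.end():]
        if rest and not rest.startswith("\\") and not data.endswith("\\"):
            return data + "\\"
        return data
    return _VAR.sub(sub, rule)


def rule_matches(pattern, path):
    """Case-insensitive match. A pattern without wildcards names a folder
    (or file) and covers everything beneath it; a pattern with wildcards is
    matched against the whole path."""
    p, f = pattern.lower(), path.lower()
    if any(c in p for c in "*?"):
        return fnmatch.fnmatchcase(f, p)
    return f == p or f.startswith(p.rstrip("\\") + "\\")


def decide(path, rules=DEFAULT_RULES, designated_types=DEFAULT_TYPES,
           default_level=DISALLOWED, registry=REGISTRY):
    """Return (level, reason) for one file.

    Files whose extension is not a designated type are outside SRP entirely.
    Among matching path rules the most specific one (longest literal prefix,
    a simplification of the real precedence rules) wins; if nothing matches
    the default level applies.
    """
    name = path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].upper() if "." in name else ""
    if ext not in designated_types:
        return UNRESTRICTED, "not a designated file type: " + (ext or "(none)")
    best = None
    for rule, level in rules:
        pattern = expand_rule(rule, registry)
        if rule_matches(pattern, path):
            literal = re.split(r"[*?]", pattern, 1)[0]
            if best is None or len(literal) > len(best[0]):
                best = (literal, level, pattern)
    if best is None:
        return default_level, "no path rule matches; default level applies"
    return best[1], "matched rule " + best[2]


def launch_via_shortcut(shortcut_path, target_exe, **policy):
    """Starting a program from a .LNK: the shortcut file is evaluated first,
    and only if it passes is the target evaluated. The reason string names
    the file that was actually blocked, which is the detail the poster found
    missing from the Windows error dialog."""
    level, why = decide(shortcut_path, **policy)
    if level == DISALLOWED:
        return DISALLOWED, f"blocked at shortcut {shortcut_path}: {why}"
    level, why = decide(target_exe, **policy)
    return level, f"{target_exe}: {why}"


if __name__ == "__main__":
    # Constructed paths mirroring the thread's scenario.
    shortcut = r"C:\Documents and Settings\larry\Start Menu\Programs\Accessories\Paint.lnk"
    target = r"C:\WINDOWS\system32\mspaint.exe"
    print(launch_via_shortcut(shortcut, target))
    print(launch_via_shortcut(shortcut, target, designated_types=DEFAULT_TYPES - {"LNK"}))
    print(decide(r"C:\Program Files\Brother\monitor.exe"))
    print(decide(r"C:\Documents and Settings\larry\Desktop\setup.exe"))
```

Running the module prints the blocked shortcut launch, the same launch succeeding once LNK is no longer a designated type, the Brother monitor allowed under the Program Files rule, and an executable in the user's profile denied by the default level, which is the trade-off a default-deny policy is meant to enforce.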