Hardening HKCU\Software\Classes - Key not accessible

Discussion in 'Windows XP / Older OS' started by kattekop, Apr 17, 2015.

  1. kattekop

    kattekop MDL Novice (joined Apr 23, 2010)
    On our workstations this key is not accessible to our restricted users. This is to prevent them from creating keys, so UsrClass.dat won't grow. However, the registry ACL shows no sign of USERS being denied Read or being denied All Access. Also, the file permissions on their UsrClass.dat are unmodified, all just like a normal XP installation, it seems.

    I'm thinking about a GPO, or is there another technique? Which one would prevent reading from the HKCU\Software\Classes directory?
    Does anyone know how I can reproduce this error to harden my other PCs?
     
  2. kattekop

    kattekop MDL Novice

    Uh, HKLM\System\CurrentControlSet\Control\hivelist has JohnDoe's NTUSER.DAT but lacks his UsrClass.dat entry ;)
    Anyone familiar with this?
     
  3. kattekop

    kattekop MDL Novice

    I believe it was done with adding a SymbolicLinkValue ;)
    dabcc.com/article.aspx?id=9762
     
  4. Michaela Joy

    Michaela Joy MDL Crazy Lady (joined Jul 26, 2012)
    What OS is the workstation running?
     
  5. kattekop

    kattekop MDL Novice

    The OS is Windows XP Professional SP3. It wasn't done using SymbolicLinkValue but they told me they have set some permissions on the restricted user account folder and subfolders. And as I look at it, I can see they are not the same as with a standard XP installation.
     
  6. kattekop

    kattekop MDL Novice

    Well uh, the answer is right here:

    Events displayed in the Event log after uninstalling Internet Explorer 8 on Windows XP SP2 or SP3 or Windows Server 2003 SP2 or later:
    If you view the Event log in Windows XP SP2 or SP3 you might see event ID 1041 from Userenv after uninstalling Internet Explorer 8.
    The message will be "Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} / {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration."
    The cause is that some of the Internet Explorer 8 registry keys were not removed when it was uninstalled. These keys do not affect the operation of Internet Explorer 6 or Internet Explorer 7.
    To resolve this error, delete the following registry keys:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\]
    {7B849a69-220F-451E-B3FE-2CB811AF94AE} = Internet Explorer User Accelerators
    {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} = Internet Explorer Machine Accelerators

    If anyone is having this trouble or wants to 'harden' it this way, here you go :)
    It works.
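As an added diagnostic, not code posted in the thread, the PowerShell script below reproduces on one workstation the three checks the posts above go through by hand: whether the user's UsrClass.dat hive is listed in HKLM\System\CurrentControlSet\Control\hivelist, whether HKCU\Software\Classes is readable and carries any Deny ACEs, and whether any Winlogon GPExtensions entry lacks the DllName value that Userenv event 1041 complains about. It assumes PowerShell 2.0 or later (an optional install on XP SP3) and that it is run as the affected restricted user; the value-name format \REGISTRY\USER\<SID>_Classes for the per-user classes hive is the one Windows uses in hivelist.

```powershell
# Added example (not from the thread): reproduce the thread's three checks
# for an inaccessible HKCU\Software\Classes on one workstation.
# Assumption: run as the affected restricted user, PowerShell 2.0+.

$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# 1. Is the user's UsrClass.dat actually loaded? hivelist has one value per
#    mounted hive; the per-user classes hive is \REGISTRY\USER\<SID>_Classes.
$hivelist    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
$classesHive = "\REGISTRY\USER\${sid}_Classes"
if ($hivelist.PSObject.Properties.Name -contains $classesHive) {
    "UsrClass.dat is loaded from: $($hivelist.$classesHive)"
} else {
    "UsrClass.dat is NOT loaded for $sid (no $classesHive value in hivelist)"
}

# 2. Can this user read HKCU\Software\Classes, and does its ACL deny anyone?
try {
    $null = Get-ChildItem 'HKCU:\Software\Classes' -ErrorAction Stop
    "HKCU\Software\Classes is readable"
} catch {
    "HKCU\Software\Classes is not accessible: $($_.Exception.Message)"
}
$deny = (Get-Acl 'HKCU:\Software\Classes').Access |
    Where-Object { $_.AccessControlType -eq 'Deny' }
if ($deny) {
    $deny | Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
} else {
    "No Deny ACEs on HKCU\Software\Classes"
}

# 3. Winlogon GP extensions without a DllName value are what Userenv reports
#    as event 1041 ("Windows cannot query DllName registry entry for {GUID}").
#    Standard users can read HKLM, so this works without elevation.
$gpext = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
Get-ChildItem $gpext | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if (-not $p.DllName) {
        "GPExtension {0} ({1}) has no DllName: candidate for removal" -f $_.PSChildName, $p.'(default)'
    }
}
```

Run it once on a working XP box and once on an affected one and diff the output; the leftover Internet Explorer 8 accelerator GUIDs quoted in post 6 show up in the third section, and removing them (as an administrator, with Remove-Item on the two subkeys) is the fix the thread settled on.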