In order to take some measures against BadUSB exploit, I want to restrict USB device installations on Windows 8, as suggested here.
However, gpedit.msc to reach Local Group Policy Editor is not available in Windows 8. Price for Pro upgrade (450₺) is not close to being reasonable in my opinion and I wonder if I can change following settings using Registry Editor.
Prevent installation of devices using drivers that match these device setup classes:
- 4d36e96b-E325-11CE-BFC1-08402BE10318 – this one controls the
automatic installation of USB keyboards. - 4D36E972-E325-11CE-BFC1-08012BE10318 – this one corresponds to the
NIC (network interface controller) - e0cbf06c-cd8b-4647-bb8a-263b45f0f974 – this one is for bluetooth.
- 4d36e96b-E325-11CE-BFC1-08402BE10318 – this one controls the
Allow administrators to override Device Installation Restrictions policies
I could not find these settings here.
If this is not possible via Registry Editor can you suggest me an alternative solution? ("Not using USB ports at all" is not an option.)
Answer
Local Group Policy Editor is not available in Windows 8
I used the following procedure to successfully install gpedit.msc
on Windows 7 64 bit Home Premimum.
It apparently works on Windows 8 and Windows 8.1 as well.
UPDATE: According to some readers, this tool also works fine in Windows 8 and Windows 8.1.
Today we are going to share a simple installer which installs the required system files in Windows so that you can enjoy Group Policy Editor in all Windows 7 editions.
First download the setup file using following link:
Download Group Policy Editor Installer
You'll find the download link in right-side section of the above
mentioned page.
After downloading the ZIP file, extract it using WinRAR or 7-Zip.
Run the extracted setup.exe file.
It will install the files and you'll be able to access gpedit.msc
command via RUN or Start Menu search box.
Note:
- For Windows 7 64-bit (x64) users! You'll also need to go to "SysWOW64" folder present in "C:\Windows" folder and copy
"GroupPolicy", "GroupPolicyUsers" folders and gpedit.msc file from
there and paste them in "C:\Windows\System32" folder.
If you are getting "MMC could not create the snap-in" error message
while running gpedit.msc, check out following steps to fix the
problem. Basically it happens when your username in Windows contains
more than one word.
Run the installer and leave it at the last step (do not click on the "Finish" button).
Now go to
C:\Windows\Temp\gpedit\
folder.
If you are running 32-bit (x86) edition of Windows 7, right-click on x86.bat file and choose "Open With -> Notepad" option. If you are
running 64-bit (x64) edition of Windows 7, right-click on x64.bat file
and choose "Open With -> Notepad" option.
You'll find a total of 6 lines containing the following string in the file:
%username%:f
Edit those lines and replace
%username%:f
with"%username%":f
For example:
Original: `icacls %WinDir%\SysWOW64\gpedit.dll /grant:r %username%:f`
New: `icacls %WinDir%\SysWOW64\gpedit.dll /grant:r "%username%":f`
Save and run the file (right-click -> Run as Administrator).
That's it. You'll have working gpedit.msc.
Could you please provide the content of x64.bat file?
@echo off
echo x64
takeown /f %WinDir%\SysWOW64\gpedit.dll
icacls %WinDir%\SysWOW64\gpedit.dll /grant:r %username%:f
takeown /f %WinDir%\SysWOW64\fde.dll
icacls %WinDir%\SysWOW64\fde.dll /grant:r %username%:f
takeown /f %WinDir%\SysWOW64\gptext.dll
icacls %WinDir%\SysWOW64\gptext.dll /grant:r %username%:f
echo.
echo.
takeown /f %WinDir%\SysWOW64\appmgr.dll
icacls %WinDir%\SysWOW64\appmgr.dll /grant:r %username%:f
takeown /f %WinDir%\SysWOW64\fdeploy.dll
icacls %WinDir%\SysWOW64\fdeploy.dll /grant:r %username%:f
IF NOT EXIST %WinDir%\SysWOW64\GPBAK\NUL MKDIR %WinDir%\SysWOW64\GPBAK
takeown /f %WinDir%\SysWOW64\GPBAK\*
icacls %WinDir%\SysWOW64\GPBAK\* /grant:r %username%:f
IF EXIST %WinDir%\SysWOW64\gpedit.dll copy %WinDir%\SysWOW64\gpedit.dll %WinDir%\SysWOW64\GPBAK\gpedit.dll
IF EXIST %WinDir%\SysWOW64\fde.dll copy %WinDir%\SysWOW64\fde.dll %WinDir%\SysWOW64\GPBAK\fde.dll
IF EXIST %WinDir%\SysWOW64\gptext.dll copy %WinDir%\SysWOW64\gptext.dll %WinDir%\SysWOW64\GPBAK\gptext.dll
IF EXIST %WinDir%\SysWOW64\appmgr.dll copy %WinDir%\SysWOW64\appmgr.dll %WinDir%\SysWOW64\GPBAK\appmgr.dll
IF EXIST %WinDir%\SysWOW64\fdeploy.dll copy %WinDir%\SysWOW64\fdeploy.dll %WinDir%\SysWOW64\GPBAK\fdeploy.dll
IF EXIST %WinDir%\SysWOW64\gpedit.msc copy %WinDir%\SysWOW64\gpedit.msc %WinDir%\SysWOW64\GPBAK\gpedit.msc
copy gpedit.dll %WinDir%\SysWOW64\gpedit.dll
copy fde.dll %WinDir%\SysWOW64\fde.dll
copy gptext.dll %WinDir%\SysWOW64\gptext.dll
copy appmgr.dll %WinDir%\SysWOW64\appmgr.dll
copy fdeploy.dll %WinDir%\SysWOW64\fdeploy.dll
copy gpedit.msc %WinDir%\SysWOW64\gpedit.msc
IF NOT EXIST %WinDir%\SysWOW64\GroupPolicy\NUL MKDIR %WinDir%\SysWOW64\GroupPolicy
IF NOT EXIST %WinDir%\SysWOW64\GroupPolicy\adm\NUL MKDIR %WinDir%\SysWOW64\GroupPolicy\adm
copy system.adm %WinDir%\SysWOW64\GroupPolicy\Adm\system.adm
copy inetres.adm %WinDir%\SysWOW64\GroupPolicy\Adm\inetres.adm
copy conf.adm %WinDir%\SysWOW64\GroupPolicy\Adm\conf.adm
copy wmplayer.adm %WinDir%\SysWOW64\GroupPolicy\Adm\wmplayer.adm
copy wuau.adm %WinDir%\SysWOW64\GroupPolicy\Adm\wuau.adm
regsvr32 /s %WinDir%\SysWOW64\gpedit.dll
regsvr32 /s %WinDir%\SysWOW64\fde.dll
regsvr32 /s %WinDir%\SysWOW64\gptext.dll
regsvr32 /s %WinDir%\SysWOW64\appmgr.dll
regsvr32 /s %WinDir%\SysWOW64\fdeploy.dll
No comments:
Post a Comment