Thursday, April 2, 2015

windows - How can I use Process Monitor to detect register changes made by GPEdit modifications?




It is supposed that Process Monitor can capture the registry changes made by any program. This thread explains it fine (thanks you, James T).



But it seems things are not so easy when talking about Group Policies Editor (gpedit.msc), because I am getting more than 738 register events when trying to change just one entry:



User Configuration -> Administrative Templates -> Code signing for drivers


Lots of captured data




How can I isolate the specific registry change for my GPEdit change performed?



New data:



As suggested by Frank Thomas (thanks), there was only one RegSetValue entry, named HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{7C9BF3F4-1B9E-476F-871D-D20B09E6DA5A}User\Software\Policies\Microsoft\Windows NT\Driver Signing\BehaviorOnFailedVerify.
This BehaviorOnFailedVerify key was what I was changing, but such key has been changed in multiple places at the register:




  • At HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{7C9BF3F4-1B9E-476F-871D-D20B09E6DA5A}User\Software\Policies\Microsoft\Windows NT\Driver Signing as stated.

  • At HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Driver Signing.

  • At HKEY_USERS\S-1-5-21-1389804526-12218611-1726603683-1004\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{7C9BF3F4-1B9E-476F-871D-D20B09E6DA5A}User\Software\Policies\Microsoft\Windows NT\Driver Signing.


  • At HKEY_USERS\S-1-5-21-1389804526-12218611-1726603683-1004\Software\Policies\Microsoft\Windows NT\Driver Signing.



This is: four changes, and only one of them has been detected by Process Monitor.
Is this correct? Why?
If pretending to perform the same change via the reg command (without using gpedit.msc, which one should I change? All the four?



Note: I did not explain, as long as I did not think it was necessary, but my original idea was to be capable to change the key BehaviorOnFailedVerify via remote shell, like SSH or telnet).
Note-2: For those wondering what does this change: it disables driver signature verification request so nothing prompts no the screen to the GUI user when installing some unsigned drivers like TAP-driver (network) for OpenVPN unattended installation.


Answer



Use RegFromApp instead. Attach it to the MMC.exe that runs gpedit, and click on the green arrow to start logging. If you change the entries, the tool generates a .reg file that you can save and use later again.


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...