Updated LGPO utility sources
The updated sources corresponding to the updated versions of the Apply_LGPO_Delta and ImportRegPol utilities are attached to this post.
Comments
Anonymous
January 01, 2003
Aaron, How long before we start seeing Windows 7 FDCC Blog related materials? From what I have read it appears Microsoft and the Air Force are working on Windows 7 FDCC settings. There is also some indications that DISA has a Windows 7 STIG document but I have yet to see anything formal in public forums yet. The Army indicated DISA has a checklist, but I couldn't find it anywhere yet. Any indication when we will see the Windows 7 FDCC settings start rolling out? I would be interested in getting my hands on any LGPO utilities as early as possible. Thanks, Robert [Aaron Margosis] Hopefully soon. I can't really publish anything here until after NIST or the DoD release their drafts for public review. Chances are very good that the settings will be similar to what's in the Vista settings, so if you want to do some Win7/FDCC testing, apply the Vista settings to a Win7 computer. One way you can do that is download the latest NIST GPOs, find the registry.pol files in them that apply to Vista or "Both" and apply them with ImportRegPol, and find the security templates (GptTmpl.inf) that apply to Vista or "Both" and apply them either with Secedit.exe or Apply_LGPO_Delta (the latter is easier).Anonymous
February 22, 2011
Hi Aaron, I'm not a developer but I appreciate the functionality of Apply_LGPO_Delta.exe a lot. Would it be possible add functionality to delete a registry branch including all values? if using the action DELETEALLVALUESyou need to recursively specify all sub-branches that contains values in the input file. E.g. I would like to be able to delete HKEY_CURRENT_USERSoftwarePoliciesMicrosoftOffice14.0 by just specifying this string and not have to specify all sub branches eg HKEY_CURRENT_USERSoftwareMicrosoftOffice14.0Access HKEY_CURRENT_USERSoftwareMicrosoftOffice14.0Common etc. Thanks, Carl
Anonymous
July 28, 2011
How would I apply the policies to win7 using ImportRegPol.exe, or do I use the Set_FDCC_LGPO.exe and Apply _LGPO_Delta.exe as well? is there sample code? [Aaron Margosis] See the PowerShell script on this post: http://blogs.technet.com/b/fdcc/archive/2010/10/02/fdcc-is-now-usgcb.aspx Set_FDCC_LGPO is for XP and Vista only. It will not be updated for Win7.Anonymous
August 10, 2012
I would like to use the provided source as part of my product. Is this allowed by the license? It is unclear to me since the license states: /* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. Copyright (C) 2008. Microsoft Corporation. All rights reserved. */ [Aaron Margosis] You can use the source code the way you would any MSDN sample code.Anonymous
September 03, 2014
Would it be possible to add support for REG_MULTI_SZ by adding something like this to the if-else construct in RegFilesProcessor? I'm not a developer and have no idea how to compile or test it, so hoping someone can tell me whether this is worth pursuing before I try to figure it out...
...
if ( 0 == wcsncmp(L"MULTISZ:", sAction.c_str(), 8) )
{
bSetValue = true;
sValueData = sAction.substr(8);
dwRegType = REG_MULTI_SZ;
cbData = (DWORD)(sValueData.length() + 1) * sizeof(wchar_t);
pData = (const BYTE *)sValueData.c_str();
}
else
... [Aaron Margosis] The problem is coming up with a way to specify the multi-sz input data in a text file. Multi-sz data is a series of null-terminated strings. One could use a different separator character, but what if you wanted to use that character as part of a string? I didn't spend a lot of time thinking about it because for the purposes of the tool (mostly FDCC/USGCB policies) there was little need for Multi-Sz -- or Binary for that matter.Anonymous
September 04, 2014
Well, I believe the USGCB policies are based on the DISA STIGs, and those do specify a policy for the Optional Subsystems registry key, which is Multi-Sz. I didn't dig any further into how the reg value is parsed and processed...any lessons we could crib from other methods? I believe both secedit and reg can process multi-sz values... [Aaron Margosis] If you ever export a multi-sz or expand-sz from Regedit and look at the resulting .reg file, it's all hex data. Here are examples of both: "Posix"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,
00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,70,00,
73,00,78,00,73,00,73,00,2e,00,65,00,78,00,65,00,00,00
"Optional"=hex(7):50,00,6f,00,73,00,69,00,78,00,00,00,00,00 The former is REG_EXPAND_SZ ("hex(2)") and the latter is REG_MULTI_SZ ("hex(7)"). I'm trying to stick with readable text representations. Also, Optional Subsystems is specified in a security template (e.g., GptTmpl.inf) and the MMC Security Templates snap-in serves as a fine editor for those files. If it were more important to represent an expand or multi-sz in an administrative template (registry.pol), that would raise the priority to solve this issue.Anonymous
September 04, 2014
Ok, I looked over the code a bit more, and it appears there is no parsing of the value data. It's set to pdata and passed directly to RegSetValueEx. In which case, the formatting of the value falls to the user, yes? I'd certainly be fine with that. The format to use would just need to be specified in the readme, I'd think. From the examples I can find, the format would be something like 'value1�value2�'. Might need a second '�' at the end, depending on how the data is read in and how c_str() works. [Aaron Margosis] When you see '�' in C/C++ related text, it refers to the ASCII NUL character, not to the sequence of a backslash character and a digit zero. If I treat that two-character sequence as a representation of the NUL character, then I'd also need a way to allow the literal � sequence to be represented also. It gets complicated. What's the scenario you're working with where multi-sz representations are important?Anonymous
September 05, 2014
I get it, we're basically talking about how to support special characters and how to escape them. I know that's not a particularly straight-forward problem.
I only have the one requirement at the moment. I'm building a framework to automate the application of DISA STIGs to Windows systems (since the tools they provide are waaaaaaay behind), and the W2k8-r2 STIG specifies a requirement for the Optional Subsystems value. At first, I was making the registry edits directly, then I switched to apply_lgpo_delta.exe with the .inf method to configure all the settings, but both those methods get overridden by the security policies in the administrative template. So I changed everything over to the syntax to update the security policy with apply_lgpo_delta.exe. That works for every setting except this one, of course. [Aaron Margosis] Nothing in the administrative templates (the registry.pol file(s)) should be overriding the settings for Optional Subsystems. I see no .admx-based settings that write anything to that part of the registry. This in a security template file should be all you need: [Registry Values]
MACHINESystemCurrentControlSetControlSession ManagerSubSystemsoptional=7,Anonymous
September 05, 2014
Yes, that's more or less what I've resorted to. It's just annoying to have to configure some settings in one way and other settings in another way. Makes the whole thing more fragile and harder to understand, troubleshoot, and maintain. [Aaron Margosis] Well, it's been that way since the advent of Group Policies and Administrative Templates. Security templates have been around a lot longer. (And advanced auditing uses yet another entirely different interface!)Anonymous
September 07, 2014
Yep, I am applying the advanced auditing policies in my toolset as well. I am really thankful for the work you've all been doing on the security baselines, and especially the LocalScript method to apply them. It's really made it easier to figure out how all the pieces work, write new baselines to cover custom security policies (like the DISA STIGs), and incorporate the application of the baselines into a larger configuration management framework. Cheers!Anonymous
July 06, 2015
I used your source to add policy-based QoS rule and it works. But I found one problem with it.
If I did not run gpedit.msc to create any rule before, the QoS policy rule that I add using the LGPO API cannot be activated. If I run gpedit.msc to create any rule or edit the rule added by LGPO API, it works without any problem. Can you tell me what it is enabled by gpedit.msc in this case? I tried to find any API or approach and it seemed not work at all. Is LGPO API is only used to edit the rules created by gpedit.msc?