
Custom GPO - Default REG_SZ Value is duplicating


Steve

Jan 23, 2009, 4:30:18 PM
Hi,

Basically I am trying to create a custom ADM that will add the following
Registry Key.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Here is what I have...

CLASS USER

CATEGORY !!My_Computer

POLICY !!Disable_Windows_Autorun_Policy
KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
EXPLAIN !!Disable_Windows_Autorun_Comments_Explain
VALUENAME ""
VALUEON !!Disable_Windows_Autorun_Value
VALUEOFF DELETE

END POLICY

END CATEGORY

The custom ADM almost works. Problem is when a new key is created
(Autorun.inf), it also creates a new string value with no value data. So
when I apply my custom GPO, a second new string value gets created and there
should only be one.

To get a better idea of what I am trying to accomplish, here are a few
links.

http://www.us-cert.gov/cas/techalerts/TA09-020A.html

http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html

http://nick.brown.free.fr/blog/2007/10/memory-stick-worms

Any help would be appreciated.

Steve


Steve

Jan 23, 2009, 7:06:01 PM
Figured it out. For anybody else who might be interested, here is a working
ADM.

CLASS USER

CATEGORY !!My_Computer

POLICY !!Disable_Windows_Autorun_Policy
KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
EXPLAIN !!Disable_Windows_Autorun_Comments_Explain
VALUENAME ""
VALUEON !!Disable_Windows_Autorun_Value
VALUEOFF DELETE

END POLICY

END CATEGORY

[strings]
My_Computer="Company Specific"
Disable_Windows_Autorun_Policy="Disable Windows Autorun Policy"
Disable_Windows_Autorun_Comments_Explain="Enter the String Value @="@SYS:DoesNotExist". This will disable windows autorun. This is also used in addition to the Default Domain Policy - Computer Configuration\Admin Templates\Windows Components\Turn Off Autoplay Policy."
Disable_Windows_Autorun_Value=@SYS:DoesNotExist

"Steve" <steve@steve> wrote in message
news:OeNTLHaf...@TK2MSFTNGP06.phx.gbl...
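
To confirm what the policy actually wrote on a client, the following PowerShell check (an added example, not part of the original posts) reads the Autorun.inf mapping key in both HKLM, where the .reg file in the first post puts it, and HKCU, where a CLASS USER template writes, and reports the default value plus any stray named values. The function name and the property names on the returned object are assumptions made for this example.

```powershell
# Added example (not from the thread): audit the Autorun.inf IniFileMapping override.
$SubKey   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$Expected = '@SYS:DoesNotExist'   # value data from the .reg file in the first post

function Get-AutorunMappingState {   # hypothetical helper name
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)

    $state = [ordered]@{
        Hive = $Hive; KeyExists = $false; DefaultData = $null
        DefaultKind = $null; NamedValues = @(); Compliant = $false
    }
    $key = Get-Item -LiteralPath "${Hive}:\$SubKey" -ErrorAction SilentlyContinue
    if ($key) {
        $state.KeyExists = $true
        $names = @($key.GetValueNames())
        # The unnamed (Default) value is listed under the empty name once it has data.
        if ($names -contains '') {
            $state.DefaultData = $key.GetValue('')
            $state.DefaultKind = $key.GetValueKind('')
        }
        # Any named value under this key is a stray, such as the extra string value
        # described in the first post.
        $state.NamedValues = @($names | Where-Object { $_ -ne '' })
        $state.Compliant = ($state.DefaultKind -eq 'String') -and
                           ($state.DefaultData -eq $Expected) -and
                           ($state.NamedValues.Count -eq 0)
    }
    [pscustomobject]$state
}

$report = 'HKLM', 'HKCU' | ForEach-Object { Get-AutorunMappingState -Hive $_ }
$report | Format-Table Hive, KeyExists, DefaultData, DefaultKind, Compliant -AutoSize
$report | Where-Object { $_.NamedValues.Count } |
    ForEach-Object { "$($_.Hive): unexpected named values: $($_.NamedValues -join ', ')" }

$hklm = $report | Where-Object Hive -eq 'HKLM'
if ($hklm.Compliant) { 'HKLM override is in place.' }
else { 'HKLM override is missing or differs from the expected value.' }
```

Run it in a PowerShell session of the same bitness as the operating system after a policy refresh, so the key is not read through the 32-bit registry view.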

Florian Frommherz [MVP]

Jan 24, 2009, 5:14:49 AM
Steve,

Steve wrote:
> Figured it out. For anybody else who might be interested, here is a working
> ADM.
>
> CLASS USER
>
> CATEGORY !!My_Computer
>
> POLICY !!Disable_Windows_Autorun_Policy
> KEYNAME "Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
> EXPLAIN !!Disable_Windows_Autorun_Comments_Explain
> VALUENAME ""
> VALUEON !!Disable_Windows_Autorun_Value
> VALUEOFF DELETE
>
> END POLICY
>
> END CATEGORY
>
> [strings]
> My_Computer="Company Specific"
> Disable_Windows_Autorun_Policy="Disable Windows Autorun Policy"
> Disable_Windows_Autorun_Comments_Explain="Enter the String Value @="@SYS:DoesNotExist". This will disable windows autorun. This is also used in addition to the Default Domain Policy - Computer Configuration\Admin Templates\Windows Components\Turn Off Autoplay Policy."
> Disable_Windows_Autorun_Value=@SYS:DoesNotExist

Thanks for sharing. This will certainly help people out.

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
