
HIPS to Block Registry Key



Hello,

We are using ERA 6.7 and Endpoint security Client for our windows pc users.

We have created a rule in HIPS to block users from deleting, modifying or changing the value of a particular key, which works fine.

The Key is : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastuserSwitching


However, when we are trying to achieve a similar result for another key, it's not working, i.e. the user is able to delete or modify the key!

The Key is : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun

The Key is : HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer


The reason for blocking the keys is that we want to restrict users from performing:

1. Disable Fast User Switching (working fine with disabling in registry and HIPS rule monitoring to deny any change)

2. Disable Win + R, i.e. show RUN for the user/system (working fine with disabling in registry BUT HIPS rule doesn't work)

3. Disable Right Click Properties option (working fine with disabling in registry BUT HIPS rule doesn't work)


Do let us know if we are doing something wrong and help us in resolving the issue. 


Thanks,

Tariq


  • Administrators

Instead of HKEY_CURRENT_USER, use HKEY_USERS\%SID%. I reckon that * should work as a wildcard for any SID.


Hi Marcos,

Thanks, appreciate your prompt reply !

I tried HKCU\*\ followed by the rest of the key, but it didn't help. After troubleshooting I realized that I could use HKLM instead of HKCU for the key which I wanted to block (blocking for the entire system), hence problem solved as it's already working with HIPS.

However, if I need to use HKCU, is it possible for you to send me the correct syntax, as HKCU\*\ didn't work for me.


Thanks

Tariq


15 hours ago, Tariq Shaikh said:

However, if I need to use HKCU, is it possible for you to send me the correct syntax, as HKCU\*\ didn't work for me.

Using this reg. key for reference: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun. When you code HKCU\*\, what it means is all keys under the registry branch HKEY_CURRENT_USER\*\ only.

Try this instead: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\*. This will protect all sub-keys referenced under Explorer.


  • Administrators

I advised you to use HKEY_USERS\*\ where "*" represents any SID, i.e. any user. Note that I'm talking about HKU, not about HKCU.

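The HKCU-versus-HKU point above can be checked from the endpoint itself. The following read-only PowerShell audit is an added example, not code from the thread or from ESET: it resolves the current user's SID, reads each policy value discussed in the thread through both its HKCU path and the equivalent HKEY_USERS\<SID> path (the hive shape Marcos's HKU\*\ rule targets), and prints the wildcard rule target for the per-user values. It assumes the restrictions were applied as REG_DWORD values set to 1.

```powershell
# Added example (not from the ESET thread): map the HKCU policy values discussed
# above to their HKEY_USERS\<SID> form, which is the path a per-user HIPS rule
# written as HKEY_USERS\*\... actually matches, and audit whether each is set.
# Assumption: the restrictions were applied as REG_DWORD values set to 1.

$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# The three values from the thread. HKCU entries are additionally read via HKU\<SID>.
$policies = @(
    @{ Hive = 'HKEY_LOCAL_MACHINE'; Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'HideFastUserSwitching' }
    @{ Hive = 'HKEY_CURRENT_USER';  Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' }
    @{ Hive = 'HKEY_CURRENT_USER';  Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoPropertiesMyComputer' }
)

function Get-PolicyValue {
    param([string]$RegPath, [string]$Name)
    # The Registry:: provider prefix addresses any hive, including HKEY_USERS,
    # which has no default PSDrive in PowerShell.
    try {
        (Get-ItemProperty -Path "Registry::$RegPath" -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value missing
    }
}

foreach ($p in $policies) {
    $paths = @("$($p.Hive)\$($p.Key)")
    if ($p.Hive -eq 'HKEY_CURRENT_USER') {
        # HKCU is a view of the logged-on user's hive; the same data lives under
        # HKEY_USERS\<SID>, and a HIPS rule needs that shape with * for the SID.
        $paths += "HKEY_USERS\$sid\$($p.Key)"
    }
    foreach ($path in $paths) {
        $value  = Get-PolicyValue -RegPath $path -Name $p.Name
        $status = if ($value -eq 1) { 'set (1)' }
                  elseif ($null -eq $value) { 'MISSING' }
                  else { "unexpected ($value)" }
        '{0,-16} {1}\{2}' -f $status, $path, $p.Name
    }
}

# Rule target for each per-user value, in the wildcard form suggested above.
foreach ($p in $policies | Where-Object Hive -eq 'HKEY_CURRENT_USER') {
    "HIPS rule target: HKEY_USERS\*\$($p.Key)\$($p.Name)"
}
```

Both paths for an HKCU value should report the same status; if the HKU\<SID> read returns MISSING while the HKCU read succeeds, the user is running under a different token than expected and a rule scoped by SID will not cover that session.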

Thanks Marcos and itman,

Our mgmt. decided to go with system-wide blocking and not user-wide, hence I used the HKLM key. I will soon test HKCU for myself, as suggested by both of you.

Many Thanks

Cheers !


