Software Restriction Policy not allowing Program Files directory on 64-bit machines

I've created a new software restriction policy, my default security level is set to "Disallowed", I have the standard built-in allowed locations:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
and I added another exemption for the C:\Program Files (x86) directory:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%
However, on my 64-bit machines, there are still programs being blocked in C:\Program Files:
C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe
C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe
These same programs are not being blocked on my 32-bit machines, but the same policy is being applied to both and the programs are installed in the same locations on both.
I checked the registry on one of the 64-bit machines, and the default registry key exemption specified above:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
does exist on the 64-bit machine and it is set to C:\Program Files, exactly like the 32-bit machines. So why are programs still being blocked here?
Shaun

Hi Shaun,
>>on my 64-bit machines, there are still programs being blocked in C:\Program Files:
Before going further, are all the applications under that path unable to run, or just some of them? Besides, when we run the applications mentioned above, does it indicate that they are blocked by group policy? Here, we can run the command
gpresult /h gpreport.html with administrative privileges to collect a group policy result report and check whether this is caused by some other GPOs.
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
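The thread turns on what a registry-path rule such as %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% actually expands to on a 64-bit machine. The script below is an added example, not code from the original thread or from Microsoft: it expands every SRP path rule stored under Safer\CodeIdentifiers under both the native registry view and the WOW6432Node view (the view a 32-bit process is given on 64-bit Windows), prints the default security level, the designated file types list (the point the MSI-related message further down this page asks about), the %ProgramW6432% variable and the Win32_ComputerSystem SystemType value that a later reply on this page suggests for a WMI filter. Run it elevated on one affected 64-bit machine and on one 32-bit machine and compare the two outputs. Assumptions: the policy is stored under the standard HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers key with level subkeys 0, 131072 and 262144, and each path rule keeps its pattern in an ItemData value; the function names are this example's own.

```powershell
# Added example (not from the original thread). Expands SRP registry-path rules under
# the native and the WOW6432Node registry views and lists the rules currently in effect.
# Assumption: standard Safer\CodeIdentifiers layout; level keys 0 / 131072 / 262144.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# Read one named value from a registry key; $null when the key or the value is missing.
function Get-RegValue([string]$KeyPath, [string]$Name) {
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    $p = $props.PSObject.Properties[$Name]
    if ($null -eq $p) { return $null }
    return $p.Value
}

# Expand a rule written as %HKEY_LOCAL_MACHINE\<key>\<value>%<suffix>.
# With -Wow the HKLM\SOFTWARE\... key is rewritten to SOFTWARE\WOW6432Node\..., which is
# where a 32-bit process reads that key on 64-bit Windows.
function Expand-SrpRule([string]$Rule, [bool]$Wow) {
    if (-not ($Rule -match '^%(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\([^\\]+)%(.*)$')) {
        # Not a registry-path rule: plain environment-variable expansion (e.g. %SystemRoot%).
        return [Environment]::ExpandEnvironmentVariables($Rule)
    }
    $hive, $key, $name, $suffix = $Matches[1], $Matches[2], $Matches[3], $Matches[4]
    if ($Wow -and $hive -eq 'HKEY_LOCAL_MACHINE' -and $key -like 'SOFTWARE\*') {
        $key = 'SOFTWARE\WOW6432Node\' + $key.Substring(9)   # 'SOFTWARE\' is 9 characters
    }
    $drive = if ($hive -eq 'HKEY_LOCAL_MACHINE') { 'HKLM:' } else { 'HKCU:' }
    $value = Get-RegValue "$drive\$key" $name
    if ($null -eq $value) { return '<value not present in this view>' }
    return "$value$suffix"
}

# Enumerate every path rule under every security level and expand it both ways.
function Get-SrpPathRules {
    foreach ($level in $LevelNames.Keys) {
        $pathsKey = Join-Path $Safer "$level\Paths"
        if (-not (Test-Path -LiteralPath $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -LiteralPath $pathsKey) {
            $data = Get-RegValue $rule.PSPath 'ItemData'
            [pscustomobject]@{
                Level       = $LevelNames[$level]
                RuleId      = $rule.PSChildName
                Rule        = $data
                NativeView  = Expand-SrpRule $data $false
                Wow6432View = Expand-SrpRule $data $true
            }
        }
    }
}

$default = Get-RegValue $Safer 'DefaultLevel'
$defaultName = if ($null -eq $default) { '<not configured>' } else { $LevelNames[[int]$default] }
"Default security level : $defaultName"
"Designated file types  : $((Get-RegValue $Safer 'ExecutableTypes') -join ', ')"
"ProgramW6432 variable  : $(if ($env:ProgramW6432) { $env:ProgramW6432 } else { '<not set: 32-bit OS>' })"
"SystemType (WMI filter): $((Get-CimInstance Win32_ComputerSystem).SystemType)"
Get-SrpPathRules | Format-Table -AutoSize -Wrap
```

Read the NativeView and Wow6432View columns side by side for the ProgramFilesDir rule: on a 64-bit machine the two views carry different values, so a rule that expands correctly for one kind of process does not necessarily cover the other, which is the class of mismatch worth ruling out before looking for other GPOs.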

Similar Messages

  • Software Restriction Policy not blocking MSI files

Hello, we have one SRP in place on our domain that includes MSI files in the Designated File Types, however it is not blocking users from running them. Has anyone else had this issue? What are some things I should look out for? Thanks.

    Hi Erin,
    >>we have one SRP in place on our domain that includes MSI files in the Designated File Types, however it is not blocking users from running them.
Are these users standard user accounts (without administrative privileges)? Besides, what SRP rule did we configure to disallow the .msi files? Here, we can run the command
gpresult /h gpreport.html to collect a group policy result report and check how group policy settings are applied. Note, to collect the computer part of the group policy setting report, we need to run the command with administrative privileges.
    In addition, to block .msi files, we can also use Applocker to do this. Regarding Applocker, the following article can be referred to for more information.
    AppLocker Overview
    https://technet.microsoft.com/en-us/library/hh831440.aspx
    Understanding AppLocker Rules
    https://technet.microsoft.com/en-us/library/dd759068.aspx
    Best regards,
    Frank Shen
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Software restriction policy not working correctly

    Ladies and Gents,
We run a Windows Server 2008 R2 environment.
We have had a software restriction policy in place for quite some time now and it has been working fine until about a week ago. Here's how we have it set up:
Enforce = All software files except libraries (such as DLLs) + All users.
Security Level = Disallowed
Designated File Types = Defaults
    Additional Rules:
    C:\* = Disallow.
    The rest of the rules are paths for files and folders that we have set as Unrestricted.
Since about a week ago, our security team discovered that they can open any allowed file type, such as a text file, and then go to File and click Open. In the Open dialog box they type in C:\Windows\System32\drivers\etc\hosts, click Open, and it actually opens the hosts file.
I even tried adding a path rule for C:\Windows\System32\drivers\etc\hosts with Disallow, and it still allows non-admins to open this file.
Any ideas as to why the software restriction policy is not blocking access to files or folders that are not explicitly allowed via a path rule?
    Any help or comments are much appreciated.
    Mohsen Almassud

You are moving in the wrong direction. Software Restriction Policies are designed to prevent users from launching executables/applications. They cannot prevent you from opening a TXT file, because it is not an executable. In order to prevent TXT files from being opened, you have to block the notepad.exe executable. It is a very different technology.
You must move to a permission configuration. If there are folders users should not access, remove them from the respective folder's ACL. You must be careful with restricting user access to system folders (%systemroot%), because you may block critical applications and eventually no one will be able to log on to the server, because logon-dependent paths are not accessible due to restrictions in the ACL.
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new:
    PowerShell FCIV tool.

  • Software Restriction Policy block zipped js file.

    Trying to block zipped js files from running. Have applied the following path rule under our software restriction policies.
    *.zip\*.js
    *\*.zip\*.js
    *.zip\test.js
None of them works to block it.
    Using "test.js" as path rule works fine.
    Am I missing something here?
    Also I have added JS as a file type in software restriction policies.

Hi Allister Wade 2,
    Here is a link for reference of Software Restriction Policies.
    Software Restriction Policies
    https://technet.microsoft.com/en-us/library/hh831534.aspx
All the failed rules include the character "*"; I am afraid this policy does not support that kind of fuzzy matching. Considering that test.js works well, we would add an exact file path to be forbidden.
What is the purpose of this operation? Is it used to forbid the ZIP software from running the js file?
As a workaround, we can change the js file association and check (Control Panel\All Control Panel Items\Default Programs).
    Best regards
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Adobe and software restriction policy

    Hello!
    Could you enumerate what other programs are called by acrord32.exe?
I have to use software restriction policies to prevent running other programs except Adobe Reader 9.
I set up a group policy for the user's software restriction policy: acrord32.exe
When I start Acrobat Reader, the program starts, the reader window appears, but I get the following message:
Software cannot be run due to software restriction policies, and Adobe Reader stops.
My question is: what other programs do I have to allow to run acrord32.exe?
Thanks

    When a software restriction policy "goes off," Windows creates event-log entries that describe what happened.  In many cases, you must be an Administrator to view the contents of this log.
    Here's a page that might be useful.  (I Googled "software restriction policy" "event viewer" ):
    http://technet.microsoft.com/en-us/library/cc737011.aspx
    Although it is tedious to set up restriction policies, it can be worth it.  (But also make sure that you are observing all the other prudent security practices, most especially making sure that the end-users are not "administrators.")
    Realistically, the event log is the only way to determine "what runs what."  It is also important that you run your tests from every flavor of user-account that will be affected by the policy, and that you periodically review the event logs to proactively detect errors that end users did not bother to report.
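    The reply above says the event log is the only reliable way to find out "what runs what". The script below is an added example, not code from the original post: it pulls the SRP block events from the Application log for a given number of hours, extracts the blocked path and the rule GUID from the message text (the message format is the one quoted elsewhere on this page: "Access to <file> has been restricted by your Administrator by location with policy rule {guid} ..."), and summarises which files were blocked how often. Assumptions: the events are written by the provider named "Software Restriction Policies" with IDs 865 (default level), 866 (path rule), 867 (certificate rule), 868 (hash rule) and 882 (Internet zone rule); adjust the filter if your Windows version names them differently. The function names are this example's own.

```powershell
# Added example (not from the original post). Lists SRP block events so that the set of
# helper programs an application launches can be read from the log rather than guessed.
# Assumption: provider 'Software Restriction Policies', event IDs 865/866/867/868/882.

function Get-SrpBlockEvents {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Software Restriction Policies'
        Id           = 865, 866, 867, 868, 882
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ev = $_
            # Blocked path and rule GUID are only present in the message text.
            $path = if ($ev.Message -match 'Access to (.+?) has been restricted') { $Matches[1] } else { $ev.Message }
            $rule = if ($ev.Message -match '\{[0-9a-fA-F-]{36}\}') { $Matches[0] } else { '<default level>' }
            # Resolve the SID to an account name where possible; fall back to the raw SID.
            $user = "$($ev.UserId)"
            try { $user = $ev.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{
                Time    = $ev.TimeCreated
                EventId = $ev.Id
                User    = $user
                Blocked = $path
                Rule    = $rule
            }
        }
}

# One row per blocked file: how often it was blocked, by which rules, and by which users.
function Get-SrpBlockSummary([int]$Hours = 24) {
    Get-SrpBlockEvents -Hours $Hours | Group-Object Blocked | ForEach-Object {
        [pscustomobject]@{
            Blocked = $_.Name
            Count   = $_.Count
            Rules   = ($_.Group.Rule | Sort-Object -Unique) -join ' '
            Users   = ($_.Group.User | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Count -Descending
}

# Run the blocked application once per affected account type, then read the summary.
Get-SrpBlockSummary -Hours 24 | Format-Table -AutoSize -Wrap
```

    Launch the application under each kind of user account the policy applies to, then run the summary: every helper the application tried to start shows up as its own Blocked row, together with the rule that stopped it, which is exactly the list of additional paths or hashes to consider allowing.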

  • Software Restriction Policy exceptions for Spiceworks scanning

    Is there a list of exceptions that should be added to allow Spiceworks to scan the network? I have a network with Software Restriction Policy blocking anything from running out of the temp folders, and I'm seeing this in the logs:
    Access to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Spiceworks\spiceworks_upload.vbs has been restricted by your Administrator by location with policy rule {c5b16481-b6f1-41e2-a202-65ae9ceb3865} placed on path C:\Documents and Settings\Administrator\Local Settings\Temp\*
    Will everything Spiceworks related run from the %temp%\Spiceworks folder, or are there other locations?
    This topic first appeared in the Spiceworks Community

    Hello,
    C:\Program Files\Internet Explorer\iexplore.exe
    You can try to use this variable:
    %ProgramW6432%
    It only exists on 64-Bit systems.
    Otherwise you can create a WMI-Filter that will enable the policy only for 64-Bit systems.
    select * from Win32_ComputerSystem WHERE SystemType LIKE "%64%"
    MVP Group Policy - myths, insider info and troubleshooting on the topic of GPOs:
    Let's go, use GPO!
    Success!  Well, sort of.
    I had already tried the WMI Filter but using the system variable worked.
    But it only worked for IE 9 and below.  IE 10 and above are still displaying the same issues.  Luckily we'll be on IE 9 for the foreseeable future so this isn't a big concern.
    Thanks Matthias!

  • RoboHelp9 HTML won't open software restriction policy

    My system administrator installed my upgrade to RoboHelp 9 today, but RH HTML won't open and gives a "Windows cannot open this program because it has been prevented by a  software restriction policy" error. Note that I do not have admin rights to my PC.

    Thank you for the quick answer.
    But I have tried setting these options to false
    and restarting FF.
    Nothing, the error is still present.
    browser.download.manager.scanWhenDone;false
    services.sync.prefs.sync.browser.download.manager.scanWhenDone;false
    Now I have written a small test application that will start a program:
        #include <windows.h>
        #include <stdio.h>
        #include <stdlib.h>
        int main(int argc, char *argv[])
        {
            static char CommandLine[4096];
            if (argc < 2) {
                printf("\nSoftware Restriction Policy ByPass for FireFox Thunderbird.\n"
                       "Set this Application Name as Mail Attachment Processing Handler.\n");
                return 1;
            }
            /* hand the file name given as the first argument to the shell's start command */
            snprintf(CommandLine, sizeof CommandLine, "start %s", argv[1]);
            return system(CommandLine);
        }
    The application is set up in FF as the application for .doc files, and it starts, but the error is still present.
    But if I set IE as the application for .doc files, IE starts and opens the .doc with Word!
    I have found that MS Office and 7-Zip, which do not work, are 64-bit applications.
    Foxit Reader is a 32-bit application and it works normally.
    Firefox is also 32-bit.

  • Software Restriction Policy/AppLocker Restricting Process by Parameters

    Is there any way with Software Restriction Policy or AppLocker to restrict the parameters a process is called with? For example we only want to allow: some.exe <this is OK to run>, but block everything else passed to that exe at start-up?

    Hi,
    >>Is there any way with Software Restriction Policy or AppLocker to restrict the parameters a process is called with?
    How is it going? Based on the description, I am afraid that we are not able to achieve this. As you may already know, both SRP and AppLocker use policy rules to restrict or unrestrict software. The policy rules of SRP are: certificate rules, hash rules, Internet zone rules and path rules; the rule conditions of AppLocker are: publisher, path and file hash.
    Regarding SRP rules and Applocker rules, the following articles can be referred to for more information.
    Work with Software Restriction Policies Rules
    http://technet.microsoft.com/en-us/library/hh994597.aspx
    Understanding AppLocker Rules
    http://technet.microsoft.com/en-us/library/dd759068.aspx
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    Best regards,
    Frank Shen

  • Antivirus has quarantined files from firefox program files directory as malware

    These 3 files have been quarantined as heuristic viruses or Trojans:
    libegl.dll
    nssdbm3.dll
    webapprt-stub.exe
    All 3 files are in the program files directory for firefox. After these files were quarantined and I tried to start FF I got error:
    Could not initialize the application's security component. The most likely cause is problems with files in your application's file directory. Please check that this directory has no read/write restrictions and your hard disk is not full or close to full. It is recommended that you exit the application and fix this problem. If you continue to use this session, you might see incorrect application behavior when accessing security features.
    Once I click OK it opens FF but it won't open the homepage. I want to be very sure these are actually FF program files and not some virus attempting to wreak havoc on my laptop. thanks.
    Unfortunately, I can't add any troubleshooting information as I'm in IE writing this up since I can't open FF.

    These might have been false positives.
    See also:
    *https://support.mozilla.org/kb/Could+not+initialize+the+browser+security+component
    Try to delete the cert8.db file and possibly the secmod.db file as well.
    *http://kb.mozillazine.org/Profile_folder_-_Firefox
    Do a clean reinstall and delete the Firefox program folder before (re)installing a fresh copy of the current Firefox release.
    Download a fresh Firefox copy and save the file to the desktop.
    *Firefox 24: http://www.mozilla.org/en-US/firefox/all.html
    Uninstall your current Firefox version, if possible, to cleanup the Windows registry and settings in security software.
    *Do NOT remove personal data when you uninstall your current Firefox version, because all profile folders will be removed and you lose personal data like bookmarks and passwords from profiles of other Firefox versions.
    Remove the Firefox program folder before installing that newly downloaded copy of the Firefox installer.
    *(32 bit Windows) "C:\Program Files\Mozilla Firefox\"
    *(64 bit Windows) "C:\Program Files (x86)\Mozilla Firefox\"
    *It is important to delete the Firefox program folder to remove all the files and make sure that there are no problems with files that were leftover after uninstalling.
    *http://kb.mozillazine.org/Uninstalling_Firefox
    Your bookmarks and other personal data are stored in the Firefox profile folder and won't be affected by an uninstall and (re)install, but make sure that "remove personal data" is NOT selected when you uninstall Firefox.
    If you keep having problems then also create a new profile.
    *http://kb.mozillazine.org/Profile_folder_-_Firefox
    *http://kb.mozillazine.org/Profile_backup
    *http://kb.mozillazine.org/Standard_diagnostic_-_Firefox#Clean_reinstall

  • Firefox 8.0.1 bypasses Windows software restriction policy and Windows UAC

    With the release of Firefox 8.0.1, Firefox bypasses Windows Software Restriction Policy (SRP).
    With Firefox 8.0.0 - (and previous), Firefox conformed to the policy set forth in SRP.
    In addition to the fact that Firefox completely ignores Windows SRP, Firefox also ignores Windows User Account Control. Standard, non-admin, accounts are able to install Firefox without administrative privileges. When the user executes the Firefox installer, Windows UAC prompts the user to elevate to install the program. If the user clicks "no" the Firefox installer continues past UAC and installs the program in the user's %appdata%\local folder instead of the %programfiles% (if the user were to elevate). Any other program would have ceased the installation if not elevated.
    I haven't seen any other software ignore SRP and continue to run and/or bypass UAC and continue to install.
    Please advise on what software policy needs to be in place to prevent Firefox from being installed and run on my domain.

    UAC prevents software from making system-wide changes without an administrator's consent. Its purpose isn't for IT staff to control which software may run, though most installers try to make their software available to all users on the computer.
    Are you checking the hash of the installer instead of the executable? Firefox gets updated frequently enough that maintaining hashes will be a lot of work.
    I haven't tried this, but perhaps populating user profile folders with a read-only path will cause the Firefox installer to fail. You'll also need to consider portable Firefox (http://portableapps.com/apps/internet/firefox_portable).

  • Windows Media Center - wont launch...due to Software Restriction Policy???

    Current system:
    Windows Vista x64 Ultimate RETAIL installed onto clean system.
    UAC disabled
    Using full administrator account w/ no restrictions
    Problem:
    Any time I attempt to launch Windows Media Center or Media Center Extender I receive the following popup error and the program does not even attempt to start:
    Error:
    [Windows Media Center
    "Windows cannot open this program because it has been prevented by a software restriction policy.  For more information contact your system administrator."
    Summary:
    When I initially installed the OS, this problem did not exist. I was able to launch WMC just fine. Only after a couple of months of reinstalling necessary base applications do I now get this error. My family cannot even use it as an extender for the Xbox 360 anymore.
    From what I can tell there are a lot of people with this issue and NO SOLUTION from MS as yet. I did see in one post that someone else had this error and was able to correct it by setting WMC as the default application in "Default Programs --> Set Program Access and Computer Defaults". This did not work for me at all. At this point I am at a complete loss. Any insight would be appreciated.
    -J

    For Windows 8 here was the solution that FIXED it for us:
    http://windows.microsoft.com/en-us/windows-8/set-program-access-computer-defaults
    To start, open the Set Program access and computer defaults page:
    Swipe in from the right edge of the screen, and then tap Search. (If you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search.)
    Enter control panel in the search box, and then tap or click Control Panel.
    Under View by:, select Large Icons, and then tap or click Default Programs.
    Tap or click Set program access and computer defaults.
    Set program access
    If you want to make a program inaccessible without uninstalling it, you can set it so it doesn't appear where programs are typically listed.
    On the Set Program access and computer defaults page, under Choose a configuration, tap or click Custom.
    Clear the Enable access to this program check box next to the programs you want to make inaccessible, and then tap or click OK.
    Shawn Lafferty

  • Software Restriction Policy batch vs vbs

    Hi there,
    I have recently implemented a Software Restriction Policy on a Computer level with Disallowed level as default.
    I whitelisted the \\mydomain\SysVol so that my Group Policies could run.
    I have a few batch files that run upon user logon. The batch files run, but the commands within them do not; they are getting "access denied".
    example of one of the batch files:
    sc start servicexyz, killtask processxyz
    if I were to convert my batch script into a vb script, would vb script be treated as a single file? unlike batch file which makes calls to other executables.
    Thanks,

    What you are trying to do cannot be done with a GP and cannot be done with a script. This is because what you are trying to do makes very little technical sense. Either delegate the right or use another method.
    ¯\_(ツ)_/¯
    This is how it worked for me just fine before I introduced SRP. 
    When user logged off, a logoff batch script used "sc start service" to start service
    When user logged on, a logon batch script used "sc stop service" to stop a service from running
    Before SRP, all of my users were local administrators of their computers, so permissions were not in the way. After the SRP introduction, I had to remove all users' local admin rights and now experience this issue.
    Do you mean it makes little technical sense with SRP or in general? Care to elaborate please?
    Why do you think you have to start and stop the service all of the time?  It sounds like a design issue or an issue with  a bad service.
    You can use SC to give users permissions on a service. You can give out just start and stop (control) to a group, then add or remove users from the group.
    The group can be a domain group and GP can change the security on a service.
    ¯\_(ツ)_/¯

  • How do I programmatically find Program Files directory?

    Do I need to use the Windows Registry? If so, where is it in the registry?
    I'm ultimately trying to find the Wordpad.exe file. I've been able to find where its location is stored in the registry, but the location listed is relative to the Program Files directory. Thus, I must now find the Program Files directory, too.
    Thanks in advance,
    Derek

    Attached is a VI WINDOWS-FIND-ABSOLUTE-APPLICATION-PATH.VI
    Given an application name in the registry such as WORDPAD.EXE, this VI is intended to read all the necessary information from a Windows machine's registry and return an absolute path.
    The VI specifically checks first to ensure that it is operating on a Windows platform before proceeding to read any registry keys. I don't work with other platforms a great deal; perhaps someone would care to 'fill in the blanks'. Entries in the registry for an application registration are either absolute or relative (I believe they should normally be relative to the %ProgramFiles% registry entry to allow system restoration to an alternative location).
    I did this because I wondered why the question had been posed. There are a number of especially interesting things that happen with respect to WORD and the way associated files are dealt with. However, I imagine a scenario like this. I am running a nice fat VI with lots of demands on system resources and I want to open up a viewer application for an RTF file I have generated. I don't want WORD to open the files as it's a great FAT application and has currently taken over the association for RTF files (despite it not being the registered handler in the registry - that's another story). Thus I want a lightweight application to do the work. Hence this VI.
    If this does the job please let us all know.
    Message Edited by Conseils on 04-16-2005 10:15 PM
    Attachments: Windows-Find-Absolute-Application-Path.vi (88 KB)

  • Your current security settings do not allow this file....

    Trying to download the latest version of iTunes and I get the message "Your current security settings do not allow this file to be downloaded." I have made no changes at all previous to attempting to download this update and have never had a download problem previous to this. I turned off my antivirus and set my browser security to its lowest security level; I still get the same message.

    Uh...that would be a tad difficult. I'm not supposed to have it. No one is...yet. I keep in touch with a friend I worked with as a PC tech about 10 years ago at a Best Buy (while in college.) He does Beta testing, sends me odds and ends (that typically wreck my system) and this one halfway works (actually less than half the features.) But, I've escaped bad software in the past using it. Sometimes, however, it prevents good software from loading as well. That's why I have asked if anyone else reported this kind of thing.
    The name, if you can find it, is 'Illegal Opcodes Anti-Trash.' Illegal Opcode is a screen name, by the way. And, it was written using Visual Basic. That's about all I can give you; that's pretty much all I know.
    If anyone else can verify something similar to this, let me know. I could uninstall it (Anti-Trash) and try again, but I just read other people's problems and I'm a little leery, to say the least. My current version of iTunes still works fine, so why risk it.
    Thanks for the feedback,
    Bradley

  • Software Restriction Policy

    Hi,
    We have applied Software restriction policies on a Test LAB to restrict the unwanted applications from running. We have made exception path, hash rules for genuine applications and software.
    We have observed that if the exception list grows large then we cannot open or change GPOs and clients also cannot apply the policy. Once we restore it from backup it works fine again.
    I wanted to know is there any limitation to the exception list after which we should consider creating additional policy.
    Thanks

    Hi Sukhwin08,
    Based on my knowledge, there is no limit on the number of Software Restriction Policy exceptions.
    Please enable GPSVC debug logging on the problematic client machine if the SRP cannot apply successfully. This log records detailed information about the group policy application process, which is very useful for troubleshooting group policy related issues. To do so, add the following registry entry:
    Sub-key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
    Entry: GPSvcDebugLevel
    Type: REG_DWORD
    Value: 30002 (HEX)
    After you make this change, run gpupdate /force on the computer to reproduce the issue. After that, compress the %SystemRoot%\Debug\UserMode\ folder and check if there are any errors about the issue.
    Please note: the registry key Diagnostics does not exist by default; we need to add it first. In addition, we can disable the debug logging after the troubleshooting.
    Regards,
    Lany Zhang
