Changing Local Policy "Prevent installation of removable devices" in CMD

How do I edit Group Policy Object "Prevent installation of removable devices" (https://technet.microsoft.com/en-us/library/cc753539(v=ws.10).aspx) in CMD?
I have a server (Windows Server 2008 R2) that is locked out, as I am unable to use a keyboard or mouse as input devices when the Windows login requires me to press Ctrl+Alt+Delete. This Policy is the one causing this locked out situation as the old keyboard and mouse which I am trying to solve.
Current situation only allows me to use CMD to make changes to the system when I boot up with a bootable CD.
My server doesn't have PS2 port for the old type keyboard. Any other solution that can help me solve this locked out situation is also welcome :)

"Prevent installation of removable devices" is part of "Administrative Templates" and therefore corresponds to a Registry key.
To find out that registry key, I searched for "Prevent installation of removable devices" within C:\Windows\PolicyDefinitions\en-US\, found <string id="DeviceInstall_Removable_Deny">Prevent installation of removable devices</string> in C:\Windows\PolicyDefinitions\en-US\DeviceInstallation.adml. Then I searched for DeviceInstall_Removable_Deny in C:\Windows\PolicyDefinitions\ and found it in C:\Windows\PolicyDefinitions\DeviceInstallation.admx. The registry key is:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions
valueName: DenyRemovableDevices
enabled Value: decimal 1
disabled Value: decimal 0
If you change that value, it will be overridden when the group policy is applied the next time -- most likely at boot time.
According to http://learnthat.com/prevent-group-policy-from-applying-to-your-computer/ you can avoid this by denying write permissions to that specific registry key. (Note, I did not test this!)
To change the registry offline, you can boot from a Windows install CD, press Shift+F10 simultaneously to open cmd, type regedit, select the HKEY_LOCAL_MACHINE key, click Menu File -> Load Hive..., navigate to your installation's \Windows\System32\Config\ folder and select the file named SOFTWARE.
Choose any key name that doesn't already exist (e.g. Offline_Software) and then change the registry under that key (e.g. HKEY_LOCAL_MACHINE\Offline_Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions).
When you're done, select your loaded Hive (e.g. HKEY_LOCAL_MACHINE\Offline_Software) and click File -> Unload Hive...
To shut down properly, just close all windows, including the setup window.
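
The same offline edit done with reg.exe alone, since the question asks for CMD. This is an added example, not part of the original answer; the drive letter D:, the script name fixpolicy.cmd and the .bak backup file name are assumptions.

```batch
@echo off
rem Added example: offline edit of DenyRemovableDevices from the Shift+F10 prompt.
rem Usage: fixpolicy.cmd D:
rem   D: is an assumed drive letter for the volume that holds the offline \Windows folder.
setlocal
set "OSVOL=%~1"
if "%OSVOL%"=="" set "OSVOL=D:"
set "HIVE=%OSVOL%\Windows\System32\Config\SOFTWARE"
rem Mount name taken from the answer; any unused key name works.
set "MOUNT=HKLM\Offline_Software"
set "KEY=%MOUNT%\Policies\Microsoft\Windows\DeviceInstall\Restrictions"

if not exist "%HIVE%" (
    echo SOFTWARE hive not found at %HIVE% - check the drive letter.
    exit /b 1
)

rem Keep a copy of the hive before changing it (backup name is an assumption).
copy /y "%HIVE%" "%HIVE%.bak" >nul || exit /b 1

rem Equivalent of File -> Load Hive... in regedit.
reg load "%MOUNT%" "%HIVE%" || exit /b 1

echo Value before the change:
reg query "%KEY%" /v DenyRemovableDevices

rem 0 = policy disabled, 1 = policy enabled (values from DeviceInstallation.admx).
reg add "%KEY%" /v DenyRemovableDevices /t REG_DWORD /d 0 /f
set "RC=%ERRORLEVEL%"

echo Value after the change:
reg query "%KEY%" /v DenyRemovableDevices

rem Equivalent of File -> Unload Hive...; the change is only flushed to disk here.
reg unload "%MOUNT%"
exit /b %RC%
```

If the machine receives this setting from a domain GPO, the value is rewritten at the next policy refresh, as the answer notes, so the policy itself still has to be corrected at its source.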

Related

Windows 10 Compatibility Mode | Registry Key

I'm currently packaging an application to run in compatibility mode. I easily found the location where the registry keys are created in the HKLM (for all users) or HKCU (for only the logged on user).
The problem is; which I really don't know if it's a problem, I can set the registry key in HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers. I create a REG_SZ with the name of the key being the path.
E.G.: C:\Program Files (x86)\MyApplicationDirectory\MyApp.exe
The value of this key is ~WIN7RTM
The problem is this, when I install the application and I create a registry key with this path. I can click on the shortcut properties and go into the Compatibility Tab and noticed it does not appear it's set to run in Compatibility Mode in Windows 7.
I know I created the correct registry key because I originally created the shortcut through the compatibility tab and clicked "Change Settings for All Users" and then set it to run in Windows 7 there. If I set compatibility mode within the shortcut, I can see it checked. (highlighted in yellow)
But if I try to set compatibility mode via the registry key and I go into the properties of the EXE or shortcut, the box is not checked.
If I set the registry key, how do I verify the application is running in compatibility mode?
Is there another way I can set the registry key and be sure it's running in compatibility mode?
Never mind, folks. I did a stare and compare on the registry keys that are created. I did not add a space between the ~ and WIN7RTM. Once I added a white space, it worked fine.
Before: ~WIN7RTM (not correct)
After: ~ WIN7RTM (correct)
Overlooked it.

Crashing Windows 7 using batch

I came across this link: https://vmxp.wordpress.com/2014/10/29/stress-testing-an-esxi-host-with-windows-server-vms/
Since I am not so good in PowerShell, I turned the whole thing into a simple batch script:
:loop
start testlimit64 -d
timeout /t 15
taskkill /f /im "testlimit64.exe"
timeout /t 9
goto loop
Note that I got into SYSTEM ACCOUNT before doing that using PsExec. The system I am using is a VM under ESXi. But nothing is happening, even the vm is not crashing. My aim is to crash whole esxi server.
I have two VMs under the ESXi and I ran the above scripts in both of them.
Still no luck. Am I missing something?
Windows 2000 Feature Allows a Memory.dmp File to Be Generated with Keyboard
Q244139
The information in this article applies to:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.
SUMMARY
Microsoft Windows 2000 includes a feature that enables you to have the system stop responding and generate a Memory.dmp file (if configured to do so). The "Stop" screen that generates contains the following parameters:
*** STOP: 0x000000E2 (0x00000000,0x00000000,0x00000000,0x00000000)
The end-user manually generated the crashdump.
MORE INFORMATION
WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT or Windows 2000, you should also update your Emergency Repair Disk (ERD).
This feature is disabled by default. To enable this feature, you must edit the registry as indicated below and restart the computer. After restarting the computer, you can generate a system to stop responding by holding down the right CTRL key and pressing the SCROLL LOCK key twice. Pressing left CTRL key does not generate the system to stop responding.
Please note that the steps below will not work on Legacy Free computers, i.e., those that use a USB keyboard. For those, you must attach a debugger.
Start Registry Editor (Regedt32.exe).
Locate the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters
On the Edit menu, click Add Value, and then add the following registry value:
Value Name: CrashOnCtrlScroll
Data Type: REG_DWORD
Value: 1
Quit Registry Editor.
Additional query words: blue screen force dump bluescreen crash memory.dmp
For USB keyboards a USB one was added in a later OS. This sets Left Ctrl + Space, Space for both USB (kbdhid) and PS/2 (i8042) keyboards.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\crashdump]
"Dump1Keys"=dword:00000020
"Dump2Key"=dword:0000003D
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\crashdump]
"Dump1Keys"=dword:00000020
"Dump2Key"=dword:0000003D
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters]
"CrashOnCtrlScroll"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters]
"CrashOnCtrlScroll"=-

Authentication issues using simulated host via UNC

After modifying my "hosts" file I have appended the location for "testunc" to "127.0.0.1". When I type in the path "\\testunc\share" into "Run" (I have a shared folder on my C:\ drive called "share") I receive an authentication prompt. I am asked for the credentials to the "Guest" account on my local machine. Though the "Guest" account does not have a password, it always fails.
I am coding an application locally for use on a standalone network. I need to simulate the UNC path locally so that I can see if the application will work on the actual network.
\\127.0.0.1\share works great, \\localhost\share yields the following alert: "You were not connected because a duplicate name exists on the network."
Edit & Answer
Since I only have 9 rep at the moment I can't self answer for 6 more hours. I will self answer later on. Answer is as follows:
Ok, figured it out. I don't advise doing this if there are security concerns on the local PC that you will be using. I.E. undo this once you've done what you need.
Do all this after modifying your C:\windows\system32\drivers\etc\hosts file with the new hostname and IP.
Required Steps Overview
Install Loopback adapter from Microsoft (might not matter)
Modify registry to disable loopback authentication
Modify registry to disable strict name checking.
Step Breakdown
First install the loopback adapter following these instructions (this is on Windows XP mind you). Go into the properties for this adapter and change its static IP address and gateway if you like. It will work the same way as Localhost but use a different IP.
Follow the instructions in the technet post referenced in my comments above (enumerated below):
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Right-click Lsa, point to New, and then click DWORD Value.
Next open your registry (windows + r, 'regedit' in the run prompt).
Type DisableLoopbackCheck, and then press ENTER.
Right-click DisableLoopbackCheck, and then click Modify.
In the Value data box, type 1, and then click OK.
Exit Registry Editor.
Restart the computer.
After reboot you must now disable strict name checking following the instructions from this article (enumerated below):
Click Start, click Run, type regedit, and then click OK.
Locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
On the Edit menu, click Add Value, and then add the following registry DWORD value: DisableStrictNameChecking
Right-click DisableStrictNameChecking, and then click Modify.
In the Value data box, type 1, and then click OK.
Exit Registry Editor.
Restart the computer.
After the last restart you will be able to path to a "simulated" unc location on your localhost computer. This should help in testing network deployed applications / scripts on a standalone system.
Self answering this one. Answer is also included in original question text.
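
For the "undo this once you've done what you need" step, a script that reports the two values and removes them on request. This is an added example, not part of the original post; it assumes neither value existed before the test, so deleting them restores the previous state, and the /revert switch is this script's own.

```batch
@echo off
rem Added example: report, and optionally revert, the two registry values
rem set for local UNC testing. Run from an elevated prompt.
rem Usage: script.cmd           (report only)
rem        script.cmd /revert   (report, then delete both values)
setlocal
set "LSA=HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
set "SRV=HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

call :report "%LSA%" DisableLoopbackCheck
call :report "%SRV%" DisableStrictNameChecking

if /i "%~1"=="/revert" (
    rem Assumption: the values were absent before testing, so removal is the undo.
    reg delete "%LSA%" /v DisableLoopbackCheck /f
    reg delete "%SRV%" /v DisableStrictNameChecking /f
    echo Restart the computer for the change to take effect.
)
exit /b 0

:report
rem %1 = registry key, %2 = value name. Prints the data if the value exists.
set "DATA="
for /f "tokens=3" %%D in ('reg query "%~1" /v %2 2^>nul ^| findstr /i /c:"%2"') do set "DATA=%%D"
if defined DATA (echo %2 = %DATA%) else (echo %2 is not present)
exit /b 0
```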

VB6 Application on Windows 7 Cannot Access Mapped Drives

I have a VB6 application which links to several POS terminals from a Windows 7 32-bit machine. The POS terminals are mapped to the Windows 7 machine and I can access the POS terminals from the Windows 7 machine from Explorer or via the cmdline/shell.
The application has been updated to ADO 2.8 and all other controls and components I no longer had source code for have been re-written. After a few annoying hiccups, I got the application to recompile on the Windows 7 computer without errors.
Now come the problems. The VB6 application cannot see or navigate to any mapped drives! I have tried twiddling UAC settings; I have set the app to run in Windows XP SP3 mode; I have tried running as Administrator. None of these things (and many permutations of these) work.
Any suggestions on how to make this work?
Adding this registry setting solved the problem for me: http://technet.microsoft.com/en-us/library/ee844140%28v=ws.10%29.aspx.
To work around this problem, configure the EnableLinkedConnections
registry value. This value enables Windows Vista and Windows 7 to
share network connections between the filtered access token and the
full administrator access token for a member of the Administrators
group. After you configure this registry value, LSA checks whether
there is another access token that is associated with the current user
session if a network resource is mapped to an access token. If LSA
determines that there is a linked access token, it adds the network
share to the linked location. To configure the EnableLinkedConnections
registry value
Click Start, type regedit in the Start programs and files box, and
then press ENTER.
Locate and then right-click the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
Point to New, and then click DWORD Value.
Type EnableLinkedConnections, and then press ENTER.
Right-click EnableLinkedConnections, and then click Modify.
In the Value data box, type 1, and then click OK.
Exit Registry Editor, and then restart the computer.
I believe you are having trouble because casual drive mapping is per-user, and on a UAC system Administrators group users have two separate contexts (one for each token: SU & elevated).
There is such a thing as a system level drive mapping, which is one done under the System user (NT Authority\System). When you map a drive under this account, and map it persistently, all users can see and use the mapping (subject to the usual access rights for files there).
The normal way you do this is via Domain-level GPOs (Group Policy Objects), which means bribing your local box jockeys if in a corporate managed LAN environment.
One way to do this in a Workgroup machine is to map the letter as System via the AT command, from an elevated command prompt:
at 8:53 am "net use m: \\MediaShare\MyLibrary ThePW /user:MediaShare\TheUser /persistent:yes > nul"
There the remote server is MediaShare, user TheUser, password ThePW, and 8:53 AM is a minute or two in the future to avoid accidentally scheduling this for tomorrow.
But this fails on Vista and later due to Session 0 Isolation!
So... use the 3rd alternative at Run CMD.exe as Local System Account which is the same thing mentioned by ForcePush's reply to How to map a network drive to be used by a service.
I believe that's what you are after here.
Don't know if you ever figured this one out, but for me it was the ChDir command (even with the registry fix above).
I had in my code
ChDir "P:\Temp\VidCap\Cam1\" 'I almost never use ChDir
Open "list.txt" For Output As #1
and all the VB6 inbuilt file commands looked straight through any operations, no errors, no nothing. I solved it by explicitly having the path (in my code it was in a string but you could have it explicitly):
dd = "P:\Temp\VidCap\Cam1\"
Open dd & "list.txt" For Output As #1
works as expected.
hope this helps
H
Try this:
Open command prompt as administrator, and type this in:
net use Z: \\IP Address\share /user:you passwd /persistent:Yes
Change "IP Address", the "share" name, and your username and password as needed.
The author of this is howtogeek (source).
I had same problem. VB6 kept crashing when trying to access USB and mapped drives using the Commondialog method, even though the drives and files were all accessible OK via Explorer. Problem is the drives were not set as shared.
Solved by selecting the connected USB drive in Explorer and then right-clicking to select Properties.
Select Sharing Tab
Select Advanced Sharing
Set the sharing and user rights as needed. May need to have local admin rights.

How to auto login to windows account?

I am researching ways to auto login to a windows server, so applications can be restarted on reboot if the server crashes. Do windows services load before or after a user logs in? Can a windows service be used to login to an account?
If not, is there any way to use some sort of login script to facilitate automatically logging in?
For auto login. Here is one of them:
To use Registry Editor (Regedt32.exe) to turn on automatic logon, follow these steps:
Click Start, and then click Run.
In the Open box, type Regedt32.exe, and then press ENTER.
Locate the following subkey in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Double-click the DefaultUserName entry, type your user name, and then click OK.
Double-click the DefaultPassword entry, type your password, and then click OK. NOTE: If the DefaultPassword value does not exist, it must be added. To add the value, follow these steps:
On the Edit menu, click New, and then point to String Value.
Type DefaultPassword, and then press ENTER.
Double-click DefaultPassword.
In the Edit String dialog, type your password and then click OK.
NOTE: If no DefaultPassword string is specified, Windows automatically changes the value of the AutoAdminLogon key from 1 (true) to 0 (false), disabling the AutoAdminLogon feature.
On the Edit menu, click New, and then point to String Value.
Type AutoAdminLogon, and then press ENTER.
Double-click AutoAdminLogon.
In the Edit String dialog box, type 1 and then click OK.
Quit Registry Editor.
Click Start, click Shutdown, and then type a reason in the Comment text box.
Click OK to turn off your computer.
Restart your computer. You can now log on automatically.
Taken from: http://support.microsoft.com/kb/324737
Services run regardless of whether a user logs on. If you need an application to run all the time, have you considered converting it to a service? Auto-logon is a security risk.
Windows Services do load before user logins. A Windows service cannot be used to login to an account, but you can specify the account to run the service under. You can set up automatic login in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. AutoAdminLogon, DefaultUserName, DefaultPassword, DefaultDomainName, and ForceAutoLogon are the keys you will need to set. They are all strings.
P.S. This is more a Server Fault \ Super User question.
Services start before login.
And rather than using a service to log into an account, why not just set the account to auto log in?
http://www.expta.com/2008/03/how-to-enable-autologon-in-windows.html.
*edit*Beaten to it*
I have tested it on:
WIN10 updated Jan-2016
WIN7 updated Jan-2016
And it works!
I use this .REG file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultDomainName"="DOMAINNAME"
"DefaultUserName"="USERNAME"
"DefaultPassword"="PASSWORD"
Extracted from: http://www.sysadmit.com/2016/01/windows-configurar-autologin.html
Maybe sysinternals/autologon.exe should be mentioned here.
It has a very simple gui and can also be used by command line only.
I guess it does the registry entry in the background.
