Add ability to specify Windows folder for offline systems #72

Open
gdmeunier opened this issue Aug 20, 2023 · 0 comments
Labels
enhancement A request for additional functionality

Comments

@gdmeunier

Hello,
I want to suggest a new feature for Policy Plus:

It would be perfect for Policy Plus to be able to manually specify the path to a Windows folder, such as when plugging in a different drive over USB to edit its group policies offline.

Policy Plus already has a forensic-friendly method for editing group policies without using built-in runtime components from Windows.

It directly edits the registry hives and regenerates the .POL files manually, so this feature request means the following:

  • Policy Plus would have to get a window menubar item named 'Edit Offline System'

  • Then a Folder picker window appears and I select e.g. a Windows folder on USB HDD

  • Policy Plus tries finding the system hives and mounts SOFTWARE, then it tries to mount the SYSTEM HIVE (e.g. as HKLM\OFFLINE_X_SOFTWARE, HKLM\OFFLINE_X_SYSTEM)

  • Once it mounts the SYSTEM hive it tries to parse where the User Profiles directory should be

  • Then it mounts User profile hives ('ntuser' with .dat extension?) as well

  • Afterwards it's 'just' a matter of prefixing all read values found in the offline system ADMX files (e.g. X:\Windows\PolicyDefinitions) with HKLM\OFFLINE_X_SOFTWARE instead of HKLM\ only

  • User hives can be mounted as HKLM\OFFLINE_X_USERNAME_SOFTWARE for example

This way we exploit the existing forensic editing capability of Policy Plus for editing offline systems' group policies.

This is nonetheless a sizeable task to do, in terms of parsing & exception handling too.

If you implement this feature this will however make Policy Plus a considerable boost / plus for using it to diagnose system problems related to wrong Group Policy edits (such as edits that accidentally strip Admin users of Admin capabilities at reboot).

And as a last note: I think that it should really be mentioned explicitly in Policy Plus that we have to manually Save to Registry & Apply Policy in order for policies to correctly be updated in gpedit.msc too.

Otherwise some GPO edits just don't work and don't show as modified either in gpedit.msc.

I didn't know that we had to manually do Apply Policy (.POL file) after saving to registry.

This will help users new to Policy Plus to avoid frustration when editing lots of GPOs and getting no effect, with no modified policy in gpedit.msc (I had thought that all the edits were either lost or done in vain).

Wishing success for Policy Plus, and to also become able to edit offline systems (much like how Sysinternals Autoruns can edit offline installs).

@Fleex255 Fleex255 added the enhancement A request for additional functionality label Aug 21, 2023
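The mount-and-prefix procedure proposed in the issue, as an added PowerShell example that is not Policy Plus code and not part of the original issue. It loads the offline SOFTWARE and SYSTEM hives with reg.exe under the HKLM\OFFLINE_<Tag>_* names the issue suggests, reads the profiles directory and per-SID profile paths from ProfileList (which lives in the SOFTWARE hive rather than SYSTEM), loads each profile's NTUSER.DAT, and maps ADMX-style keys (relative to HKLM for class="Machine", relative to HKCU for class="User") onto the mounted hives. The $OfflineRoot, $Tag, the OFFLINE_<Tag>_USER_<SID> naming and the example policy keys are assumptions chosen for illustration; it assumes an elevated session on a live Windows host and that the offline installation is not booted.

```powershell
# Added example (not Policy Plus code): mount an offline Windows installation's
# hives under HKLM\OFFLINE_<Tag>_* and map ADMX registry keys onto them.
# Assumptions (not from the issue): elevated PowerShell on a live Windows host,
# offline Windows folder at $OfflineRoot on a volume that is not booted, and the
# key-name scheme OFFLINE_<Tag>_SOFTWARE / _SYSTEM / _USER_<SID>.
param(
    [string]$OfflineRoot = 'X:\Windows',   # assumed path to the offline Windows folder
    [string]$Tag = 'X'                      # assumed tag used in the mounted key names
)
$ErrorActionPreference = 'Stop'
$config = Join-Path $OfflineRoot 'System32\config'
$script:mounted = @()   # key names loaded so far; unloaded in reverse order in finally

function Mount-OfflineHive {
    param([string]$KeyName, [string]$HivePath)
    if (-not (Test-Path -LiteralPath $HivePath)) { throw "Hive not found: $HivePath" }
    # reg.exe load needs SeRestorePrivilege, which an elevated session already holds.
    & reg.exe load "HKLM\$KeyName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load HKLM\$KeyName failed (exit $LASTEXITCODE)" }
    $script:mounted += $KeyName
}

function Dismount-OfflineHives {
    # Live RegistryKey objects keep a loaded hive busy; release them before unloading.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    for ($i = $script:mounted.Count - 1; $i -ge 0; $i--) {
        & reg.exe unload "HKLM\$($script:mounted[$i])" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload HKLM\$($script:mounted[$i]) failed" }
    }
    $script:mounted = @()
}

function Get-RawValue {
    # Read a REG_EXPAND_SZ without expanding %SystemDrive% etc. against the LIVE machine.
    param([string]$KeyPath, [string]$Name)
    $key = Get-Item -LiteralPath $KeyPath
    $key.GetValue($Name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
}

function Convert-PolicyPath {
    # ADMX keys are relative to HKLM (class="Machine") or HKCU (class="User").
    # Returns the equivalent PowerShell provider path under the mounted offline hives.
    param(
        [ValidateSet('Machine','User')][string]$Class,
        [string]$Key,
        [string]$Sid    # required for User-class keys
    )
    if ($Class -eq 'User') {
        if (-not $Sid) { throw 'User-class keys need the profile SID' }
        return "HKLM:\OFFLINE_${Tag}_USER_$Sid\$Key"
    }
    switch -Regex ($Key) {
        '^Software\\(.*)$' { return "HKLM:\OFFLINE_${Tag}_SOFTWARE\$($Matches[1])" }
        '^System\\(.*)$'   { return "HKLM:\OFFLINE_${Tag}_SYSTEM\$($Matches[1])" }
        default            { throw "Machine key outside SOFTWARE/SYSTEM: $Key" }
    }
}

$offlineDrive = Split-Path -Qualifier $OfflineRoot      # e.g. X:
try {
    Mount-OfflineHive "OFFLINE_${Tag}_SOFTWARE" (Join-Path $config 'SOFTWARE')
    Mount-OfflineHive "OFFLINE_${Tag}_SYSTEM"   (Join-Path $config 'SYSTEM')

    # ProfileList (profiles directory plus one subkey per profile SID) is in the SOFTWARE hive.
    $plKey = "HKLM:\OFFLINE_${Tag}_SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
    $profilesDir = (Get-RawValue $plKey 'ProfilesDirectory') -replace '^%SystemDrive%', $offlineDrive
    Write-Host "Offline profiles directory: $profilesDir"

    $profiles = @{}
    foreach ($sub in Get-ChildItem -LiteralPath $plKey) {
        $sid = $sub.PSChildName
        if ($sid -notlike 'S-1-5-21-*') { continue }        # skip SYSTEM/service well-known SIDs
        $img = Get-RawValue $sub.PSPath 'ProfileImagePath'
        if (-not $img) { continue }
        # Rebase the profile path from the offline OS's own drive letter onto the USB drive.
        $img = $img -replace '^(%SystemDrive%|[A-Za-z]:)', $offlineDrive
        $ntuser = Join-Path $img 'NTUSER.DAT'
        if (Test-Path -LiteralPath $ntuser) {
            Mount-OfflineHive "OFFLINE_${Tag}_USER_$sid" $ntuser
            $profiles[$sid] = $img
        }
    }

    # Translate example ADMX keys (illustrative, chosen here) and read them from the offline hives.
    $machineKey = Convert-PolicyPath -Class Machine -Key 'Software\Policies\Microsoft\Windows\System'
    Write-Host "Machine policy key -> $machineKey"
    Get-ItemProperty -LiteralPath $machineKey -ErrorAction SilentlyContinue
    foreach ($sid in $profiles.Keys) {
        $userKey = Convert-PolicyPath -Class User -Sid $sid -Key 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
        Write-Host "$sid ($($profiles[$sid])) -> $userKey"
    }
    # Writes go through the same translated paths, e.g. New-Item -Force on $machineKey
    # followed by Set-ItemProperty -Name <policy value> -Type DWord.
}
finally {
    Dismount-OfflineHives
}
```

Two caveats worth knowing before relying on this. First, Windows replays a hive's .LOG1/.LOG2 transaction logs when it is loaded, so the offline installation should have been shut down cleanly; a system left in fast-startup hibernation can have hives that are not consistent on disk. Second, this script only changes the offline registry: the Registry.pol files under the offline Windows\System32\GroupPolicy folder, which the issue's Save to Registry / Apply Policy remark is about, are not regenerated here, so gpedit.msc on that system would not show the edits until they are.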