Archived from groups: microsoft.public.win2000.group_policy

Some malware critters are adding Group Policy settings to the
registry. Some current favorites are enabling Active Desktop and
specifying the wallpaper. The user unaware of Group Policy is hapless
to reset the display.

It's easy enough to scan the registry to determine if the settings
exist, but is there any way to differentiate on a given PC between
settings applied by Group Policy (which would not be alarming) from
values that were simply added to appropriate sub-keys under
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies?

If the values were unauthorized, the user would be warned. If the
values were added under the auspices of Group Policy, no warning would
be needed.

regards, Andy
--
**********

Please send e-mail to: usenet (dot) post (at) aaronoff (dot) com

To identify everything that starts up with Windows, download
"Silent Runners.vbs" at www.silentrunners.org

Archived from groups: microsoft.public.win2000.group_policy

If you run gpresult /v on a suspect PC this should tell you exactly what was
being applied by Group Policy. (Assuming you use Windows XP)

"Andrew Aronoff" <NOSPAM_WRONG.ADDRESS@yahoo.com> wrote in message
news:fp6c71dbphj24pbpnrcqvdpguk1v3okjc5@4ax.com...
> Some malware critters are adding Group Policy settings to the
> registry. Some current favorites are enabling Active Desktop and
> specifying the wallpaper. The user unaware of Group Policy is hapless
> to reset the display.
>
> It's easy enough to scan the registry to determine if the settings
> exist, but is there any way to differentiate on a given PC between
> settings applied by Group Policy (which would not be alarming) from
> values that were simply added to appropriate sub-keys under
> HKCU\Software\Microsoft\Windows\CurrentVersion\Policies?
>
> If the values were unauthorized, the user would be warned. If the
> values were added under the auspices of Group Policy, no warning would
> be needed.
>
> regards, Andy
> --
> **********
>
> Please send e-mail to: usenet (dot) post (at) aaronoff (dot) com
>
> To identify everything that starts up with Windows, download
> "Silent Runners.vbs" at www.silentrunners.org
>
> **********

Archived from groups: microsoft.public.win2000.group_policy

Hi, Simon.

>If you run gpresult /v on a suspect PC this should tell you exactly what was
>being applied by Group Policy. (Assuming you use Windows XP)

GPRESULT /V doesn't appear to provide the info I'm looking for. For
instance, I enabled two policies to an XP Pro workstation that added
values to

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

I added a third value to this key manually, simulating the actions of
malware. I ran GPRESULT /V and saw the following:

    Administrative Templates
    ------------------------
    GPO: Local Group Policy
    Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System
    State: Enabled

This report doesn't tell me _which_ values are the legitimate result
of policies. Is there any way to tell?

regards, Andy
--
**********

Please send e-mail to: usenet (dot) post (at) aaronoff (dot) com

To identify everything that starts up with Windows, download
"Silent Runners.vbs" at www.silentrunners.org