|
Wow!
|
|
|
|
|
Hello.
I need your help.
First of all, I hope you understand that the sentence structure can be strange as I ask questions using a translator machine.
I'm looking for group policy editor api.
Especially, Local Computer Policy/Computer Configuration/Administrative Templates/System/Removable Stroage Access area.
When I changed this part, I found a registry that was created or disappeared.
But what I want is to be able to modify this group policy directly.
Because even if the registry is modified, as a result, the registry is changed to data corresponding to the group policy.
If you know the api that can modify the group policy editor, please let me know.
Thank you.
|
|
|
|
|
|
Thanks your reply.
I checked the link you gave me.
But I'm not sure which method to use in the meantime.
I don't see any method to change the content of Group Policy anywhere.
Of course there is a 100 percent chance that I will not find it.
A little more specific, I would really appreciate if you let me know which method I should use.
Thank you.
|
|
|
|
|
|
Thanks to reply.
I went to the link you gave me, but what method should I use there?
If I knew after seeing the answer, I would not request received the answer again.
I don't really know what to use at that link.
There is no setting method anywhere.
I want to set 'Local Computer Policy/Computer Configuration/Administrative Templates/System/Removable Stroage Access' this area below.
Thanks.
|
|
|
|
|
Sorry, I have not used this API, you will need to study the documentation. Alternatively use Google to find sample code.
|
|
|
|
|
You should add more error handling, this is just a code sample:
#include <guiddef.h>
#include <initguid.h>
#include <windows.h>
#include <comdef.h>
#include <cguid.h>
#include <atlcomcli.h>
#include <gpedit.h>
#include <Iaccess.h>
#pragma comment(lib,"gpedit.lib")
int main()
{
HKEY key;
HKEY pol;
DWORD val = 1;
DWORD disp = 0;
GUID ext = REGISTRY_EXTENSION_GUID;
CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);
CComPtr<IGroupPolicyObject> lgp;
HRESULT hr = CoCreateInstance(CLSID_GroupPolicyObject, NULL, CLSCTX_INPROC_SERVER, IID_IGroupPolicyObject, (LPVOID*)&lgp);
if (SUCCEEDED(lgp->OpenLocalMachineGPO(GPO_OPEN_LOAD_REGISTRY)))
{
if (SUCCEEDED(lgp->GetRegistryKey(GPO_SECTION_MACHINE, &key)))
{
RegCreateKeyExW(key, L"SOFTWARE\\Policies\\Microsoft\\Windows\\RemovableStorageDevices", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE | KEY_QUERY_VALUE, NULL, &pol, &disp);
RegSetValueEx(pol, L"Deny_All", 0, REG_DWORD, (BYTE*)&val, sizeof(val));
RegCreateKeyExW(key, L"SOFTWARE\\Policies\\Microsoft\\Windows\\RemovableStorageDevices\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE | KEY_QUERY_VALUE, NULL, &pol, &disp);
RegSetValueEx(pol, L"Deny_Write", 0, REG_DWORD, (BYTE*)&val, sizeof(val));
RegSetValueEx(pol, L"Deny_Read", 0, REG_DWORD, (BYTE*)&val, sizeof(val));
RegSetValueEx(pol, L"Deny_Execute", 0, REG_DWORD, (BYTE*)&val, sizeof(val));
RegCloseKey(key);
hr = lgp->Save(TRUE, TRUE, &ext, const_cast<GUID*>(&CLSID_GPESnapIn));
_com_error err(hr);
wprintf(L"%s", err.ErrorMessage());
}
}
lgp.Release();
CoUninitialize();
return 0;
}
It will set the following policies:
- All Removable Storage classes: Deny All access
- Removable Disks: Deny execute access
- Removable Disks: Deny read access
- Removable Disks: Deny write access
Best Wishes,
-David Delaune
[Edit two days later]
You can also add an attack surface reduction policy via Windows Defender that requires anything that executes from USB to be signed:
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled
modified 4-Sep-20 17:57pm.
|
|
|
|
|
To anyone who can help me Please?
I apologise in advance if my question seems confusing noobish but I have no clue about coding in C++ hence the apparent ignorance & difficulty to me (& for some it may be a very basic question). First of all I have these lines of code that I would like to amend slightly like so:
typedef DWORD(__stdcall *CPP) (DWORD param1, PWCHAR param2, DWORD param3);
void Disable_WFP() {
hmod=LoadLibrary("sfc_os.dll");
CPP SetSfcFileException;
SetSfcFileException=(CPP)GetProcAddress(hmod,(LPCSTR)5);
SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe",-1);
}
It is not my code it belongs to Abdellatif_El_Khlifi & all credit belongs to him but I would like to make a small amendmant to his code but have no clue how to do this the alteration I would like to change this line:
SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe",-1);
and alter to: (this is obviously not C++ but just trying to illustrate what I am trying to do)
SetSfcFileException(0, L"%SystemDrive%\\windows\\system32\\calc.exe",-1);
My question is there a equivelent C++ code for the SystemDrive variable & could someone re-code this to make the small amendmant Please to suit my needs? The reason is it will make the program more generic for me just in case say for instance my OS XP is installed on D:\\ drive instead of C:\\ drive. I have found this snippet of code that may be of help but have no clue as to how I would incorporate in the given scenario above. char *sysDrive = getenv ("SystemDrive"); or this
sysdrive = getenv("SYSTEMDRIVE");
if (sysdrive == NULL || *sysdrive == NUL)
sysdrive = "C:\\";
}
Best Regards,
Jackngill
|
|
|
|
|
Funny that someone who admits having little programming experience wants to explore an issue that has been linked to malware in the past.
Can you explain what legitimate purpose you have?
BTW the article you mention is here on CP. Also I don’t see what useful purpose it serves.
Mircea
modified 30-Aug-20 23:38pm.
|
|
|
|
|
Hi Mircea,
I suppose as with all things in life you can use any tool for either a positive outcome or negative outcome & I am not very happy that I am being targeted as a possible Malware code writer as I am absolutely not. For one thing I would not post a question like this here it would be on the dark web (Whatever that is as I have never been there) And who & what has been linked to malware? If it has been linked to malware why has the code by Abdellatif_El_Khlifi been allowed to remain posted for as long as it has, that to me is what is funny?
As to my personal reasons to undertake this task I will try to explain. Firstly I am still using XP & I like to carry operations like creating mini windows varients of XP Which is not negative in its self. I will chop and change from a good XP system to a Mini XP system on different drives so the code altered re the SystemDrive makes it easier for generic drives not being hardcoded to C:\\ & to me is a legitimate reason. The portion of code suits my needs very well in that I can selectively stop Windows File Protection on individual files to carry out removal or adjustment so that I do not get error messages being reported back. There is a way already of disabling WFP but it is more of a shotgun shampoo approach in that it switches off WFP wholesale but I digress. This code would facilitate me in selectively disarming WFP on a selective file(s) in a quick manner without rebooting etc etc. I stated & came clean about who wrote the original code & I hinted in my original post the reason for it. My motives are honourable & not for negative reasons to me it would prove very useful! XP as an OS is becoming a niche market there is no longer any support for it so if I was a malware code writer I would surely opt for something like Windows 10 for greater kudos YES/NO?
If it is a problem & is considered to be useful for malware can someone private post me the amended code so I can carry out what I want to do quietly for my own purposes? My preferences are set to recieve emails I do not want to cause trouble or engage in arguments, life is too short for that. I am asking for help can someone help Please?
P.S. I was going to ask if there could be an undo portion of code to undo the changes in a separate file that I could compile but I think that is going to be too ambitious as a request.
Best Regards,
Jackngill
modified 31-Aug-20 8:07am.
|
|
|
|
|
Here is one encouraging bit of news though I have stumbled upon the very thing I need called WFPReplacer, it is a commandline windows utility that pretty well does what I want & generally in the same manner. it disables WFP for both singular files & can be used for wholesale switching off of WFP if the right file is replaced. All I need to do is write a batch file as a front end to back up the system files I want to disable use WFPReplacer.exe. So if in the event of the proceedings the routine gets stuffed I can revert back to the backed up files. I think this program uses the same type of embedded coding but is written in Delphi/pascal, it is called Remko Weijnen's Blog (Remko's Blog) "replacing Wfp protected files".
I generally like to leave whatever I am doing on a positive note. And NO I do not have any interest in coding Malware, so just in case someone else lands on this forum & is trying to accomplish a similair exercise here is the code that one can compile (This is not my code it belongs to Remko Weijnen's Blog (Remko's Blog)) Please be advised it is NOT C++ it is a commandline exe Delhi/Pascal found at this link, so all credits belong to him. The link is:
https://www.remkoweijnen.nl/blog/2012/12/05/replacing-wfp-protected-files/
DWORD __stdcall SfcFileException(RPC_BINDING_HANDLE hServer, LPCWSTR lpSrc, int Unknown)
hServer = hServerVar;
}
nts = SfcRedirectPath(lpSrc, (int)&v8);
if ( nts >= 0 )
dwResult = SfcCli_FileException((int)hServer, v9, Unknown).Simple;
else
dwResult = RtlNtStatusToDosError(nts);
dwResultVar = dwResult;
MemFree(v9);
return dwResultVar;
}
Also as one further warning (Unless you know what you are doing!!!) do not attempt to use this program, ALWAYS ALWAYS ALWAYS backup your system files before deletion or alteration.
What this program will do is disarm WFP for 60 seconds whilst you intercange or amend your files. Example usage for example is:
WfpReplacer.exe c:\windows\Notepad.exe (Errorlevel true or false will be produced on execution).
Best Regards
David
|
|
|
|
|
jackngill wrote:
My question is there a equivelent C++ code for the SystemDrive variable...
Check out SHGetKnownFolderPath() or SHGetFolderPath().
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
|
|
|
|
|
Hi David,
Thanks for your post but your answer I think is for vista & above could be wrong but my ? is related to XP
Found this though:
Most of the constants are based on documented CSIDL's ( http://msdn.microsoft.com/en-us/library/bb762494%28v=VS.85%29.aspx ) except temp and quicklaunch IIRC. There is no documented api to get the systemdrive AFAIK so ReadEnvStr is as native as this is going to get.
ReadEnvStr $0 "SYSTEMDRIVE"
status: open --> closed
But even that is not even injectable into the line SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe",-1); as the above only states open or closed status. I think ultimately I am flogging a dead horse, was hoping for a quick easy interchange of code but looks like the answer will require multi-lines of code & I am incapable of undertaking that.
But regardless many thanks for the response david
|
|
|
|
|
jackngill wrote: There is no documented api to get the systemdrive AFAIK
Maybe, maybe not. But taking the first letter of CSIDL_SYSTEM or CSIDL_WINDOWS, for example, will get you the correct drive.
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
|
|
|
|
|
|
How exactly would that function return the desired information?
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
|
|
|
|
|
AS you suggested:
call any of the SHGetFolderPath(), ... with CSIDL_WINDOWS
and then pass the returned path (say, windowsDir) into PathGetDriveNumber:
WCHAR letter = L'A' + PathGetDriveNumberW(windowsDir);
|
|
|
|
|
But the return value from SHGetKnownFolderPath() already contains the system's drive letter. There's no need to pass that path to PathGetDriveNumber(), have it return a number, and then convert that number back into a drive letter that was already obtained.
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
|
|
|
|
|
Yes, i know it. It was just a proposal to use an API rather than to search for a letter in the returned path ... 
|
|
|
|
|
Victor Nijegorodov wrote: ...rather than to search for a letter in the returned path
Search for something that's always in position 0?
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
|
|
|
|
|
|
Once more, my reply was not for you, it was just for the OP... 
Sorry, if I put it in a wrong place! 
|
|
|
|
|
AS you suggested:
call any of the SHGetFolderPath(), ... with CSIDL_WINDOWS
and then pass the returned path (say, windowsDir) into PathGetDriveNumber:
WCHAR letter = L'A' + PathGetDriveNumberW(windowsDir);
|
|
|
|
|
Hi folks thanks for the input,
PathGetDriveNumberA function
Searches a path for a drive letter within the range of 'A' to 'Z' and returns the corresponding drive number.
Syntax
int PathGetDriveNumberA(
LPCSTR pszPath
);
Parameters
pszPath
Type: LPCTSTR
A pointer to a null-terminated string of maximum length MAX_PATH that contains the path to be searched.
Return value
Type: int
Returns 0 through 25 (corresponding to 'A' through 'Z') if the path has a drive letter, or -1 otherwise.
Remarks
Note
The shlwapi.h header defines PathGetDriveNumber as an alias which automatically selects the ANSI or Unicode version of this function based on the definition of the UNICODE preprocessor constant. Mixing usage of the encoding-neutral alias with code that not encoding-neutral can lead to mismatches that result in compilation or runtime errors. For more information, see Conventions for Function Prototypes.
Taken from: PathGetDriveNumberA function (shlwapi.h) - Win32 apps | Microsoft Docs[^]
does this help in any way?
Regards
Jackngill
|
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
