exe generated by autoit and gpedit

[faustf]

hi guys  , i have a  question, i  had  created 3  exe in autoit , and  i  had create  a user  non admin profile  in windows 7 , i want  by mmc and group policy object , snap in able  to run only my 3 exe  file  and  explorer.exe , i  set  in local computer policy --->user configuration --->Administrative template ---->System --->run only specified .......  i open it  and enable ,and  add explore.exe and my1.exe my2.exe my3.exe  (i tryed also with all path c:\programs\my1.exe) but  return me the same effect, or rather explorer go  but  my program give me error  i cant run it . why ??? o_O   any one  can help me or have suggests ??  thankz at  all

 

[jdelaney]

Add in file logging on every step, and see exactly where it's failing.

[faustf]

what i do:

open mmc ----> Add remove snap in (only the first time because at end of procedure i save it)  Add group policy object,---> click button Browse ---> choice user tab ---> select non admin user (name user Rome) and click ok , and after click ok

in the conosle over  + (local computer policy) in tree menu  + ---> user configuration   click ---- > Administrative template -----> + system ---> in the righ pane click over   run only specified windows applications ---->  (open a new window )  ---- >  click in radio button enable  ----> click over button show   and add in first row:  explorer.exe , 2 row: iexplorer.exe, 3 row: teamviewer.exe , 4 row: my program in autoit compiled  inter.exe  ---> at this point apply , click ok  and save  console

logoff  administration user  and login in rome  user  , open explorer and  go , open iexplorer and  go , open teamviewer and  go , open my program inter.exe  and dont  go , try also open notepad.exe and dont go (the policy work correctly, but not for my programm )

the message box is:

restrict

this operation has been cancelled due to restrictions in effects of this computer. please contact your system administrator 

hve some idea??

 

 

 

Edited January 23, 2019 by faustf

[JLogan3o13]

Teamviewer has multiple executables associated with it. Did you allow all of them?

[faustf]

no only teamviewer.exe

 

[JLogan3o13]

Well, as usual, it sounds like you are trying to do something without bothering to comprehend what you're attempting. Good luck with that.

[faustf]

thankz  for help @JLogan3o13

[faustf]

i think the problem is because the exe is not registred in registry  , i think  is problem of  APPid , but not have experience how use  a genereted guid

Edited January 23, 2019 by faustf

[careca]

That would be my guess too. The exe is not "official".

[faustf]

yea   , but  how  is possible create "official" app with autoit ?? , i think  with guid , and  i saw  how many tutorial how  create them , but nothing  how to use it ,

anyone  can explain  after i have created guid number  how  can use  the number  for  tell at  the system , my app is  "official" ??

thankz at all

[careca]

I suspect there must be numerous locations in the registry where the exe has to be mentioned.

Maybe you could create an installer for it, install and see what happens.

[faustf]

yea but i dont know how interact  program  and  guid registry .

example  i create a guid   and  after???  i put inside a registry , but  in my program i suppose  i must  mark the software  with guid , how is possible to do that ??

o_O with regasm.exe ???   (but regasm work only with dll ?? )

 

[careca]

I've seen installers that do all of it.

@JLogan3o13: you seem to know some more about this, care to enlighten us? Thanks

[JLogan3o13]

The OP stated that he is placing TeamViewer.exe in the list of specified applications in the "allow" GPO. My comment was simply around the fact that TeamViewer, depending on the type you are using (stand-alone, full install, endpoint only, full install with Management module, etc.) contains a number of executables (TeamViewer, TeamViewer_Service, tv32, tv64, etc. etc. etc.). GPOs are stupid; if you tell it "only let TeamViewer.exe run", that is all that is going to run.

As usual, the OP is not providing enough information to properly help him, and is in over his head and expecting others to figure it out for him.

Edited January 25, 2019 by JLogan3o13

[faustf]

for @JLogan3o13

who is  OP ?

 

[careca]

Original Poster AKA You.

@JLogan3o13: I understand that, but what did you expect? The OP allowed teamviewer.exe to run and it did, possibly limited in functionality because of the other exe's, but still.

What other information do you need to help further? Im failing to see what the issue could be. The question remais valid, why is the user created exe blocked?

Edited January 25, 2019 by careca

[faustf]

@JLogan3o13

1 I do not think I offended anyone, but if you see in my previous post an offense, I apologize.

2 I know that teamviewer have to many exes, but the question is: ..... (probably you missed) exe created with Autoit as is possible make them work with gpedit ?, so I do not think you need a Autoit  script to create a simple exe, (and test it) but if  you want a code 

#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#Region ### START Koda GUI section ### Form=
$Form1 = GUICreate("Form1", 623, 449, 192, 114)
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###

While 1
    $nMsg = GUIGetMsg()
    Switch $nMsg
        Case $GUI_EVENT_CLOSE
            Exit

    EndSwitch
WEnd

after, you must compile it for have exe  ( for do that  press ctrl+f7, in scite editor ) and figure out what I'm talking about with gpedit.
so if you have information and you want to share it with me and @careca you are welcome, if your comments should be limited to offenses (like .. , and is in over his head ) or to insist on things that are out of the question I posed, I would appreciate, you do not answered (I trust your intelligence not to abuse your role as a moderator)

thankz

Edited January 25, 2019 by faustf

[JLogan3o13]

The point I was trying to make is that GPOs are flat policies, they can't intuit what you want. Just a few of the caveats with this policy include:

• If you set the policy to allow TeamViewer.exe, it will allow just that executable. The policy knows nothing about the other executables required.
• The policy also looks at the original file name in the metadata. I cannot, for example, copy Notepad.exe and rename it TeamViewer.exe and expect it to open.
• It also doesn't understand a path - it will start any executable specifically named TeamViewer (not violating the rule above) whether that executable lives in C:\Program Files, D:\Test, X:\AutoIt Scripts, etc.

The point being, you need to read and understand how it works to be able to troubleshoot why it is failing. I can create a "Test.exe" from the code you posted above, add it to the policy (just the name, no path), and it runs just fine for me in both Windows 7 and Windows 10. I can also create a script named Test.exe and put it in one directory, and create a completely different script named Test.exe, place it in a different directory, and they will both run fine. The policy only cares about the name of the file stored in the metadata.

This is not a script issue; it is an question of which of the rules that govern that particular policy you are violating.

[careca]

Thanks for the input, the rule about the original file name is interesting.

Could it be that an exe created in autoit needs a specific pragma or something else, with a matching filename to be recognized by the gpo?

@faustf: I would try to check this, specifically the pragma lines, i suspect one of them defines the file name, maybe that would be enough.

Edited January 25, 2019 by careca

[faustf]

thankz  thankz many thankz  now  is much clear (i hope) i will do some  test thank you so much @JLogan3o13  and @careca