cesinha87 Posted January 29, 2020

So I have AutoIt installed on Windows 2016 and Windows 10 and they are both 64-bit. When I run the code on Windows Server 2016 it works, but the same code does not work on Windows 10 unless I add #RequireAdmin to the code. This script will be deployed through SCCM and must run in the background without prompting for anything.

Note: The Regkey will always be under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer and not Wow6432Node.

    RegWrite("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoViewOnDrive", "REG_DWORD", "1")
    $sFilePath = RegRead("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoViewOnDrive")
    ;MsgBox($MB_SYSTEMMODAL, "", "Program files are located at: " & $sFilePath)
Subz Posted January 29, 2020

By default the "Policies" key in HKCU requires admin privileges; suggest using Group Policy.

NB: This is unrelated to 64-bit, it's a user rights issue.
ViciousXUSMC Posted January 29, 2020

If you run from SCCM it will execute as System, you won't have any issues.

Also, AutoIt might be a bit heavy-handed just for a reg key; you can do that with simple .bat files as well.
Subz Posted January 29, 2020

Problem running as System is it will add the key to the System account's registry hive, not the user's.
ViciousXUSMC Posted January 29, 2020

Yeah, might need to use reg load and such to really do it proper.
cesinha87 (Author) Posted January 29, 2020

You are right... it's using the System account. Everything works except writing the registry. Of course, if I right-click on the executable and elevate it, or add #RequireAdmin, then it works. Any way I can accomplish this silently? Any suggestions?
Subz Posted January 29, 2020

System account doesn't use UAC, so you shouldn't be prompted. However, as ViciousXUSMC mentioned, if you want to target all user profiles you would have to load/unload each user's hive to add the key. If you have any logged-on user(s), you will need to use HKU\{Guid}\... to add the value, by using RegEnumKey.
AdamUL Posted January 29, 2020

Have a look at engine's HKCUReg UDF. It allows you to write to all user profiles or only certain ones. It will do the registry hive load and unload within the UDF.

Adam
Subz Posted January 29, 2020

Group Policy would still be the best option imho:

- It can be managed centrally.
- You can apply it only to a particular AD user group. For example, we apply these settings to our Kiosk, Citrix and RDS users, but don't want this being applied to domain admin accounts, the system account or support accounts on those systems. If those users log on to a company desktop/laptop these settings aren't applied.

My 2 cents
jguinch Posted January 29, 2020

Has anyone tried LGPO.EXE? It could match that need.

BTW, as @Subz said, the best practice is to use the Group Policies from your AD.

@cesinha87, can you explain to us why you can't (or don't want to) use GPO? (If you have SCCM, you have an AD.)
cesinha87 (Author) Posted January 30, 2020

The problem with Group Policy is that if someone steals a laptop and takes it home, they won't be able to enforce the policy, but they have a way to enforce it through SCCM via DMZ and have the ability to trigger it as soon as the SCCM client connects via DMZ.

I did research and LGPO seems to be a way to change the local group policy.

Still looking for a way to achieve this. I am not an AutoIt guru and I am trying to come up with code using the Registry UDF.
jguinch Posted January 30, 2020

If you want to use an AutoIt script through SCCM, you have to consider that:

- the SCCM client is executed as a service, so the UAC shouldn't be a problem
- you'll have to apply the modifications in the registry hive of each local profile, including:
  - logged-on users: can be done directly from HKEY_USERS\S-1-5-21XXXX keys
  - all existing local profiles (not logged on): can be done by loading each registry hive with the UDF, like @AdamUL said
  - each new user profile: can be done by loading the default user's registry hive

Here is a starting point to list all local user profiles and see how you can load a registry hive:

I suggest you try the LGPO tool first, maybe it will be simpler.
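
The three cases listed in the post above (logged-on users, existing profiles that are not logged on, and new profiles), written out as an added AutoIt example; it is not code from any poster in this thread and does not use the HKCUReg UDF. It assumes it runs as SYSTEM (as under the SCCM client); `HKU\TempHive` is a made-up mount name and `%SystemDrive%\Users\Default` is assumed to be the default profile location.

```autoit
; Added example, not code from the thread. Run as SYSTEM (e.g. by the SCCM client).
; "HKU\TempHive" is a made-up mount name; the default-profile path is an assumption.
Global Const $POLICY = "\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
Global Const $PROFILES = "HKLM64\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
Global Const $MOUNT = "HKU\TempHive"

Func _WritePolicy($sRoot) ; True only if the value reads back as 1
    RegWrite($sRoot & $POLICY, "NoViewOnDrive", "REG_DWORD", 1)
    Return RegRead($sRoot & $POLICY, "NoViewOnDrive") = 1
EndFunc

Func _IsUserSid($sKey) ; skips .DEFAULT, S-1-5-18/19/20 and the *_Classes hives
    Return StringRegExp($sKey, "^S-1-5-21-[\d-]+$") = 1
EndFunc

Func _IsLoaded($sSid) ; a mounted user hive always has subkeys under HKEY_USERS
    RegEnumKey("HKU\" & $sSid, 1)
    Return @error = 0
EndFunc

Func _WriteViaHiveFile($sFile) ; mount an offline NTUSER.DAT, write, always unmount
    If Not FileExists($sFile) Then Return False
    If RunWait('reg.exe load "' & $MOUNT & '" "' & $sFile & '"', "", @SW_HIDE) <> 0 Then Return False
    Local $bOk = _WritePolicy($MOUNT)
    RunWait('reg.exe unload "' & $MOUNT & '"', "", @SW_HIDE)
    Return $bOk
EndFunc

Func _ApplyToAllProfiles()
    Local $i = 0, $sSid, $sDir, $bOk
    While 1
        $i += 1
        $sSid = RegEnumKey($PROFILES, $i)
        If @error Then ExitLoop
        If Not _IsUserSid($sSid) Then ContinueLoop
        If _IsLoaded($sSid) Then ; logged-on user: write straight to HKU\<SID>
            $bOk = _WritePolicy("HKU\" & $sSid)
        Else ; profile on disk only: go through its NTUSER.DAT
            $sDir = RegRead($PROFILES & "\" & $sSid, "ProfileImagePath")
            $bOk = _WriteViaHiveFile($sDir & "\NTUSER.DAT")
        EndIf
        ConsoleWrite($sSid & ": " & $bOk & @CRLF)
    WEnd
    ; future profiles are copied from the default user's hive
    $bOk = _WriteViaHiveFile(EnvGet("SystemDrive") & "\Users\Default\NTUSER.DAT")
    ConsoleWrite("Default profile: " & $bOk & @CRLF)
EndFunc

_ApplyToAllProfiles()
```

The script never touches HKEY_CURRENT_USER, because under SYSTEM that root maps to the System account's own hive rather than any user's. Each write is read back, so a hive that failed to mount or a key that could not be written shows up as False in the output.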