1 Microsoft Windows XP Registration Guide Microsoft Windows XP Registration Guide... Introduction... This book is different...
Microsoft Windows XP Registration Guide Microsoft Windows XP Registration Guide................................ ....... ............................................. Introduction.... ....This book is different—really........................ ........ ............................................ ...... ......power users first; Then IT professionals................................................. ... ................................ Some terminology............. ................................................... ...... ............................................ ..... Must I love Windows XP........................................ ........................................................ ........... ......... Final remark. Part I: Registration overview................................................. .... ................................................ .. ................. Chapter Li parts overview....................... .... ................................................ .. ....................................... Chapter 1: Learning the basics.... .. .................................................. ................................................ Overview heart and soul of Windows XP................................................. ................................................... ... To the power user........................................ ..................................................... ....... ............ For IT professionals........................ ...... ............................................ ........ ................... Registry warnings and myths......... ...... ............................................ ........ .................... Must-Know Concepts ................. ... ......... .......................... ........................ ........................... Security identifiers ..................... ....................... ................... ................................. ......... Global Unique Identifiers..... .................................. ................ ................................... ....... hexadecimal notation...... ................................. ................ ................................... ........... Bits and bit masks. ................................ ................. .................................. ................ .........Little Endian and Big Endian........................ ........... ....................................... ......... ........... ANSI and Unicode encoding.................... .......... .......................................... ........ ........ Null and empty strings................................. .... ................................................ .. ................... Structure d it register ................................ .............. ....................... ........................... ............... Key. Value type organization of the register......................................... ....... ....................................... ....HKEY_USERS ....................................... ..... ....................................... ... .................HKEY_CURRENT_USER................................ ................................................. ... ...............HKEY_LOCAL_MACHINE................................. .................................................. .... ........... HKEY_CLASSES_ROOT.................................. ................................................... ...... ........ HKEY_CURRENT_CONFIG.................................... ................................................... ...... Registry management tools....................................... .. .................................................. .. Hive files of the registry........................................ .... ................................................ .. ............... Beehives in HKLM................. ................................ ................... .............................. .................. Slashes an HKU............................. ................... ............................... ..................... ................. Chapter 2: Using the Registry Editor....... ................. ................................ ................... ................. Overview Running Regedit.......... ............. ..................................... ............... ...................................
Exploring Regedit........................................ ........ ............................................ ...... ........... Keypad................................ ..... ....................................... ... ..................................... value range........ .... ................................................ .. .................................................. .......... Searching for data..................................... .................................................. .... ......................... Incremental search....................... ................................................... ...... ......................... i Chapter 2: Using the Registry Editor Searching in Binary Values....... .. .................................................. ................................. Bookmarking Favorites Buttons .................. ..................................................... ....... ......................... Use of better techniques .................. ................................ ................................................... Editing the registry ..................................................... ..................................................... ....... ............ change values............................. ................... .............................. ...................... ........................ Adding keys or Values...................... .......................... .......................... ........................ ..... Deleting keys or values................. ....................... ....................... ..................... ........... Renaming Keys or Values ........................................ ....................... ......................... ....... Printing the registration................ ....................... ....................... ..................... ........................... Exporting settings to files .......... .......................................... ........ ............................................ Registry files..... ............................................ ...... .............................................. .... ........ Win9x/NT4 registry files................................. .... ................................................ .. ...... Hive files...................................... .. .................................................. ............................... Text files................. . .................................................. ................................................. ... ..... Working with Hive Files................................................ .................................................. .... ............... Going beyond the basics........................ ...... ............................................ ........ ......................... Chapter 3: Backing up the registry ........ ....... ............................ ........................ .......................... Overview Editing the registry securely ................................................. ....................... ......................... .......... Copy single values.... ................................. .................. ................................ ............... Backup to REG files ................................ ...................... ............................ ..................... Backing Up to Hive Files......................... .......................... ........................ ............................ .. Repairing corrupt settings................. ............................ ...................... ................................ ........... Allowing Windows XP to fix errors.. ....................... ................... ....................... Repairing an application's settings................. ....................... ........................... ........ Remove from Programs from the registry........ ..................................... ............... ................ Using the settings from another computer............. .......... ........................................ ............ Using System Restore.................................... .... . .................................................. .. .......... Creating Configuration Snapshots........................ .......... ....................................... Peeking Under the Cover ....... ....................................... ....... ....................................... Manage System Restore ...... ....................................... ....... ....................................... Hack system restore. .................................................. .. ............................................... Scripting for system recovery ................................................ ..................................................... .. Securing the Regular Registration........................................ .... ...................................... Planning a backup strategy ... ................................................... ..... ..................................... Backup system state data ...... .................................................. .... ............ ................. Restore system state data......... ........ .......................................... .......... ............. Backing up user settings........................ ........ .......................................... .......... ................... Disaster Recovery....................... ....... ....................................... ............ ............................. Advanced options menu ................... ....................................................... ......... ........................ Recovery Console........ ........................................................ ........... ...................................Automatic system recovery.. ....... ....................................... ............. ................................ Chapter 4: Hacking the
Registration................................................ . .................................................. .Redirect special folders overview....................................... ...... .............................................. .... Customizing shell folders................................................. ...... .............................................. .... .... Rename desktop icons...................................... ... ................................................. . ....... ii Chapter 4: Hacking the registry with custom icon images......................................... .. .................................................. ............. Adding desktop icons................................. ................................................. ... ................. Hide desktop icons........................ ................................................... ..... ........................ Adjusting file associations....... ........... .......... ....................... ..... .............. ... Execution of programs from the work station............................. ............. ................................... Open command Command prompts for folders........ ....................... ..................... ........... Rooting Windows Explorer in a folder........ ........................ ............................ ............... Adding InfoTips to program classes.. ..................... ....................... ....................... Add file templates......................... ........................ .......................... .......................... .......... Prevent Messenger from running......... ................................ ................... ............................ Personalizing the Start menu................. ....................... ..................... ................................ Configuring the content of the menu......... ................. ................. ................................ ..... Shortening the list of frequently used programs ........................................ ................ ................ restore sort order ...................... ............... ................................... ................. ................... Customizing Internet Explorer.......... ............. ..................................... ............... ................. Expanding the shortcut menus............. ................ ................................. .................. .......... Changing the toolbar background................... ................... .............................. .................. Customize search URLs. .................................................. .. ...................................... Delete history lists... ..... ....................................... ... ................................................. . ... Running programs at startup................................................. ... ................................................. . Controlling the Registry Editor........................................................ . ........ .......................................... ... Default action for REG files ........................................ .......... ........................................ Saving window position and size..................................................... ............. ......................... Automatic login.......... ............. ..................................... ............... ............................. Changing user information... .............. ................................... ...... ....................... ......... Looking for more hacks................ ................... ................................. ................ ..................... Chapter 5: Mapping Tweak UI....... ................ ................................... .............. .................................. Overvi General Fo Mouse .. Hov Wh X-Mouse..... .................................. ................ ................................... .............. ........... Explorer Sh Col Thumbnails .................... ......... ...... .............................................. .... ..................................... Command keys......... ... ................................................. . .................................................. .General dialog boxes...................................... ....... ....................................... ..... ... Taskbar XP Start Menu....................................... ..... ....................................... ... .......................
Desktop First Icon............................................. ................................................... ...... ....................... My computer................... ...... ............................................ ........ .......................................... ...... Dri Special Folder... ...................................... .............. ................................... ................ ....... iii Chapter 5: Mapping Tweak UI A Control Panel................. ...................... ............................ ........................ .......................... ......... Temple Internet explorer......... ....................................... ............. ..................................... ............... ... show source................................ ................... ............................... ..................... ..................... Command prompt....... ................... .............................. ...................... ............................ ....... Registration... Part II: Registration in the Managementme n................................ ................. ................................ ................... Chapter list .............................. ...................... ............................ ........................ ........................ Parts overview. ........................ .......................... .......................... ........................ ................. Chapter 6: Using registry-based policies......................................... ....................... ..................... .....Overvi. Edit Local Policies........................................................ ............ ...................................... ... Group Policy Extensions..... ....................................... ....... ....................................... .. Registry-based policy..................................................... ....... ....................................... .. Group Policy Storage... ............................................ ........ .......................................... ....... Extension Reg. No. Istry-based policy................................. ............... ................................... ....... Comments....... ................................... ................. ................................ ................... ...........Str CATEGORY................. ..................... ....................... ....................... ...................... KEY NAME .... ................. ............................... ..................... ....................... .................. TO EXPLAIN.. ............................. ....................... ........................... ....................... ................... VALUE NAME..... ............................ ...................... ................................ ................... ............ VALUEON and VALUEOFF................ .................. .................................. ................ .......... ACTION LIST........................ ................ ................................... .............. ........................... PA CHECKBOX....... ...... ........ ............................................ ...... ................................................ .. COMBINATION BOX. .............................................. .... ................................................ .. ............... DROPDOWN LIST................................ .................................................. .. ........................ EDIT TEXT...... ................... ............................... ..................... ....................... ............ LISTBOX...... ....................... ..................... ....................... ....................... .............. NUMERICAL............ ..................... ....................... ....................... ........................... ...... TE Deploying a registry-based policy......... ................................ ...................... .........................Windows 2000 servers -based networks................ ................................ ...................... ..... Windows NT-based and other networks........ ....... ....................................... ..... .... Customize Windows XP........................................ ... ................................................. . ............ Using the Group Policy tools....................................... ....................................... ........... ............
Gp Gpupdate................................................ .................................................. .. ...................... Help and Support Center.................... ..................................................... ....... ................... resulting set of guidelines ................... ................................................. ... ......................... Finding More Resources ................... ....................................................... ......... ......................iv Chapter 7: Managing Registry Security......... ..... ....................................... ... ................... Set key authorizations overview ........................ ...... .............................................. .... ..................... Adding users to ACLs .................... .... ................................................ .. ............................. Removing users from ACLs......... ......... ... ........................................ .......... ................ Assign Assist special authorizations................................. ................. ................................ ........Assignment of default permissions........................................ ..................... ....................... ...... Taking ownership of keys .................... ..................... ....................... ................... ...................... Check registry access ........ .................. .................................. ................ ....................... Preventing access to the local registry... ............... ..................................... ............. .................... Restricting remote access to the registry ............ ............ ........................................ .......... ............ Deploying Security Templates........................ ............ .............................. .......... ................. Creating a security management console.................... ... ...........................................Selecting a predefined security template.. ..... ..................................... ......... .......... Creating a custom security template......................... .... ..................................... Analyzing the configuration of a computer..... ... ................................................. . ................... Changing the configuration of a computer......................... ... ....................................... Deploy security templates on the network. ...................................... ............ ..... Chapter 8: Locating Registry Settings........................ ................ .................................... ............. Compare of REG files................................. ............. ....................................... ........... ........... Using WinDiff........................ ........................ ............................ ...................... ................ Using Word 2002........ ..................... ....................... ................... ....................... ..... Comparison with Reg.exe................. ........................ .......................... .......................... ............ Auditing of the registry........ ........................ .......................... .......................... ........................ Set audit policy ........................ ................... ................................. ................ ............... Auditing Registry Keys................. ............... ..................................... ............. ................... Analyzing the results ................. .......... .......................................... ........ ............................ Monitoring the registry........ .......... .......................................... ........ ................................. Using Winternals Regmon.... ......... ....................................... ....... .................................. Filter for better results....... ..... ....................................... ... .................................. P Art III: Register in use........ ........................................ .......... .......................................... ..... Chapter list.. ....................................... ... ................................................. . ........................ Parts overview...................... .. .................................................. ....................................... Chapter 9: Scripting Registry Changes ... ................................................. . ..................................... Overvi Choosing a technique......... .................................................. .. .. ................................................ Installing INF files. .................................................. .................................................. .... .......... Starting with a template................................ ....................................................... ......... .......... linking sections together ............................ ...... ................................... ........ ................. Adding keys and values........................ ..... ....................................... ... ...................... Deleting keys and values......................... .................................................. .. ......................
Setting and deleting bits................................................. ................................................... ..... Using strings in INF files........................................ ...... ............................................ ........ Specifying values with REG files.................................... ................................................... .. Export settings to REG files........................................................ ....... ...................................... Manually creating REG files........................................................ ........... ............................... Coding of special characters ..... ............. ..................................... ............... .......................... v Chapter 9: Scripting Registry Changes Deleting Keying using a REG file ........................................................ ................. .................... Editing from the command prompt ....................... ......................... ........................... ........... Adding Keys and Values...... ....................................... ....... ....................................... Query values....... .......................................... ........ ............................................ ...... .... Deleting keys and values........................ .................. .................................. ........ Comparison of keys and values... ................... .............................. ...................... .. Copying Keys and Values........................ .................. ................................ .................... Exporting keys to REG files.................................... ................ ................................. ........... Importing REG files.. ................................ ................... .............................. ...................... Storing keys in H ive files....................................... ........ ............................................ Restoring Hive files on Keys...... .......................................... .......... ................. Loading Hive files................. ..................................................... ....... .......................... Unloading Hive files............. .......... ........................................ ............ ............................... Scripting with Windows Script Host.. ....... ....................................... ............. ................... Creating script files ................ ..................................................... ....... ......................... Executing script files......... ........ .......................................... .......... ............................... Formatting Key and Value Names... ................................................... ...... ................. There adding and updating values........................ ...................... ................................ ...........Removing keys and values.... ................... .......................... ..... ........................... Querying registry values....... ........... ....................................... ......... ................ Creating Windows Installer Packages........ ..................... ....................... .......... Chapter 10: Deploying User Profiles... ................... .............................. ...................... ....... Overvi Browsing User Profiles.................. ...... ............................................ ........ ............... Profile Hives........................ ........ .......................................... .......... ................................ Profile folder....... .......... ........................................ ............ ...................................... ........ .. Special profiles.. ................................................ ....................................................... ......... ........ Retrieving User Profiles........................ ....... .................. ................................ ........ Local Profiles........ ................................ ................... .............................. ...................... ...... Roaming Profiles................. .......................... ........................ ............................ ................ Using roaming user profiles. ...................... ............................ ........................ ............... Manage roaming user profiles....... .......................... ........................ ............................ Basics of fast network logon................................. ..................... ....................... .... Understanding the new merge ............ .............................. ...................... ......... ............... Deploying Default User Profiles........................ .......... .......................................... ........ ........... Adjusting user settings....................... ............. ....................................... ........... .... C Related user profiles....................................... .... ................................................ .. Creating default user folders................................................ ...... ................................Providing default user folders.. ............. ....................................... ........... ...................... Coexistence with previous versions of Windows....... ............... ..................................... .......... User settings on Windows Migrate XP................................. ............... ....................... Wizard for transferring files and settings. .................................................. .. ..........................
User State Migration Tool........................................................ .................................................. Chapter 11 : Mapping Windows Installer........................................ .... ........................................ Overvi Repairing registry settings.. ................................................... ...... ........................................... Managing Windows Installer with guidelines.................................................... ..................... vi Chapter 11: Associating the Windows Installer Installation with Elevated Privileges....... .......... ........................................ ............ .............. caching transformations in a safe place................. ...... ....................................... Lock Windows Installer ..................................................... ....... ...................... Removing Windows Installer data............. .. ............ ........................................ .......... ......... Msizap .exe...................................... .......... ........................................ ............ ................... Msicuu.exe................ ............. ..................................... ............... ................................... ...... Inventory applications .......... ................................ ................... .............................. ........... Chapter 12: Deploying with Answer Files. .................................................. .. ................................ Overvi Creating Distribution Folders............ ................................................. ... ...............................Customizing response files....... ...... .............................................. .... ................................ Setup Manager............... .................................................. ................................................... .Notepad and Miscellaneous Text Editors................................................. .................................... Add Add settings to Unattend.txt.... ....................... ..................... .......................... [GuiRunOnce] ..................... ....................... ................... ................................. ............ Cmdlines.txt.. ..................................... ............. ....................................... ........... ................. .... Automatic login after installation................ ........................ ............................ ........ Chapter 13: Disk cloning with Sysprep...... ................................. ................ ................................... Overvi Cloning Windows XP.......... ...................................... ............ ........................................ .......... .Windows XP Tools................................. ............ ........................................ .......... ......... Sysprep limitations........................ ......... ....................................... ....... .................. Give g a disk image.......................... ....................... ........................... ....................... ......... Adjusting the mini setup......... ............ ...................................... .............. ......... Preparing to Duplicate........................ ....... ........................ ............................ ........ Cloning the disk image......... .............. ................................... ................ .......... Reducing the number of images.................... ................................................... ...... ................. Fill SysprepMassStorage manually........................ ........ .......................................... ... Automatically populating SysprepMassStorage.. ............................................ ........... ................ Clean up after Sysprep.................... ................................................... ..... ............. Mapping Sysprep settings....................... .... ................................................ .. .................. Keeping perspective .................. ................................................... ...... ................................ Chapter 14: Microsoft Office XP user settings.... ... ................................................ ...... ............. Overvi Profile Wizard............................ ..................................................... ....... ................................... Customizing the wizard ..... ...... ............................................ ........ ................................... Capture settings ..... ............. ..................................... ............... ................................... ...... Deploy Settings..... ................................... ................ ................................. .................. Custom Install Wizard.................................. ..................................................... ....... Add/Remove Registry Entries......... ...................... ................................ ...................
Adjusting the default application settings........................................ ........ ................. Change Office user settings....... ...................... ................................ ................... .. Add installations and run programs........................ .................. .................................. .... Custom Maintenance Wizard........ ....................... ................... ................................. .. Group and System Policy........... ............................ ...................... ................................ ......vii Chapter 15: Work around IT problems..... .................. ................................ ................ Control of just-in time setting ................................ ....................... ........................... .................Outlook Express.... ........................... ....................... ......................... ....................... ..... Windows Media Player.................... ...................... ................................ ................... ......... Desktop Themes........................ ............... ..................................... ............. ............................ Other shortcuts......... ........... ....................................... ......... ....................................... .Removing Components... ................................... .............. ...................................... ......Response file section [Components] . ..................................... ............. ............................ Extend Windows Components Wizard.... ........... ....................................... ......... ....... Removal of components after installation......................... .............. ........................... Hide non-removable components.... ............... ..................................... ............. ......... Ri Remove line of sight tattoos ................................ .................... ................................ ............. ..... ........ Increasing the privileges of processes................................. .... ................................................ .. ...... Group Policy........................................ ... ................................................. . ........................ Second log-on....................... .................................................. .. .................................. Scheduled Tasks............ .................................................. .... ...................................... Automatic login..... . .................................................. ................................................. ... ............. Separating file associations................................. .................................................. .... ............... Deploying Trusted Office XP Sources................. ........................................................ ........... .Enable Remote Desktop remotely................................. ...... ...................................... C Customize the Windows XP Registration....................................... .......... ............................ Part IV: An appendix list...... ........... ....................................... ......... ....................................... ....... ...... Parts overview................................ .......... .......................................... ........ ........................ Appendix A: File Associations................. ..... ....................................... ... .............................. Overvi Merge Algorithm............ .. .................................................. .................................................. .. .. File Extension Keys...................................... ...... .............................................. .... .......... OpenWit hList................................. ................ ................................... .............. ............... Perceived type...................... .......... .......................................... ...... .. ................................. Programming class keys......... . .................................................. ................................................E Shel Special key ..................................................... ................................................... ..... .............. SystemFileAssociations.............................. ................................................... ..... ............ Unknown................................ ..................................................... ....... ................................. COM class key....... ........ .......................................... .......... ........................................ ............ Appendix B: Settings per user................. ..................... ....................... ....................... ...... Overview
AppEv Console Control Panel........................................ ...... .............................................. .... ..................... D Desktop\Window Metrics........................ .................................................. .. ........................ viii Appendix B: Custom Settings M Envi Keyboard Layout........ ....... ....................................... ..... ....................................... Network printer. Software C Microsoft\Command Processor..................................... ...... ................................... Microsoft\Internet Connection Wizard... ....... ....................................... ..... ..................Microsoft Internet Explorer....................... ...... .............................................. .... ................Microsoft\Internet Explorer\MenuExt........................ ... ................................................. . ...Microsoft\Internet Explorer\SearchURL........................................ ... .................................Microsoft\MessengerService........... ................................................... ..... ..........................Microsoft Office................. ................................................... ...... .......................................Microsoft\Search assistant...... .......................................... .......... ................................... Microsoft\VBA\Trusted ......... .......................... ............... ..................................... ............. ....Pol Software\Microsoft\Windows\CurrentVersion........................ ............. ................................... Explorer\Advanced... ......... ....................................... ....... ....................................... .. Explorer\AutoComplete ....................................... ..... ....................................... ... Explorer\ComDlg32............................................ ... ................................................. . ......... Explorer\HideDesktopIcons..................................... . .................................................. ..... Explorer\HideMyComputerIcons........................................ .. ....................................... Explorer\MenuOrder..... ... ................................................. . ............................................... Explorer\ Current Documents...... ....................................... ....... .................. ...................... Explorer\RunMRU....... ................ ................................. .................. ................................ Explorer\User Shell Folder................ ............................ ........................ .......................... Appendix C: Settings per computer ........................................ ....................... ......................... Overview DESCRIPTION ................................ ...................... ................................ ................... ................ DEVICE CARD............. .................... ................................ ................. .................................. SAM..... SEC S C Cli Microsoft\Active Setup... ................................... .............. ...................................... ............ .Microsoft\Command Processor................................. ............. ....................... .......... ... Microsoft\Driver Signing................................. ........... ................................... .... ...............Microsoft Internet Explorer............................ .... ................................................ .. .............. Microsoft\Sysprep................................. .................................................. .. ..........................
Microsoft\Windows NT\CurrentVersion............................................ ................................pol SOFTWARE\Microsoft\Windows\CurrentVersion.......... .................................................. .... . App Paths................................................ ................................................. ... ..................... Apix Appendix C: Computer-specific settings Ex Explorer\AutoplayHandlers..................... ................................................. ... .......................... Explorer\Desktop\NameSpace................ ................................................... ...... .................Explorer\FindExtensions........................ ..................................................... ....... ................. Explorer\HideDesktopIcons....................... ....................................................... ......... ............ Explorer\HideMyComputerIcons.......................... .......... ........................................ ........ Explorer \My Computer........ .............................. ...................... ............................ ............. Explorer\My Network Places\NameSpace... ............................. ................... .... ...........Explorer\RemoteComputer\NameSpace.............................. ... ...................................... Explorer\Start Menu...... ................................................... ..................................................... Explorer\User Shell Folder ................................................ ........................................................ Explorer\Visual Effects...... ....................................... ........... ...................................... Pol Run RunOnce... ....................................... ....................................................... ......... ................. Un SYST CurrentControlSet\Control................... ........................................................ ........... ................CurrentControlSet\Enum................... ....... ................ ....................... ..........................Current control set \Hardware profiles.................... ................................ ................... ..............CurrentControlSet\Services................. ................ ................................... .............. ............ Appendix D: Group Policy ..................... ............. ....................................... ........... ........................ Conf. Inetcorp.adm..................... ....................... ..................... ....................... ................... ...... Inetres.adm......................... ................ ................................... .............. .................................. Internet set. Administrator................................................ . .................................................. ............................. System.adm..................... ................................................... ...... ............................................ ... Wmplayer.adm ............................................ ........ .......................................... .......... ................. List of figures List of tables .. List of listings List of Sideba x Jerry Honeycutt Microsoft Press A Division of Microsoft Corporation One Microsoft Way Redmond, Washington 980526399 Copyright © 2003 by Jerry Honeycutt All rights reserved. No part of the content of this book may be reproduced or transmitted without the written permission of the publisher. Library of Congress Cataloging-in-Publication Data Honeycutt, Jerry. Microsoft Windows XP Registration Guide / Jerry Honeycutt. p. cm.
Including index.
ISBN 0735617880 1. Microsoft Windows (computer file) 2. Operating systems (computer) I. Title. QA76.76.O63 H6636 2002 005.4'4769--dc21 2002075317 Printed and bound in the United States of America. 1 2 3 4 5 6 7 8 9 QWT 7 6 5 4 3 2 Distributed in Canada by H.B. Fenn and Company Ltd. A CIP catalog entry for this book is available from the British Library. Microsoft Press books are available worldwide through booksellers and distributors. For information on international editions, contact your local Microsoft Corporation office directly, Microsoft Press International, at fax (425) 936-7329. Visit our website at www.microsoft.com/mspress. Submit comments to Active Desktop, Active Directory, ActiveX, DirectSound, DirectX, FrontPage, Hotmail, IntelliMirror, JScript, Links, Microsoft, Microsoft Press, MSDN, MS-DOS, MSN, NetMeeting, NetShow, PhotoDraw, PowerPoint, VGA, Visual Basic , Visual InterDev, Windows, Windows Media, NT and Win32 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein are trademarks of their respective owners. 1 Organization, product, domain name, email address, logo, person, place, or event should be derived. For Microsoft Press: Acquisitions Editor: Alex Blanton Project Editors: Jenny Moss Benson and Kristen Weatherby For Online Training Solutions, Inc.: Project Managers: Joyce Cox, Nancy Depper, and Joan Preppernau Technical Editor: Keith Bednarczuk Copy Editor: Nancy Depper Setzer: RJ Cadranell and Liz Clark Proofreading: Lisa Van Every Body Part # X08-81847 To Carlo and Kay Acknowledgments Never let authors tell you that they wrote their books all by themselves. Creating the gibberish of a book author takes a lot of work from many people with many different skillsets. Some whips and others are artisans. You all deserve recognition. First, I'd like to thank my acquisitions editor, Alex Blanton. Alex is good at pushing me to get things done without breaking my will to do things right. The result is quality and topicality. However, the people I had the most contact with was Jenny Benson Weatherby. They were the project editors of this book with responsibility for managing the overall process. Kristen worked on the early stages of this book and drove the entire project forward, and Jenny had the unenviable task of completing it. I bow to both "I am not worthy." A number of other people also have my admiration. Nancy Depper has corrected my brutal use of language with this book. Lisa Van Every reviewed the content of the book, Bednarczuk was the book's technical editor. I think the layout of this book looks great and goes to RJ Cadranell and Liz Clark. Finally, Joyce Cox and Joan Preppernau provide
Leadership skills. Thank you all. Jerry Honeycutt empowers people to work and play better by helping them leverage technologies including the Microsoft Windows family of products, IP-based networking and the Internet. He reaches out to him through his frequent writings and speaking engagements, but prefers to help companies deploy and manage their desktop computers. 2 and Introduction to Microsoft Windows 2000 Professional (Microsoft Press, 1999). He has other books on the register. Most of his books are sold internationally and are available in different languages. Jerry is also a columnist for the Microsoft Expert Zone, a site for Windows XP enthusiasts, regularly contributes to a variety of content areas on the Microsoft site: TechNet, and so on. He also contributes to various trade publications including Smart Business CNET. Jerry is also a frequent speaker at various public events including COMDEX, Days, Microsoft Exchange Conference and Microsoft Global Briefing, and occasionally on Microsoft's TechNet website. In addition to writing and speaking, Jerry has a long history of using his skills for another purpose: providing technical leadership to businesses. He specializes in desktop deployment management, specifically using the Windows family of products. Companies such as Capital Travelers, IBM, Nielsen North America, IRM, Howard Systems International and NCR have used his expertise. He continues to write, train, and consult to serve the community. Jerry graduated from the University of Texas at Dallas in 1992 with a Bachelor of Science degree in natural sciences. He also studied at Texas Tech University in Lubbock, TX. In his free time, he plays golf, engages in photography and travels. An avid rare book collector, Casino Jerry resides in Frisco, a suburb of Dallas, TX. Visit Jerry's website at www.honeycutt.com or email . 3 The registry is the heart and soul of Microsoft Windows XP. My other registry books say the same thing about the registry in every version of Windows since Microsoft Windows 95. Hopefully when you've finished reading this book you'll agree with me. The registry contains the configuration data that makes the operating system work. Registration allows developers to configure data in a way that is compatible with other mechanisms, such as B. INI files, is not possible. almost every feature in Windows XP that you think is cool. More importantly, it allows you to customize Windows XP in ways that aren't possible through the user interface. Windows XP and any application running on Microsoft's latest desktop absolutely won't work without first consulting the registry. When you double-click a file, Windows consults the registry to figure out what to do with it. When you install a device, Windows allocates resources to the device based on information in the registry, and then stores the configuration in the registry. When you run an application like Microsoft Word, your settings are looked up in the registry. If you were to monitor the registry's normal session, you would see that the registry provides thousands of values in a matter of minutes. In this book, you will learn how to customize the registry, but you must also learn how the registry works. You need to learn how to back up the registry so that you can restore it in an emergency. You must also learn the best practices for safely editing the registry.
However, registration is not just a hacker's dream. The registry is an invaluable tool for professional Windows XP deployment, management, and support. Did you know that most Group Policy and System Policy are actually settings in the registry? Teaches you Did you know that scripting registry changes is one of the best ways to deploy settings to the book, teaches you about guidelines, scripting, and more. For example, you will learn how to deploy registry settings during Windows XP and Microsoft Office XP installation. Some problems can only be solved using the registry, so I also describe the most common IT workarounds. For example, I show you how to prevent Windows XP from creating the Microsoft Express icon on the desktop when a user logs on to the computer for the first time.
This Book Is Different - Really This book contains information you won't find in any other book on the Windows registry. You will learn how to find out where Windows XP and other programs store the settings registry. You will learn how to write scripts to edit the registry. You will discover both unique and useful registry hacks. And you will read about my personal experience with registration and consider my best practices. For example, in Chapter 2, "Using the Registry Editor," you'll quickly document my changes to the registry—right in the registry itself. That's all power-user stuff, but more than half of this book is for IT pros. If you are a desktop engineer, deployment engineer or support engineer, you will learn that this makes your job easier. Much of the book focuses on how the registry affects Windows Office XP deployment. You will learn how to create and deploy effective default user profiles. Learn how to deploy settings with Windows XP and Office XP. You'll even learn how to own Windows Installer package files designed specifically for managing settings in the registry. That almost every tool I suggest in this book is either free or very inexpensive. 4 Even the most focused IT professional is a power user at heart, so this book is presented first for power users. So here are the first five chapters in Part I, "Registry Overview": Chapter 1, "Learning the Basics" This chapter provides an overview of Registry XP. It contains general terminology and an explanation of how Windows XP organizes the registry. You will learn important concepts such as B. the different types of data stored in the registry and the difference between little-endian and big-endian double-word values. What exactly is a GUID anyway? You can find out here. • Chapter 2, “Using Registry Editor” Registry Editor is your introduction to this chapter, where you will learn how to use it effectively. • Chapter 3, “Securing the Registry” Securing the registry protects your settings. Chapter shows quick and dirty methods for backing up settings as well as registry-wide methods. • Chapter 4, "Hacking the Registry" This chapter is a power user's dream and details some of the coolest hacks for Windows XP. For example, it shows that you can customize the Dickens from Windows Explorer. • Chapter 5, “Mapping Tweak UI” Microsoft now has an updated version of Tweak, this chapter describes it in detail. Not only do you learn how to use Tweak UI; there is
in this. You'll learn exactly where in the registry Tweak UI stores each setting to apply with your own scripts. • Part II, “Administrative Registration,” contains information useful for both experienced users and professionals. This section tells you how to manage the Windows XP registry. You will learn how to use the registry as a management tool: Chapter 6, "Using Registry-Based Policies" This chapter focuses on Group System Policies. You will learn the differences between them and how each policy can manage computers and users. It is important that you learn how to create your Group Policy templates. • Chapter 7, “Managing Registry Security” Windows XP security settings in This chapter shows you how to manage registry security. It also shows targeted registry vulnerabilities, allowing you to deploy apps and applications on Windows XP. • Chapter 8, “Locating Registry Settings” Locating the location where Windows settings are made in the registry is easy, as long as you know what tools to use. I give Microsoft Word 2002 is the second best registration tool. You will also learn about tools to monitor the registry remotely. • Part III, "Registration in Deployment," is intended primarily for IT professionals. This part of the book uses the registry to more effectively deploy Windows XP and Office XP. It consists of the following chapters: Chapter 9, “Scripting Registry Changes” A variety of methods are available for customizing registry changes. This chapter teaches the best of them, including REG files and Windows Installer package files. It also describes tools like the Console Tool for Windows that comes free with Windows XP. This is useful for editing batch files. • Chapter 10, “Providing User Profiles” Default user profiles are an effective way to provide default settings for users. This chapter not only describes standard user profiles, but also roaming user profiles. What is unique about this chapter is that it offers • 5 a better way to install applications. This chapter describes how Windows interacts with the registry. It will also help you to clean up the registry if you are having trouble with some Windows Installer based applications. Chapter 12, "Deploying with Answer Files" This chapter shows you how to install Windows XP and add registry settings. • Chapter 13, “Cloning Disks with Sysprep” Many organizations that managed Microsoft Windows 2000 disk images are now only able to use a single Windows XP. They do this by generalizing their disk images to work on a wide variety of hardware types. That is the subject of this chapter. This chapter also shows how to interact with the registry. • Chapter 14, “Microsoft Office XP User Settings” A big part of an Office XP project is deploying user settings. This chapter describes various ways to become familiar with tools included in the Office XP Resource Kit, such as B.
techniques for using them. • Chapter 15, “Working Around IT Problems” This is a special chapter that addresses comments and questions I often hear from IT professionals. How should coexistence issues between Microsoft Access 97 and Microsoft Access 2002 occur? one of many IT problems you can troubleshoot using the Windows XP registry. • Part IV, “Appendices”, is a reference that describes the content of the registration. It is impossible for me to describe every registry value in the information available in this book. But Part IV describes interesting shots. These appendices describe the relationships between different parts of the registry, including how different registry keys and values interact.
Some Terminology Most of the terminology I use in this book is fairly standard by now, but to avoid confusion I'll briefly describe how I use some of it. Instead of giving you hardcode paths, I'll use the standard environment variables that represent paths instead. This way, reading the instructions, you can apply the scenario regardless of whether you are using a dual-boot configuration or where your user profiles are located (C:\Documents and Settings or C:\Winnt\ Profiles). In addition, the folder that contains the Windows XP system files may be in a different location depending on whether you upgraded to Windows XP, installed a clean copy of the operating system, and customized the installation path in an answer file. Therefore, I use the following environment in this book. (You can view these environment variables by typing set at a command prompt.) %USERPROFILE% represents the current user profile folder. So if you log on the computer as Jerry and your profile folders are in C:\Documents and Settings, you would put %USERPROFILE% in C:\Documents and Settings\Jerry. • %SYSTEMDRIVE% is the drive that contains the Windows XP system files. That is drive C, but if you installed Windows XP on another drive, maybe in a configuration, it could be drive D, E, etc. • %SYSTEMROOT% is the folder that contains Windows XP. Normally C:\Windows for a fresh install, but if you upgraded from Windows NT or Windows 2000 it is C:\Winnt. • 6 make lines break in fun places. To make the book more readable I use the following HKCR HKEY_CLASSES_ROOT HKCU HKEY_CURRENT_USER HKLM HKEY_LOCAL_MACHINE HKU HKEY_USERS HKCC HKEY_CURRENT_CONFIG
I gotta love Windows XP Before we move on to the rest of the book, I wanted to tell you why I love Windows so much. It makes all my different jobs a lot easier; it even made writing this book easier, a book I've ever written. For example, one of my favorite features is Remote Desktop. Before I got Windows XP,
having multiple computers on my desk to test instructions, digging around in the registry, taking screenshots, and so on, or having to go back and forth between my lab and my office, which severely impacted productivity. For this book, I configured Remote Desktop on each Windows computer in my lab so I could connect to them from my production computer. This is how I open two or three remote desktop connections, each running a different experiment. Desktop has greatly reduced typing time. It also reduced the number of attempts to experiment on my production computer (which can result in a day of lost work ruining the computer's configuration). Remote Desktop was worth the cost of Windows XP. And did I mention wireless networks? Windows XP allows me to run about 10 computers out of my office with the attendant fan and hard drive noise. Thanks to the network, which Windows XP makes configuring a breeze, I was able to find a quiet house to hide out in while I wrote this book. no fans no noise And even if I hid in the bedroom, I could still connect to the computers in my lab. Regarding the registry itself, there are a couple of changes that immediately caught my eye. First, Microsoft frees the dueling registry editors. Windows 2000 had two editors: Regedit and Regedt32. Strengths and weaknesses and you had no choice but to switch back and forth between them. XP combines both editors into a single registry editor. Another new feature is Console Registration for Windows (Reg). Windows XP includes this tool by default, while in Windows 2000 the Support Tools install it. This makes it a more viable tool for scripting registry batch files. And it's free!
Conclusion This is the registration book I've waited two years to write. I hope it makes your XP experience even better. I also hope that this will make you more productive and effective. If you have any comments or questions, please send them my . I answer my email. You can also visit my website at http://www.honeycutt.com to download the examples you see in this book. You'll find mailing lists to join and additional articles I've written about Windows XP, the registry, and various deployment topics. 7
Chapter List Chapter 1: Learning the Basics Chapter 2: Using the Registry Editor Chapter 3: Securing the Registry Chapter 4: Hacking the Registry Chapter 5: Mapping Tweak UI
Partial overview Working with the registry is daunting when you know little about it. Therefore, this part provides you with the basic information you need to successfully use the registration. For example, you will learn the contents of the register and the types of data you will find in it. You will learn how to create backup copies and registries and edit the registry with the registry editor. This part is intended for IT professionals and power users. For example, in addition to learning the basics and securing the registry, it describes how to hack settings in the registry to customize Windows
Many of the settings you will learn about in this part are not available through the user interface. also describes one of the most popular downloads on the internet: Tweak UI. Instead, it tells you how to use this simple program, but describes where the program stores all of its settings in the registry. Read this part from start to finish. Don't skip it. If you know the basics and what you can do with the registry, you'll be better prepared to move on to the content of another book. 9
Overview The registry plays a subtle but important role in Microsoft Windows XP. On the one hand the passive voice - it's just a big collection of settings on your hard drive and you probably play with it a lot while editing a document, surfing the internet or searching for another site, it plays a key role in all these activities . The settings in the registry determine how Windows XP appears and behaves. They even control applications that computers run on. This gives the registry great potential as a tool for power users or IT professionals, allowing them to customize settings not available in the user interface. This chapter introduces you to the registration. First you will learn about the role of the registrar and your world. Then I'll explain some key terms to make sure we understand each other, and you'll see how Windows XP organizes the registry. Next, learn how to edit the registry. Finally, you'll see how Windows XP saves the registry to the In this chapter, you'll find some tidbits that are useful beyond the registry. As you learn about the two different architectures for storing numbers in memory, professionals will encounter so much both outside and inside the registry. This is all basic information, but don't skip this chapter. Read it once and you will be tuned into this book.
The Heart and Soul of Windows XP Windows XP stores configuration information in the registry. The registry is a hierarchical database, you can call it a central repository for configuration data (Microsoft's terminology) configuration database (my terminology). A hierarchical database has properties that are ideal for storing configuration data. Lay out the database in a diagram, as shown in Figure 1-1, and it looks like an outline or organization chart. This allows settings to use paths, similar to file paths in Windows XP. For example, in Figure 1-1, this refers to the shaded box. Also, each hire is an ordered pair that associates a value with its data, much like the IRS associates your social security number with records. Due to the hierarchical organization of the registry, all settings are easy to find. 10 Figure 1-1: The registry is a hierarchical database that contains most of Windows XP's settings. There is nothing you can do in Windows XP that does not access the registry. I use a tool to monitor access and often leave it running while I click around. The OS user almost never sees this monitor idle. With each click, Windows XP consults the registry. When you start a program, the operating system consults the registry. Each application I use settings in the registry. Registration is certainly the focus. I have written other books on the register and in them I refer to the register as the operational heart and soul. Aside from being a central location for storing settings, the registry enables complex relationships between different parts of Windows XP, applications, and user interfaces. For example, right-click on different file types and you'll see different shortcut settings in the registry that allow for this kind of context-sensitive UI. That
Each user who logs on to Windows XP is separate from those of other users - again, the registry. Windows XP's ability to use different configurations for laptops depending on whether they are docked or undocked is due in large part to the registry. Even Plug depends on the registry.
For power users So registration is important, but what good does it do power users to learn about it? Well, firstly, technology enthusiast (the high-profile way of saying geek) implies that you like to engage with technology to learn more about it. What better way to learn more about Windows XP than finding out how and where it stores settings? The process is analogous to disassembling your VCR. You can learn how it works. If you've ever wondered why the operating system behaves this way, the answer can often be found in the registry. However, mastering the registry has tangible benefits for power users. Because it's the system's configuration database, backing up your settings is a little easier than backing up the registry. And unlike the old days when settings were stored in .ini files, if you need to find a value, you'll always know when to start looking. But the biggest advantage of mastering is more exciting and very real: you can customize Windows XP and the applications of this 11 folder in another place, improve the performance of your Internet connection and add commands to any file type in the context menu. Chapter 4, "Hacking the Registry," describes many customization options.
For IT Pros IT Pros rely on the registry because it enables most administrative functions. Much of this book focuses on these features and how they use the registry. Policy management is the biggest feature. IT Pros use policies to configure computer user settings to a default, and users cannot change these settings. For example, I recently set up policies to configure users' screensavers to lock the desktop after 15 minutes, which secures users' computers if they leave their desks without logging on to Windows XP. Policy management is a great boon to any IT organization as it reduces costs and increases user productivity. IT pros can manage registry security, which allows users to run restricted accounts for legacy applications instead of logging on to their computers as administrators (a bad corporate environment). You can manage registry security directly or use the Security Configuration and Analysis tool to automate the process. (For more information, see "Managing registry security.") Additionally, IT pros can use a combination of scripts and the registry to automate customizations. An IT pro I worked with recently wrote scripts to clean up and configure computers after Windows XP was installed on them. You can meet most needs with a good solution. An indirect but important benefit of registering for IT professionals is application compatibility. Microsoft defines standards for where different types of settings belong in the registry. That has standards for file associations, plug and play configuration data, printer settings, preferences, and more. Applications that follow these standards are more likely to work with the operating system, let alone other applications, since they all look for settings in the same places. Incidentally, most applications that work well in Microsoft 2000 will work just fine in Windows XP because the overall registry structure changes a lot between operating systems.
The registry allows for too many other management functions for IT pros to neglect. Some of these features include the following (see Figure 1-2): Deployment Customization • Folder Redirection • Hardware Profiles • Offline Files • Performance Monitor • Roaming User Profiles • Windows Management Instrumentation • 12 Figure 1-2: The registry enables local and remote management. Brief History of the Registry MS-DOS obtained its configuration data from Config.sys and Autoexec.bat. The main purpose of Config.sys was to load device drivers, and the main purpose of Autoexec.bat was to prepare MS-DOS for use by running programs, setting environment variables, and so on. Each application running under MS-DOS was responsible for managing its own settings. None of these configuration files are useful in Windows XP. Microsoft Windows 3.0 eased the limitations of Autoexec.bat and Config.sys somewhat by providing .ini files to store settings. INI files are text files that contain one or more sections with one or more settings in each section. You've no doubt seen many of them. The problem with INI files is that they don't provide any hierarchy, they are cumbersome (though not impossible) to store binary values in them, and they don't provide a standard for storing similar types of settings. INI files have other subtle problems, all related to the configuration file's inability to establish complex relationships between applications and the operating system. A bigger problem with INI files and early versions of Windows was the sheer number of them floating around on the average computer. Each application had its own INI files. Windows 3.1 introduced the registry as a tool for storing Object Linking and Embedding (OLE) settings, and Windows 95 and Windows NT 3.5 extended the registry to the configuration database that Windows XP now uses. Even though .ini files are no longer necessary because applications now have a much better way of storing settings, you'll always find a handful on any computer, including Win.ini. A few years ago, the history of the register attracted more interest than today. The Register has been around since before 1995 and everyone takes it for granted these days, so I won't waste any more pages on its lineage. The history lesson is over; now
you live in the present 13
Registry Warnings and Myths For all its benefits, the registry is a major paradox. On the one hand, it is the central location for all Windows XP configuration data. It's the keystone. On the other hand, the fact that the registry is so critical also makes it one of the operating system's weaknesses. Take out the capstone and the arch crumbles. If registration fails, Windows XP will fail. Fortunately, total failure is less likely than winning the lottery before you've finished this book, and partial failure that doesn't prevent you from starting the computer is often easily overcome. The registry's key role is one of the reasons for its mythical status. Microsoft doesn't say much about it. You will not find the registry editor in the start menu. There is very little information about the registration in the help. Microsoft does not provide white papers to help users unravel its mysteries. And why should they? Do you really want the average user fiddling around in the registry? The lack of information from Microsoft resulted in homegrown registration websites and FAQs that are still quite popular. All of these factors contribute to the myth of registration as a magical configuration playland. woo hoo! I want to debunk this myth. Don't get me wrong: there's a lot of power in the registry. But there is no magic and there is nothing to fear. Simply put, the registry is nothing more than your computer's settings. Once you get used to working in the registry, you won't get excited about it anymore; it barely gets a yawn. The warnings you see in most documents that provide instructions for editing the registry are definitely overkill, especially for readers of this book who are either power users or IT pros. (I wouldn't say that if the book was for novice or advanced users.) There is very little damage you can do to the registry that you can't undo, provided you take the simple precautions of backing up settings before you change them, and back up your computer regularly. If this is not possible, use one of the many troubleshooting tools you will learn about in this book to troubleshoot problems. Chapter 3, "Backing Up the Registry," contains a lot of troubleshooting help. Use a little common sense and you'll be fine.
Must-Know Concepts
Learning the concepts in the following sections is important to your satisfaction with this book. These are the things you need to know to work efficiently with the registry. For example, the registry is filled with hexadecimal numbers, and if you don't understand hexadecimal numbers, they won't make sense to you. If you're a programmer, you can probably skip these sections; otherwise not The following sections walk you through the most important of these concepts, beginning with security and globally unique identifiers. You will learn to read hexadecimal numbers and convert them to binary and decimal notation and use them as bit masks. You will learn the difference between Unicode and ANSI character encoding. You'll even learn how Intel-based computers store numbers in memory. All of these topics are important to your ability to use the registry as a tool.
Security Identifiers Computer accounts, user accounts, groups, and other security-related objects are security principles. Security Identifiers (SIDs) uniquely identify security principles. Every time Windows XP or 14 security database. The Domain Security Authority generates SIDs for domain security and then stores them in Active Directory. SIDs are unique within their scope. The SID of each local principle is unique on the computer. And the SID of each domain security principle is unique for each domain in the enterprise. In addition, Windows XP and Active Directory never reuse the security principle that this SID was a part of, even if they delete it. So if you delete it and then add it back, the account will get a new SID. It's important to remember that every account has a SID. It's like having a number that uniquely identifies you to immigration. You can refer to an account by its name SID, but in practice you rarely use the SID because its format is cumbersome. However, the SIDs are often stored in the registry and that is why you will learn about them here. An example of a SID is S-1-5-21-2857422465-1465058494-1690550294-500. A starts with S-. The next number identifies the version of the SID - in this case the version number indicates the ID authority and is usually 5 which is NT authority. The numbers up to 500 are the domain identifier and the rest of the SID is a relative identifier, the account or group. This is a really high-level overview of the format of a SID, which is more complex than this short example of SIDs. Some SIDs are shorter than the previous example, e.g. e.g. S-1-5-18. These are wellSIDs and they are the same on every computer and in every domain. They're interesting, they keep popping up in the registry and other places. Table 1-1 describes the known SIDs of XP. I have italicized the names of SIDs that are of particular interest to you as you read this book. The wildcard domain is the domain identifier of the SID. Table 1-1: Known SIDs SID User or group name
S-1-0 Null Authority S-1-0-0 Nobody S-1-1 World Authority S-1-1-0 Everyone S-1-2 Local Authority S-1-2-0 Local S-1-3 Creator S-1-3-0 Creator Owner S-1-3-1 Creator Group S-1-3-2 Not used in Windows XP S-1-3-3 Not used in Windows XP S-1-4 Ambiguous Authority S-1-5 NT Authority S-1-5-1 Dialup S-1-5-2 Network S-1-5-3 Batch 15 S-1-5-4 Interactive S-1-5-5-X-Y Login Session S-1-5-6 Service S-1-5-7 Anonymous S-1-5-8 Not used in Windows XP S-1-5-9 Enterprise domain controller S-1-5-10 Self S-1 - 5-11 Authenticated Users S-1-5-12 Restricted S-1-5-13 Terminal Services Users S-1-5-14 Remote Interactive Logon S-1-5-18 LocalSystem or System S-1-5-19 LocalService S-1-5-29 NetworkService S-1-5-Domain-500 Administrator S-1-5-Domain-501 Guest S-1-5-Domain-502 krbtgt S-1-5-Domain-512 Domain Administrators S -1-5-domain-513 domain users S-1-5-domain-514 domain guests S-1-5-domain-515 domain computers S-1-5-domain-516 domain controller S-1-5 -dom ain-517 Cert Publishers S-1-5-root domain-518 Schema Admins S-1-5-root do main-519 Enterprise Admins S-1-5-root domain-520 Group Policy Creator-Owner S-1-5-domain- 553 RAS and IAS servers S-1-5-32-544 Administrators S-1-5-32-545 Users S-1-5-32-546 Guests S-1-5-32-547 Power users S-1 -5-32-548 account operators S-1-5-32-549 server operators S-1-5 -32-550 print operators
S-1-5-32-551 Backup Operators S-1-5-32-552 Replicator S-1-5-32-554 Pre-Windows 2000 Compatible Access S-1-5-32-555 Remote Desktop -User S-1-5-32-556 Network Configuration Operators S-1-6 Site Server Authority S-1-7 Internet Site Authority S-1-8 Exchange Authority S-1-9 Resource Manager Authority 16 Globally unique identifiers are better known as GUIDs (pronounced goo id). They are numbers that uniquely identify objects, including computers, program components, devices, and therefore objects often have names, but their GUIDs remain unique even if two objects are the same or their names change. In other words, an object's GUID is similar to a security principle's GUIDs scattered throughout the registry, so you should get used to them. All GUIDs have the same interesting format. They are 16-byte hexadecimal numbers in groups of 4, 4, 4, and 12 digits (0 through 9 and A through F). A hyphen separates each group of digits, and parentheses enclose the entire number. The GUID {127A89AD-C4E3-D411-BDC8-001083FDCE08} belongs to the computers in my lab. Programmers often use the Guidgen.exe tool to create GUIDs, but Windows XP also generates them. Regardless of the source, Microsoft guarantees that GUIDs are globally unique names). No matter how often Guidgen.exe or Windows XP generates a GUID, it is always unique. That makes GUIDs perfect for identifying objects like computers and whatever.
Hexadecimal Ninety-nine percent of the data you see in the registry is in hexadecimal. Computers use hexadecimal notation instead of decimal notation, which you'll learn in a moment, for a reason. You must learn and convert hexadecimal numbers to use the registry as an effective tool. And that's the section. Binary and decimal notations don't mix well. You learned decimal notation as a child. Notation, 734 is 7 x 102 + 3 x 101 + 4 x 100, which is 7 x 100 + 3 x 10 + 4 x 1. Simple enough, the digits are 0 through 9, and because you're multiplying each digit from right to left by 10 increments (100, 101, 102, etc.), this notation is called base 10. The problem is that decimal numbers don't translate well into the computer's system of ones and zeros. Binary notation does. Notation, 1011 is 1 x 23 + 0 x 22 + 1 x 21 + 1 x 20 or 1 x 8 + 0 x 4 + 1 x 2 + 1 x 1 or 11. The 0 and 1 and because you are multiplying each digit correctly to the left by increasing powers of 2 (20 etc.), this notation is called base 2. Converting a binary number to a decimal works, and binary numbers are too cumbersome for humans to read and write. This brings us to the hexadecimal notation. The hexadecimal notation is base 16, and since 16 is evenly divided by 2, the conversion between binary and hexadecimal is easy. The numbers 0 through 9 and A through F. Table 1-2 shows the decimal equivalent of each digit. In hexadecimal, A09C is 10x163 + 0x162 + 9x161 + 12x160, or 10x4096 + 0x256 + 9x16 + 12x1, in decimal notation. As with the other examples, multiply each hexadecimal digit to the right by raising powers of 16 (160, 161, 162, etc.).
Table 1-2: Hexadecimal digits Binary Hexadecimal Decimal 0000 0 0 0001 1 1 0010 2 2 17 0011 3 3 0100 4 4 0101 5 5 0110 6 6 0111 7 7 1000 8 8 1001 9 9 1010 A 11 1 01 00 C 10 10 1101 D 13 1110 E 14 1111 F 15 Converting between binary and hexadecimal notation may seem easy but tedious, so I'll offer you a trick. When converting from binary to hexadecimal, use to look up each group of four digits from left to right and write down their hexadecimal equivalent. For example, to convert 01101010 to hexadecimal, look for 0110 to get 6, and then look for A so you end up with hexadecimal 6A. If the number of digits in the binary is not evenly divisible by 4, just pad the left side with zeros. To convert hexadecimal to binary, use Table 1-2 to look up each hexadecimal digit from left to right and note the equivalent. For example, to convert 1F from hexadecimal to binary, find 1 to get 0001 to get 1111 and string them together to get 00011111. One last problem: is 12 a decimal number or a hexadecimal number? They have no information to know for sure. The solution is to always use the 0x prefix at the beginning of hexadecimal numbers. 0x12 is then a hexadecimal number, while 12 is a decimal number. is the standard format for hexadecimal numbers and is the format used in Microsoft documentation and in all of the tools you will use in this book. TipIf converting binary, hexadecimal, and decimal numbers is too much work for you, use the Windows XP calculator. Click Start, All Programs, Accessories and make sure you switch to Scientific view by clicking Scientific on the View menu. In one part of the calculator window you will see four buttons: Hex, Dec, Oct and Bin. Click on the corresponding case in which you want to enter a number, type the number, click on the button corresponding to the case in which you want to convert the number.
Bits and Bitmasks You've got binary and hexadecimal notations under your belt, and now you need bitmasks. Registry, Windows XP sometimes groups settings together into one number. Each bit number is a different setting. Thus you can store eight settings in one byte, 16 settings in and on. In this book and elsewhere you will see instructions telling you that a setting is 0x20, which simply means that you turn that setting on by turning on the bits that are 0x20. This will make more sense soon. You count the bits of a binary number from right to left, starting at 0. The number in the figure on the next page is 0x26. The top part shows the binary equivalent and the second part shows the number. The rightmost bit is bit 0. In this example, bits 1, 2, and 5 are 1, whereas
18 Figure 1-3: Playing around with bits, a binary 1 is the same as yes or true and 0 is the same as no or false. In other words, they are Boolean values. Often instructions you read aren't always kind enough to give you an exact bit number, you have to do a bit of math. Often all you see is a bitmask, and you need to figure out which mask is actually being rendered. For example, to turn on bit 0x40 in the number 0x43, convert numbers to binary, figure out which bits the mask represents, convert those bits to numbers, and then convert the number back to hexadecimal. Calculator in Scientific easiest way to perform these steps. You would do the same to disable the setting, except set the target bits to 0. However, after a while you get pretty good at figuring out which bits are a mask. From right to left, the mask of each bit is 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x80. The lower part of Figure 1-3 illustrates this. Note Turning bitmasks on and off is even easier if you use bitwise math. To convert a bitmask number, OR the two numbers together. To turn off a bit mask in a number, invert the mask and then AND it with the number: number AND NOT mask. The scientific mode of the calculator supports all these operations.
Little Endian and Big Endian In a hexadecimal number like 0x0102, 0x01 is the most significant and least significant byte. The left-most bytes are more significant because you're multiplying this higher power of 16. The rightmost digits are less significant, and the digits become more important as you move from right to left. Programs store numbers in memory in two ways: big-endian or little-endian. When storing a number using Big Endian storage (Big End First), the most significant storage is stored first, followed by the less significant bytes. When storing in memory using memory the number is 0x01020304 0x01 0x02 0x03 0x04. Makes sense right? The Intel-based processors do not store numbers in memory in this way. Intel-based processors use Little Endian (Little End First) architecture, which means they store the least significant bytes followed by the most significant bytes. Thus the number 0x01020304 0x04 0x03 0x02 is memory. Although most of the tools you will use will show all numbers - little-endian or big-endian - you have to be careful when looking at numbers in binary values, since tools don't automatically reverse the order of the bytes for you. So when you see the number 0x77 in a binary value, you have to remember to reverse the order of the bytes to get 0x7734. 19 The first prominent character encoding scheme was ASCII, and it is still in use today. Character encoding, each character is 8 bits or a single byte. Because ASCII were languages, its use was limited in European countries and regions whose language characters were not within the 256 characters supported by ASCII. As a limitation, the International Standards Organization (ISO) created a new character standard called Latin-1, which includes European characters dropped from the ASCII set. extended Latin-1 and referred to as standard ANSI. But ANSI is still an 8-bit character encoding that can only represent 256 unique characters. Many languages have thousands of symbols, Asian languages like Chinese, Korean and Japanese.
To overcome the limitations of an 8-bit character encoding standard, Microsoft, in collaboration with companies such as Apple Computer, Inc. and IBM, formed the non-profit consortium Inc. to define a new character encoding standard for international character sets. The Unicode work has been merged with work already in progress at ISO, and the result is the Unicode Standard Character Encoding. Unicode is a 16-bit encoding standard that provides 65,536 characters - more than enough to represent all the world's languages. It even supports languages like Sanskrit and Egyptian hieroglyphs, and includes punctuation marks, mathematical symbols, and graphic symbols. Unicode is the native character encoding of Windows XP, but also supports ANSI. Internally, the operating system represents object names, paths, and filenames as 16-bit Unicode. It also typically stores data in the registry using Unicode. When a program saves the text ANSI, it looks like this: 0x4A 0x65 0x72 0x72 0x79 in memory. However, when the program stores strings with Unicode, it looks like 0x4A 0x00 0x65 0x00 0x72 0x00 0x72 0x00 0x79 memory. Why? Because Unicode text is 16-bit, and Windows XP stores 16-bit little-endian format (see “Little-endian and big-endian storage” earlier in this chapter). writes the J to memory as 0x004A (with reversed bytes), followed by the e as 0x0065, then the remaining characters as 0x0072, 0x0072, and 0x0079.
Nulls and Empty Strings If you've written programs using a language like C, you're not unfamiliar with the concept of null, the null character, or 0x00. Windows XP terminates strings with the null character. Programs know where strings end. In the registry, a similar concept is that a value can have null data, meaning it contains it at all. It is empty. If you look at the null value in the registry, you usually see (value not set). This differs from a value containing an empty string - text characters in length or "". The following values are not the same: null • "" •
Registry Structure The structure of the Windows XP registry is so similar to the structure of its file system that there is an analogy. Figure 1-4 compares Registry Editor, the tool you use to edit it, and Windows Explorer. (For how to use Registry Editor, see Chapter 2, "The 20 is a registry key. In the right pane of the editor, called the Values pane, you see a key just like you see the contents of a folder in the right pane of Windows Explorer, Figure 1 -4: If you're familiar with Windows Explorer, and I bet you are, you won't understand the structure of the registry, which is similar to that of the file system 4. In Windows Explorer, you can see the My Computer of each computer Registry Editor the root keys of the registry Computer Although you can see the full name of each root key in Registry Editor, I use standard abbreviations see Table 1-3 The abbreviations are easier to type and a book like this usually prevents long names from being split in awkward places, that wrap over two lines Table 1-3: Root Keys Name Abbreviation 21 HKEY_CLA SSES_ROOT HKCR HKEY_CURRENT_USER HKCU
HKEY_LOCAL_MACHINE HKLM HKEY_USERS HKU HKEY_CURRENT_CONFIG HKCC
Keys Keys are so similar to folders (the Registry Editor even uses the same icon for keys as Explorer does for folders) that they have the same naming rules. You can nest one key or another as long as the names within each key are unique. A key's name is limited to ANSI or 256 Unicode characters, and you can use any ASCII character in the name except backslash (\), asterisk (*), and question mark (?). In addition, Windows XP reserves the right to any periods that begin for its own use. The similarities between the registry and the file system continue with paths. C:\ \System32\Sol.exe refers to a file named Sol.exe on the C drive in a subfolder of \Windows System32. HKCU\Control Panel\Desktop\Wallpaper refers to a value called Wallpaper key HKCU in a Control Panel subkey called Desktop. This notation is a fully qualified reference to a key and all of its subkeys as a branch. Note that I usually use the term key, but occasionally I use subkeys to indicate a parent relationship between one key and another. So if you see something that describes key software and its subkey Microsoft, that indicates Microsoft is ancillary software. The last thing to cover in this section is the concept of linked keys. Windows XP stores profiles under HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\. Each hardware profile nnnn, where nnnn is a sequential number starting with 0000. The subkey Current, whichever key is the current hardware profile, and the root key HKCC is a link to Current. It's terribly muddled until you see the relationship in Figure 1-5. Think of links as aliases, or if you want to continue the file system analogy. 22 Figure 1-5: When one key is linked to another, as in this example, the same subkeys and appear in both places.
Values Each key contains one or more values. In my Windows Explorer analogy, values are files. The name of a value is similar to the name of a file. A value's type is similar to the extension of a file and indicates its type. A value's data resembles the actual contents of the file. Click on the key area of a key editor and the program will display the values of the key in the value area. In the you will see three columns that correspond to the three parts of a value: Name. Every value has a name. The same rules for naming keys apply to values: ANSI or Unicode 256 characters except for the backslash (\), asterisk (*), and question (?), where Windows XP reserves all names beginning with a start point. Within each name must be unique, but different keys can have values with the same name. • Type. The type of each value determines the type of data it contains. For REG_DWORD, the value includes a double-word number and a REG_SZ value string. The Types section later in this chapter describes the different types that Windows XP supports in the registry. • Data. Each value can be empty, null, or contain data. The data maximum of a value is 32,767 bytes, but the practical limit is 2 KB. The data usually conforms to the type, except that binary values can contain strings, double words, or anything else that matters.
• Each key contains at least one value, and this is the default value. If you look through the registry editor you will see the default value as (Default). The default is almost a string, but poorly behaved programs can change it to other types. In most cases, the default value is null, and Registry Editor shows its data as (value not set). When statements need to change a key's default value, they usually say so explicitly: "Set the key's default value." NoteWhen looking at the fully qualified path of a key, you need to find out whether the path value is or not. It is usually clear in the text whether the path leads to or includes a key, but sometimes this is not the case. For example, does HKCR\txtfile\EditFlags refer to a key or 23 value names ending with a backslash (\)? If there is no backslash, pay close attention to the context to ensure you know whether the path is just a key or contains a value. a bit of common sense is all you need.
Types Windows XP supports the following types of data in the registry. Looking through this, REG_BINARY, REG_DWORD, and REG_SZ make up the vast majority of the entire registry: REG_BINARY. binary data. Registry Editor displays binary data in hexadecimal format, and you type binary data in hexadecimal notation. An example of a REG_BINARY is 0x02 0xFE 0xA9 0x38 0x92 0x38 0xAB 0xD9. • REG_DWORD. double-word (32-bit) values. Many values are REG_DWORD as boolean flags (0 or 1, true or false, yes or no). You will also see the time stored in REG_ values in milliseconds (1000 is 1 second). 32-bit unsigned numbers range from 4,294,967,295 and 32-bit signed numbers range from -2,147,483,648 to 2,147,483,647. You can view and edit these values in decimal or hexadecimal notation. Examples of REG_DWORD values are 0xFE020001 and 0x10010001. • REG_DWORD_BIG_ENDIAN. Double word values with most significant bytes first in memory. The order of the bytes is reversed from the order in which REG_ stores them. For example, the number 0x01020304 is stored in memory as 0x01 0x04. You don't often see this data type on Intel-based architectures. • REG_DWORD_LITTLE_ENDIAN. Double-word values stored in memory least significant first (reverse byte order). This type is the same as REG_DWORD because Intel-based architectures store numbers in memory in this format, the usual number format in Windows XP. For example the number 0x01020304 store as 0x04 0x03 0x02 0x01. Registry Editor does not allow REG_DWORD_LITTLE_ENDIAN values because this type of value is identical to REG_DWORD in the registry. • REG_EXPAND_SZ. Variable length text. A value of this type can contain environment variables, and the program using the value expands those variables before using, for example, a REG_EXPAND_SZ value that contains %USERPROFILE%\Favorites expanded to C:\Documents and Settings\Jerry\Favorites before program registration API (Application Programming Interface) relies on environment variables of the calling program in REG_EXPAND_SZ strings, so it's useless when the program expands them. See Chapter 10, "Providing User Profiles," to learn how to use value to fix some interesting problems. •
REG_FULL_RESOURCE_DESCRIPTOR. Resource lists for a device or device data type are important for Plug and Play, but don't play a major role in your working registry. Registry Editor does not provide a way to create this type of value, but you can view it. See HKLM\HARDWARE\DESCRIPTION\Description for examples of data types. • REG_LINK. A connection. You cannot create REG_LINK values. • REG_MULTI_SZ. Binary values containing lists of strings. Registry Editor displays a string on each line and allows you to edit these lists. In the registry, a null character separates each string, and two null characters end the list. • REG_NONE. Values without a defined type. • REG_QWORD. Quadword values (64 bits). This type is similar to REG_DWORD and contains 64 bits instead of 32 bits. The only version of Windows XP that • supports 24 REG_QWORD_BIG_ENDIAN. Four-word values, with the most significant bytes stored in memory first. The order of the bytes is reversed from the order in which REG_QWORD stores them. For more information about this value type, see REG_DWORD_BIG_ENDIAN. • REG_QWORD_LITTLE_ENDIAN. Quadruple word values, with least significant bytes stored in memory first (reverse byte order). This type is identical to REG_QWORD. For more information, see REG_DWORD_LITTLE_ENDIAN. Registry Editor does not provide a way to create REG_QWORD_LITTLE_ENDIAN values because this type of value is the same as REG_QWORD in the registry. • REG_RESOURCE_LIST. List of REG_FULL_RESOURCE_DESCRIPTION values. You can use the registry editor to view but not edit this type of value. • REG_RESOURCE_REQUIREMENTS_LIST. List of resources that a device requires. You can use the registry editor to view but not edit this type of value. • REG_SZ. Fixed length text. Unlike REG_DWORD values, REG_SZ values are the most common data types in the registry. An example of a REG_SZ value is Microsoft Windows XP or Jerry Honeycutt. Each string ends with a null character. Programs do not expand environment variables in REG_SZ values. • Data in Binary Values Of all the values in the registry, binary values are the least simple. When an application reads a binary value from the registry, it's up to the program to decode its meaning. This means applications can store data in binary values using their own data structures, and those data structures mean nothing to you or other programs. Also, applications often store REG_DWORD and REG_SZ data in REG_BINARY values, making it easier to find and decode this data
difficult, as you will learn in Chapter 8, “Locating Registry Settings.” In fact, some programs use REG_DWORD and 4-byte REG_BINARY values interchangeably; Considering that Intel-based computers use little-endian architecture, the binary value 0x01 0x02 0x03 0x04 and the REG_DWORD value 0x04030201 are exactly the same. Now I'll make it harder. The registry actually stores all values as binary values. The registration API identifies each value type by a number, which programmers call a constant, which I prefer to think of as a type number. You'll mostly notice this type number when exporting keys to REG files - something you'll learn in Chapter 2. For example, when you export a REG_MULTI_SZ value to a REG file, Registry Editor writes a binary value with type number 7. Usually, the type number associated with each value type doesn't matter because you refer to them by their names, but sometimes it does the information in Table 1-4 is useful: Table 1-4: Value Types Type Number REG_NONE 0 REG_SZ 1 REG_EXPAND_SZ 2 REG_BINARY 3 REG_DWORD 4 REG_DWORD_LITTLE_ENDIAN 4 REG_DWORD_BIG_ENDIAN 5 25 REG_LINK 6 REG_MULTI_SZ 7 REG_RESOURCE_LIST 8
Organization of the register Part IV, “Appendices”, describes the contents of the register in detail. The overview in this section will make it easier for you to navigate the registry until you get there. Of the five root keys you learned about earlier, HKLM and HKU are more important than the others. These are the only root keys that Windows XP actually stores on disk. The other root keys are links to subkeys in HKLM or HKU. HKCU is a link to a subkey in HKU. HKCR and HKCC are links to subkeys in HKLM. Figure 1-6 illustrates this relationship between root keys and their associations to keys. Figure 1-6: Three of the registry's root keys are links to subkeys in HKU and HKLM. In this book, you will use the terms "per user" and "per computer" to indicate this
whether a setting applies to the user or the computer. User-specific settings are user-specific - for example, whether a user prefers to show the Windows Explorer status bar or not. Computer-specific settings apply to the computer and each user who logs on to the computer, e.g. B. the network configuration. Per-user settings are in HKCU and per-machine settings are in HKLM. In Chapter 26
HKEY_USERS HKU contains at least three subkeys: .DEFAULT contains the user-specific settings that Windows XP uses to display before a user logs on to the computer. This is not the same as a default that Windows XP uses to create settings for users when they first log on to the computer. • SID, where SID is the security identifier of the console user (the console user sitting at the keyboard), contains user-specific settings. HKCU is linked to this key. contains settings such as the user's desktop settings and control panel settings. • SID_Classes, where SID is the console user's security ID, contains class registrations and file associations. Windows XP merges the contents of HKLM\SOFTWARE\Classes and HKU\SID_Classes into HKCR. • You will typically see other SIDs in HKU, including the following (see Table 1-1 for a refresher): S-1-5-18 is the well-known SID for the LocalSystem account. The Windows XP account profile when a program or service is running in the LocalSystem account. • S-1-5-19 is the well-known SID for the LocalService account. Service Control uses this account to run local services that do not need to run as LocalSystem. • S-1-5-20 is the well-known SID for the NetworkService account. Service Control uses this account to run network services that do not need to run as the LocalSystem account. • You can ignore these SIDs when working in HKU. All other subkeys in HKU are owned by secondary users. For example, when you use the Windows As command to run a program as a different user, the operating system loads those user settings into HKU. This feature, known as secondary login, allows users to run programs with elevated privileges without actually having to log in to a different account. Since I'm logged into the computer with the Jerry account, which is in the power users who need to do something in a program as an administrator, I hold down the Shift key, press the right program shortcut, click Run As, and then give the administrator account name and The program runs under the Administrator account and in this case HKU contains settings for the Jerry and Administrator accounts. This technique helps prevent opportunistic viruses caused by human error. Figure 1.7 shows a typical HKU and describes each of its subkeys. On your computer you will see the same service account settings as in the image. The rest
Subkeys have different SIDs depending on the SID of the console user account and whether accounts have logged on to Windows XP. 27 Figure 1-7: Each subkey in HKU contains an account's settings.
HKEY_CURRENT_USER HKCU contains the console user's per-user settings. This root key is a link to HKU\SID, the console user's security ID. This branch includes environment variables, settings, network connections, printers, and application settings. Here's a snapshot of the subkeys of this root key: AppEvents. Associates sounds with events. For example, it associates sounds with menus, window minimization, and Windows XP logoff. • Console. Stores data for the console subsystem that hosts all drawing applications, including the MS-DOS prompt. In addition, the console contains subkeys for custom command windows. • Switchboard. Includes accessibility, region, and desktop appearance settings. Configure most of these settings in Control Panel. However, this key contains useful settings that have no user interface; You can only configure them through the • Environment. Stores environment variables set by users. Each value maps the environment variable to the string that Windows XP substitutes for the variable. Default values for these entries are contained in the user's profile. • Identities. Contains a subkey for each identity in Microsoft Outlook Express. Express uses identities to allow multiple users to share a single email client. With XP's support for user profiles, one user's settings are separate from those of other users. This key is rarely required. • Keyboard layout. Contains information about the installed keyboard layouts. • Network. Stores information about mapped network drives. Each subkey on the network-mapped drive that Windows XP connects to each time the user logs in. The names of the subkeys are the drive letters that the drives are mapped to. Each contains settings used to reconnect the drive. • Printer. Stores user settings for printers. • Software. Contains user-specific application settings. Windows XP also stores many configurations in this key. Microsoft has standardized its organization to store settings in HKCU\Software\Vendor\Program\Version\. Provider is the publisher of the name program, program is the name of the program, and version is the version number. As with Windows XP, Version is often simply CurrentVersion. • Volatile environment. Contains environment variables defined when the user logged on to Windows XP. • Other subkeys you see in HKCU are usually legacy or uninteresting. See UNICODE program groups, session information, and Windows 3.1 migration status. 28 HKLM contains settings per computer, which means that the settings in this branch apply
Computer Configuration and affect every user who logs on to it. Settings run the gamut driver configurations to the Windows XP settings. HKLM contains the following subkeys, these subkeys are capitalized; I'll explain why later): HARDWARE. Stores data describing the hardware detected by Windows XP. The operating system creates this key at every boot and contains information devices and their associated device drivers and resources. This key information that IT pros will find useful during a network inventory can be found in Chapter 15, "Workaround IT Problems." • SAM. Contains the Windows XP local security database, the security accounts (SAM). Windows XP stores local users and groups in SAM. Access (ACL) of this key prevents even administrators from seeing it. SAM is a link HKLM\SECURITY\SAM. • SAFETY. Contains the Windows XP local security database in the SAM subkey, other security settings. The ACL on this key even prevents administrators from seeing that they are taking ownership. • SOFTWARE. Contains application settings per computer. Windows XP also saves this key. Microsoft has standardized the organization of this key so that programs are stored in HKLM\SOFTWARE\Vendor\Program\Version\. Vendor is the name of the publisher, Program is the name of the program, and Version is the number of the program. Version is often, as with Windows XP, CurrentVersion. HKCR to the HKLM\SOFTWARE\Classes key. • SYSTEM. Contains control records, one of which is current. The remaining sets are intended for use by Windows XP. Each subkey is a control set named ControlSetnnn, where the sequential number starts with 001. The operating system maintains at least sets to ensure it can always boot properly. These sets contain device driver configurations. HKLM\SYSTEM\CurrentControlSet is a link to ControlSetnnn, HKLM\SYSTEM\Select indicates which ControlSetnnn is used. •
HKEY_CLASSES_ROOT HKCR contains two types of settings. The first are file associations, which associate different files with the programs that can open, print, and edit them. The second is class registrations of COM (Component Object Model) objects. This root key is one of the most interesting to customize, since it allows you to change much of the behavior of the operating system. The key is also the largest in the registry and accounts for most of the space used. Before Windows 2000, HKCR was a link to the HKLM\SOFTWARE\Classes key, but that's more complicated now. To derive HKCR, the operating system merges HKLM\SOFTWARE\Classes, which contains standard file associations and class registrations; HKCU\Software\Classes, which contains user-specific file associations and class registrations. HKCU\Software\Classes is really a link to HKU\SID_Classes which you learned from the HKEY_USERS section. If the same value appears in both branches, the \Software\Classes value has higher priority and wins the value in HKLM\SOFTWARE. This new merging algorithm has several advantages: Programs can register per-computer and per-user program file associations and
classes. (A user can have file associations that affect other users sharing the computer. Because per-user file associations and class registries reside in user profiles, when you use roaming user profiles, you follow users from computer to computer. • 29 IT Pros can restrict access to HKLM\SOFTWARE\Classes without preventing modification of HKCU\Software\Classes, allowing for greater security in the registry and hindering users' ability to change associations • Create a new key in the root of HKCR and Windows XP it actually creates \SOFTWARE\Classes.Windows XP provides no user interface other than the registry, add class registries to HKCU\Software\Classes as the intent is to allow programs to add program classes per user register. If you edit an existing progra mmclass reflected in HKLM or HKCU depending on where the program class already exists. If the class exists in both places, Windows XP only updates the version in HKCU. Note HKCR is significant enough to get its own attachment. Appendix A, "File Associations," describes this root key in detail. You'll learn how it associates file extensions with it, how Windows XP registers COM objects, and which subkeys are the most interesting customizations.
HKEY_CURRENT_CONFIG HKCC is a link to configuration data for the current hardware profile, the key HKLM\\CurrentcontrolSet\Hardware Profiles\Current. Current, in turn, is a link to \SYSTEM\CurrentcontrolSet\Hardware Profiles\nnnn, where nnnn is an incremental number starting with 0000. See Appendix C, “Computer-Specific Settings” for more information.
Registry Management Tools Hundreds of third-party and shareware registry tools are available. In this book you will learn about many. However, some tools I use more than others, and here's an introduction: Registry Editor. For information about Registry Editor, see Chapter 2, "Using Registry Editor." is the primary tool for editing settings in the registry. • Console Registration Tool for Windows (Reg.exe). This command line registry tool offers most of the functionality of the registry editor. The importance of this tool is that it allows script edits in batch files. For more information on Reg.exe, see Chapter 9, Registry Changes.” • WinDiff. This tool is included with the Windows XP Support Tools, located on the Windows XP CD under \Support\Tools. It's the best program I've found Compare a useful technique for finding settings in the registry. See Chapter 8, "Finding Registry Changes" for more information on using this tool. • Microsoft Word 2002. This application may not appear like being a registry manager. I'm not available to compare files so I can find out where a setting is stored in the registry. I also use Word to edit scripts so I can take advantage of the built-in version control and revision tracking features.
• If you used the Windows 2000 Resource Kit tools, you will find that the Windows XP Resource Kit tools are missing. The CD includes a copy of the kit documentation and these are 30 kit tools that still work well in Windows XP and you can download many of them from the Microsoft website at http://www.microsoft.com/windows2000/ download techinfo/reskit/tools/default.asp. NoteIf you're looking for a specific tool that I don't discuss in this book, finding it is easy: open the ZDNet download site at http://downloads-zdnet.com.com in Internet Explorer, and then search for the registry in the Windows category. The result is a list of hundreds of registry tools with a variety of specialized features like search and replace. However, make sure you download a program that works with Windows XP.
Registry Hive Files In Registry Editor, you can see the logical structure of the registry. This is how Windows XP presents the registry to you and the programs that use it, regardless of how the operating system actually organizes it on the hard drive, which is much more complicated. Physically, Windows XP organizes the registry into hives, each of which resides in a binary file called a hive file. For each hive file, Windows XP creates additional supporting files that contain backup copies of each hive's data. These backups allow the operating system to repair the Hive during the installation and boot process if something goes horribly wrong. You can find hives in just two root keys: HKLM and HKU. (All other root keys are shortcuts to keys within those two.) The hive and supporting files for all hives except those in HKU reside in %SYSTEMROOT%\System32\config. Hive files for HKU reside in users' profile folders. Hive files do not have a filename extension, but their supporting files do, as described in Table 1-5. Table 1-5: Hive filename extensions Extension Description Not a Hive file .alt Not used in Windows XP. In Windows 2000, System.alt is a backup copy of the System hive file .log Transaction log of changes to a hive file .sav Copy of a hive file created at the end of the text-mode phase of the Windows XP setup program The Windows XP setup program has two phases: text-mode and graphics mode. The setup program copies each hive file to a .sav file at the end of the text mode phase so that it can be restored if the graphics mode phase fails. If the graphics mode phase fails, the setup program repeats this phase after restoring the hive file from the sav file.
Beehives in HKLM
Table 1-6 shows the relationship between each registry hive and its hive file. Note that each hive's name is capitalized in the registry, which is sometimes a useful reminder when editing. What you should be able to tell from this table is that each hive in the first column comes from the files in the second column. Therefore, Windows XP loads the Hive HKLM \SOFTWARE from the Hive Software file located in %SYSTEMROOT%\System32\config. It loads the Hive HKLM\SYSTEM from the Hive filesystem located in the same location. To view the Hive files loaded by Windows XP see HKLM\SYSTEM\CurrentControlSet\Control\hivelist\. 31 Hive Hive supporting files HKLM\SAM SAM, SAM.LOG HKLM\SECURITY SECURITY, SECURITY.LOG HKLM\SOFTWARE Software, Software.log, Software.sav HKLM\SYSTEM System, System.log, System.sav Did you notice that? ? Can't find a hive file for HKLM\HARDWARE in Table 1-6? That is this hive is dynamic. Windows XP creates it every time the operating system starts and saves the hive as a hive file when it shuts down. NoteOther files in %SYSTEMROOT%\System32\config appear to be conspicuously out of place. AppEvent.Evt, SecEvent.Evt, and SysEvent.Evt are the Windows XP event logs—Application, Security, and System, respectively. You can see where Windows is in the registry for each event log by looking at the HKLM\SYSTEM\ControlSet001\Services\Eventlog subfolder. Userdiff is a file that Windows uses to convert user profiles from earlier versions of Windows (particularly versions of Microsoft NT) so that Windows XP can use them. The last misplaced file is Netlogon. remains a mystery to me.
Hives in HKU Each subkey in HKU is also a hive. For example, HKU\.DEFAULT is a Hive and its %SYSTEMROOT%\System32\config\default. However, the remaining subkeys come from two sources. The Hive HKU\SID is in the Hive file %USERPROFILE%\Ntuser.dat while HKU\SID_Classes is in the Hive file %USERPROFILE%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat. Each time a new user logs on to Windows XP, the operating system creates a new profile user using the default user profile. The profile includes a new Ntuser.dat hive file that contains the profile hive. You can find out much more about user profiles and their provision in the chapter “Providing user profiles”. To see what profiles Windows XP has loaded and the Hive file that corresponds to each, the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList key. This key is a subkey for each profile the operating system has ever loaded, past or present. The subkey name is the name of the hive in HKU and the ProfileImagePath value contains the hive file, which is always Ntuser.dat. However, ProfileList does not mention the SID_Classes; it contains only user profile hives. Note Windows 2000 limited the size of the registry, but Windows XP did not. This means that the operating system no longer limits the space that the registry hives consume in memory or on the hard disk. Microsoft made an architectural change to the way Windows maps the registry into memory, removing the need for the size limit you may have
had problems with Windows 2000. 32
Overview Registry Editor is the tool that allows you to directly edit the registry. You change the registry that you use to log on to the computer, but you do so indirectly through Control Panel or Run, which updates the registry list of programs you've recently run. With the registry, settings take effect without the help of a user interface. This makes Registry Editor one of the most powerful and dangerous tools on the system. On the one hand, you can customize Microsoft XP in ways that aren't possible through the user interface. On the other hand, you don't change anything about the settings you change for sanity. Every version of Windows since 3.1 has had a registry editor. Notepad in Microsoft Windows can search the registry and has an easy-to-use interface. Microsoft Windows NT 4.0 has an editor that cannot search and is more difficult to use than the editor in Windows 95, features that only apply to a secure operating system, e.g. B. the ability to set permissions to edit extended data types like REG_MULTI_SZ. Microsoft Windows 2000 provides editors, so you have to switch back and forth to take advantage of each editor's unique abilities. On Windows XP, you get the best of both editors in a single program (insert developer applause here). The Registry Editor in Windows XP is the tool you will learn about in this chapter. It is the basis for all the instructions you will see in this book. It's also the basis for many solutions, the Microsoft Knowledge Base, the solutions people post on UseNet, and so on. However, this contains more than just instructions on how to use the editor. You will find useful information drawn from my own experience with this program such as: B. how to search and how to quickly save settings before changing them, which hopefully will be a great experience with the most powerful tool in Windows XP.
Running Regedit There is no shortcut to Registry Editor (Regedit) in the Start menu. You don't want a shortcut to regedit in the start menu. Imagine what life as an IT pro or power support friend and relative would be like if Microsoft announced this program to every XP user on the planet. That's one reason you'll find so little documentation on Regedit or anywhere else. For this reason, Windows XP also provides policies that you can use to restrict Regedit. However, IT professionals and power users have a great need for Regedit - it's often a way to troubleshoot a problem or adjust certain settings. For example, I recently used a program that changed critical settings while it was running and then restored them when the program was running. Unfortunately, the program crashed without restoring the settings, and the only way to restore the original values was to edit the registry. Sometimes it's the only tool for the job. Note Regedit and Registry Editor are one and the same. Regedit.exe is Registry Editor's executable and is easier to type, say, and read, so I'll refer to Registry Editor as Regedit for the remainder of this book. Regedit is located in %SYSTEMROOT%, C:\Windows on most computers. Click Start, Run, regedit to run regedit. You don't have to enter the path. If you want to launch Regedit, even drag Regedit.exe to your quick launch bar or to the Start button to add it to the top of the menu. 33 message stating "Registry editing has been disabled by your administrator." While preventing the setup program from installing Regedit.exe is probably not a good idea, you must
the permissions of the Regedit.exe file to prevent users from running it, or better yet, use restriction policies to prevent users from running Regedit.exe, regardless of the rights of the file or users. I will cover these topics in detail elsewhere in this book. Note For more information about Group Policy and Software Restriction Policies, see Chapter 6, "Using Registry-Based Policies." See Chapter 7, "Managing Registry Security" for information on the best way to obtain registry permissions. Note Administrators should not rely on any of these methods to secure the registry. These simple barriers do not prevent determined users from gaining access to the registry. For example, stubborn users can download shareware registry editors, most of which include the policy to disable registry editing tools. Shareware registry editors also bypass restriction policies and permissions that you apply to Regedit.exe. In reality, users will always find a way to hack into the registry, so part of the solution's corporate IT policy that you clearly communicate to users.
Exploring Regedit For all its power, Regedit is still a simple program with a straightforward interface. Menus are simple. It has a status bar that shows the name of the current key. The window consists of two windows separated by a divider that you can drag left or right to resize both windows. on the left is the keypad; The value area is on the right-hand side. The key pane displays the registry's subkeys, analogous to folders and subfolders. This is the registry hierarchy. This displays the settings each key contains. Click on a key in the key pane and you will see values in the value pane. This is so similar to Windows Explorer that I'll say that if you know how to use one, you know how to use the other. Figure 2-1 is a snapshot of Regedit. Figure 2-1: Regedit is much easier to use if you maximize its window, which allows you to see the full names of the subkeys and the dates of each value in their entirety. Regedit saves its settings every time you close it. However, the next time you start Regedit, the 34 will forget about these settings, especially if you write a book about the registry and take screenshots. Chapter 9, "Scripting Registry Changes," shows you how to do just that. You create a script that will automatically remove the HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Registry key. However, you cannot simply remove this key with Regedit, because Regedit creates this key every time you close it, using the current settings. The following sections describe each area in more detail, including specific tips for working on each page of the Regedit window. Regedit just got better Regedit in Windows XP includes several improvements over the Windows 2000 version: Access the features of both Regedit and Regedt32 (the second registry editor in Windows 2000) in a single editor. You no longer need to switch back and forth between both registry editors to complete most tasks. • Find keys, values, and dates faster. • Add the keys you use most often to the Favorites menu, then return to them simply by clicking their display names in the menu.
• Revert to the last selected key the next time you run Regedit. • Export any portion of the registry to a text file that is much easier to read than anything provided in previous versions of either registry editor. • In addition, Windows XP makes significant improvements to the registry itself. Windows XP supports much larger registries than previous versions of Windows; It is now only limited by the available storage space. Second, registration in Windows XP is faster than in previous versions of Windows. Windows XP keeps related keys and values closer together in the database, preventing page faults that result in hard drive swaps. Finally, Windows XP reduces fragmentation by allocating memory for large values in 16K chunks. All in all, the registry can be queried much faster in Windows XP than in Windows 2000.
Key Pane The key pane shows the hierarchy of the registry. It is organized similar to an outline, with each key's subkeys or subkeys indented directly below it. At the top you see My Computer, which represents the local computer. If you connect to another computer's registry over the network, you will also see that computer's name at the top level of the key panel. Immediately below "My Computer" you will see all the root keys of the local registry. Each root key is followed by its subkeys. The term branch refers to a key and all of its subkeys. Click the plus sign (+) next to a key to expand that branch. Click the minus sign (-) next to a key to close that branch. Click any button to view its values in the Values pane. You can use the mouse pointer to browse the registry, but using the keyboard is much more efficient if you know the keyboard shortcuts available. Table 2-1 describes the keyboard shortcuts you can use. Of all the available keyboard shortcuts, I use the right arrow and left arrow the most. These are quick ways to move around the registry while expanding and collapsing entire branches. The other keyboard shortcut I find most helpful is Ctrl+F, which quickly opens the Find dialog. 35 Key Description Find Ctrl+F Opens the Find dialog box. F3 Repeats the last search
Keypad * Expands all subkeys of the selected branch Up Arrow Selects the previous key Down Arrow Selects the next key Left Arrow Expands the selected branch if not collapsed; Otherwise, the parent key is selected. Right Arrow Expands the selected branch if not already expanded; Otherwise, the first subkey of the key is selected Home Selects "My Computer" End Selects the last key visible in the key pane F6 Toggles between the key and value panes. Other Delete Deletes the selected branch or value. F1 Opens Regedit Help. F2 Renames the selected key or value. F5 Updates the key and value area. F10 Opens the Regedit menu bar. Shift+F10 Opens the context menu for the selected key or value Alt+F4 Closes Regedit As you learned in Chapter 1, "Introduction to the Basics," Windows XP stores different parts of the registry in different hive files. However, Regedit shows all Hive files together to show a single, unified registry. In Regedit, you can see when a branch is its own hive because its name is capitalized. For example, all subkeys under HKLM are hives, so their names are capitalized. You can find each subkey's hive file in %SYSTEMROOT%\System32\config. Notice in Figure 2-1 that all subkeys under HKU are capitalized because they are also hives. Most of these Hive files can be found in %USERPROFILE%\Ntuser.dat. When you change a value in Regedit, Windows XP updates the corresponding Hive file. However, while editing, you don't care which Hive file a particular setting belongs to. Refer to Chapter 1 if you need a refresher on how Windows XP stores the registry on disk.
Value area The value area shows the values of the selected key. In this area you will see three columns: Name, Type and Data. You can resize each column by dragging the dividers left or right. I usually use about half of the range to show the Name and Type columns and the rest of the 36
See Chapter 1, “Learning the Basics” for values. The Name column contains the name of the value. Next to the name you will see one of the symbols 2-2, which indicates the type of the value: string or binary. The Type column indicates the type of this value. Unlike previous versions of Regedit, Windows XP Regedit correctly displays and lets you edit various types of data that Windows XP supports in the registry. These are not only REG_SZ, REG_DWORD and REG_BINARY, but also REG_EXPAND_ REG_MULTI_SZ and so on. The Data column shows the content of the value. You'll easily find REG_DWORD and REG_SZ values in this column, but REG_BINARY and other types are much more difficult to display in their entirety. To get a better look at binary values, view binary data. Table 2-2: Binary and String Symbols Symbol Description Binary values, including REG_DWORD and REG_BINARY String values, including REG_SZ and REG_MULTI_SZ
Searching for data You will spend a lot of time searching through the registry. I promise. This is especially true for IT professionals who are responsible for supporting users, deploying Windows XP, and so on. This is true if you're a power user trying to figure out why a program is doing something particularly good. For example, you might want to find out why a program runs every time Windows XP runs. If you don't already know the Run key, you need to browse the registry program filename. I spend a lot of time finding the settings of programs in the registry, looking for their names and filenames. You can search for key names, value names, and string data. You can also search for partial (searching for Windows matches C:\Windows and Windows XP) or full matches. It may take a long time before the first hit is displayed. So be patient. It takes even longer if you are registering a remote computer. After Regedit finds a match, it selects the found key or value. searches to the end of the registry without a match, a message is displayed stating that the registry is being searched.” To search using Registry Editor: On the Edit menu, click Find Figure 2-2, type the text to search for enter the field 2. 37 To find keys whose name contains the text, check the box Keys To search for values whose name contains the text, check the box Values REG_SZ values contains the text, check the box Data 3. Click Find Next 4. Press F3 to repeat the search if necessary 5. You can significantly reduce the time to search the registry by restricting the keys and values or data. For example, if you know you only want to search for specific characters in their names, limit your search to value names. If you know how to search for data, limit your search to value data. In the Find dialog box. , as shown in Figure , the Keys, Values, or Dates checkboxes to prevent Regedit from searching these ranges s. The Match Whole String Only checkbox does not improve turnaround time, but it will reduce the number of hits you get and since you don't need to display as many hits, you need to enable search. Check this box only if you are 100 percent sure about the name or the dates for the
Seek; Otherwise you won't find it.
Incremental Search Incremental search significantly speeds up finding subkeys and values in long lists. It's when you're trying to find a subkey in HKCR because the search takes too long and scrolling through the long list is annoying. Here's how it works: Select the first item in a long list and start typing the item you want to find. Regedit selects the first item that matches your input. So if you click the first subkey under HKCR and then type wm, Regedit will select wmafile. (without delaying too long so as not to restart the incremental search) and Regedit WMDFile. you have the idea Remember that it doesn't find any keys or values that are collapsed. The incremental search only finds keys that you can see by scrolling up or down in the keys pane.
Searching in binary values Regedit cannot search for REG_DWORD or binary values. It only looks for key names, names or string values. This means that you cannot use regedit to find numeric REG_DWORD or REG_BINARY values, and you certainly cannot find text containing Windows XP REG_BINARY values, which is very common. However, the solution is simple. Export the branch you want to search in (See "Export Settings" later in this chapter to learn how to create a .reg file.) Then .reg file in Notepad and search for the number or binary string, you want to find. However, like Regedit, you need to format values in REG files to find them. Chapter 9, "Scripting Changes," describes the format of REG files in detail. First you need to know what value types look like in a .reg file, which Table 2-3 describes. For example, to find the word Jerry in a REG_BINARY value, you would convert its letters to their Unicode task, which is easy if you know that a capital A has a hexadecimal value of 0x0041, a lowercase letter of 0x0061, and the number 0 a hex value of 0x0030. So Jerry as binary 4A 0x00 0x65 0x00 0x72 0x00 0x72 0x00 0x79 0x00. If you're not familiar with reverse bytes and Unicode, see Chapter 1.) How to find binary strings in a .reg file that contain the word jerry for 4a,00,65,00,72,00,72,00 ,79. Table 2-3: Data formats of REG files Type In Regedit In REG files 38 REG_SZ Microsoft Windows XP "Microsoft Windows XP" REG_DWORD 0x00000009 dword:00000009 REG_BINARY 0XC2 0X00 0X02 0X9E 0X00 0X00 0X3D hex:c2,00,02,9e, 00, 00,3d Table 2-3 contains only examples for REG_SZ, REG_DWORD and REG_BINARY. That is, Regedit uses a variation of REG_BINARY to represent all other value types. In a REG instance, a REG_MULTI_SZ looks like hex(7):4a,00,65,00,72,00,72,00,79,00,00,00. describes the format of each value type and how they look in .reg files.
Bookmarking Favorites Buttons Regedit, including the versions that ship with Windows 2000 and Windows XP, inherits Microsoft Internet Explorer's most useful feature: Favorites. This allows you to bookmark subkeys that you edit most often and return to them quickly. Clicking a subkey in the menu is certainly a better alternative than clicking through the key pane or, worse, remembering where Windows XP stores the Run key in the registry. Adding a key to
easy, and after adding it, you can click its name in the Favorites menu (Figure 2directly to this key , and then click Favorites, Add to Favorites. In the Favorites dialog box, type a Enter a descriptive name for your shortcut. I usually name shortcuts using the root key and the last few subkeys, e.g. shortcut is in HKCU or HKLM (they have similar structures).Using HKCU\Software\Microsoft\Windows\CurrentVersion is not handy as this is getting too broad.You might want some help getting your favorites menu working So this is what I usually put on mine: HKCR\CLSID • HKCU\Control Panel\Desktop • HKCU\Software\Microsoft\ Active Setup\Installed Components • HKCU\Software\Microsoft\Internet Explorer • 39 HKCU\Software\Policies • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components • HKLM\SOFTWARE\Microsoft\Windo ws \CurrentVersion • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer • HKLM\SOFTWARE\Policies • HKLM\SYSTEM\CurrentControlSet\Control • Removing a key from Favorites is also easy. On the Favorites menu, click Remove Favorite, and then click the keys you want to remove. If you want to rename keys to Favorites, you can edit the HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites key and rename shortcuts or change their targets. Tip Regedit displays keys in the order you added them; it doesn't sort them alphabetically. If you really want this list in alphabetical order, export HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites to a .reg file. Edit the .reg file to sort the keys in alphabetical order or some other preferred order, and then import the .reg file back into the registry after removing the favorites key. The favorites menu is rearranged. By the way, save this REG file so that you can use your favorites elsewhere.
Using Better Techniques After a while, you'll know enough about the registry in Windows XP to make searching much faster. You know where to start and where to end your search, so you don't waste your time looking through parts of the registry where you can't find what you're looking for. Click a subkey near where you want to start, then search. If you repeat your search by pressing F3, keep an eye on the status bar and note the key that contains the current match. After passing the branch that you think should contain the value, stop the search. Here's an example of how to focus a search. If you create a standard user profile, learn it
As in Chapter 10, “Deploying User Profiles,” load the Hive file you're creating and check for references to the current user profile folder that you don't want to deploy to desktops across the organization. To narrow your search to that hive, select the hive's first key in the registry, and then browse for the path. In doing so, you decide what to do with any references to it that you find. However, after you leave this hive, stop searching lest you waste your time and accidentally change values you don't want to change. Other examples of focusing searches to find data faster include: Restrict your search to HKCR if you want to find values related to file associations. In this case, do an incremental search to speed things up. • Look for program settings only in the HKCU\Software and HKLM\SOFTWARE branches. And if you know the vendor and program names, you can go straight to the key that contains its settings, because you know that programs store their settings in HKCU and HKLM in the Software\Company\Program\Version branch. • Search HKCU if you know you are looking for user-specific settings, and search HKLM if you know you are looking for machine-specific settings. • Browse the HKLM\System branch if you are looking for device driver and service settings. • Shareware Search Tools 40 can download trial versions of these tools from any share w aresite. Try http://www.zdnet.com/downloads or http://www.tucows.com. Here are some of the most popular: Registry Crawler 4.0 by 4Developers at http://www.4developers.com • Registry Toolkit by Funduc Software at http://www.funduc.com • Resplendent Registrar by Resplendence Sp at http://www. resplendence.com • Registry Detective from PC Magazine at http://www.pcmagazine.com • Registry Crawler is my personal favorite, but the other tools work well too. Registry Crawler not only crawls the registry faster than Regedit, but it also has features that make the task easier. You can quickly access it from the taskbar. It shows a list of matches that you see all at once instead of jumping from hit to hit, and you can export the results to a .reg file. It also allows you to search the registries of multiple computers at the same time if you can access them over a network. However, its most powerful feature is the find and replace function, which allows you to replace all instances of one value with another.
Editing the Registry Assuming a key or value's permissions don't prevent you from doing so, you can add, delete, and rename keys and values in Regedit. You can also change most values. As you might guess, there's more than one way to do almost anything in regedit. You will
you will find three different ways to change a value: via the main menu, via the context menu or with a key combination. Use whichever method is right for you, but I prefer keyboard shortcuts because I regret touching the desktop rodent for no reason. You can edit any value by selecting it and pressing Enter. The following sections describe the functions that Regedit provides for editing the registry. These are the basic steps that you will rely on in this book.
Changing Values I promise you that 99.999 percent of the time (if you had to fit the five nines) when you're working in Regedit, you'll double-click a value to change it. However, that won't stop me from telling you about other ways you can change a value. One way to change a value is to click Edit, Change. Another option is to right-click the value and then click Change on the context menu. Regedit displays a different editor depending on the value type. For example, Regedit opens the Edit String dialog box when you edit a REG_SZ value. It displays the Edit DWORD Value dialog box when you edit a REG_DWORD value. Unlike the version of Regedit that ships with Windows 2000, the version in Windows XP doesn't throw you into the Binary Edit dialog box for values like REG_MULTI_SZ. This release includes dialogs for almost all value types supported by Windows XP. The graphics below show what the different editors look like, with a description of each. Use the Edit String dialog box to edit the REG_SZ and REG_EXPAND_SZ values. Enclosing the value in quotes is not required unless you intend to include the quotes in your value. You can copy values from this dialog box to the clipboard, which is a convenient way to include values in scripts and documents. 41 Use the Edit DWORD Value dialog box to edit REG_DWORD values. By default you are a hexadecimal value, but you will not include prefixes like 0x in the value; They only use hexadecimal digits. You can edit the value as a decimal by selecting the decimal. Note that Regedit displays REG_DWORD values in the Value Data field using either case. Use the Edit Binary Value dialog to edit REG_BINARY values. The first column of this dialog box is the offset, starting from zero. The second column of numbers contains strings in hexadecimal notation. The last column shows the text representation of the binary. You can edit either the second or the third column. You can enter hexadecimal digits or simple 42 characters. Use the Edit Multiple Strings dialog to edit REG_MULTI_SZ values. Each string is on with no blank lines. To change a value, click Edit, Change, and then enter the value's new data in the Value field
When you change a value with Regedit, Notepad applies that change immediately, but that doesn't mean Windows XP or other programs noticed the change. Go unnoticed until the program or operating system has a reason to load or reload the registry. For example, if you change Windows Explorer settings in the registry, Windows doesn't pick up those changes—you'll have to close and reopen those windows. If you are using Microsoft Office XP, you must shut it down and restart it before it recognizes your changes. that Windows XP only loads when you log into the operating system, and user-specific settings, since the location of shell folders such as Favorites requires you to log out of the Windows 43 system and log back in, only loads these settings at startup. Chances are you're going to screw something up. Unless you have access to a test lab, you'll probably be experimenting on your production computer (Read Production as essential). If things get out of hand, don't panic, and certainly don't make things worse by repeatedly restarting your computer or hacking at the registry until nothing is left. Instead, read Chapter 3, "Backing Up the Registry" to learn how to easily restore your last working configuration. Stupid Clipboard Tricks When you write scripts, documentation, deployment plans, and so on, you have to type a lot of key names and values. This is an error-prone and painful process that you can do much more easily with the clipboard. For example, instead of trying to type a fully qualified key name, flipping back and forth between regedit and your text editor, and trying to memorize every subkey in the branch, just copy the key name to your clipboard, and then paste it into your document : In the Keys pane, right-click a key, and then click Copy Key Name. You can also copy value names and dates to the clipboard. Value names are typically not long, but using the clipboard is the only way to ensure that the value's data is correct. In the Values pane, right-click the value whose name you want to copy to the clipboard and click Rename. Press Ctrl+C to copy the name to the clipboard, then press Esc so you don't accidentally change the name. If you prefer a less risky method of copying a value's name, edit the value, select the value's name, and then press CTRL+C to copy it to the clipboard. Copying a value's data to the clipboard is useful and simple: edit the value, select the value's data, and then press Ctrl+C to copy it to the clipboard. This is a great way to back up data before you change it. Before changing a value, copy its data to the clipboard and create a new value from
of the same type and paste the data from the clipboard into it. For example, if I wanted to change a REG_SZ value called Stubpath, I would copy its data to the clipboard and then paste that data into a new REG_SZ value called StubpathBackup. Then if the change doesn't work, I could revert to the original value and fix the problem I was causing with my random changes.
Adding Keys or Values The only reason you would create keys and values is when prompted; That means you know that adding the value will have some effect. For example, Microsoft's knowledge base often directs you to add a value that fixes a specific problem. This book tells you all about values you can add to the registry to customize Windows XP. Otherwise, adding a value that no program reads won't do anything. If you're dying to add something to the registry, check out some of the tips in Chapter 4, "Hacking the Registry" or Chapter 15, "Fixing IT Problems." To create a new key, first click on the key under which you want to create a subkey; Click Edit, New and Key; and then enter a name for the new key. When you create a new key, Regedit names it New Key #N, where N is a serial number starting with 1, and then selects the name so you can change it. 44 In the key pane, click the key to which you want to add a value. 1. On the Edit menu, click New, and then click the type of value you want to create: Value, Binary Value, DWORD Value, Multi-String Value, or Expandable String Value. 2. Enter a name for the new value. 3. Regedit names the new value New Value #N and then selects it so you can enter one. Windows XP requires all names contained in a key to be unique. No two subkeys can have the same name, and no two values can have the same name. For this reason, Regedit names New Value #1, New Value #2, and so on. In any case, the default data for binary values is zero. The default for strings is the empty string. The default value for REG_ values is 0. After you create a new value, edit it to change its default value.
Deleting a key or value Click the key or value that you want to delete, and then click Edit, Delete. I don't delete often, but there are a few circumstances that recur. The first is when I want to reset settings. For example, to reset Regedit's view settings, you must remove the value that contains them. You can clear most programs' settings by deleting them from the registry. You know where to look: the Software\Company\Program\Version branch under HKCU. While this works well for programs that recreate missing settings, it doesn't work for those that drop dead when their settings are missing. Another circumstance is when I want to clean up the registry a bit. Often the registry references files that don't exist (orphan files) or settings that simply shouldn't be in the registry, especially after removing a program. With a little thought and a bit of luck, this is possible
Settings from the registry. Chapter 3, "Securing the Registry," is a helpful resource scenario. Tip There is a better and safer way to remove keys and values than simply overwriting the settings you want to remove so that you can rename them, which hides them from the search. Just add your initials at the beginning of the key or value example. I can hide a value called Session by renaming it JH-Session. If something goes horribly wrong (and it sometimes happens when browsing the registry), I can remove the current version of Session and give it the original old name.
Renaming Keys or Values Regedit does not allow you to click on a selected file to rename it like you can in Windows Explorer. Click the key or value that you want to rename, and then click Rename on the Edit menu. Also click the key or value that you want to rename, and then press F2. In the previous section, "Deleting Keys and Values," you learned that one of the most important renaming keys and values is to hide them from Windows XP and other programs that permanently delete them. Then, only after I'm satisfied with the result, do I hire permanently. Sometimes I don't even bother, since renamed keys serve as good documentation of the changes I'm making in the registry. To rename a key or value, select the key, click Edit, and enter a new name. 45 Regedit has a function that prints all or part of the registry. I confess that I have never printed in the register; I just couldn't find a good reason for it. You can certainly print a subkey backup before making changes, but I tend to use Hive files for this purpose, which doesn't get me re-entering keys, values, and dates to restore the old settings. You may not know much about this feature, but this chapter wouldn't be complete without describing how to use it. To open part of the registry, follow these steps: Click on the key you want to print and remember that you will print every value under it. 1. On the File menu, click Print to display the Print dialog box shown in Figure 2-4. Figure 2-4: The format of Regedit's printer output is the same as the format used when exporting portions of the registry to a text file. 2. Do one of the following: To print the entire registry, click All. → To print the selected branch, click Selected branch. → 3. Click Print. 4. The following listing shows what Regedit's printer output looks like. Useful, as you can see, except maybe as a temporary way to remember values. However, Microsoft has heavily regedited Windows XP's printer output. Regedit now prints REG_DWORD values so that they are REG_DWORD values instead of printing them as little-endian binary values (Chapter 1, “Learning the Basics”). It also prints binary values along with their ASCII equivalent. Lastly, this version of regedit actually prints the type of each value instead of relying on /2/2002 - 1:16 AM value 0
Name: SetupType Type: REG_DWORD Data: 0x0 Value 1 Name: SystemSetupInProgress Type: REG_DWORD Data: 0x0 Value 2 Name: CmdLine Type: REG_SZ Data: Value 3 Name: SystemPrefix Type: REG_BINARY Data: 00000000 cd 03 00 00 00 80 3c d2 - Í.....= 4 EXPLAIN "These are sample policies that do nothing."
#endif POLICY "Example Policy" #if Version >= 4 SUPPORTED "At least Microsoft Windows XP Professional" #endif EXPLAIN "This is an example policy that doesn't do much." KEYNAME "Software\Policies" VALUENAME Example VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY END CATEGORY
Note The #if and #endif directives enclose directives that only work with specific versions of System Policy or Group Policy. Using these instructions, the developer can write an Administrative Template that works with various versions of Windows, including Windows NT, Windows 2000, and Windows XP. System Policy in Windows NT is version 2. Windows 2000 is version 3. Windows XP is version 4. To ensure that the Group Policy Editor in Windows 2000 ignores keywords that only Windows XP supports, the developer encloses these keywords between #if version >= 4 and #endif. To ensure that only the System Policy Editor in Windows NT sees a block of keywords, enclose them between #if version = 2 and #endif. These conditional statements show that Microsoft was already thinking far into the future back then.
Comments Comments are useful and necessary to document the content of your policy templates. You can add comments to template files in two different ways. Precede the comment with a semicolon (;) or two forward slashes (//). You can also place comments at the end of each valid line. This chapter shows examples of comments; I documented every example with them. Each line in the following example is a valid comment. I prefer using // for comments. Listing 6-2 example.adm ; This is a comment // This is also a comment CLASS USER // User specific settings CLASS MACHINE ; Settings per computer
Strings Feel free to hard code strings in a one-off quick-and-dirty template file. That means adding the string where you need it and repeating the same string as many times as needed. The listing you saw in the "Extending the registry-based policy" section uses hard-coded strings. If you use enterprise-class template files or manage the files over time, use string variables. Using 137 Define strings at the end of your template file in the [Strings] section. The format of each string is name="string". You must enclose the string in double quotes. To use string variables in your template file, use the !!name format. Every time the Group Policy Editor !! name, it replaces the string for the name. By the way the !! does the search for template files
Strings made easy - just search the file for the double exclamation marks. The following listing is an example of how strings and string variables are used in a template file: Listing 6-3: example.adm POLICY !!Sample // Defined in the [strings] section SUPPORTED "At least Microsoft Windows XP" // Hard - encoded string EXPLAIN !!Sample_Explain // Defined in section [strings] ... [strings] Sample="Sample Policy" Sample_Explain="This sample policy doesn't do much."
Note For the sake of clarity, I do not use any string variables in this chapter. Avoiding string variables avoids having to look up each string while wading through the listings. Remember that you should use string variables if you plan to localize your files.
CLASS The first entry in a template file is the CLASS keyword. It defines whether the following policies are per user or per computer, ie it indicates where in the Group Policy Editor you see the policy: User Configuration or Computer Configuration. You can use multiple CLASS keywords in a template file. When the Windows XP client-side extensions process the file, the settings defined in the CLASS USER sections are merged and the same is done for the settings defined in all CLASS MACHINE sections. Then it loads the settings defined in the CLASS USER sections in HKCU and the settings defined in the CLASS MACHINE sections in HKLM. Syntax CLASSNAME
Name This must be MACHINE or USER. MACHINE indicates that the policies after the CLASS keyword are per-machine policies, and USER indicates that the policies after the keyword are per-user policies. This keyword persists until you change it with additional CLASS keywords. Example Listing 6-4: example.adm CLASS MACHINE // policies here are per-machine policies CLASS USER // policies here are per-user policies
138
CATEGORY After using the CLASS keyword to determine whether your policy appears under the Computer Settings or User Settings branch of the Group Policy editor, use the CATEGORY keyword to create subfolders in that branch. Notepad will display your settings in this folder. Just as you can create subkeys within keys in the registry, you can create subcategories within categories by nesting the CATEGORY keyword. Just remember that all CATEGORY
creates folder. Categories can contain zero or more policies. Categories that do not contain policies typically contain at least one or more subcategories. You define a registry key in which the Group Policy Editor creates settings for that category using the KEYNAME keyword, which you learn about in the next section. Using the KEYNAME keyword here is optional if you define the key elsewhere. Finally end a category with END CATEGORY. Syntax CATEGORY name KEYNAME subkey policies END CATEGORY
Name This is the folder name you want to see in Group Policy Editor. Use a string variable or a quoted string. Subkey This is an optional subkey of HKLM or HKCU to use for the category. However, do not include either root key in the path because the preceding CLASS keyword specifies which of these root keys to use. If you specify a subkey, all subcategories, policies, and parts use it unless they explicitly provide their own subkey. Enclose names containing spaces in double quotes. Example Listing 6-5: example.adm CLASS USER // Settings are per user in HKCU CATEGORY "Desktop Settings" KEY NAME "Software\Policies\System" // Add policies for category "Desktop Settings" here CATEGORY "Custom Application Settings" KEY NAME "Software\Policies\CustomApps" // Add policies for the Custom Applications subcategory here END CATEGORY END CATEGORY
139 Keywords The valid keywords that you can use within a CATEGORY section are the following: CATEGORY • END • KEYNAME • POLICY •
KEYNAME Use the KEYNAME keyword within a category to define which subkey of HKCU or HKLM (depending on the CLASS keyword) contains the value you are changing. Do not include a root key in the path because it is defined by the CLASS keyword. If the name contains spaces, you must enclose the string in double quotes. The example in the previous section, "CATEGORY," shows how to use the KEYNAME keyword.
POLICY Use the POLICY keyword to define a policy that the administrator can change. The policy editor displays the policy and its controls in a dialog box that the administrator uses to modify it
the status and settings of the policies. You can include multiple POLICY keywords in a single category, but you do not have to specify the KEYNAME keyword before each POLICY keyword. The latest KEYNAME keyword applies to each policy. You end a policy with END POLICY. Each policy contains a VALUENAME keyword to associate it with a registry value. By default, the policy editor assumes it is a REG_DWORD value and stores 0x01 in it when you enable the policy. The policy editor also removes the value if you disable the policy. You must use the VALUEON and VALUEOFF keywords if you do not want the policy editor to remove the value when you disable the policy. You do not need to use any keywords other than VALUENAME to achieve this behavior. However, you can include optional PART keywords that specify additional options, such as For example, drop-down list boxes, check boxes, text boxes, etc. You see these controls at the bottom of the policy dialog box (see Figure 6-3). Syntax POLICY name [KEYNAME subkey] EXPLAIN help VALUENAME value [parts] END POLICY
Name This is the name of the policy as you would like it to appear in the Group Policy Editor. Use a meaningful but short name. Subkey This is an optional subkey of HKLM or HKCU to use for the category. However, do not include either root key in the path because the preceding CLASS keyword specifies which of these root keys to use. If you specify a subkey, all subcategories, policies, and parts use it unless they explicitly provide their own subkey. Enclose names containing spaces in double quotes. 140 Help This is the string that the Group Policy Editor displays on the Explain tab and on the Advanced tab of the policy dialog box. Value This is the registry value to change. Enabling the policy sets the REG_DWORD value to 0x01. Select the Not configured option or disable the policy and the policy editor will remove the value from the registry. To specify values other than the default 0x01, use the VALUEON and VALUEOFF keywords immediately after the VALUENAME keyword: VALUEON [NUMERIC] Enabled VALUEOFF [NUMERIC] Disabled
When you use these keywords, the policy editor sets the registry value to Enabled when you enable the policy and to Disabled when you disable the policy. The default value type is REG_SZ, but you can change it to REG_DWORD by prefixing the value with the NUMERIC keyword. Regardless, the value is completely removed when the policy is set to Not Configured. Example Listing 6-6: example.adm
CLASS MACHINE CATEGORY "Disk Quota" KEY NAME "Software\Policies\MS\DiskQuota" POLICY "Enable Disk Quota" EXPLAIN "Enables and disables disk quota management." VALUENAME "Enable" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY END CATEGORY
Keywords Valid keywords in a POLICY section include: ACTIONLISTOFF ACTIONLISTON END KEYNAME PART VALUENAME VALUEOFF VALUEON HELP POLICY Note Additional keywords are available for policies, but they are intended for developers who want policy 141 create
EXPLAIN The EXPLAIN keyword provides help text for a specific policy. In Windows 2000 and Windows XP, each policy's dialog box includes an Explain tab that provides details about the policy settings. You can also see this help text on the Advanced tab in the right pane of the editor in Windows XP. Each policy you create for Windows 2000 and Windows XP should contain an EXPLAIN keyword followed by a full description of the policy and its settings. Although I don't show this in my examples (to keep them simple), you should enclose this keyword between #if version >=3 and #endif to prevent earlier versions of the policy editor from choking on these keywords: Listing 6-7 : example.adm #if Version >= 3 EXPLAIN "Enables and disables disk quota management." #endif
VALUENAME The VALUENAME keyword identifies the registry value that the policy editor changes when you enable or disable the policy. The syntax is VALUENAME name. You saw an example of this keyword in the POLITICS section. Unless you set the VALUEON and VALUEOFF keywords described in the next section, the policy editor creates the policy as a REG_DWORD value: Enabled. Sets the value to 0x01 • Disabled. Removes the value •
Not configured. Removes the value • VALUENAME, VALUEON, and VALUEOFF describe the value that enables and disables the policy. If you want to define additional settings that allow you to capture additional values to refine the policy, you must use the PART keyword. The settings in a PART section are located in the lower part of the policy dialog box.
VALUEON and VALUEOFF You can use the VALUEON and VALUEOFF keywords to write specific values based on the status of the policy. The POLICY section provides an example of how these keywords are used. The syntaxes are VALUEON [NUMERIC] Enabled and VALUEOFF [NUMERIC] Disabled. By default, the policy editor creates the value as a REG_SZ value; If you want the value to be created as a REG_DWORD value, precede it with the NUMERIC keyword. Example: VALUEON 0 // Created as a REG_SZ value with "0" VALUEOFF NUMERIC 1 // Created as a REG_DWORD value with 0x01
ACTIONLIST The ACTIONLIST keyword allows you to group settings. Think of it as a list of values you want the policy editor to change when you change a policy. The following two variants of the ACTIONLIST keyword are most commonly used: Syntax ACTIONLIST [KEYNAME subkey] VALUENAME value VALUE data END ACTIONLIST
Subkey This is an optional subkey of HKLM or HKCU to use for the category. However, do not include either root key in the path because the preceding CLASS keyword specifies which of these root keys to use. If you specify a subkey, all subcategories, policies, and parts use it unless they explicitly provide their own subkey. Enclose names containing spaces in double quotes. Value This is the registry value to change. Enabling the policy sets the REG_DWORD value to 0x01. Select the Not configured option and the policy editor will remove the value from the registry. To specify values other than the defaults of 0x00 and 0x01, use the VALUE keyword. Data This is the data for which you want to set the value. The default value type is REG_SZ, but you can change it to REG_DWORD by prefixing the value with the NUMERIC keyword. If you follow the VALUE keyword with the DELETE (VALUE DELETE) keyword, the policy editor removes the value from the registry. Regardless, the value is completely removed when the policy is set to Not Configured. Example Listing 6-8: example.adm POLICY "Example Action List" EXPLAIN "This illustrates action lists" ACTIONLISTS VALUENAME Example1 VALUE 1 VALUENAME Example2 VALUE 1
END ACTIONLISTON ACTIONLISTOFF VALUENAME Sample1 VALUE 0 VALUENAME Sample2 VALUE 0 END ACTIONLISTOFF END POLICY
PART The PART keyword allows you to specify various options at the bottom of a policy's dialog box, including drop-down lists, text boxes, and check boxes. Figure 6-5 shows an example of the settings you want to collect in addition to enabling or disabling the policy. For simple policies that you only need to enable or disable, you don't need to use this keyword. In fact, relatively few policies in Windows XP use the PART keyword at all. 143 Figure 6-5: Use the PART keyword to collect additional data that further refines the policy. You start a part with the keyword PART and end it with END PART. The syntax of the PART keyword is PART Name Type. name is the name of the part and type is the type of the part. Each policy can contain multiple PART keywords, and the policy editor displays them in the dialog box in the order in which they were found in the administrative template. This section gives you the overall syntax of the PART keyword, and the following sections describe how to create the different types of parts. Syntax PART Name Type Keywords [KEYNAME Subkeys] [DEFAULT Default] VALUENAME Name END PART
Name This specifies the name of the setting as you want it to appear in the policy dialog box. Enclose the name in double quotes if it contains spaces. This is the setting prompt. Type This can be one of the following types: CHECKBOX. Displays a check box. The REG_DWORD value is 0x01 if you select the check box or 0x00 if you clear it. • COMBINATION BOX. Displays a combo box. • DROPDOWN LIST. Displays a combo box with a drop-down list. The user can only select one of the provided entries. • EDIT TEXT. Displays a text box that accepts alphanumeric input. The value is either REG_SZ or REG_EXPAND_SZ. • LISTBOX. Displays a list box with Add and Remove buttons. This is the only • 144 type that can handle multiple values in a key.
NUMERIC. Displays a text box with an optional spin control that accepts a numeric value. The value is a REG_DWORD value. • TEXT. Displays a line of static text. It does not store any data in the registry and is useful for adding help to the dialog box. • Keywords This is information specific to each part type. See the following sections for more information about these keywords. Subkey This is an optional subkey of HKLM or HKCU to use for the category. However, do not include either root key in the path because the preceding CLASS keyword specifies which of these root keys to use. If you specify a subkey, all subcategories, policies, and parts use it unless they explicitly provide their own subkey. Enclose names containing spaces in double quotes. Default This is the default value for the part. When you enable the policy, the policy editor fills the control with the default value. Use a default value that is appropriate for the type of part. Value This is the registry value to change. The value type and data is entirely dependent on the part type. Example Listing 6-9: example.adm POLICY "Sample part" EXPLAIN "This illustrates parts" KEYNAME "Software\Policies" POLICY "Sample policy" EXPLAIN "This is a sample policy with parts." VALUENAME "Example" PART test EDITTEXT DEFAULT "This is the standard text" VALUENAME Example END PART END POLICY
Keywords The valid keywords within a PART section are the following: CHECKBOX • COMBOBOX • DROPDOWNLIST • EDITTEXT • END • LISTBOX • NUMERIC • PART • TEXT •
CHECKBOX The CHECKBOX keyword indicates a check box. In the registry it is a REG_SZ value. By default, the check box is unchecked, and the settings it writes to the registry for each of its states are as follows: 145 Include the DEFCHECKED keyword in the part if you want the check box to be enabled by
Originally. Otherwise, the check box is cleared by default. Syntax PART Name CHECKBOX DEFCHECKED VALUENAME Value END PART
Name This specifies the name of the setting as you want it to appear in the policy dialog box. Enclose the name in double quotes if it contains spaces. The name is displayed next to the checkbox. Value This is the registry value to change. Enabling the policy sets the REG_SZ value to 1. Set the Not configured option and the policy editor will remove the value from the registry. To specify values other than the defaults of 0 and 1, use the VALUEON and VALUEOFF keywords after the VALUENAME keyword: VALUEON [NUMERIC] Enabled VALUEOFF [NUMERIC] Disabled
When you use these keywords, the policy editor sets the registry value to Enabled when you enable the policy and to Disabled when you disable the policy. The default value type is REG_SZ, but you can change it to REG_DWORD by prefixing the value with the NUMERIC keyword. Regardless, the value is completely removed when the policy is set to Not Configured. You can also use the ACTIONLISTON and ACTIONLISTOFF keywords to assign multiple values to a check box. Example Listing 6-10: example.adm CLASS USER CATEGORY "Example Policies" EXPLAIN "These are example policies that illustrate parts." “ KEYNAME "Software\Policies" PART Sample1 CHECKBOX VALUENAME Sample1 END PART PART Sample2 CHECKBOX DEFCHECKED VALUENAME Sample2
146 END POLICY END CATEGORY
Keywords Valid keywords in a CHECKBOX section include: ACTIONLISTOFF • ACTIONLISTON • DEFCHECKED • END • KEYNAME • VALUENAME • VALUEOFF • VALUEON •
COMBINATION BOX
The COMBOBOX keyword adds a combo box to the policy's dialog box. It has an additional keyword that you must use, SUGGESTIONS. This creates a list of suggestions that the policy editor will add to the drop-down list. Separate items in this list with spaces, and enclose items that contain spaces in double quotes. End the list with END SUGGESTIONS. A few keywords change the behavior of the combo box: DEFAULT. Specifies the default value of the combo box • EXPANDABLETEXT. Constructs the value as a REG_EXPAND_SZ value • MAXLENGTH. Specifies the maximum length of the value • NOSORT. Prevents the policy editor from sorting the list. • NECESSARY. Indicates that a value is required • Syntax PART Name COMBOBOX SUGGESTIONS Suggestions END SUGGESTIONS [DEFAULT Default] [EXPANDABLETEXT] [MAXLENGTH Max] [NOSORT] [REQUIRED] VALUENAME Value END PART
Name This specifies the name of the setting as you want it to appear in the policy dialog box. Enclose the name in double quotes if it contains spaces. You will see the name next to the combo box. Suggestions 147 This is a list of items to include in the drop-down list. Separate each suggestion with spaces (newlines, tabs, spaces, etc.) and enclose any suggestion that contains a space in double quotes. Default This is the default value for the part. When you enable the policy, the policy editor fills the control with the default value. Use a default value that is appropriate for the type of part. Max This is the maximum length of the value's data. Value This is the registry value to change. The policy editor creates this in the registry as a REG_SZ value and fills it with whatever text you typed or selected in the combo box. Example Listing 6-11: example.adm CLASS USER CATEGORY "Example Policies" EXPLAIN "These are example policies that illustrate only parts." Partly illustrated.” KEYNAME "Software\Policies" PART Sample COMBOBOX SUGGESTIONS Sample1 Sample2 "Another Sample" END SUGGESTIONS VALUENAME Sample
END PART END POLICY END CATEGORY
Keywords The valid keywords within a COMBOBOX section are the following: DEFAULT • END • EXPANDABLETEXT • KEYNAME • MAXLENGTH • NOSORT • REQUIRED • SUGGESTIONS • VALUENAME •
DROPDOWNLIST The DROPDOWNLIST keyword adds a drop-down list to the policy's dialog box. It has one additional keyword that you must use and that is ITEMLIST. This creates a list of items that policy 148 lists with the END ITEMLIST. A few keywords change the behavior of the drop-down list: DEFAULT. Specifies the default value of the drop-down list • EXPANDABLETEXT. Creates the value as a REG_EXPAND_SZ value • NOSORT. Prevents the policy editor from sorting the list. • NECESSARY. Indicates that a value is required • Syntax PART Name DROPDOWNLIST ITEMLIST NAME Item VALUE Data END ITEMLIST [DEFAULT Default] [EXPANDABLETEXT] [NOSORT] [REQUIRED] VALUENAME Value END PART
Name This specifies the name of the setting as you want it to appear in the policy dialog box. Enclose the name in double quotes if it contains spaces. The name is displayed next to the drop-down list. Element This is the name of each element in the list. This is the text that will appear in the drop-down list. However, this is not the value that Policy Editor stores in the registry. Data This is the data you want the policy editor to store in the value when you select the associated item. Default This is the default value for the part. When you enable the policy, the policy editor fills the control with the default value. Use an item defined in ITEMLIST. Value This is the registry value to change. The policy editor creates this in the registry as a REG_SZ value and fills it with the value of Data associated with the selected item. Example Listing 6-12: example.adm CLASS USER CATEGORY "Example Policies" EXPLAIN "These are example policies that illustrate parts."
POLICY "Sample Policy" SUPPORTS "At least Microsoft Windows XP Professional" EXPLAIN "This is a sample policy that demonstrates how to create a part." VALUE 2 END ITEM LIST
149 END CATEGORY
Keywords The valid keywords within a DROPDOWNLIST section are the following: DEFAULT • END • EXPANDABLETEXT • KEYNAME • NOSORT • REQUIRED • ITEMLIST • VALUENAME •
EDITTEXT The EDITTEXT keyword allows you to enter alphanumeric text in a text field. The policy editor stores the text in a REG_SZ value. A few keywords change the behavior of the text box: DEFAULT. Specifies the default value of the text field • EXPANDABLETEXT. Constructs the value as a REG_EXPAND_SZ value • MAXLENGTH. Specifies the maximum length of the value • REQUIRED. Indicates that a value is required • Syntax PART Name EDITTEXT [DEFAULT Default] [EXPANDABLETEXT] [MAXLENGTH Max] [REQUIRED] VALUENAME Value END PART
Name This specifies the name of the setting as you want it to appear in the policy dialog box. Enclose the name in double quotes if it contains spaces. The name is displayed next to the text box. Default This is the default value for the part. When you enable the policy, the policy editor fills the control with the default value. Use a default value that is appropriate for the type of part. Max This is the maximum length of the value's data. Value This is the registry value to change. The policy editor creates this in the registry as a REG_SZ value and fills it with whatever text you typed. Example Listing 6-13: example.adm CLASS USER
150 POLICY "Sample Policy" SUPPORTS "At least Microsoft Windows XP Professional" EXPLANATION "This is a sample policy that demonstrates creating a part." KEY NAME "Software\Policies"
PART example EDITTEXT VALUENAME example END PART END POLICY END CATEGORY
Keywords The valid keywords within an EDITTEXT section are the following: DEFAULT • END • EXPANDABLETEXT • KEYNAME • MAXLENGTH • REQUIRED • VALUENAME •
LISTBOX The LISTBOX keyword adds a list box with add and remove buttons to the policy's dialog box. This is the only part type that allows you to manage multiple values in a key. You can't use the VALUENAME option with the LISTBOX part because it doesn't just assign it a single value. Use the following options with the LISTBOX item type: ADDITIVE. By default, the contents of list boxes override values already set in the registry. This means that Windows XP client-side extensions remove values before setting them. When you use this keyword, the client-side extensions don't delete existing values before adding the values specified in the list box. • EXPRESS VALUE. Use this keyword to specify the value name and data. The list box shows two columns, one for the name and one for the data. You cannot use this keyword with the VALUEPREFIX keyword. • VALUE PREFIX. The prefix you specify determines the value names. If you specify a prefix, the policy editor adds a sequential number. Example: The prefix "Sample" generates the value names "Sample1", "Sample2", etc. The prefix can be empty (""), resulting in the value names being 1, 2, etc. • By default, without using the EXPLICITVALUE or VALUEPREFIX keywords, only one column is displayed in the list box. For each entry in the list, the policy editor creates a value using the entry's text for the value's name and dates. For example, the Sample entry in the list box creates a value named Sample whose data is Sample. The default behavior is rarely the desired result. 151 PART Name LISTBOX [EXPANDABLETEXT] [NOSORT] [ADDITIVE] [EXPLICITVALUE | VALUEPREFIX prefix] END PART
Name This specifies the name of the setting as you want it to appear in the policy dialog box. Enclose the name in double quotes if it contains spaces. Prefix This is the prefix to use for incremental names. If you specify a prefix, the policy editor adds a sequential number. Example: The prefix "Sample" generates the value names "Sample1", "Sample2", etc. The prefix can be empty (""), resulting in the value names being 1, 2, etc. Example Listing 6-14: example.adm CLASS USER CATEGORY "Example Policies" EXPLAIN "These are example policies that demonstrate parts." KEY NAME "Software\Policies" PART Sample LISTBOX EXPLICITVALUE END PART END POLICY END CATEGORY
Keywords The valid keywords within a LISTBOX section are the following: ADDITIVE • END • EXPANDABLETEXT • EXPLICITVALUE • KEYNAME • NOSORT • VALUEPREFIX •
NUMERIC The NUMERIC keyword allows you to enter alphanumeric text with a spinner control that adjusts the number up and down. The policy editor stores the number in a REG_DWORD value, but you can change the type of the value to REG_SZ using the TXTCONVERT keyword. A few other keywords 152 DEFAULT. Specifies the initial value of the text field • MAX. Specifies the maximum value. The default value is 9999 • MIN. Specifies the minimum value. The default is 0. • REQUIRED. Indicates that a value is required • SPIN. Specifies the increment to use for the spinner control. The default is 1, and using 0 removes the spinner control. • TXT CONVERT. Writes values as REG_SZ values instead of REG_DWORD • Syntax PART Name NUMERIC [DEFAULT Default] [MAX Max] [MIN Min] [REQUIRED] [SPIN] [TXTCONVERT]
VALUENAME Wert END PART
Name This specifies the name of the setting as you want it to appear in the policy dialog box. Enclose the name in double quotes if it contains spaces. The name is displayed next to the text box. Default This is the default value for the part. When you enable the policy, the policy editor fills the control with the default value. Use a default value that is appropriate for the type of part. Max This is the maximum value. The default value is 9999. Min This is the minimum value. The default value is 0. Value This is the registry value to change. The policy editor creates this in the registry as a REG_DWORD value and sets it to the value you specify in the dialog box. Use the TXTCONVERT keyword to change the type of the value to REG_SZ. Example Listing 6-15: example.adm CLASS USER CATEGORY "Example Policies" EXPLAIN "These are example policies that demonstrate parts." KEYNAME "Software\Policies" PART Sample NUMERIC DEFAULT 11 MIN 10 MAX 20 VALUENAME Sample END PART END POLICY
153 Keywords The valid keywords within a NUMERIC section are the following: DEFAULT • END • KEYNAME • MAX • MIN • REQUIRED • SPIN • TXTCONVERT • VALUENAME •
TEXT The TEXT keyword adds static text to the bottom of the policy dialog box. Syntax PART Text TEXT END PART
Text This is the text you want to add to the dialog box. Example Listing 6-16: example.adm CLASS USER CATEGORY "Example Policies" EXPLAIN "These are example policies that demonstrate parts." illustrated.”
KEYNAME "Software\Policies" PART "This is sample text added to the dialog box." TEXT END PART END POLICY END CATEGORY
To use an Administrative Template, whether you created it or it is provided by an application such as Office XP, you must load it into the Administrative Templates extension. You load template files into any GPO where you want to use them. Because we're talking about the local GPO in this chapter, you only need to load template files once. However, if you use a template with Active Directory, you must load it into each GPO where you want to use it. To load a template into the local GPO: Right-click Administrative Templates under Computer Configuration or User Configuration, and then click Add/Remove Templates. 1. In the Add/Remove Templates dialog box, click Add. 2. In the Policy Templates dialog box, enter the path and file name of the administrative template that you want to load into the local GPO. 3. Windows XP Group Policy Improvements Windows XP includes improved policy management that allows IT pros to tweak, manage, or simply disable features they don't want users to have access to. IT pros can also deploy all policy settings in Windows XP through Active Directory without fear of destroying their Windows 2000 configurations. Here is a short list of the improvements you will find in Windows XP: Windows XP supports all 421 Windows 2000 policies. • Windows XP adds 212 new policy settings and Windows 2000 ignores them. • The Group Policy Editor uses the web view to display useful information about policies that IT pros use to evaluate and review settings. • The Group Policy Editor includes built-in help that makes policies easier to learn and locate. • Windows XP does not wait for the network to fully initialize before presenting the desktop, uses cached credentials in the meantime and allows users to get to work faster. It applies policies in the background when the network is ready. • These improvements are great benefits. However, you'll be pleased to know that the overall picture doesn't change much. They use roughly the same tools in the same way to configure and manage user preferences. If you are already familiar with Windows 2000 Group Policy, you are also familiar with Windows XP Group Policy.
Windows 2000 Server-based networks The Windows XP policy templates are fully compatible with Windows 2000 Server and its version of Active Directory. By default, Microsoft Windows .NET Server includes the Windows XP Administrative Templates. However, you must load them into each GPO where you want to use them, and the steps to do this are the same as you learned in the previous sections. You can avoid having to load the Windows XP administrative templates into each GPO by copying them to %SYSTEMROOT%\Inf on the server. Simply copy all the .adm files from %SYSTEMROOT%\Inf on a Windows XP computer to the same folder on the server. The server operating system automatically updates each GPO when you open it for editing. If you're uncomfortable replacing your Windows 2000 Administrative Templates, you should go ahead because you haven't felt any pain. Consider these best practices when using Windows XP Administrative Templates in Windows 2000 Server: In a mixed environment, use Windows XP template files to manage your GPOs. Windows 2000 ignores Windows XP-specific settings. • Apply the same policy settings to both Windows XP and Windows 2000 to provide a consistent experience for roaming users. • Test the interoperability of the different settings before deployment. • Configure policy settings only on client machines with GPOs. Do not attempt to create these registry values using any other method. •
Windows NT-based and other networks Like Group Policy, System Policy configures and manages settings for computer groups and user groups. I am assuming that you are familiar with the System Policy Editor if you are facing this problem. Table 6-2 describes the differences between the two technologies. The policy file created by the System Policy Editor, typically Ntconfig.pol, contains the registry settings for all users, groups, and computers that use those settings. To deploy this file on a network, place it in the domain controller's NETLOGON share. Unlike Group Policy, separate policy files are not required. Table 6-2: Group Policy vs. System Policy Group Policy System Policy Tool Group Policy Editor System Policy Editor Number of settings
620 registry-based settings 72 registry-based settings Applied to users and computers in a specific Active Directory container, e.g. B. Sites, domains, and organizational units Users and computers in a domain Security Secure Non-secure Extensions Microsoft Management Console and Administrative Templates Administrative Templates Persistence Does not make permanent changes to the registry. Makes permanent registry changes that you must manually remove Internet Explorer maintenance • Implementing registry-based policy settings Windows XP behaves differently depending on what type of server is authenticating the user and looking for system policies. (It uses the Ntconfig.pol file in NETLOGON. This can be used to your advantage if you have not deployed Active Directory but are configuring policies. To configure system policies, use the System Policy Editor. You load the Windows XP policy in the System Policy Editor before using them. System Policy allows you to configure and define the registry-based policies that define these templates. Note that Windows XP does not have a System Policy Editor, but Windows 2000 Server does. Also see System Policy Office XP Resource Kit, Create Ntconfig.pol file and place it in the NETLOGON share.When Windows XP authenticates the account through this Windows NT-based server, it downloads and parses the Ntconfig policies.pol file that it finds in the NETLOGON share. If you are not using Active Directory or a Windows NT domain, you can use Sys tem You configure Windows XP to look for the Ntconfig.pol file in each share by specifying a policy file. However, you must make this change on each individual computer, which is labor intensive unless you configure it on your disk images. Set the UpdateMode REG_DWORD value to 0x02, which changes Windows XP from automatic (0x01) to manual
(0x02). (Set this value to 0x00 to disable the system policy.) Then set the NetworkPath REG_SZ value to the UNC path and name of the policy file you want to use. These values are HKLM\SYSTEM\CurrentControlSet\Control\Update. You may have to create them.
Customize Windows XP The main reason power users want to create Administrative Templates is to customize templates without a user interface. By creating an administrative template, you give these settings an interface and prevent human error. The following listing is an example of an administrative template that does just that. It defines a handful of custom settings that Tweak UI includes (see Chapter 5, "Tweak UI"). Figure 6-6 on page 170 shows what this Group Policy Editor administrative template is. Figure 6-6: Note the warning , which specifies the setting Listing 6-17: Tweakui.adm CLASS USER CATEGORY "Tweak UI Settings" EXPLAIN "These are settings of Tweak UI." CATEGORY "Mouse" EXPLAIN "Settings that customize the mouse." POLICY "Menu Show Delay " EXPLAIN "Delay before Windows XP opens a menu when you hover over it." KEYNAME "Control Panel\Desktop" PART "Menu Delay (milliseconds)" NUMERIC MIN 0 MAX 65534 DEFAULT 400 TXTCONVERT VALUENAME MenuShowDelay END PART END POLICY POLICY "Drag Height and Width" EXPLAIN "Number of pixels the mouse moves before Windows XP thinks KEYNAME "Control Panel\Desktop" PART "Height" NUMERIC MIN 0 MAX 16 TXTCONVERT VALUENAME DragHeight END PART PART "Width" NUMERIC MIN 0 MAX 16 TXTCONVERT VALUENAME DragWidth END PART END POLICY END CATEGORY CATEGORY "Taskbar" EXPLAIN "Taskbar customization settings." POLICY "Balloon Tips" EXPLAIN "Enable or disable Balloon Tips." KEYNAME Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced VALUENAME EnableBalloonTips VALUEOFF NUMERIC 0 VALUEON NUMERIC 1 END POLICY POLICY "Taskbar Grouping" EXPLAIN "Control how buttons are grouped on the taskbar." KEYNAME Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced PART Grouping DROPDOWNLIST ITEML IS NAME "Group least used applications first" VALUE 0 NAME "Group applications with mouse windows first" VALUE 1 NAME "Group applications with at least 2 windows" VALUE 2
NAME "Group applications with at least 3 windows" VALUE 3 NAME "Group applications with at least 4 windows" VALUE 4
158 END ITEMLIST NOSORT VALUENAME TaskbarGroupSize END PART END POLICY END CATEGORY END CATEGORY
This administrative template does not contain appropriate policies. The settings are not in an official policy branch in the registry, so Windows XP cannot manage them. That is, if you remove the policy, the setting remains. The change is permanent. By default, Group Policy Editor doesn't show unmanaged settings because they're tattooing the registry — a negative side effect you don't typically want. In this case, I deliberately chose to do this in order to provide a UI for user settings that typically don't have a UI. In the Group Policy Editor, unmanaged settings have red icons instead of the normal blue icons. To view these settings, you must view unmanaged settings in Group Policy Editor: right-click Administrative Templates under Computer Configuration or User Configuration, point to View, and click Filter. 1. In the Filter dialog box, clear the Show only policy settings that can be fully managed check box. 2.
Using the Group Policy Tools The Group Policy tools in Windows XP contain many improvements. The following sections describe each of these tools and how to use them. However, some of these improvements deserve special mention. The first is the Group Policy Update Tool (Gpupdate.exe). By default, Group Policy updates policies every 90 minutes. On Windows 2000, if you want to change a policy and see the results immediately, you had to use the secedit /refreshpolicy user_policy and secedit /refreshpolicy machine_policy commands. Gpupdate.exe replaces these two commands into one easy to use command. However, you don't need to use this tool when updating the local GPO because changes to the local GPO are instantaneous. Second is the resulting policy set (RSoP). Windows XP includes new tools that let you see what policies the operating system is applying to the current user and computer, and where they originated. One of the hardest parts of managing Group Policy on a large network is
Detect behaviors resulting from combinations of GPOs that you did not intend or knew were occurring. These tools help you track down these behaviors much faster than with Windows 2000 because they give you a snapshot of how the operating system is applying them and where they are coming from.
Gpresult Group Policy Result Tool shows the effective policies and RSoP for the current user and computer. This section describes the command line options. 159 gpresult [/s computer [/u domain\user /p password]] [/user target username [/ realm {user|computer}] [/v] [/z]
/s computer This specifies the name or IP address of a remote computer (do not use backslashes). The local computer is used by default. /u domain\user This runs the command with the account privileges of the user specified by user or domain\user. The default is the permissions of the current console user. /p password This specifies the password of the user account that the /u option specifies. /user TargetUserName This specifies the username of the user for whom you want to show RSoP. /scope {user|computer} This displays either user or computer results. Valid values for the /scope option are user or computer. If you omit the /scope option, Gpresult.exe displays both user and computer settings. /v This specifies that the output shows detailed policy information. /z This specifies that the output shows all available group policy information. Because this option provides more information than the /v option, redirect the output to a text file when using this parameter: gpresult /z >policy.txt. /? This indicates help. Examples gpresult /user jerry /scope Computer gpresult /s camelot /u honeycutt\administrator /p password /user jerry gpresult /s camelot /u honeycutt\administrator /p password /user jerry /z >policy.txt
The Gpupdate Group Policy Update Tool (Gpupdate.exe) updates local and network policy settings, including registry-based settings. As mentioned earlier, this command replaces the deprecated secedit /refreshpolicy command. Syntax gpupdate [/target:{computer|user}] [/force] [/wait:value] [/logoff] [/boot]
/target:{computer|user} This only processes the computer settings or the current user settings. By default, both computer and user settings are processed. /force This ignores all processing optimizations and reapplies all settings.
/wait:value This is the number of seconds policy processing will wait to complete. The default value is 600 seconds. 0 means don't wait and -1 means wait forever. /logoff This logs the user out after the update is complete. This is required for the client-side group policy extensions that are not processed in a background update cycle, but are processed when the user logs in, e.g. B. User Software Installation and Folder Redirection. This option has no effect if no extensions are being called that require the user to log off. /boot This restarts the computer after the update is complete. This is required for client-side Group Policy extensions that are not processed on a 160 background refresh cycle but are processed at computer startup, e.g. B. in computer software installation. This option has no effect if no extensions that require a computer restart are invoked. /? This indicates help. Examples gpupdate gpupdate /target:computer gpupdate /force /wait:100 gpupdate /boot
Simulating Folder Redirection IT pros often ask me about folder redirection. In particular, they want to know how to simulate this policy if they haven't already deployed Active Directory. Finally, Active Directory is a requirement for this policy. Not so fast! Although you can't achieve automatic folder redirection without Active Directory, you can simulate it. Configure the main user shell folders to redirect My Documents and other folders to a network location. This key is located in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer and contains a value for each of the special folders that Windows XP supports. They are REG_EXPAND_SZ values, so you can use environment variables like %USERNAME% and %HOMESHARE% in the path. This means that you can use redirected folders even on a Windows NT-based network. I suggest that you script this customization so that you can apply it consistently. Chapter 4, "Hacking the Registry," describes the main user shell folders in great detail, and also includes a sample script that automatically redirects folders.
Help and Support Center Although it is of limited use for IT pros because they cannot use it remotely, users can run the Help and Support Center's policy results report on their own computers to review policy settings. This tool provides an easy-to-use, printable report of most applicable policies for computer and console users. Figure 6-7 on the next page shows an example of this report. To use this tool: Click Start, and then click Help and Support Center. 1. Under Select a task, click Use tools to view your computer information and diagnose
problems. 2. Click Advanced system information, and then click View applied group policy settings. 3. 161 Figure 6-7: The Help and Support Center RSoP report contains the same type of information as Gpresult.exe, but is more readable and better suited for printing.
Resulting Policy Set Although the Help and Support Center RSoP report is not appropriate for use by IT Pros, the RSoP snap-in is appropriate because you can use it to view RSoP data for remote computers. this tool to predict how policies will work for a specific user or computer, as well as for whole users and computers. Sometimes Group Policy Objects are applied to each other at different levels in Active Directory. Without a tool like this snap-in, it's difficult to track down these conflicting settings. The RSoP snap-in checks the software installation for applications connected to the computer. It also reports all other policy settings, including registry-based policies, folders, Internet Explorer maintenance, security settings, and scripts. You have already seen this RSoP report data: Gpresult.exe and Help and Support Center. Easy to use RSoP snap-in (Your account must be in the computer's local Administrators group to use this. Click Start, Run and type mmc. 1. Click File, Add Snap-in /remove and then click Add 2. In the Available Standalone Snap-ins dialog box, select Resultant Set of Policy and click Add 3. In the Resultant Set of Policy Wizard, click Next and then click again Next" that you want to review, and then click Next. 5. On the User Selection page, select the user that you want to view RSoP for, and then click Next. 6. Click Next, and then click Next Click Finish to close the wizard. 7. Figure 6-8 shows the results. In this example, you can see the password policies applied to the computer. For each setting, you can see the GPO that is the source of it. 162 Ab Figure 6-8: The RSoP Snap-in is the Best Tool for Finding the Source of Policy Settings Multiple GPOs apply to a computer.
Finding More Resources This chapter focused on local registry-based policies. After all, this is a register book. If you want to learn more about Group Policy, the Microsoft website has a wealth of information. You don't even have to buy a book to learn more about it. Here's a list of resources I found valuable when I first learned about Group Policy: http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppol wp. This is the Windows 2000 Group Policy white paper and is the best place to start to understand how GPOs are created and applied to containers in Active Directory. Paper is long but worth reading. • http://www.microsoft.com/Windows2000/techinfo/howitworks/management/rbppaper. This is the white paper on implementing registry-based group policies. Most of it
Information on creating Administrative Templates for Windows XP. It's the paper I used to write this chapter because it describes the syntax for each of the keywords you use in Administrative Templates. • http://www.microsoft.com/WINDOWSXP/pro/techinfo/administration/policy/ This guide to administering Windows XP in a Windows 2000 server environment is a bit long and really just says that Windows 2000 Windows XP ignores policies, can copy the Windows XP Administrative Templates to %SYSTEMROOT%\Inf on a 2000-based server to use these templates for both Windows 2000 and Windows. It's interesting reading as it details Windows XP's Group Policy improvements. Note that this webpage contains a table of guidelines. You can use it as a starting point for your own specification and record what guidelines are provided. • 163
Overview Security is not the most interesting nor the most popular topic related to the registry. I don't talk about it for pages because there's just not much to tell. You can change the access control list (ACL). You can check keys. You can also take ownership of keys. However, you have all these things with individual values. Power users generally don't care about registry security, but IT pros often have no other choice. However, just because you can edit the ACLs of keys doesn't mean you should. It is not a good idea to tamper with registry security unless you have a specific reason to do so. At best, make an irrelevant change, but at worst, you can prevent Microsoft Windows XP from running properly. Why am I including security in this book at all? There are cases when professionals need to change the default registry permissions to deploy software. This is a different story than tinkering with the security of your registry out of curiosity. For example, use an application that users can run only if they log on to the operating system as a member of the Administrators group. Ouch. In a corporate environment, you don't want to dump users in this group. The solution is to deploy Windows XP with custom permissions, so run these programs as a member of Power Users or Users group. This is the most common scenario and is the main focus of this chapter. You have two methods for providing custom permissions. First you can do it manually. For the sake of completeness, I'll show you how to change the permissions of a key in the registry editor (Regedit). You can also create a security template with custom registry permissions and then push it to a computer manually. However, you wouldn't run from desktop to desktop applying templates; You would apply this template to your disk images before deployment. method is to use Group Policy. You create a Group Policy Object (GPO) and then create a security template within it to create a security policy for your network. Windows XP automatically applies the custom permissions in your template to the computer and user when this GPO Resultant Set of Policy (RSoP) is used. I don't talk much about Group Policy in this book, 6, "Using Registry-Based Policy" points to many good, free resources to learn more. Note: If you are interested in learning more about the new security features in Windows XP, see the What's New in Security for XP Professional and Windows XP Home Edition white paper. You can find this on the Microsoft website at http://www.microsoft.com/technet/treeview/default.asp?url=/
/TechNet/prodtechnol/winxppro/evaluate/xpsec.asp
Setting Permissions on Keys Registry security is similar to file system security except that you can only set permissions on keys and values. Other than that, the dialog boxes look similar; the permissions are so on. If you don't understand basic security concepts, take a moment and review them in the Support Center before messing with permissions. I'm not including the basic concepts in because I'm assuming you're an IT pro and already have this information at If you have full control over or own a registry key, you can edit its permissions for users and its ACL: figure 164 7-1: This dialog is almost identical to the File System Security dialog. In the Group or user names list, click the user or group for which you want permissions, and then select the check box in the Allow or Deny column to grant the following permissions: Full control. Grants the user or group permission to open, edit, and remove the key. There is literally full control over it. → reading. Grants the user or group permission to read the contents of the key, but the changes made to it. Read this as read-only. → Special Authorizations. Grants the user or group a specific set of permissions. To grant special permissions, click Advanced. You learn about this permission setting in the “Assigning Special Permissions” section of this chapter. → 3. Sometimes the checkboxes in the Permissions section for names are shaded. You can not change. This is because the key inherits this permission from the parent key. You can prevent 165 tip. OK, you had your fun. You've tinkered with the security of your registry and satisfied your curiosity; but what now? You can easily restore the setup security template to its original permissions. To learn how to use this template, see “Changing a Computer's Configuration” later in this chapter.
Adding Users to ACLs You can add users or groups to an existing ACL on a key: In Regedit, click the key with the ACL you want to edit. 1. On the Edit menu, click Permissions, and then click Add. 2. In the Select Users, Computers, or Groups dialog box, click Locations, and then click the computer, domain, or organizational unit where you want to search for the user or add the key's ACL. 3. In the Enter the object names to use box, type the name of the user or group to add to the key's ACL, and then click OK. 4. In the Permissions for Name list, configure the permissions you want to grant to the group by selecting the Allow or Deny check box. 5. The only real world scenario I can think of for adding users to a key's ACL is to allow
You can access a computer's registry over the network, see “Restricting Registry Access” later in this chapter. Otherwise, adding a user or group to a key is sometimes useful as a quick fix when an application can't access the necessary settings to run it. In general, adding users or groups to a key's ACL does little harm, but beware, you can open up security holes in Windows XP large enough for users and hackers to slip through. And if the change you make affects more than one computer or user, deploy it as a security template. (See “Distributing Security Templates” later in this chapter.) Tip In step 4, enter all or part of the user or group name that you want to add to the key. If you have no idea what the name is, you can search for it. If possible, first narrow down a location as I described in Step 3. Then click Advanced and then Find the name of the user or group you want to add and click OK. You can further refine by clicking object types and then clearing the Built-in security principals check box.
Removing Users from ACLs To remove a user or group from a key's ACL: In Regedit, click the key with the ACL you want to edit. 1. On the Edit menu, click Permissions. 2. Click the user or group you want to remove and click Remove. 3. Caution Use caution when removing groups from key ACLs. In general, Windows XP's post-installation (setup security) ACLs are the bare minimum for users to start and use the operating system. If you remove the Users group from a key, users in those groups will not be able to read the keys, likely breaking the operating system or an application. If you remove the Administrators group from a key, you might not be able to use the computer at all. However, removing individual users from a key's ACL is not removing users from their profile hives' ACLs. This prevents them from accessing their own settings, which they should have full control over.
Assigning Special Permissions Special permissions give you more granular control over a key's ACL than basic read-full permissions. You can allow or deny users to create subkeys, set values, values, etc. They can get very detailed. Here's how: In Regedit, click the key with the ACL you want to edit. 1. On the Edit menu, click Permissions. 2. In the Group or user names list, click the user or group for which you want permissions. Add the user or group if needed. Then click Advanced. 3. Double-click the user or group that you want to give special permissions to. The Permission Entry for Name dialog box shown in Figure 7-2. 4. 167 In the Apply to drop-down list, click one of the following: This key only. Applies the permissions to the selected key only. → This key and subkeys. Applies the permissions to the selected key subkeys. In other words, it applies them to the entire industry. → Only subkeys. Applies the permissions to all subkeys of the key, but not to itself. → 5.
In the Permissions list, select the Allow or Deny check box for each Grant or Deny: Full Control permission. All of the following permissions. → Query value. Read a value from the key. → Set value. Set a value in the key. → Create subkey. Create subkeys in the key. → List subkeys. Identify the subkeys of the key. → Notify. Receive notification events from the key. → Create shortcut. Create symbolic links in the key. → Delete. Delete the key or its values. → Write DAC. Write the key's discretionary access control list. → Write owner. Change the owner of the key. → Read controller. Read the key's discretionary access control list. → 6. A word about inheritance is necessary here. When inheritance is enabled, subkeys inherit permissions from their parent keys. In other words, if a key gives full control to a group, all subkeys of that group also give full control. When you view the ACLs of the subkeys, the box next to Full Control for that group is shaded because you can't change inherited permissions. There are a few things you can do to configure inheritance. First, you can prevent a subkey from inheriting the permissions of its parent key: In the Advanced Key Security Settings dialog box, select the Inherit permission entries on child objects from parent key check box. can replace the ACLs of a key's subkeys, effectively resetting an entire branch to match the ACL. Select the Replace permission entries on all child objects with entries that apply to child objects check box.
Mapping Default Permissions Understanding the default registry permissions is helpful if you are an IT professional. Knowing whether members of the user group can change a specific setting tests applications before deployment and determines whether the application works with permissions. If you find that an application works correctly with the default permissions, you're good to go. If you find that an application with permissions is not working properly, you must either repair the program or change the permissions of the bad key. Of course, the easiest way to do this is by using security templates. First you need to understand the three basic groups in Windows XP: Users, Power Administrators. Through these groups, Windows XP provides different levels of access to meet the needs of each group: Users. This group has the highest level of security, as the default permissions assigned allow its members to modify operating system data or other users' settings. In general • 168 computers. Finally, this group gives its members full control over everything in their user profile, including their profile hives (HKCU). What often prevents IT pros from assigning users to this group is the fact that members typically cannot run legacy applications. Instead of assigning users to another group, solve this problem by applying a compatible security template, as you learn in the “Distributing Security Templates” section later in this chapter. power user. This group provides backward compatibility for running programs that are not certified for Windows XP. The default permissions give this group the ability to change
many operating system and program settings per computer. If you have legacy applications that users cannot run as members of the Users group, and you do not want to use security templates, adding these users to the Power Users group allows those users to run. However, this group does not have enough permissions to install most applications; Members cannot change operating system files or install services. The permissions granted to the Power Users group are somewhere in the middle of the Users and Administrators groups. It is similar to the Users group in Microsoft Windows NT 4.0. And no, members of this group cannot add themselves to the Administrators group. • Administrators. This group provides complete control over the entire computer. Its members can modify all operating system and application files. You can change any setting in the registry. They can also take ownership of keys and change a key's ACL. IT pros are often tempted to add users to this group to avoid problems deploying applications that would otherwise be difficult to install or run. Not. Because users in this group can install anything they want or change any settings, viruses can do their damage and users can expose their configurations to the inevitable human error. Reserve this group for actual administrators to secure your organization's desktops and reduce downtime. If you are a power user, do not add your account to this group for the same reasons. If you need to perform an administrative task, use a secondary login to start a program as an administrator instead: hold down Shift while right-clicking the program's shortcut, click Run As, and type then enter the account name and password you want to use to run the program. • Table 7-1 on the next page describes the default registry permissions after reinstalling Windows XP. Note that the resulting permissions are different if you upgrade to Windows XP from an earlier version of Windows. I got these permissions from the security template you use to restore Windows XP to default security. I've focused on the "Users" and "Power Users" groups because that's the main issue. In most of these cases, the Administrators group has full control, as do the built-in Creator Owner and System accounts. In most cases - but not all - the permissions of each key supersede the permissions of all subkeys. It does this through the magic of inheritance, which you learned about in the last section. Table 7-1: Default permissions in the registry branch Users Power hklm\software Read Special hklm\software\classes Read Special hklm\software\classes\hlp Read Read hklm\software\classes\helpfile Read Read
hklm\software\microsoft\ads\providers\ldap\extensions read read hklm\software\microsoft\ads\providers\nds read read 169 hklm\software\microsoft\ads\providers\nwcompat read read hklm\software\microsoft\ads\ provider\winnt Read Read hklm\software\microsoft\command processor Read Read hklm\software\microsoft\cryptography Read Read hklm\software\microsoft\cryptography\calais None None hklm\software\microsoft\driver signing Read Read hklm\software\microsoft \ enterprisecertificates Read Read hklm\software\microsoft\msdtc None None hklm\software\microsoft\netdde None None hklm\software\microsoft\non-driver signing Read Read hklm\software\microsoft\ole Read Read hklm\software\microsoft\protected storage system provider None None hklm\software\microsoft\rpc Read Read hklm\software\microsoft\secure Read Read hklm\software\microsoft\systemcertificates Read Read hklm\software\microsoft\upnp device host Read None hklm\software\microsoft\windows nt\current version \Z Accessibility Read Read hklm\software\microsoft\windows nt\currentversion\aedebug Read Read hklm\software\microsoft\windows nt\currentversion\asr\commands Read Read hklm\software\microsoft\windows nt\currentversion\classes Read Read hklm\ software\microsoft\windows nt\ current version\drivers32 read read hklm\software\microsoft\windows nt\current version\efs read read hklm\software\microsoft\windows nt\current version\font driver read read hklm\software\microsoft\windows nt \currentversion\fontmapper read read hklm\ software\microsoft\windows nt\currentversion \image file execution options read read hklm\software\microsoft\windows nt\currentversion\inifilemapping read read hklm\software\microsoft\windows nt\currentversion\perflib none none hklm\ software\microsoft\windows nt\current version\perflib\009 none none hklm\software\microsoft\windows nt\current version\profilelist read read hklm\software\microsoft\windows nt\current version\secedit read le sen hklm\software\microsoft\windows nt\current version\setup \ recovery console read read hklm\software\microsoft\windows nt\current version\svchost read read hklm\software\microsoft\windows nt\current version\terminal server\install\software \microsoft\windows\currentversion\runonce read read hklm\software\microsoft\windows nt \currentversion\time zones read read hklm\software\microsoft\windows nt\currentversion\windows read read hklm\software\microsoft\windows nt\current Version\winlogon Read Read hklm\software\microsoft\windows\currentversion\explorer \user shell folders Read Read hklm\software\microsoft\windows\currentversion\group policy None None hklm\software\microsoft\windows\currentversion\installer None None hklm \software\microsoft\windows\currentversion\policies None None hklm\software\microsoft\windows\ current version\reliability read read hklm\software\microsoft\windows\current version\runonce read read 170 hklm\software\mic rosoft\windows\currentversion\runonceex Read Read hklm\software\microsoft\windows\currentversion\telephony Read Special
hklm\software\policies Read Read hklm\system Read Read hklm\system\clone None None hklm\system\controlset001 None None hklm\system\controlset001\services\dhcp\configurations Read Read hklm\system\controlset001\services\dhcp\parameters Read Read hklm\system\controlset001\services\dhcp\parameters\options Read Read hklm\system\controlset001\services\dnscache\parameters Read Read hklm\system\controlset001\services\mrxdav\encrypteddirectories None None hklm\system\controlset001\services \netbt\parameters Read Read hklm\system\controlset001\services\netbt\parameters\interfaces Read Read hklm\system\controlset001\services\tcpip\linkage Read Read hklm\system\controlset001\services\tcpip\parameters Read Read hklm\system \controlset001\services\tcpip\parameters\adapters Read Read hklm\system\controlset001\services\tcpip\parameters\interfaces Read Read hklm\system\controlset002 None None hklm\system\controlset003 None None hklm\system\controlset004 None None hk lm\ system\controlset005 None None hklm \system\controlset006 None None hklm\system\controlset007 None None hklm\system\controlset008 None None hklm\system\controlset009 None None hklm\system\controlset010 None None hklm\system\currentcontrolset\control\ class None None hklm\system\currentcontrolset\control\keyboard layout Read Read hklm\system\currentcontrolset\control\keyboard layouts Read Read hklm\system\currentcontrolset\control\network Read Read hklm\system\currentcontrolset\control\securepipeservers\winreg None None hklm\system\currentcontrolset\control \session manager\executive None Specific hklm\system\currentcontrolset\control\timezoneinformation None Specific hklm\system\currentcontrolset\control\wmi\security None None hklm\system\currentcontrolset\enum None None hklm\ system\currentcontrolset\hardware profiles None None hklm\system\currentcontrolset\services\appmgmt\security None None hklm\system\currentcontrolset\services\clipsrv\security Ke ine None hklm\system\currentcontrolset\services\cryptsvc\security None None h klm\system\currentcontrolset\services\dnscache Read Read hklm\system\currentcontrolset\services\ersvc\security None None hklm\system\currentcontrolset\services\eventlog\ security None None hklm\system\currentcontrolset\services\irenum\security None None 171 hklm\system\currentcontrolset\services\netbt Read Read hklm\system\currentcontrolset\services\netdde\security None None hklm\system\currentcontrolset\services\netddedsdm \security None None hklm\system\currentcontrolset\services\remoteaccess Read Read hklm \system\currentcontrolset\services\rpcss\security None None hklm\system\currentcontrolset\services\samss\security None None hklm\system\currentcontrolset\services\scarddrv \security None None hklm\system\currentcontrolset\services\scardsvr\security None None hklm\system\currentcontrolset\services\stisvc\security None None
hklm\system\currentcontrolset\services\sysmonlog\log queries None None hklm\system\currentcontrolset\services\tapisrv\security None None hklm\system\currentcontrolset\services\tcpip Read Read hklm\system\currentcontrolset\services\w32time\security None None hklm\system\currentcontrolset\services\wmi\security None None hku\.default Read Read hku\.default\software\microsoft\netdde None None hku\.default\software\microsoft\protected storage system provider None None hku\. default\software\microsoft\systemcertificates\root\protectedroots None None If you see the word Special in the Power User column, it means the group has special permissions on that key (and subkeys in most cases). , and that permission is usually the ability to change values. However, the Power Users group is never given Full Control, Create Shortcut, Change Permissions, or Take Ownership permissions to any key in the registry. The interesting thing about this table is that Windows XP gives the user group read permission and the power user group special permissions for the entire HKLM\SOFTWARE. The remaining entries in the table are exceptions to this rule, restricting access to specific keys in HKLM\SOFTWARE. Figuring out which keys an application uses is part science, but mostly art. Sometimes I just open the program's binary in a text editor and look for strings that look like keys. Most of the time, I use a tool like Winternal's Registry Monitor, which you'll learn how to use in Chapter 8, "Locating Registry Settings," to monitor registry activity while I run the program I'm testing. Then I record the various keys that the program references and verify that the user or power user groups have the required permissions for those keys. Finally, well-behaved applications report errors when they can't read or write a value in the registry. I wouldn't rely on this behavior, however, as misbehaved programs happily hop on even after a registry error.
Taking Ownership of Keys By default, Windows XP assigns ownership of HKLM and HKCU as follows: Administrators own every subkey in HKLM. • Users own each subkey in their profile hives, HKCU. • If you have full control over a key (which administrators usually do), you can take ownership if you don't already own it: 172 On the Owners tab, click the new owner. 3.
Registry Access Auditing Registry access auditing is a great way to track down registry settings, and it's one of the
I discuss that in Chapter 8, "Finding Registry Settings." It's also a reasonable way to monitor sensitive settings. The problem with registry monitoring is that you either need to be very specific about what key you are monitoring, or pay a serious performance penalty by monitoring the registry. There's a fine line between getting the information you need and grinding the computer. Auditing a key is a three step process. First you need to enable the audit policy. You can run the network using Group Policy, but that seems silly given the power you're using to monitor as a troubleshooting tool or to sniff out a setting. Enable audit policy. Click Start, Control Panel, Performance and Maintenance, Administrative Tools. , and Local Policy. In the left pane, under Local Policies, click Audit Policy. DoubleObject Access in the right pane, and then select the Success and Error check boxes. After you enable policy, use Regedit to check individual keys: In Regedit, click the key you want to check. 1. On the Edit menu, click Permissions; Then click Advanced. 2. On the Monitoring tab shown in Figure 7-3, click Add. Figure 7-3: Monitor keys sparingly as it can severely impact performance. 3. In the Select Users, Computers, or Groups dialog box, click Locations, and then click the computer, domain, or organizational unit in which you want to search for the user or 4. 173 to add it to the key's checklist, and then click OK . In the Audit Entry for Name dialog box, in the Access list, select the two Failed Success check boxes next to the activities for which you want to audit successful attempts. These correspond to the permissions you learned about in the “Setting Permissions on Keys” section earlier in this chapter: Full Control → Query Value → Set Value → Create Subkeys → Enumerate Subkeys → Notify → Create Link → Delete → Write DAC → Write Owner → Read Control → 6. After enabling audit policy and monitoring specific keys, check the results with Event, open Event Viewer, click Start, Control Panel, Performance and Maintenance, Administrative Tools and Event Viewer. In the left pane of Event Viewer, click Security. You see each hit on the right, the most recent hits are at the top of the list. Double-click any entry to see more details. The Properties dialog tells you what type of access Windows XP detected, the type of object, the process that accessed the key or value. Chapter 8, "Locating Registry Settings," shows how to use this information to find out where Windows XP or a program stores specific registry settings.
Preventing access to the local registry
Whenever I mention registry security, the inevitable question is how to prevent access to the registry. You can not. Remember that the registry contains settings that you can read to keep Windows XP working properly. Users must also have full control over OS and application hives to save their settings. You can't access it - and you don't want to prevent it either. The best you can hope for is to limit what users can do with the registry using Regedit or other registry editors. The most elegant way to prevent access to Regedit is to enable the Prevent access to editing tools policy. When users launch Regedit, they only see an error message stating that editing has been disabled by your administrator. The problem with this policy is that editors do not comply with this policy. Nothing prevents a determined user from downloading a registry editor, of which there are many, and using it. That's the kind of user that you either hire or hire for your IT department. Another option is to use software restriction policies, which you can learn more about in the Help and Support Center. Again, this doesn't discourage users from shareware registry editors unless you limit them entirely to a short list of applications. Securing local access to the Windows XP registry is one thing; Securing Remote Access Windows XP grants registry access to members of the local Administrators and Backup Operators groups. Because the Domain Admins group is a member of each computer's Administrators group, any domain administrator can connect to the registry of any computer that is joined to the domain. So far so good, and Windows XP limits remote access to the registry than previous versions of Windows. There may be limited scenarios where you want to open remote computer access. For example, in Active Directory, you could create an administrators group for each OU and give it the ability to edit the registries of computers if they belong to that OU. To allow this group to edit a computer's registry remotely, add this group to the HKLM\SYSTEM\CurrentcontrolSet\Control\SecurePipeServers\winreg key. The problem we will run into is that while adding a group to winreg allows remote access, it still determines which keys the group can change. So, to allow a remote user or group setting on the computer, add that user or group to the local users, power users, or administrators group. Caution Do not overdo it and open each computer's registry for security threats by adding groups to the ACL of the winreg key. This leaves a big hole for many Trojan viruses to hook into Windows XP predators to hack your infrastructure. The best practice is to be alone enough and limit remote registry access to domain administrators.
Deploying Security Templates You use security templates to create a security policy for your computer or network. If you use the techniques you learned in this chapter to find and select security on security templates, you have a single place where you can configure a variety of security settings and those settings for numerous computers. It's a little-used, often misunderstood tool that offers many of the available security settings in one place to make managing security much easier. It saddens me when admins tell me about their security problems and yet have never heard templates that would solve most of the problems admirably. The best friend of security templates for professionals. Already sold? Hopefully.
You use a variety of tools to create and apply templates. First, you use security templates and edit templates. Then use either security configuration and analysis or group application templates. This section walks you through the process of using these tools, starting with creating the Microsoft Management Console (MMC) that you use to edit templates, deploying templates on a network. First, here is an explanation of the various security settings in a template. The following are the different categories of settings you'll see in a security template. After each category, the settings that you can define within it are described. Account Policies. Password Policy, Account Lockout Policy, and Kerberos Policy • Local Policies. Audit Policy, User Rights Assignment and Security Options • Event Log. Application, System, and Security Event Log Settings • Restricted Groups. Membership in security-related groups • 175 file system. File and Folder Permissions • Security templates are nothing more than text files with an .inf extension. You can edit it etc. The file looks like an INI file. You can create your own templates from scratch, which I don't recommend as it's too much work with so much work that you can customize one of the predefined templates that come with Windows XP. Customizing predefined templates is definitely the way to go since most of the work is already done. Note that only Administrators can edit security templates because only the Administrators group has permissions to change the default templates folder, %SYSTEMROOT%\Security\Templates.
Creating a Security Management Console To make your job easier, create an MMC console that contains all the tools you need to analyze and apply security templates: Click Start, Run; Then type mmc and click OK. 1. On the File menu, click Add/Remove Snap-in. 2. In the Add/Remove Snap-in dialog box, click Add. 3. Click Security Templates and then click Add. 4. Click Security Configuration and Analysis, and then click Add. 5. After creating your console, save it to a file for quick access. On the File menu, click Save. call the Templates.msc file. MMC saves your file in your administration folder. Again, quickly click Start, All Programs, Administrative Tools, and then Templates (or whatever it was called). Figure 7-4 shows the console I created as described in this section. Figure 7-4: You create templates with security templates and analyze and apply templates to security configuration and analysis. 176 Windows XP comes with a small set of predefined security templates. You almost never create a new template, as you can usually just customize one of the predefined templates and save it in a different file. They provide starting points for applying security policy scenarios, whether those scenarios involve one, hundreds, or thousands of computers. The following predefined security policies are located by default in %SYSTEMROOT%\Security\Templates: Default Security (Setup security.inf). This template contains the default security that the setup program applies when you install Windows XP. It contains a file
also registry permissions. If you need information about operating system permissions, you can find that information here. You can use this template to provision computers with the original Windows XP security settings, which you would do by applying Security Configuration and Analysis, but do not provision them using Group Policy. • Compatible (Compatws.inf). This template contains security settings that are relaxed enough for the user group to allow legacy applications to run. These are preferable users from the user group over the power users or, oh my god, the administrators. Specifically, this template modifies the file system and registry permissions granted to the user group to be consistent with legacy and other non-Windows applications, such as XP. This template also assumes that the admin doesn't want the power users group, so power users' users will be moved to the user template, which only applies to workstations, and you shouldn't apply it to servers. • Secure (Secure*.inf). These templates tighten security settings that are least likely to cause application compatibility. Securedc.inf is for domain controllers and securews. jobs. For example, it applies strong passwords, locks, and monitoring settings. restricts the user of LAN Manager and NTLM authentication protocols by configuring XP to only send NTLM version 2 responses and configuring servers to reject LAN responses. Finally, this template restricts anonymous users by preventing enumeration of account names, enumeration of shares, and translation of SIDs (see "Learn the basics"). Test this template carefully before deploying it. • Highly secure (hisec*.inf). These templates are supersets of the previous templates, they apply even more restrictions. Hisecdc.inf is for domain controllers and hisecws. for jobs. For example, this template specifies the levels of encryption that Windows XP requires for authentication and for transferring data over secure channels. requires strong encryption and signing. Finally, it removes all power group members and ensures that only the domain admins group and local admins are members of the local admins group. Test these templates to ensure your infrastructure and applications are compatible, as only certified applications are likely to use them. • System Root Security (Rootsec.inf). This template defines root permissions in the Windows XP file system. It does not include registration permissions. It applies permissions to the root of %SYSTEMDRIVE%. You can apply this template to a computer to restore permissions to the root of the system drive or apply the same permissions to volumes. ? No Terminal Server user SID (Notssid.inf). This template removes unnecessary server SIDs from the file system and registry when Terminal Server is running in compatibility mode. If possible, run the terminal server in full security mode instead, which does not use the terminal server SID at all. • Most of these security templates are incremental. You are changing the default settings or existing settings if those settings are already configured on the computer. Unlike the setup template, they do not configure the default security settings before changing the computer's settings. 177 You can view these templates in your new MMC console. Doublesecurity template in the left pane of the console to open it. By default, the templates are located in C:\Windows
\Security\Templates Security templates. However, you can add a new path. Right-click Security Templates, click New Template Search Path. You see both paths in security templates. If you want a path from security templates, right-click it and then click Delete.
Creating a Custom Security Template The tricky way to create a custom security template is to start from scratch: In Security Templates, right-click the folder where you want to create the new template, and then click New Template. 1. Under Template Name, enter the name of the new template under Description, enter a brief description of your new template and click OK. 2. In the left pane, double-click the new security template to open it. In the left pane, select a security, e.g. B. the registry and configure the area with the security settings of this area. 3. This is the hard way and definitely not the way I recommend. First, it is too labor intensive. it is error prone. The best way to create a security template is to start with one of the templates, save it to a new file, and then edit it carefully. Most of the time I've done this using the Compatws.inf template file and adjusted it as needed to give a legacy enough room to work. Here's how: In Security Templates, double-click C:\Windows\Security\Templates. 1. Right-click the predefined template you want to customize, click Save As, enter a name for the security template, and click Save. 2. In the left pane, double-click the new security template to open it. In the left pane, select a security, e.g. B. the registry and configure the area with the security settings of this area. 3. Since this is a registration book, I will give you a little more details about configuring the registration template. In the left pane of Security Templates, double-click your template and then click You will see a list of registry keys in the right pane. To add a key to the list, right-click Registry and then click Add Key. Since the list already covers all of HKLM, add exceptions to the template definitions for HKLM\SOFTWARE and HKLM\SYSTEM. To edit a key, double-click it, and then choose one of the following options: Then configure that key. After selecting this option, select one of the following options: Propagate inheritable permissions to all subkeys. The security settings of the key's subkey, assuming that the security settings of the subkeys are inherited. In the event of a conflict, the subkey's explicit permissions override the permissions they inherit from the parent key. → Replace existing permissions for all subkeys with inheritable permissions. The key's permissions override any permissions on its subkey. In other words, the subkey's permissions are the same as the parent key's permissions. If you select this option and apply the template, the change is permanent unless you change the application of a different template to the registry. → • 178 To edit the actual permissions you want the template to apply to the key, click Edit
You do this in the same Security for Name dialog box that you saw earlier in this chapter. Add and remove groups. You can allow or deny permissions for different users and perform different tasks. You can monitor user and group access to the key. You can also own the key. When you apply the template to a computer or deploy the template group policy, the key gets the permissions you define here.
Analyzing a Computer's Configuration Once you have your custom template at hand, you can use it to analyze a computer's security configuration. Security Configuration and Analysis allows you to compare the current security configuration status with the settings defined in the template. With this tool, you can instantly make changes to the computer configuration, e.g. B. when troubleshooting a problem. You can also use it to track and ensure a certain level of security as part of your enterprise management program and identify security vulnerabilities as they emerge over time. To analyze the security of a computer using Security Configuration and Analysis: Right-click Security Configuration and Analysis, which you added to your console section titled "Creating a Security Management Console" earlier in this chapter, and click open database. 1. In the Open Database dialog box, do one of the following: To create a new analysis database, enter the name of your new database and click Open (you don't have a database to begin with). Then in the Template dialog box, click a template, and then click Open. → To open an existing analysis database, enter the name of an existing database and click Open. → 2. Right-click Security Configuration and Analysis, click Analyze Computer Now, accept the default path for the log file or provide a new one. 3. Security Configuration and Analysis compares the computer's current security against the database. If you import multiple templates into the database, which you can do by right-clicking Security Configuration and Analysis and then clicking Import Template, the tool templates will be merged into one template. If a conflict is detected, the last template is given priority (Last In, First Out). After analyzing the security configuration and analysis, the displayed results are available for you to browse. The organization of these results is the same as for templates. The difference is that Security Configuration and Analysis shows indicators whether a current setting matches or does not match a setting defined in the template: Red X. The setting is in the analysis database and on the computer, but the two are correct not match. The trick is to go through the settings that have a red X next to them to isolate the specific problem. • Green tick. The setting is in the analysis database and on the computer, two match. • Question mark. The setting is not in the analysis database and has not been analyzed. can also mean that the user who performed the security configuration and analysis has the necessary permissions to do so. •
exclamation mark. The setting is in the analytics database but not on the computer. • 179 What do you do if you find discrepancies between the analysis database and the settings? First, you can update the database by double-clicking the annoying Edit Security setting (see Figure 7-5). This updates the database but not the template. does not change the settings of the computer. See the next section. You can also reanalyze a more suitable template for this computer or an updated template in the database. To avoid problems resulting from merging templates, you should create a database when using a new or updated template. Figure 7-5: This dialog allows you to view and edit settings.
Changing a computer's configuration After you have created a security template and verified it by analyzing computers with Configuration and Analysis, you can apply it to the computer: right-click Security Configuration and Analysis, and then click Open Database. 1. In the Open Database dialog box, do one of the following: To create a new database, type the name of your new database in File click Open. Then, in the Import Template dialog box, click a template and → To open an existing database, enter the name of an existing database and click Open. If you changed a database without updating the underlying template, make sure you open the existing database. → 2. Right-click Security Configuration and Analysis, click Configure Computer Now, accept the default path for the log file or specify a new one. 3. 180 In “Changing the configuration of a computer” you learned how to manually apply a computer security template. This is fine for one-off scenarios, but it's not the way to deploy templates to multiple machines on the network. To deploy templates on a network: Policy: Create a new GPO and then edit it. In the Group Policy Editor, right-click Security, and then click Import Policy. Click the template you want to apply, and then click Open. It's so simple, but I don't want to take it lightly. Deploying security templates on your requires careful planning. You must first identify the templates that your network requires. must identify which organizational units receive which security templates. For example, the department uses a legacy application that requires the user group to have full control registry keys, documents and tests the security template, and then imports the template that you assign to the Sales department OU. Ideally, consider templates early in the deployment planning process. What is really happening is carefully planned IT pros using security templates like a big fire hose that arises from lack of foresight and planning. 181 This chapter shows you how to associate a setting in the user interface with a value in the registry. Users can use this information to find their own registry hacks. IT pros get this stick though; You can use the information to find settings in the registry for purposes. For example, after they find settings, they can create administrative templates and deploy the settings to their network. You can write scripts that automatically find settings that they find. You can even use this information to create and provide better profiles.
There are three basic techniques for finding settings. The first, and often the most important, is comparing two snapshots of the registry. Take a snapshot before you change a setting, the second after you make a change. The second method monitors the registry changes that a program makes. Monitoring is often difficult due to the way Microsoft XP and programs destroy the registry. Nonetheless, with a good tool and the tips you read is an occasionally useful technique. The last is monitoring, which is the most difficult to use and results in performance degradation. Since the first method is often the most effective, this is the start.
Comparing REG Files Comparing two REG files is often the easiest way to find out where in the registry Windows stores a setting. Create these .reg files before and after changing a setting that is interface and that you know is somewhere in the registry. That's how I found the location settings that Tweak UI includes, which I documented in Chapter 5, "Mapping Tweak exported HKCU to a REG file." I changed a setting in Tweak UI and exported the same second REG file. Then I compared the two files to find out which value changed when the setting in Tweak UI changed. You can use this method to trace just about any setting that goes through the interface to its location in the registry. The only downside to comparing two registry files is that the process requires a file tool. However, Windows XP includes such a tool, which I will tell you about later in this section. The advantages of this method are manifold. First, it's quick and easy. Second, the results are accurate. If you don't let much of the time pass between each snapshot, the differences between them should only include the settings you've changed. Also, REG files are easy to read, so you'll have trouble deciphering the results. Now for some details. Remember Remember that the Registry Editor (Regedit) can export all or part of the text t files with the extension .reg (.reg files). A REG file looks similar to an INI file. one or more sections; the name of each section is the path of a registry key. Each section the values of the key. The format of each value is name = value. If the value is a string space, the value must be quoted. The default value of each key looks like @= value. Chapter 9, "Registry Modifications," describes REG files in all their glory, including how to interpret the types of values they contain. To export the registry to a REG file, click on the desired key. Then on the File menu, click Export. In the Export Registry File dialog box, click Registry Files (*.reg) to export them to an ANSI version 4 .reg file. Comparison tools only work with the first one, so you need to create version 4 ANSI for them. However, the tools I talk about in this chapter support Unicode text files. If you are familiar with ANSI and Unicode character encodings, read Chapter 1, "Learning the Basics." 182 user interface and, more importantly, the speed at which very large text files are compared. Another option is probably already installed on your computer: Microsoft Word 2002. It's slower than WinDiff, but you're probably already familiar with using this word processor. Either way, the overall process is the same: export the registry to a .reg file. Name the file something like Before.reg. If you know roughly where the setting is in the registry, export that branch. Otherwise, export the
entire registry, including HKCU and HKLM. 1. Change a setting in the user interface or perform another action that you want to trace back to the registry. For example, if you want to see where a program saves its settings during installation, install the program. 2. Export the registry to a second .reg file. Rename it after.reg. Make sure you export the same branch with the same file format as in step 1. If you don't duplicate the process exactly, the files will not match and it will be difficult to spot the difference. 3. Compare Before.reg and After.reg with your favorite file comparison program. The differences between the two files are your changes. The file comparison tool will only point out the changed values as only the values under each section heading will change, but if you look a little further up the file you will see the key containing the values. 4. All-in-One Solutions LastBit Software creates a program called RegSnap that performs the process outlined in this section. You don't need to create .reg files or compare two .reg files with a file comparison tool. RegSnap does all of this for you, which makes it a cool program if you do something like this on a regular basis. You can download the shareware version of RegSnap from http://www.webdon.com. Try it; if you like it, it's very cheap. It is available in a Standard Edition and a Professional Edition. The Professional Edition allows you to work with remote registers; Otherwise, the Standard Edition is enough to find a setting in the registry. The only problem I have with RegSnap is that the user interface is very clunky. This leads me to RegView by Vincent Chiu. This program is available at http://home.xnet.com/~vchiu/regview.shtml. I like this program because it has a cleaner interface. You can use it to edit and search the registry and compare different versions of it. RegView doesn't have a setup program, but it really doesn't need one. Figure 8-1 shows the result in RegView when comparing a snapshot to the current registry. RegView's output is slightly easier to read than RegSnap's output, but RegView is slightly slower to create. Figure 8-1: RegView is an advanced registry editor. If turnaround time is important to you, use RegSnap. If you are looking for an advanced registry editor that can compare search and replace and registry snapshots, you should consider this
RegView. Both shareware programs are inexpensive, but if you don't want to shell out the cash, stick with the methods you'll learn in this chapter. 183 There are a few ways to make this process more efficient. Comparing two large REG files can take a while - even with WinDiff. If you're reasonably sure you know the general environment of a setting in the registry, export only that branch. For example, if you know a setting is a custom setting, export only HKCU. If you suspect it's somewhere in HKLM\SOFTWARE\Microsoft, search that very branch. You can always resort to exporting the entire registry if your guess is wrong. Another way to streamline the process is to ignore irrelevant differences. Some settings change whether you do something or not. For example, Plug and Play values change frequently, as does the configuration of some services. The easiest way to eliminate the confusion these inherent changes cause is to exclude HKLM\SYSTEM in your REG files. The less time between snapshots, the less noise you will have in your comparison results.
Using WinDiff WinDiff is the ultimate tool for comparing two versions of a text file. Its roots are as a developer tool to compare different versions of source files to see changes before committing them to version control. It was also useful as a debugging tool to find out what changes in a source file might have caused a problem. WinDiff was originally available in the Windows Software Development Kit (SDK). Microsoft included it in recent Windows resource kits. It comes with Windows XP as part of the Windows XP Support Tools. Install the tools from \Support\Tools on your Windows XP CD. Type windiff in the Run dialog box to start it. After you start WinDiff, you can use it to compare two .reg files: On the File menu, click Compare Files. 1. Enter the path and name of the first file and click Open. 2. Enter the path and name of the second file and click Open. 3. On the View menu, click Expand, or double-click the files in the list. 4. After comparing the two files, you will see similar results as shown in Figure 8-2. WinDiff combines both files and highlights the differences in red and yellow. Differences relate to the second file, which is why I let you open the second file after the first. Deleted lines that are present in the first file but not in the second are red. Inserted lines missing from the first file but present in the second are yellow. White lines are the same in both files. You will also see arrows indicating whether a row has been deleted
or inserted. A left arrow () indicates a line inserted into the second file. WinDiff represents changed rows as deletions followed by insertions, as shown in Figure 8-2. Because WinDiff compares files line by line instead of character by character, you must judge for yourself whether a deleted line followed by an inserted line represents a changed line of text. Press F8 to move to the next block of differences that WinDiff found; Press F7 to go to the previous block with differences. 184 Figure 8-2: The two columns you see on the left side of the window represent the two files you are comparing. These columns are a roadmap of the differences between the files.
Using Word 2002 In the rare event that you don't have WinDiff available (for example, if you can't support tools on a customer's computer), you can use the comparison features of Word .reg files. You may also prefer to use Word if you're already familiar with word processing and don't want to install WinDiff or learn how to use it. The only downside is that using Word REG files is often a slow and tedious process as they are not designed for this purpose. When using Word to compare .reg files, first open the second .reg file and compare the .reg file. This order ensures that Word correctly displays insertions and deletions. To compare two .reg files using Word: On the File menu, click Open, type the path and name of the first .reg file in the box, and click Open. 1. When the File Conversion dialog box appears, select the encoding method that makes the preview area readable, and then click OK. You can choose between Windows (default), MS-DOS and Other encoding. (Default) conforms to ANSI, which is what version 4 REG files use. If the file is 5 REG file, select the Other encoding option and then click Unicode in the list. 2. On the Tools menu, click Compare and Merge Documents, enter the path and the second .reg file, and then click Merge. 3. When the File Conversion dialog box appears, select the encoding method that makes the preview area readable. 4. Word will display the results as shown in Figure 8-3. To view the next change, click Next on the Reviewing toolbar. To view the previous change, click the Back button. Word displays results differently depending on the view: Normal view. To switch to normal view, click Normal on the View menu. This is shown in Figure 8-3. By default, insertions are underlined. Deletions are ticked • Print layout view. To switch to Print Layout view, click Print Layout in the Show This View view. In the right column you will see bubbles describing the differences between the files. This view is often the easiest to read. •
185 Figure 8-3: Word is effective at comparing large REG files, but much slower than WinDiff. Tip When comparing two .reg files in Word, make sure you turn off grammar spell checking. Word probably won't find many correctly spelled words because it uses a lot of resources to check them. To disable both features, click Options on the menu. In the Options dialog box, click the Spelling And Grammar option, clear the Check Spelling As You Type and Check Grammar As You Type check boxes.
Comparison with Reg.exe As you have already learned, the Windows XP Support Tools, of which WinDiff is a part, install the Registry Tool for Windows (Reg.exe). This program can compare two branches of and has a useful feature that allows you to track settings in the registry. Copy the branch contains the value to the temporary key (this is your first snapshot), change the setting tracking, and then compare the current key to the temporary key. The advantage of using Reg.exe in this way is that it is fairly simple. It has the downside of relying on a command rather than a graphical user interface, and if you don't remove the temporary keys you can end up with an oversized registry containing a bunch of data you don't need. Chapter 9, "Scripting Registry Changes," describes all Reg.exe command-line options. For now, finding a registry setting requires the following steps: At the MS-DOS prompt, type reg copy source destination /s /f where the key you want to copy to the temporary key destination is located . First make sure the target doesn't exist; Otherwise you will get a lot of when you compare the two keys. Also, if a key's name contains spaces, the entire key is enclosed in double quotes. Don't use the full names of root keys; Use 1. At the MS-DOS prompt, type reg Compare key temp /s, where key is key and temp is the temporary key. 3. The following listing is an example of the output that Reg.exe generates. Reg.exe indicates that the current key is missing with a right arrow (>) and a left arrow ( next to deleted and < next to new or changed values. < value: HKEY_CURRENT_USER\control panel\desktop ActiveWndTrkTimeout REG_DWORD > value: HKEY_CURRENT_USER\backup ActiveWndTrkTimeout REG_DWORD 0x400 < value: HKEY_CURRENT_USER\control panel\desktop DragFullWindows REG_SZ 1 > value: HKEY_CURRENT_USER\backup DragFullWindows REG_SZ 0 < value: HKEY_CURRENT_USER\control panel\desktop DragHeight REG_SZ 4 HKEY_CURRENT_USER\control panel\desktop DragWidth REG_SZ 4 Result in comparison: different The operation completed successfully
After you're done with the temporary key, make sure you delete it; Otherwise you'll fill the registry with junk and you won't be able to use the same temporary key comparisons. To quickly remove the temporary key, at the MS-DOS prompt, delete the /f key, where key is the name of the temporary key. The Reg.exe command line option prompts you to confirm that you want to remove the key. Tip An alternative method is to save a branch as a Hive file and load the Hive file to change a setting in the UI and compare the original branch to the Hive loaded into HKU. Don't forget to unload the hive file when you're done. This advantage is not to overload the registry with temporary keys. Chapter 9, "Scripting Changes," shows you the Reg.exe commands that you can use to save, load, and save files.
Checking the registration
As I mentioned before, comparing snapshots of the registry is just one method to find the monitor is another. The first registry auditing method I'm going to show you in Windows XP is auditing. However, only use auditing if you don't have other monitoring tools available, as its disadvantages far outweigh the benefits for tracking. The first disadvantage is that auditing the registry for changes requires that you know in advance what environment a setting resides in, since auditing the entire registry is impractical. Deciphering the results of an audit is quite cumbersome. It relies on the Security Event Viewer display and the output is not user-friendly. Checking the registry for changes is a three-step process. First you need to enable audit by editing the local security policy. After that, check branches in the registry where the setting is located. You can't just scan the entire registry because that would freeze even the fastest computer running Windows XP. On average, operating system applications access the registry thousands of times during a session, so it's just not practical to record every one of those hits. Lastly, after changing the setting or running the performance you're tracking, check the Event Viewer to see what values have changed. The following sections each step. The first step in scanning the registry is to enable the scanning policy: click Start, Control Panel, Performance and Maintenance, Administrative Tools, Security Policy. 1. In the left pane under Local Policy, click Audit Policy. 2. In the right pane, double-click Audit Object Access, and then select both Success Failure check boxes. 3.
Audit Registry Keys After enabling the audit policy, monitor the specific keys that you think you will find. In Regedit, click the key that you want to monitor. 1. On the Edit menu, point to Permission, and then click Advanced. 2. On the Monitoring tab of the Advanced Security Settings dialog box, as shown in figure, click Add. Figure 8-4: Auditing the registry helps you find settings in the registry. 3. In the Select Users, Computers, or Groups dialog box, click Sites. Then computer, domain or organizational unit in which you want to search or audit for the user. 4. In the Enter the object names to use box, type the name of the user or group to add to the key's checklist, and then click OK. 5. In the access list, select the Success and Failed check boxes next to the activities you want to monitor. The following list of permissions corresponds to the permissions in Chapter 7, "Managing Registry Security." 6. Set 188 value → create subkeys → list subkeys →
Notify → Create Shortcut → Delete → Write DAC → Write Owner → Read Control → Tip Audit carefully to avoid excessive performance degradation. If you're trying to find the location where an application saves a setting, set the value, change the value in the UI, and then check yours
Analyzing the Results The final step after enabling the audit policy and auditing specific keys is to examine the results in Event Viewer. To open Event Viewer, click Start, Control Panel, Performance and Maintenance, Administrative Tools and Event Viewer. In the left pane of Event Viewer, click Security. They are in the right pane and the most recent hits are at the top of the list. Double click for more details. The Event Properties dialog box tells you how the object type was accessed and the process that accessed the key or value.
Monitoring the registry Monitoring the registry for changes differs from comparing snapshots in that you are directly tracking registry access. This is how you can change a setting in the user interface and monitor to see what value Windows XP has written to the registry. I tend to monitor snapshots rather than compare them when looking for a large number of settings. It helps to keep the noise to a minimum. I show you how to reduce noise later in this chapter under "Filtering for Better Results." My favorite monitoring tool is Regmon by Winternals. You can download this tool as freeware from http://www.sysinternals.com. Regmon Enterprise Edition is available at http://www.winternals.com and is inexpensive. The difference between the two is that the edition allows you to monitor a remote registry, making the process a little easier to work on one computer and view the results on another. Although the freeware Regmon includes all the other features of the Enterprise Edition, I bought the Enterprise Edition and use it to make remote monitoring easier. Download one of the versions of Regmon. The freeware version has no setup program, just run it from the directory you unzipped it to. Regmon Enterprise Edition comes with a program that adds a shortcut for Regmon to the Start menu. The following sections show how to use this hot product.
Using Winternals Regmon Figure 8-5 shows the freeware version of Regmon. Each time Windows XP or the registry programs, Regmon adds a line to the window. The first two columns are a row number. Column 189 contains additional information, e.g. B. the content of a value. Most of the information here is the type of access, the path to the key, and the Other column. If the column is too narrow to show the entire contents of a row, you can hover over the data and see its full contents in a balloon. Refined. Figure 8-5: Regmon's window quickly fills up with uninteresting information. This is Regmon's window seconds after startup. Two columns, Request and Other, require more attention. Request tells you what the Windows program was trying to do. The requirements you see in the Requirement column are various API (Application Programming Interface) functions and are shown in Table 8-1. The most
Type of request is of course SetValue. The Other column contains different information depending on the type of request. See also Table 8-1. For example, if the request is QueryValue, the Other column contains the data in the value. If the request is OpenKey, Other contains the handle of the key. Table 8-1: Regmon request types and data request type Data in the Other column CloseKey Handle of closed key CreateKey Handle of new key CreateKeyEx Handle of new key DeleteKey None DeleteValue None DeleteValueKey None EnumerateKey Name of next subkey EnumKeyEx Name of next subkey 190 EnumerateValue None FlushKey None OpenKey Open key handle OpenKeyEx Open key handle QueryKey Key name QueryValue Data from Value QueryValueEx Data from Value SetValue Data stored in value SetValueEx Data stored in value
Filtering for Better Results If you start Regmon and change some settings in the Windows XP user interface, you won't have much luck searching through Regmon's output to find the setting. For example, opening Explorer accesses the registry about 5,000 times. When you click Options on the Windows Explorer menu, the registry is called a few hundred times. Sorting all this output is impractical. The experience improves dramatically as you learn how to use filters. The first thing you can do, especially if you're interested in finding the value that Windows stores a setting in, is to filter out everything except write requests. From Regmon's Edit menu, click Filter/Highlight. Then uncheck all the boxes except Log Successes and Log Writes. Regmon only reports successful writes to the registry. This alone greatly reduces the amount you see. Get more specific, however, and Regmon will almost give you the setting you're looking for. The asterisk (*) in the Include field is a wildcard that matches anything; this is filter. To be more specific, restrict regmon to specific processes. For example, when looking for settings in Windows Explorer, look only for registry access by the explorer.exe process. Look for settings in Tweak UI, just look for registry access through the Tweakui process. From the Regmon Edit menu, click Filter/Highlight. In the Include field, enter the name of the process you want Regmon to display in the window. Include multiple processes separated by a semicolon. The easiest way to find out the name of a process is to look in the Windows Task Manager. Ctrl+Shift+Esc, and then look at the Processes tab. If in doubt, you can also look inside
Output for the process name as I usually find it. You may see the Rundll32 process. This is a special program that runs APIs in Dynamic Link Libraries (DLL). Because there are many different instances of this process running at any one time, it is difficult to filter this process. My final tip on how to limit Regmon's output is to filter by specific keys. If you know where Windows XP stores a setting in the registry, filter the output for only lines that contain that key. For example, if you know that a setting resides somewhere in HKLM\SOFTWARE\Microsoft, filter Regmon's output to show only SetValue requirement keys. You'll see very little output in Regmon's window when you change this value interface, and one of the lines is probably the value you're looking for. Tip You can combine subkeys and process names in your filter. Separate each with a regmon to compare your criteria against all columns you see in the window, allowing you to use multiple columns at once. For example, you can filter the results by process, request type, and concurrent time. 191
Chapter List Chapter 9: Scripting Registry Changes Chapter 10: Deploying User Profiles Chapter 11: Associating Windows Installer Chapter 12: Deploying with Answer Files Chapter 13: Cloning Disks with Sysprep Chapter 14: Microsoft Office XP User Settings Chapter 15: Bypassing IT Problems
Sub-overview There are two ways to deploy Windows XP and other applications: throw them out what sticks, or carefully plan and design configurations. I prefer the second option and the point of this part. You will learn how the registry fits into the deployment of Windows XP. This part starts with creating and deploying user profiles. Then you will learn Windows Installer registry and how to troubleshoot Windows Installer based settings failure from three chapters in this part how to deploy settings with windows xp and office problems having solution registry. This part of the book is primarily intended for IT professionals. 192
Overview Imagine what the life of an IT professional would be like without any kind of automation. settings, you would have to get up from your desk, take the 10-minute elevator ride to the 12th, and find the user's computer in the maze of cubicles. And at the end of this maze there is a user who is angry that you are interrupting his or her Spider game. Life is better when you don't have to deal with real users face to face (wink). Scripting is a more efficient way to deploy and change settings. Note that I didn't use manage, which applies to policies better than scripting. If you need to manage settings, see 6, “Using a registry-based policy”. Scripting is useful on many levels. You can write changes to a group of settings and then test them in the lab before deploying them. And when you update the script, you can easily regression test it to see how your changes play out. Simply put, I enjoy writing registry changes because scripts are repeatable without human error each time I use them to change settings. You can also deploy scripts without desktops. You can use your software management infrastructure or something more shady
methodology, you don't have infrastructure to deploy scripts without having to interrupt users' work. This chapter describes five of my favorite scripting methods. The first are INF files. I like those of INF files and the fact that there isn't a registry setting they can't edit, so I describe them as a second, REG files, which can be created simply by exporting settings from the registry editor, and also describe how to use the console registry tool for windows (reg.exe) to edit the registry MS-DOS prompt which is a great tool for changing settings from batch describe how to write scripts that change settings. Microsoft Windows XP comes with Script Host and this chapter shows you how to write scripts using JScript and languages. Finally, I describe how to create a Windows Installer package file to deploy settings. Engineering is great because you can deploy these settings through Active Directory policy. Because I cover so many different techniques, the first section, Choosing a Technique, will help you choose the scripting method that works best for you.
Choosing a Technique Table 9-1 shows the major differences—as I see them—between the scripts discussed in this chapter. Each column represents one of the five scripting methods I've covered in this chapter. For example, the "Batch" column describes the use of "Reg.exe" in a batch file. Column describes Windows Installer package files that contain registry settings. First, all five methods allow you to change values, as well as add keys or values. Also, Windows supports all five methods without installing any third-party tools or resource kits. Table 9-1: Script Method Comparison Functions INF REG Batch Script MSI Difficulty Medium Low Medium High Medium Access to the operating system Basic None Full Full Basic Built-in support Yes Yes Yes Yes Yes Change values Yes Yes Yes Yes Yes 193 Add keys/values Yes Yes Yes Yes Yes Delete keys/values Yes Keys only Yes Yes Yes Query for values No No Yes Yes No Value type support High Medium Medium Low Medium Bitwise support Yes No No Yes No Nine times out of ten I prefer writing an INF file. You will find that most of the contents of this book are INF files. I chose this method because I am familiar with INF files, they are created and easy to read. I only use scripts when I need to query values from the INF files. The power of INF files is that they give me the flexibility to do whatever I want in the registry and I have to put on a programmer's hat for the weekend. Choose the best method, but give more weight to INF files and scripts. However, you will not use just one of them. In fact, you will find that you will use a combination of these methods depending on the scenario. After you start using the scripting methods I describe in this chapter, you'll master the time. Now I describe the differences. As the table shows, using REG files is the easiest method, and Windows Installer package files are the most difficult, and the rest falls somewhere. Whichever method you choose, they all become pretty easy once you learn how to access the operating system is only important if you're trying to do more than just the registry. For example, if you want to read values from the registry and then print them out
You need access to the operating system. The main difference is that files and scripts have strong support for the many different types of values you can register. However, the remaining methods support the basic value types, and this is often required. However, if you need to edit more esoteric types, you'd better write an INF file. Likewise, INF files and scripts are the only two methods you can use to set and clear bits. For example, the bits in the UserPreferencesMask value indicate a different user interface, and you enable or disable them by setting or clearing the appropriate bit. If required, INF files or scripts are left as the preferred method.
Installing INF Files Setup information files have an .inf extension; I call them INF files. The Windows XP (Application Programming Interface) uses INF files for scripted installations. Most people associate files with installing device drivers, but applications often use them as well. Most of the actions related to device driver and application installation are available through INF files. Copy, remove and rename files. You can add, change, and delete registry values. You and start services. You can install almost anything with INF files. For example, you can customize registry settings - obviously. You can also create INF files that users can uninstall by adding or removing programs. INF files look similar to INI and REG files. They are text files containing sections named [section]. Each section contains elements, sometimes called properties, which look like Name. Windows XP happens to come with the perfect editor for INF files: Notepad. When creating an INF file with Notepad, make sure to enclose the filename in quotation marks or files in the Files of type list in the Save As dialog box. That way, your file will have the extension instead of the .txt extension. Installing an INF file is easy: right-click the file and click Install. To deploy an .inf file and prevent users from having to install it, use the following command, replacing filename with the name of your .inf file. (Command line that maps Windows XP to the .inf file extension in the registry.) 194 Listing 9.1 shows a simple INF file. The first section, [Version], is required. The name of the second section is arbitrary, but it's usually [DefaultInstall] so users can right-click the file to install it. The link to this section is through the command line you saw just before this paragraph. The command is rundll32.exe which runs the API in Setupapi.dll called InstallHinfSection. The next item on the command line, DefaultInstall, is the name of the section to install. The 132 you see in front of the file name tells the setup API to prompt the user before restarting the computer if necessary. The last item on the command line is the name of the INF file to install. Because this is the command that Windows XP associates with the .inf file extension, as I mentioned earlier, you should normally name this section [DefaultInstall]. In this section you will see two directives, AddReg and DelReg. The AddReg=Add.Settings directive adds the settings contained in the [Add.Settings] section. Listing 9-1 Example.inf [version]
Signature=$CHICAGO$ [DefaultInstall] AddReg=Add.Settings DelReg=Del.Settings [Add.Settings] HKCR,regfile\shell,,0,"edit" [Del.Settings] HKCU,Software\Microsoft\Windows\CurrentVersion\ Applets\Regedit
The DelReg=Del.Settings directive deletes the settings listed in the [Del.Settings] section. The names of these sections are arbitrary; You should adopt names that make sense to you and stick with them so you don't get confused later. Now you've had my two dollar tour of an INF file. The following sections describe how to write the different parts of an INF file. I'll focus on using INF files to edit the registry, but you can do a lot more with this website. This is the INF File Sections and Directives section of the Windows Driver Development Kit (DDK). Don't be put off by the fact that this information is in the DDK; It's really easy and useful for a lot more than just installing device drivers.
Starting from a template I never start INF files from scratch. I can't be bothered to memorize the format of the sections and instructions, so I use a template. I'm lazy enough (or efficient enough) to add the template you see in Listing 9.2 to the Templates folder in my user profile, so I right-click in a folder and click New, Setup Information File” can click. The easiest way is to first create the file Setup Information File.inf with the contents from Listing 9-2. Then use Tweak UI, which you will learn more about in Chapter 5, "Mapping Tweak UI," to add the template. It's a real time saver. Listing 9-2: Setup Information File.inf [Version] Signature=$CHICAGO$
195 AddReg=Reg.Uninstall CopyFiles=Inf.Copy [DefaultUninstall] BitReg=Bits.Clear DelReg=Reg.Settings DelReg=Reg.Uninstall DelFiles=Inf.Copy [Reg.Settings] ; ROOT,SUBKEY[,NAME[,FLAG[,DATA]]] ; ; FLAGGE: ; ; 0x00000 - REG_SZ ; 0x00001 - REG_BINARY; 0x10000 - REG_MULTI_SZ ; 0x20000 - REG_EXPAND_SZ ; 0x10001 - REG_DWORD ; 0x20001 - REG_NONE
[Bits.Set] ; ROOT,SUBKEY,NAME,FLAG,MASKE,BYTE ; ; FLAG: ; ; 0x00000 - clear bits in mask ; 0x00001 - Set bits in mask [Bits.Clear] ; ROOT,SUBKEY,NAME,FLAG,MASKE,BYTE ; ; FLAG: ; ; 0x00000 - clear bits in mask ; 0x00001 - Set bits in mask [Reg.Uninstall] HKCU,Software\Microsoft\Windows\CurrentVersion\Uninstall\%NAME% HKCU,Software\Microsoft\Windows\CurrentVersion\Uninstall\%NAME%,DisplayName\ ,,"%NAME% " HKCU,Software\Microsoft\Windows\CurrentVersion\Uninstall\%NAME%,UninstallString\ ,,"Rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132"\ " %53%\Application Data\Custom\FILENAME" ; ROOT: ; ; HKCU ; HKLM [Inf.Copy] FILENAME [DestinationDirs] Inf.Copy=53,Application Data\Custom
196 ; 11 - %SystemRoot%\System32 ; 17 - %SystemRoot%\Inf ; 53 - %userprofile% ; 54 - %systemdrive% ; -1 - Absolute path [SourceDisksNames] 55=%DISKNAME% [SourceDisksFiles] FILENAME=55 [Strings] NAME = "Jerry's NAME" DISKNAME = "Setup Files"
The reason this template makes creating INF files so easy is because I've added comments to it. Comments begin with the semicolon (;) and add descriptive information to the file. In this case, for each section, I have described the format of the various instructions. For example, in the [Reg.Settings] section, you can see the syntax for adding values to the registry. The [Bits.Set] section shows the format for setting individual bits in a number. I often write INF files that users can uninstall using Add or Remove Programs; The template in Listing 9.2 shows you how to do this. If you do not want users to uninstall the file and its settings, remove the [DefaultUninstall], [Reg.Uninstall], [Inf.Copy], [DestinationDirs], [SourceDisksNames], and [SourceDisksFiles] sections and all links to them sections. In this template, capitalized words are placeholders that I substitute when creating an INF file. For example, I replace FILENAME with the actual name of the INF file. The first two lines in Listing 9.2 are the only ones that are required. The [Version] section and the signature
property identifies the file as a valid INF file. You must include these two lines above in all your INF files. Incidentally, Chicago was Microsoft's code name for Microsoft Windows 95, so version=$CHICAGO$ identifies the file as a Windows 95 INF file. Nowadays, $CHICAGO$ specifies an INF file compatible with all Windows versions. Use $Windows 95$ if you want to specify that your INF file is only compatible with 16-bit versions of Windows. Use $Windows NT$ to specify that your INF file is only compatible with 32-bit versions of Windows. I generally leave the signature set to $CHICAGO$.
Linking sections together The [Version] section is usually followed by the [DefaultInstall] section. As I said, the name of this section is arbitrary, but you should use [DefaultInstall] if you want users to be able to install your INF file by right-clicking on it. The command associated with the INF file extension refers to this section by name. This is the section that ties your INF file together. You fill it with directives that tell the setup API which sections in the INF file to handle and what to do with them. You saw this section in Listing 9.2. Each line in this section is a directive. The Setup API supports a number of different directives, but the ones we're interested in in this book are AddReg, DelReg, and BitReg. In the listing you will see a line that says AddReg=Reg.Settings. This will add the settings listed in the [Reg.Settings] section. The BitReg=Bits.Set line sets the bit masks listed in the [Bits.Set] section. Also, you can list more than one section for each policy. For example, you can duplicate a directive across multiple lines or assign it multiple sections: AddReg= Section1, Section2, SectionN. See Listing 9.3 for an example. 197 [Version] Signature=$CHICAGO$ [DefaultInstall] AddReg=Reg.Settings1,Reg.Settings2,Reg.Settings3 AddReg=Reg.Settings4 AddReg=Reg.Settings5 DelReg=Reg.Settings6 [Reg.Settings1] ; Registry settings to add or change [Reg.Settings2] ; Registry settings to add or change [Reg.Settings3] ; Add or change registry settings [Reg.Settings4] ; Registry settings to add or change [Reg.Settings5] ; Registry settings to add or change [Reg.Settings6] ; Registry keys and values to remove
Note The order of the AddReg and DelReg directives does not matter. The setup API handles all of them
DelReg directives first, followed by the AddReg sections.
Adding Keys and Values As you just saw, the AddReg directive in [DefaultInstall] specifies the names of the sections that contain settings you want to add to the registry. These are the sections [add-registry-section]. You can add new keys, set default values, create new values, or modify existing values using an [add-registry-section]. And each section can contain multiple entries. Each [add-registry-section] name must be unique in the INF file. Syntax [add registry section] root key, [sub key], [value], [flags], [data]
rootkey This is the root key that contains the key or value you are changing. Use the abbreviations HKCR, HKCU, HKLM, or HKU. Subkey This is the subkey to create or the subkey in which to add or change a value. This is optional. If it is absent, all operations are on the root key. value This is the name of the value to create or modify, if any. This value is optional. If the value is omitted and the flags and data parameters are specified, the operations are performed using the key's default value. If value, flags, and data are omitted, add a subkey. Flags 0x00000000. Value is REG_SZ. This is the default if you omit flags. • 0x00000001. Value is REG_BINARY. • 198 0x00010000. Value is REG_MULTI_SZ. • 0x00020000. Value is REG_EXPAND_SZ. • 0x00010001. Value is REG_DWORD. • 0x00020001. Value is REG_NONE. • 0x00000002. Do not overwrite existing keys and values. Combine this flag with others by ORing them. • 0x00000004. Delete subkey from registry or delete value from subkey. Combine this flag with others by ORing them. • 0x00000008. Append data to value. This flag is only valid when the value is REG_MULTI_SZ. The string data is not appended if it already exists. Combine this flag with 0x00010000 by ORing them. • 0x00000010. Create subkey but ignore value and dates if specified. Combine this flag with others by ORing them. • 0x00000020. Set value only if it already exists. Combine this flag with others by ORing them. • 0x00001000. Make the indicated change in the 64-bit registry. If not specified, the change will be made to the native registry. Combine this flag with others by ORing them. • 0x00004000. Make the indicated change in the 32-bit registry. If not specified, the change will be made to the native registry. Combine this flag
with others by ORing them together. • data This is the data to be written to value. If the value does not exist, the setup API creates it; if the value exists, the API overwrites it; If the value is REG_MULTI_SZ and you set the flag 0x00010008, the API adds the value to the existing list of strings. If you omit data, the setup API creates the value without setting it. Check out the example below to see how each value type is formatted. Example [Version] Signature=$CHICAGO$ [DefaultInstall] AddReg=Reg.Settings [Reg.Settings] ; Sets the default value of HKCU\Software\Sample HKCU,Software\Sample,,,"Default" ; Creates a REG_SZ value named Sample HKCU,Software\Sample,String,0x00000,"String" ; Creates a REG_BINARY value named Binary HKCU,Software\Sample,Binary,0x00001,00,01,30,05 ; Creates a REG_MULTI_SZ value named Multisz HKCU,Software\Sample,Multisz,0x10000,"String list" ; Creates a REG_DWORD value named Dword HKCU,Software\Sample,Dword,0x10001,0x01010102 ; Creates a REG_SZ value named Hello HKLM,SOFTWARE\Sample,Hello,,"World" ; Creates a REG_DWORD value and sets it to 0x0000 HKLM,SOFTWARE\Sample,Nothing,0x10001
199 The DelReg directive of the [DefaultInstall] section specifies sections containing registry keys and values to be deleted. These are [del-registry-section] sections. They are much simpler than the [add-registry-section] sections, but have similar rules: each section can contain multiple entries, and the name of each section must be unique. Syntax [del-registry-section] rootkey, [subkey], [value], [flags], [data]
rootkey This is the root key that contains the key or value to delete. Use the abbreviations HKCR, HKCU, HKLM, or HKU. Subkey This is the subkey to delete or subkey from which to delete a value. This is optional. If it is absent, all operations are on the root key. value This is the name of the value to delete. This value is optional. If the value is omitted, delete the subkey. Flag 0x00002000. Delete the entire subkey. • 0x00004000. Make the indicated change in the 32-bit registry. If not specified, the change will be made to the native registry. Combine this flag with others by ORing them. • 0x00018002. If the value is REG_MULTI_SZ, remove all strings that match the string specified by data. • data This is only used when flags is 0x00018002. This specifies the string to remove from a
REG_MULTI_SZ value. Example [Version] Signature=$CHICAGO$ [DefaultInstall] DelReg=Reg.Settings [Reg.Settings] ; Removes the key HKCU\Software\Sample HKCU,Software\Sample ; Removes the Hello value from HKCU\Software\Sample HKCU,Software\Sample,Hello ; Removes the string "World" from the REG_MULTI_SZ value. Hello HKCU,Software\Sample,Hello,0x00018002,"World"
Setting and Clearing Bits The BitReg directive is similar to the AddReg directive. You add it to the [DefaultInstall] section to specify the names of the sections that contain bits you want to set and clear. These are [bit-registry-section] sections. Use the BitReg directive when you want to work with bitmasks in the registry. For example, if you want to enable certain user interface features in the UserPreferencesMask value, use this directive. As with the other statements you've seen, each section can contain multiple entries, and the name of each section must be unique. 200 mask and byte replace the value data. The parameter mask is 8 bits long and specifies which bit you want to enable or disable. The parameter byte indicates which byte in the binary value you want to change. This displays bytes from left to right starting at 0. This is easy when working with REG_BINARY values, but less so when working with REG_DWORD values. As discussed in Chapter 1, "Learning the Basics," Windows XP stores REG_DWORD values in the registry in reverse byte order (little-endian architecture). To be sure, test your INF files carefully to make sure you're escaping the bits you think you're escaping. Figure 9-1 shows the relationship between value, mask, and byte. The value I'm applying the mask to is a REG_DWORD value stored in the registry in reverse byte notation: 0x0180C000. Put the mask in byte 0 and the result is 0x0180C080. Clear the mask in byte 1 and the result is 0x0140C080. Figure 9-1 The parameter byte specifies which byte of a number you want to apply a mask to. Syntax [bitregistry section] root key, [subkey], value, [flags], mask, byte
rootkey This is the root key that contains the value you are changing. Use the abbreviations HKCR, HKCU, HKLM, or HKU. Subkey This is the subkey in which to change a value. This is optional. If it is absent, all operations are on the root key. value This is the name of the value to change. This value is not optional and should be a
REG_DWORD or REG_BINARY value. Flags 0x00000000. Clears the bits specified by mask. • 0x00000001. Sets the bits specified by mask. • 0x00040000. Make the indicated change in the 32-bit registry. If not specified, the change will be made to the native registry. Combine this flag with others by ORing them. • Mask 201 This is the byte-sized mask specifying the bits to be set or cleared in the specified value byte. Enter this value in hexadecimal notation. Bits that are 1 are set or cleared depending on flags, and bits that are 0 are ignored. byte This specifies the byte in the value that you want to apply a mask to. The leftmost byte is 0, the next is 1, and so on. Remember that Windows XP stores REG_DWORD values in reverse byte order when you specify which byte to apply the mask to. Therefore, in REG_DWORD values, the rightmost byte is stored in memory first. Example [Version] Signature=$CHICAGO$ [DefaultInstall] BitReg=Bit.Settings [Bit.Settings] ; Changes 50,00,10,00 to 31,00,10,00 HKCU,Software\Sample,Mask,0x0001,0x01,0 ; Changes 50,00,F0,00 to 30,00,70,00 HKU,Software\Sample,Mask,0x0000,0x80,2
Using Strings in INF Files You can make your INF files much easier to read by using the [Strings] section. Each line in this section is a string in the format name ="string". Then you can use this string elsewhere in the INF file by referencing it as %name%. This makes reading INF files easier in a number of ways (see Listing 9.4, which is also a good example of using the BitReg directive): The [Strings] section collects strings at the end of your INF file for you to see in one place. • The [Strings] section allows you to enter a string once and then use that string in many places. The string is consistent throughout your INF file. • The [Strings] section makes translating INF files easier by putting localizable strings at the end of the file. • Listing 9-4: Strings.inf [Version] Signature=$CHICAGO$ [DefaultInstall] BitReg=Bits.Set AddReg=Add.Settings DelReg=Del.Settings [Add.Settings]
HKCU,%HK_DESKTOP%,ActiveWndTrkTimeout,0x10001,1000 HKLM,%HK_SETUP%,RegisteredOwner,,%OWNER% [Del.Settings] HKCU,%HK_EXPLORER%\MenuOrder HKCU,%HK_EXPLORER%\RunMRU HKCU,%HK_EXPLORER%\RecentDocs HKCU ,%HK_EXPLORER%\ComDlg32\LastVisitedMRU HKCU,%HK_SEARCH%\ACMru HKCU,%HK_INTERNET%\TypedURLs
202 [Strings] HK_DESKTOP="Control Panel\Desktop" HK_EXPLORER="Software\Microsoft\Windows\CurrentVersion\Explorer" HK_SEARCH="Software\Microsoft\Search Assistant" HK_INTERNET="Software\Microsoft\Internet Explorer" HK_SETUP="SOFTWARE\ Microsoft\ Windows NT\CurrentVersion" OWNER=" Fuzzy Wuzzy was a bear"
NoteHere's the truth in advertising: I rarely use strings because I don't often localize INF files. I only use strings when it really makes the INF file more readable. Specifically, when a line gets so long that it wraps, I use a string to shorten it. Alternatively, you can use the line-continuation character, a backslash (\), to split lines. I also use strings for values that change frequently, especially in template INF files. Strings make templates easier to use.
Setting Values Using REG Files You learned how to use Regedit to create .reg files in Chapter 2, "Using the Registry Editor." REG files are the classic way to add and change values in the registry, but as I said in the "Choosing a Technique" section, they're not as powerful as the other methods you'll learn about in this chapter. Its major weakness is that you can't remove values with a .reg file; You can only add or change values or remove keys. After creating a .reg file with the .reg file extension, import it into the registry by double-clicking the file. This is great if you want users to import the file themselves, but you need the following command if you want to import a .reg file using your software management infrastructure or a method like posting a link to it on the intranet: regedit /s filename . reg. Replace filename .reg with the path and name of your .reg file. The /s command line option imports the file into the registry without asking the user, which is what you want to do most of the time. To edit a .reg file, right-click it and then click Edit. Don't accidentally double-click a .reg file thinking you'll open it in Notepad, since double-clicking a .reg file imports it into the registry. Remember that Regedit supports two different file formats for REG files. Version 4 REG files are ANSI. The ANSI character encoding uses a byte to represent each character. Also writes regedit
REG_EXPAND_SZ and REG_MULTI_SZ strings in REG files using ANSI character encoding, so each character is a single byte. The Unicode character encoding uses two bytes for each character, and when you create a Unicode REG file, Regedit writes the strings REG_EXPAND_SZ and REG_MULTI_SZ to the file using the two-byte Unicode encoding scheme. Chapter 1, "Learning the Basics," tells you more about the differences between the two coding standards. Chapter 2, "Using the Registry Editor," describes the differences between the two different types of .reg files. What you need to know is that the decision to create a version 4 REG file means that the file and the values in the file are using ANSI; Likewise, creating a version 5 .reg file means that the file and the values in the file use Unicode. I tend to use version 4 ANSI REG files unless I know the registry data contains localized text that requires Unicode to represent. When in doubt, always create Unicode version 5 files. Listing 9.5 shows a sample .reg file. The first line in this file is the header that identifies the version of the file. The Windows Registry Editor Version 5.00 header indicates a Unicode version 5 .reg file. 203 and INI files. Each section contains the fully qualified name of a key. You use the full names of the base keys, not the abbreviations. Listing 9.5 imports settings into three keys: HKCU\Control Panel\Desktop, HKCU\Control Panel\Desktop\WindowMetrics, and HKCU\Control Panel\Mouse. The lines under each section are values that Regedit adds to this key when Regedit imports the file into the registry. The format is "name"=value. The value named @ represents the default value of the key. Some of the values in Listing 9.5 contain dword and hex, while others are enclosed in double quotes. Values enclosed in quotes are strings. Values of the form dword:value are REG_DWORD values. Values in the form Hex: Values are REG_BINARY values. This gets more complicated when you add subtypes like hex(type): value and I'll get into that a bit later. Listing 9-5: Example.reg Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Control Panel\Desktop] "ActiveWndTrkTimeout"=dword:00000000 "ForegroundFlashCount"=dword:00000003 "ForegroundLockTimeout"=dword:00030d40 "MenuShowDelay"="400" " PaintDesktopVersion"=dword:00000000 "UserPreferencesMask"=hex:9e,3e,07,80 [HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics] "Shell Icon BPP"="16"
"Shell Icon Size"="32" "MinAnimate"="1" [HKEY_CURRENT_USER\Control Panel\Mouse] @=" Rodent" "ActiveWindowTracking"=dword:00000000 "DoubleClickHeight"="4" "DoubleClickSpeed"="500" "DoubleClickWidth"="4" "MouseSensitivity"="10" "MouseSpeed"="1" "MouseThreshold1"="6" "MouseThreshold2"="10" "SnapToDefaultButton"="0" "SwapMouseButtons"="0"
Exporting settings to .reg files The easiest way to create a .reg file is to use Regedit to export keys to .reg files. To export branches of the registry to files, do the following: Click the key at the top of the branch that you want to export. 1. On the File menu, click Export. The Export Registry File dialog box appears (see Figure 9-2 on the next page). 2. 204 Figure 9-2: The only two file types that create REG files are registry files and Win9x/NT4 registry files (*.reg). In the File name box, enter a name for the file you are creating. 3. Select the option for the desired export range: To back up the entire registry, select the All option. → To back up the selected branch, select the Selected branch option. → 4. In the Files of type list, click the type of file you want to create: Registry Win9x/NT4 Registry (*.reg). 5. Click Save. 6. The .reg file you created contains all the subkeys and values under the key you exported. The chances that you want all the subkeys and values of the key aren't very high, so you should open Notepad by right-clicking on it and clicking Edit. Then remove any keys and values you want to remain in the file. You can also change any values in the .reg file. For example, you can export a key from your own computer to get you started, and then edit it, edit requests, remove keys, change values, and so on. Caution If you are creating a .reg file for versions of Windows that do not support version .reg files, use ANSI version 4 .reg files. Microsoft Windows 95, Windows Windows Me do not support Unicode .reg files, and everyone Attempting to import Unicode files into their registries might produce results you don't like.
Manually Creating REG Files Manually creating REG files is an error-prone process that I do not recommend. Nonetheless, you probably will anyway, so I'll show you how. First decide whether you are creating an ANSI or Unicode .reg file, then follow these instructions to create it: Create a new file in Notepad. 1. Add one of the following items to the top of the file, followed by a blank line: Add REGEDIT4 to the top of the file to create a version 4 .reg file. →
2. Add a [key] format section to the file for each key that you want to import values into, where key is the fully qualified name of the key. Don't use the root key abbreviations; Use their full names: HKEY_CURRENT_USER. 3. For each value that you want to import into the registry, add the value to the section of the key in the format "name"=value. Use @ for a key's default value. Table 9-2 provides information about how to format the different types of values in a .reg file. You can use the backslash (\) line-continuation character to continue an entry from one line to the next. Table 9-2: Value formats in REG files Type Version 4 Version 5 REG_SZ "String" "String" REG_DWORD dword:00007734 dword:00007734 REG_BINARY hex:00,00,01,03 hex:00,00,01,03 REG_EXPAND_SZ hex (2):25,53,59,53,54,45,4d,52,4f,4f,54,25,00hex(2):25,00,53,00,59,00,53,00, 54,00,45,00,4d,00,52,00,4f,00,4f,00,54,00,25,00,00,00 REG_MULTI_SZ hex(7):48,65,6c,6c,6f ,20,57,6f,72,6c,64,00,4a,65,72,72,79,20,77,61,73,20,68,65,72,65,00,00hex(7) :48,00,65,00,6c,00,6c,00,6f,00,20,00,57,00,6f,00,72,00,6c,00,64,00,00,00,4a ,00,65,00, 72,00,72,00,79,00,20,00,77,00, 61,00,73,00,20,00,68,00,65,00, 72,00 ,65,00,00,00,00,00 4. Click File, Save As, type the name of the file in Filename, including the .reg extension (enclose the filename in quotes so Notepad won't use it uses the .txt extension), do one of the following, and then click Save: In the Encoding list, select ANSI to create a REG-D to create a version 4 file. → Select Unicode from the Encoding list to create a version 5 REG file. → 5.
Coding of special characters Certain characters have a special meaning within REG files. Quotation marks begin and end character strings. The backslash is a line-continuation character. How do you integrate these signs into your values? They use escaping, an age-old method of prefixing special characters with a backslash. For example, the string \n represents a newline character and the string \" represents a double quote. Table 9-3 describes the special characters you can use and gives you examples. Table 9-3: Special characters in REG files
Extended Escape Example \\ \ C:\\Documents and Settings\\Jerry \" " A string in \"quotes\" \n Newline This is on \n two lines \r return This is on \r two lines 206 You can't use a .reg file to remove individual values, but you can certainly use one to delete entire keys. This is an undocumented feature of REG files: just prepend a minus sign (-) to the name of a key: [-key]. Here's a quick example that removes the HKCU\Software\Honeycutt key when you import the .reg file into the registry: Windows Registry Editor Version 5.00 [-HKEY_CURRENT_USER\Software\Honeycutt]
Rather than manually creating a .reg file to remove keys, I prefer to export a key to a .reg file and then edit it. After exporting the key to a .reg file, remove any values and keys that you don't want to delete. Then add the minus sign to the names of the keys you want to delete. Then you can quickly and easily remove these keys by double-clicking the .reg file or by using the regedit /s filename .reg command.
Editing from the Command Prompt Windows XP includes the Console Registry Tool for Windows (Reg.exe). This tool is just wonderful. You use it to edit the registry from the MS-DOS prompt. You can do almost everything you can do with Regedit and more with Reg.exe. The best thing about Reg.exe is that you can use it to write simple scripts in the form of batch files that modify the registry. And unlike previous versions of Windows, you don't need to install Reg.exe. It is installed by default and combines the numerous registry tools that came with the resource kits for previous versions of Windows. This tool is so cool that I can just start with an example. Listing 9.6 is a simple batch file that installs Microsoft Office XP the first time the batch file is run (think of a logon script). After installing Office XP, the batch file calls Reg.exe to add the REG_DWORD value flag to HKCU\Software\Example. Each time the file is executed, the batch file will check for the presence of this value and skip the installation if present. Therefore, the batch file only installs the application once. This is a method that allows you to deploy software through users' login scripts. Instead of looking for a value that you added, as in Listing 9.6, you can look for a value that the application stores in the registry. For example the
The second line in the batch file could simply be RegQUER Y HKCU\Software\Microsoft\Office\10.0 >nul, which verifies that Office XP is installed for the user. Listing 9-6: Login.bat @Echo Off Reg QUERY HKCU\Software\Example /v Flag >nul goto %ERRORLEVEL% :1 Echo installation of software when first running this \\Camelot\Office\Setup.exe /settings setup. ini Reg ADD HKCU\Software\Example /v Flag /t REG_DWORD /d "1" goto CONTINUE :0
207 Set Set REM Reg Reg Reg Reg Reg Reg Reg
HKMS=HKCU\Software\Microsoft HKCV=HKCU\Software\Microsoft\Windows\CurrentVersion Clear History Lists DELETE %HKCV%\Explorer\MenuOrder /f DELETE %HKCV%\Explorer\RunMRU /f DELETE %HKCV%\Explorer\RecentDocs /f DELETE %HKCV%\Explorer\ComDlg32\LastVisitedMRU /f DELETE "%HKMS%\Search Assistant\ACMru" /f DELETE "%HKMS%\Internet Explorer\TypedURLs" /f
The Reg.exe command line syntax is simple: reg command options. Command is one of the many commands that Reg.exe supports, including ADD, QUERY, and DELETE. Options are the options that the command requires. The options usually include the name of a key and sometimes the name and dates of a value. If a key or value name contains spaces, you must enclose the name in quotation marks. However, it gets more complicated for each of the different commands you can use with it, and I cover each of these commands in the following sections. If you don't have this book and need a quick update, just type reg /? at the MS-DOS prompt to see a list of regexe-supported commands.
Adding Keys and Values Use the ADD command to add keys and values to the registry. Syntax REG ADD [\\ computer \]key [/v value | /ve] [/t type] [/s separator] [/d data] [/f]
\\ computer If omitted, Reg.exe connects to the local computer; otherwise, Reg.exe connects to the remote computer. key This is the path of the key, starting with the root. Use the root key abbreviations HKCR, HKCU, HKLM, and HKU. Only HKLM and HKU are available when connecting to remote computers. /v value This adds or changes a value. /ve This changes the default value of the key. /t type This is the type of the value: REG_BINARY, REG_DWORD, REG_DWORD_LITTLE_ENDIAN, REG_DWORD_BIG_ENDIAN, REG_EXPAND_SZ, REG_MULTI_SZ, or REG_SZ. The default is REG_SZ. /s
Separator This specifies the character used to separate strings when creating REG_MULTI_SZ values. the default is \0 or null. /d data This is the data to be assigned to new or existing values. /f This will force Reg.exe to overwrite existing values with prompt. 208 REG REG REG REG
ADD ADD ADD ADD
\\JERRY1\HKLM\Software\Honeycutt HKLM\Software\Honeycutt /v Data /t REG_BINARY /d CCFEF0BC HKLM\Software\Honeycutt /v List /t REG_MULTI_SZ /d Hello\0World HKLM\Software\Honeycutt /v Path /t REG_EXPAND_SZ /d %%SYSTEMROOT%%
Note The percent sign (%) has a special purpose at the MS-DOS prompt and in batch files. You enclose environment variables in percent signs to expand them in place. So to use them on the Reg.exe command line and elsewhere, you must use double percent signs (%%). If you had used single percent signs in the previous example, the prompt would have expanded the environment variable before executing the command. Using double percent signs prevents the command prompt from expanding the environment variable.
Querying Values The QUERY command works in three ways. First, it can display the data in a specific value. Second, it can show all values of a key. Third, it can list all subkeys and values in a key by adding /s command line option. How it works depends on the options you use. Syntax REG QUERY [\\Computer\]key [/v value | /ve] [/s]
\\ computer If omitted, Reg.exe connects to the local computer; otherwise, Reg.exe connects to the remote computer. key This is the path of the key, starting with the root. Use the root key abbreviations HKCR, HKCU, HKLM, and HKU. Only HKLM and HKU are available when connecting to remote computers. /v value This queries the value in the key. If you omit /v, Reg.exe queries for all values in the key. /ve This queries the default value of the key. /s This queries all subkeys and values of the key. Example REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /s REG QUERY HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v CurrentVersion
Note Reg.exe sets ERRORLEVEL to 0 if the command succeeds and 1 if it fails. Therefore you can test ERRORLEVEL in a batch file to see if a value exists or not. You saw an example of this in Listing 9.6. Although you can use the If statement to test ERRORLEVEL, I prefer to create labels in my batch file, one for each level, as shown in Listing 9.6 earlier in this chapter. Then I can just write statements that look like Goto %ERRORLEVEL% or Goto QUERY%ERRORLEVEL% that branch to label QUERY1 if ERRORLEVEL is 1.
Deleting Keys and Values Use the DELETE command to remove keys and values from the registry. 209 REG DELETE [\\ computer \]key [/v value | /ve | /va] [/f]
\\ computer If omitted, Reg.exe connects to the local computer; otherwise, Reg.exe connects to the remote computer. key This is the path of the key, starting with the root. Use the root button
Abbreviations HKCR, HKCU, HKLM and HKU. Only HKLM and HKU are available when connecting to remote computers. /v value This removes the value from the key. /ve This clears the key's default value. /va This clears all values from the key. /f This will force Reg.exe to delete values with prompt. Example REG DELETE \\JERRY1\HKLM\Software\Honeycutt REG DELETE HKLM\Software\Honeycutt /v Data /f REG DELETE HKLM\Software\Honeycutt /va
Comparing Keys and Values Use the COMPARE command to compare two registry keys. These keys can be on the same computer or on different computers, making this a useful troubleshooting tool. The /on command line option seems strange at first. Why would you compare keys or values and not show the differences? Reg.exe sets ERRORLEVEL depending on the result of the comparison, and you can use this in your batch files to run different code depending on whether the two are the same or different - without showing any results. Here is the meaning of ERRORLEVEL: 0. The command was successful and the keys or values are the same. • 1. The command failed. • 2. The command was successful and the keys or values are different. • REG COMPARE [\\computer1\]key1 [\\computer2\]key2 [/v value | /ve] [/oa|/od|/os|/on] [/s]
\\ computer1 If omitted, Reg.exe connects to the local computer; otherwise, Reg.exe connects to the remote computer. \\ computer2 If omitted, Reg.exe connects to the local computer; otherwise, Reg.exe connects to the remote computer. key1 This is the path of the key, starting with the root. Use the root key abbreviations HKCR, HKCU, HKLM, and HKU. Only HKLM and HKU are available when connecting to remote computers. key2 This is the path of the key, starting with the root. Use the root key abbreviations HKCR, HKCU, HKLM, and HKU. Only HKLM and HKU are available when connecting to remote computers. /v value This compares the value. /ve This compares the key's default value. /oa This shows all differences and matches. /od Show differences only. 210 /os This only shows matches. /on This shows nothing. /s This compares all subkeys and values of the key. Example REG COMPARE HKCR\txtfile HKR\docfile /ve REG COMPARE \\JERRY1\HKCR \\JERRY2\HKCR /od /s REG COMPARE HKCU\Software \\JERRY2\HKCU\Software /s
Copying Keys and Values The COPY command copies a subkey to another key. This command is useful for backing up subkeys, as you learned in Chapter 3, "Backing Up the Registry." REG COPY [\\computer1\]key1 [\\computer2\]key2 [/s] [/f]
\\ computer1 If omitted, Reg.exe connects to the local computer; otherwise, Reg.exe connects to the remote computer. \\ computer2 If omitted, Reg.exe connects to the local computer; otherwise, Reg.exe connects to the remote computer. key1 This is the path of the key, starting with the root. Use the root key abbreviations HKCR, HKCU, HKLM, and HKU. Only HKLM and HKU are available when connecting to remote computers. key2 The path of the key, starting with the root. Use the root key abbreviations HKCR, HKCU, HKLM, and HKU. Only HKLM and HKU are available when connecting to remote computers. /s This copies all subkeys and values of the key. /f This forces Reg.exe to copy when prompted. Example REG COPY HKCU\Software\Microsoft\Office HKCU\Backup\Office /s REG COPY HKCR\regfile HKCU\Backup\regfile /s /f
Export keys to REG files Use the EXPORT command to export all or part of the registry to REG files. However, this command has some limitations. Initially, it only works with the local computer. You cannot create a .reg file from a remote computer's registry. Second, it only creates Unicode version 5 REG files. There is no option to create ANSI REG files. The EXPORT command is equivalent to clicking File, Export to Regedit. Filename of the REG EXPORT key
key This is the path of the key, starting with the root. Use the root key abbreviations HKCR, HKCU, HKLM, and HKU. This is the key you want to export to a .reg file. Filename This is the path and name of the .reg file to create. Example REG EXPORT "HKCU\Control Panel" Preferences.reg
211 Use the IMPORT command to import a .reg file into the registry. This command does the same thing as running regedit /s filename. It imports a REG file in the background. This command can handle both version 4 and version 5 .reg files, but only works on the local computer. REG IMPORT filename
Filename This is the path and name of the .reg file to import. Example REG IMPORT Settings.reg
Saving Keys in Hive Files The SAVE command saves a key as a Hive file. This command is similar to clicking File, exporting to Regedit, and then changing the file type to Registry Hive Files (*.*). This is a convenient way to back up the registry before making any significant changes. Chapter 3, "Securing the Registry," describes this technique. This command only works on the local computer. Filename of the REG SAVE key
key This is the path of the key, starting with the root. Use the root key abbreviations
HKCR, HKCU, HKLM and HKU. This is the key you want to save as a Hive file. Filename This is the path and name of the Hive file to create. Example REG SAVE HKU Backup.dat
Restoring Hive Files to Keys The RESTORE command overwrites a key and all of its contents with the contents of a Hive file. This is similar to importing a Hive file into Regedit. The difference between this command and loading a hive file is that this command overwrites any existing keys, while loading a hive file creates a new temporary key that contains the contents of the hive file. Use this command to restore a backup Hive file. This command only works on the local computer. Filename of the REG RESTORE key
key This is the path of the key, starting with the root. Use the root key abbreviations HKCR, HKCU, HKLM, and HKU. This is the key that you want to overwrite with the contents of the hive file. Filename This is the path and name of the Hive file to restore. Example REG RESTORE HKCU Backup.dat
Loading Hive Files The LOAD command loads a Hive file into a temporary key. You reference the hive file's keys and values by the temporary key that you specify on the command line. This command is similar to 212 REG LOAD key filename
key This is the path of the key, starting with the root. Use the root key abbreviations HKCR, HKCU, HKLM, and HKU. This is the new temporary key that you want to load the Hive file into. Filename This is the path and name of the Hive file to load. Example REG LOAD HKU\Temporary Settings.dat
Unloading Hive Files The UNLOAD command removes a Hive file that you loaded with the LOAD command. It simply depends the hive file on the registry. You must remember to unload a Hive file that you have loaded before attempting to copy the Hive file or do anything else with the Hive file, as Windows XP will lock the file while it is in use. REG UNLOAD button
key This is the path of the key, starting with the root. Use the root key abbreviations HKCR, HKCU, HKLM, and HKU. This is the name of the key that contains the hive file you want to unload. Example REG UNLOAD HKU\Temporary
Scripting with Windows Script Host
Scripts give IT professionals the ultimate ability to control and automate Windows XP. These are not batch files; They're full-fledged management programs that are surprisingly easy to create considering the amount of power they offer. For example, you can write a script that inventories a computer and writes the result to a file on the network. You can automate an application to automatically perform redundant steps. The sky is the limit really, but I'm here to tell you how to use scripts to edit the registry, so I'll limit myself a bit. The scripting technology in Windows XP is Windows Script Host. The current version is 5.6 and technologically surpasses what Microsoft Windows 2000 offers by leaps and bounds. Windows Script Host is called a host because it doesn't know the language of a script. Microsoft calls this language agnostic. Windows Script Host uses different script engines to analyze the different languages in which you might write a script. Windows XP offers two scripting engines: VBScript and JScript. If you've ever used the C or C++ languages, you'll feel more comfortable writing scripts using JScript. If you've ever used Visual Basic in any of its incarnations, you'll be more familiar with VBScript for writing scripts. The problem with this chapter's focus on using scripts to edit the registry is that it assumes that you are already familiar with Windows Script Host. If that's not true, I suggest you find a good book on scripting. If you don't want to read a book about it, read http://www.microsoft.com/scripting. This is Microsoft's scripting website. It contains everything you need to know about scripting Windows XP, including how to access Windows Management 213 to use it - the hardest part of scripting Windows XP.
Creating Script Files Script files can have two file extensions, and the script's file extension indicates which language the file contains. Use the .js extension for files that contain JScript. Use the .vbs extension for files that contain VBScript. Regardless, script files are nothing more than text files containing the language's keywords, so you can create them using your favorite text editor, Notepad. When saving a script file, make sure to enclose the filename in quotation marks or select All Files from the Files Of Type list to prevent Notepad from adding the .txt extension to the file. Without going into detail about the object model, you access the registry through the Shell object.
This object contains the methods you call to add, remove, and update values in the registry. You add one of the following statements to each script in which you want to access the registry. The first line shows you how to create the Shell object using VBScript, and the second shows you how to create it using JScript. To show you how easy it is to create a script, open Notepad and type Listing 9-7. The JScript language is case-sensitive, so type Listing 9.7 carefully. VBScript has the advantage that it is not case-sensitive. Save the file with a .js extension, and then double-click the file to run it. You see a message from me. Since double-clicking the script file will run it, you must right-click the file and then click Edit to edit the file. Listing 9-7 Example.js var WshShell = WScript.CreateObject("WScript.Shell"); WshShell.Popup("Hello from Jerry Honeycutt" ); set WshShell = WScript.CreateObject("WScript.Shell") var WshShell = WScript.CreateObject("WScript.Shell");
Why write scripts when INF files are easier? I usually write INF files to edit the registry. When not using INF files, I write batch files and use Reg.exe. I like the simplicity of these methods. However, sometimes writing a script is the only viable method. In some cases it is necessary to write a script. The first is when you must have a user interface. If you want to display settings to users or collect settings from users, scripting is the best choice. Also, scripting is the only method that provides fairly complete access to Windows XP. For example, you can use a script to inventory the computer and print the information to a text file on the network. You can use a script to configure users' computers using if-this-then-that logic, which the other methods cannot. So if you're doing anything more complicated than just adding, changing, or removing values, you'll end up writing scripts. I've seen some pretty complicated scripts. For example, a colleague I worked with wrote a script that would scan the registry for services that Sysprep had disabled and then permanently removed them from the registry. This is a great example of scripting. Scripting combined with WMI is nothing short of amazing. The script on the next page shows you how to use VBScript and WMI to inventory a computer's configuration. It shows the amount of physical memory installed on the computer, the name of the computer, the BIOS version, the type 214
http://www.microsoft.com/technet/scriptcenter. strComputer = "." Set objWMIService = GetObject("winmgmts:" _ & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") Set colSettings = objWMIService.ExecQuery _ ("Select * from Win32_OperatingSystem") For Each objOperatingSystem in colSettings Wscript.Echo "Operating System Name: " & objOperatingSystem.Name Wscript.Echo "Version: " & objOperatingSystem.Version Wscript.Echo "Service Pack: " & _ objOperatingSystem.ServicePackMajorVersion _ & "." & objOperatingSystem.ServicePackMinorVersion Wscript.Echo "Operating System Manufacturer: " & objOperatingSystem.Manufacturer Wscript.Echo "Windows Directory: " & _ objOperatingSystem.WindowsDirectory Wscript.Echo "Locale: " & objOperatingSystem.Locale Wscript.Echo "Available Physical Memory: " & _ objOperatingSystem.FreePhysicalMemory Wscript.Echo "Total virtual memory: " & _ objOperatingSystem.TotalVirtualMemorySize Wscript.Echo "Available virtual memory: " & _ objOperatingSystem.FreeVirtualMemory Wscript.Echo "OS name: " & objOperatingSystem.SizeStoredInPagingFiles Next, set colSettings = objWMIService. ExecQuery _ ("Select * from Win32_ComputerSystem") For Each objComputer in colSettings Wscript.Echo "System Name: " & objComputer.Name Wscript.Echo "System Manufacturer: " & objComputer.Manufacturer Wscript.Echo "System Model: " & objComputer. Model Wscript.Echo "Time Zone: " & objComputer.CurrentTimeZone Wscript.Echo "Total Physical Memory: " & _ objComputer.TotalPhysicalMemory Next Set colSettings = objWMIService.ExecQuery _ ("Select * from Win32_Processor") For each objProcessor in colSettings Wscript. Echo "System Type: " & objProcessor.Architecture Wscript.Echo "Processor: " & objProcessor.Description Next Set colSettings = objWMIService.ExecQuery _ ( "Select * from Win32_BIOS") For Each objBIOS in colSettings Wscript.Echo "BIOS Version: " & objBIOS.Version Next
Running script files Windows XP provides two script hosts. The Windows-based version runs scripts when you double-click a script file. The script engine is Wscript.exe. You can also use the command line version, which is handy when the script is outputting data similar to most command line programs. The example in the sidebar "Why write scripts when INF files are easier?" Listing 9.7 is a script that works better from the command line. The command line scripting engine is Cscript.exe: cscript script [//B|//I] [//D] [//E:engine] [//H:cscript|//H:wscript] [//
215 //B This specifies batch mode, which does not display warnings, script errors, or prompts. //I This specifies interactive mode, which displays warnings, script errors, and prompts. This is the default and the opposite of //B. //D This turns on the debugger. //E: engine Specifies the scripting language used to run the script.
//H:cscript | //H:wscript This registers either Cscript.exe or Wscript.exe as the default script host for running scripts. If not specified, the default is Wscript.exe. //Job: Name This runs the job identified by name in a .wsf script file. //Logo This specifies that the Windows Script Host banner will be displayed in the console window before the script runs. This is the default and the opposite of //Nologo. //Nologo This specifies that the Windows Script Host banner will not be displayed before the script runs. //S This saves the current command line options for the current user. //T: time This specifies the maximum time the script can run (in seconds). You can specify up to 32,767 seconds. The default is no time limit. //X This starts the script in the debugger. ///? This displays available command parameters and provides help on using them. (This is equivalent to typing Cscript.exe with no parameters and no script.) You can specify some of the same options when using the Windows-based script host. Right-click the script file, and then click Properties. You will see the dialog box shown in Figure 9-3 on the next page. You can specify how long the script is allowed to run and whether or not the host displays a log. The result is a file with a .wsh extension containing these settings. It looks like your average INI file. Then run the script by double-clicking the WSH file. Figure 9-3: You create a WSH file that contains the settings of a script file by right-clicking Properties and then clicking the Script tab.
Formatting Key and Value Names Before I show you how to script edit the registry, there's one more detail: how to format key and value names in a script. Unlike other scripting methods I've described here, the Windows Script Host object model doesn't have separate parameters for the key name. Therefore, you differentiate key names and value names by how you format them. simple: if a string ends with a backslash, it is a key name; if a string does not end in a backslash, a value name. Also, the JScript language reserves the backslash (\) character: for example, \n is a newline character and \t is a tab. That means you need the backslashes in your keys. Therefore, you must use backslashes (\\) whenever you have a backslash in a key. To keep this clear, see Table 9-4. Table 9-4: Formatting of keys and values 217 Object VBScript JScript Value "HKLM\Subkey\Value" "HKLM\\Subkey\\Value" Key "HKLM\Subkey\" "HKLM\\Subkey\\"
Adding and Updating Values The Shell object's RegWrite method adds or modifies keys and values. To change a key's default value, set strName to the name of the key, including the trailing backslash, and then assign it a value. TipOne of the major weaknesses of the RegWrite method is that it only writes four bytes of REG_BINARY values. It cannot handle larger binary values. If you want to switch longer
binary values or change types of values that this method does not support, use the Shell object's Run method to import a .reg file. For example, you can store your settings in a .reg file called Settings.reg. Then import this .reg file using the WshShell.Run("Settings.reg") instruction. object.RegWrite( strName, anyValue [, strType] )
Object This is the shell object. strName This is the string that specifies the name of the key or value. You can add keys. You can add or change values. strName must be a fully qualified path to a key or value, beginning with one of the root keys: HKCR, HKCU, HKLM, or HKU. anyValue This is the data that will be assigned new or existing values. Use the format appropriate for the value type. strType This is the type of value to create: REG_SZ, REG_EXPAND_SZ, REG_DWORD, or REG_BINARY. The RegWrite method does not support the REG_MULTI_SZ value type. Also, this method only writes four byte REG_BINARY values. Example (VBScript) Set WshShell = WScript.CreateObject("WScript.Shell") WshShell.RegWrite "HKCU\Software\Sample\", 1, "REG_BINARY" WshShell.RegWrite "HKCU\Software\Sample\Howdy", "World! ", "REG_SZ"
Beispiel (JScript) var WshShell = WScript.CreateObject( "WScript.Shell" ); WshShell.RegWrite("HKCU\\Software\\Sample\\", 1, "REG_BINARY"); WshShell.RegWrite("HKCU\\Software\\Sample\\Howdy", "World!", "REG_SZ");
Removing Keys and Values The Shell object's RegDelete method removes keys and values from the registry. Be careful though, as it's easy to remove an entire branch. there is no confirmation. To remove a key, end strName with a backslash; Otherwise remove a value. Object.RegDelete(StrName)
Object This is the shell object. strName This is the string specifying the name of the key or value to delete. strName must be a fully qualified path to a key or value, beginning with one of the root keys: HKCR, HKCU, HKLM, 218, or HKU. Example (VBScript) Set WshShell = WScript.CreateObject( "WScript.Shell" ) WshShell.RegDelete "HKCU\Software\Honeycutt\Howdy" WshShell.RegDelete "HKCU\Software\Honeycutt\"
Beispiel (JScript) var WshShell = WScript.CreateObject( "WScript.Shell" ); WshShell.RegDelete ( "HKCU\\Software\\Honeycutt\\Howdy" ); WshShell.RegDelete ( "HKCU\\Software\\Honeycutt\\" );
Querying Registry Values The Shell object's RegRead method returns the data of a value. To read the default value of a key, end strName with a backslash; Otherwise read a value. Object.RegRead(StrName)
Object This is the shell object. strName This is the string that specifies the name of the value to read. strName must be complete
Qualified path to a key or value, starting with one of the root keys: HKCR, HKCU, HKLM, or HKU. Example (VBScript) Dim WshShell, dwFlag, strValue Set WshShell = WScript.CreateObject( "WScript.Shell" ) dwFlag = WshShell.RegRead( "HKCU\Software\Honeycutt\" ) strValue = WshShell.RegRead( "HKCU\Software\Honeycutt \Hi" )
Beispiel (JScript) var WshShell = WScript.CreateObject( "WScript.Shell" ); var dwFlag = WshShell.RegRead( "HKCU\\Software\\Honeycutt\\" ); var strValue = WshShell.RegRead( "HKCU\\Software\\Honeycutt\\Howdy" );
Creating Windows Installer Packages The final method for deploying registry settings that I discuss in this chapter is to create Windows Installer package files. You've probably come across package files by now. Microsoft Office 2000 and Office XP both come as package files, which are databases of files and settings that Windows Installer installs on the computer. Creating a package file for a large application is an intensive process, but creating package files that contain registry settings is straightforward. To create a package file, you need an editor. One of the most popular package editors is VERITAS WinINSTALL, and you can learn more about this enterprise-class tool at www.veritas.com. If you don't want to spend the money to buy a full version of WinINSTALL, you can get a free version if you still have your Microsoft Windows 2000 Professional CD lying around. See 219 Creating package files to provide registry settings. Install the program from doubleSwiadmle.msi. This will install WinINSTALL to the Start menu: Click Start, All Programs, Add/Remove Programs, VERITAS Software Console to run it. Package files contain functions and functions contain components. To deploy the registry settings package file, you need to build all the above steps. To create a new package and add registry settings, complete the following steps: In the Veritas Software Console, right-click Windows Installer Package in the left pane, and then click New. In the File name field, enter the path and name of the package and click OK. 1. In the left pane, right-click the package file you created, and then click Add Feature. In the Name field in the right pane, enter a new name for the feature. This is probably the only feature you're adding to the package file, since you're just providing registry settings. However, you can create multiple features, and each can contain different registry settings. This allows users to install or not install features. 2. In the left pane, right-click the feature you created in step 2, and then click Add Component. The package editor automatically assigns a GUID to the component. Components contain all files and settings that are required to implement a program unit, i.e. applications
have multiple components. If you're using a package file to provide settings, creating components doesn't make much sense. 3. In the left pane, select the added component and click Registration. 4. In the right pane, right-click the root key that you want to edit and click New Key. Create subkeys by right-clicking a key and clicking New Key until you create the path of the key you want to edit. 5. In the right pane, click the key where you want to add or change a value and click New Value. In the Value name field, enter the name of the value. In the data type, the type of the value; click OK. Enter the data of the value in the Type Editor dialog box and confirm with OK. 6. Click File, Save to save your package file. 7. After you create a package file, you can deploy it like any other package file. Users can simply double-click the package file to install it. If the package file contains settings that users do not have permission to change, you can deploy them through Active Directory policy, which installs package files with elevated privileges. You can also run the command that installs a package file, namely msiexec.exe" /i filename.msi. 220
Overview Microsoft Windows XP stores user settings separately from computer settings. The settings affect every user who logs on to Windows XP. Computer settings include configuration, network configuration, etc. Usually only the computer settings of the Administrators group, but some settings are accessible to the Power Users group. On the one hand, a user profile contains settings for a specific user. Users customize operating system preferences, and their settings do not affect other users. Users have full control over their own profiles, containing more than just settings. They also contain files and folders specific to each user. Deploying and managing user profiles are two of the most important issues faced by IT professionals. Properly provisioning and managing user profiles can save companies money. That's because the behaviors users experience in Windows XP have settings in user profiles, professionals can provide user profiles that contain default values for those settings, starting with the right foot. For example, you can populate the Favorites folder with intranet links and don't have to look for those links yourself. You can add printer connections to a default profile so users can print right away without having to figure out how to add a printer. most useful policies managing operating system and application settings profiles. IT pros manage settings in user profiles by assigning policies to them. Mastering user profiles isn't just for IT pros; Power users, especially those who have multiple accounts on their computers or work on a home network, can simplify their user experience. You can customize a default user profile. Then, when they use Windows XP or create a new account, they start with familiar settings and don't have an hour to customize the operating system to their liking. User profiles are not that complicated, power users should not use them to their full advantage. I wrote this chapter primarily for the IT professional; Power users only need Master
Portions First, you will learn about the content of a user profile. Then you will learn how to use roaming users in a corporate network. The most compelling part of this chapter shows you how to create default user profiles. In this part, I will show you two techniques to create standard user profiles. At first it's traditional but quite dirty. I prefer the second method, which is a more surgical way of creating default user profiles. I end this chapter with an explanation of the migration tool, which can help overcome the difficulties associated with migrating user settings from previous versions of Windows.
Examining user profiles Windows XP loads user profiles when they log on to the computer and unloads their profiles when they log off. A user profile contains a registry hive with user-specific settings and folders that contain documents and data files. The following section "Profile Hives" describes the operating system loads of the registry hive. The Profile Folders section describes the folders in a user profile. Before delving into the contents of user profiles, you should know where they are stored in the file system. The default save location differs from that in Microsoft Windows NT 4.0 or other operating systems of the time. Remember that Windows NT 4.0 stored user profiles in %SYSTEMROOT%\. This location made it difficult to back up the operating system files while allowing access data. Microsoft Windows 2000 and Windows XP store user profiles in a different location, 221 but this is only the case when Windows XP is freshly installed. If you are upgrading from a version of Windows earlier than Windows 2000, the profiles in the previous operating system are preserved. For example, if you upgrade from Windows to Windows XP, the profiles remain in %SYSTEMROOT%\Profiles. The location of user profiles that are upgraded from Windows 2000 to Windows XP depends on whether you installed Windows clean or upgraded from a previous version of Windows. In other words, the setup program moves user profiles during an upgrade. Table 10-1 summarizes where to find profile scenario by scenario. Table 10-1: Location of user profiles Scenario Location New installation %SYSTEMDRIVE%\Documents and Settings Upgrade from Windows 2000 %SYSTEMDRIVE%\Documents and Settings Upgrade from Windows NT 4.0 %SYSTEMROOT%\Profiles Upgrade from Windows 98 %SYSTEMDRIVE%\Documents and Settings Windows XP creates and stores a list of user profiles. Table 10-1 shows the location profiles depending on the scenario. The HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProfileList key corresponds to the list you see in the User Profiles dialog box. In the User Profiles dialog box, click Start, Control Panel, Performance and Maintenance, and in the System Properties dialog box, on the Advanced tab, click Settings in User Profiles. Each subkey is a user profile, and the name of the subkey is the SID of the account that owns each profile in ProfileList, contains the REG_SZ value ProfileImagePath, which points to a folder in %SYSTEMROOT%\Documents and Settings. Figure 10-1 illustrates the relationship
between the ProfileList key and the user profile folders. This relationship is why you simply remove a user profile from the file system. Use the User Profiles dialog box instead, which deletes the user profile from both the ProfileList key and the file. Figure 10-1: The ProfileList subkeys contain a wealth of information about the user profiles created by Windows XP, including their paths in the file system. NoteIn organizations using Windows NT 4.0, IT pros sometimes move profiles to %SYSTEMROOT%\Profiles when deploying Windows XP because it is often easier to manage the profiles when they are in the same location regardless of platform. Windows XP answer files provide a setting that lets you do this. The setting is ProfilesDir and is located in the [GuiUnattended] section. Set ProfilesDir to the path of the folder where you want to store profiles. You should start the path with either %SYSTEMROOT% or %SYSTEMDRIVE%; otherwise, the setup program ignores it. Benefits of User Profiles The primary goal of user profiles is to differentiate each user's settings and data from those of other users as well as from computer settings. This has several advantages for corporate environments and also makes Windows XP more convenient to use at home. User profiles enable stateless computing. A company can configure Windows XP to store important user settings and data separately from the computer. This makes backing up and replacing computers much easier, as users' data is safely housed on the network and managed separately from the computer's configuration. When users log on to a spare computer for the first time, the operating system copies their settings from the network. You can get back to work faster. User profiles also allow users' settings to follow them from computer to computer. You don't have to reconfigure the settings on each computer. When they log on to a network that supports roaming user profiles, the operating system downloads their settings from the network. When they log off the computer, the operating system copies the users' settings back onto the network. User profile roaming makes sharing computers easier, since each user has their own personal configuration. Roaming user profiles are a must in environments like call centers where users are not guaranteed to be on the same computer twice. For information about roaming user profiles, see the “Using Roaming User Profiles” section later in this chapter. 223
Profile Structures The first half of a user profile is the profile structure: Ntuser.dat. You can find out the second half in "Profile folder". This file is located at the root of users' profile folders. Chapter 1, "Learning the Basics,"
and Chapter 2, "Using the Registry Editor," describe Hive files and how to work with them. Users' operating system and application settings are stored in profile hives. For example, you can find all user-specific settings for Windows Explorer and persistent network connections in Profilhives. Profile structures also contain user-specific taskbar, printer, and control panel settings. Accessories supplied with Windows XP store user-specific settings in the profile structure. When Windows XP loads a user profile, the operating system loads the Ntuser.dat hive file into the HKU\SID subkey, where SID is the user's SID. (For more information on SIDs, see Chapter 1, "Learning the Basics.") Windows XP then associates the HKCU root key with HKU\SID. Figure 10-2 shows this relationship. Windows XP and most applications refer to user settings through HKCU, not HKU\SID, because HKCU resolves which subkey of HKU contains the console user's settings. HKU includes a second Hive file, HKU\SID_Classes, which contains user-specific file associations and class registrations. You can learn more about this in Appendix A, “File Associations”. Figure 10-2 Windows XP loads Ntuser.dat into HKU\ SID and then links HKCU to it. The list of profile sticks is in the ProfileList key, which you learned about in the previous section. It contains a subkey for each user profile. The subkey name is the name of the hive in HKU or the SID of the account. The REG_SZ value ProfileImagePath is the path of the profile structure file Ntuser.dat for this user profile. However, ProfileList does not contain a value for the SID_Classes hives. HKLM\SYSTEM\CurrentControlSet\Control\hivelist contains a REG_SZ value for each structure in HKLM and HKU that the operating system is currently using. The difference between the ProfileList and hivelist values is that ProfileList contains a list of all user profiles that Windows XP knows about, loaded or not, and hivelist contains a list of all currently loaded hive files. Tip You can load and edit profile hives in Registry Editor (regedit) without logging on to the computer with the account that owns that user profile. This is one of the techniques you'll use later in this chapter to create default user profiles.
Profile folders The folders in a user profile contain user-specific application files. For example, Office XP installs templates and custom dictionaries in the user profile. Internet Explorer stores its cookies and 224 the hidden files in Windows Explorer if you want to see all of the following folders yourself: Application Data. This folder contains application files such as mail files, templates, etc. The provider of each application chooses which files are stored here. Redirect this folder to a network location using Group Policy.
• Cookies. This folder contains Internet Explorer cookies. • Desktop. This folder contains files, folders, and shortcuts on the desktop. User contents of this folder on the Windows XP desktop. You can redirect this folder to the location using Group Policy. • Favorites. This folder contains Internet Explorer's favorite shortcuts. Users see this folder in the Internet Explorer Favorites menu. Group Policy does not support this folder, but you can manually redirect it as shown in Chapter 15, "Functional Issues." • Local settings. This folder contains application files that are not stored per computer with the files you will find in this folder or are too large to copy over the network. Folder contains four interesting subfolders: Application Data. This subfolder contains Computer Specific Application → History. This subfolder contains the Internet Explorer history. → Temp. This subfolder contains temporary files per user. → Temporary Internet files. This subfolder contains Internet Explorer offline → • My Documents. This folder contains the default location for user documents. should save users' documents to this folder by default, and this is the location where common dialog boxes open by default. This folder also contains My Pictures, the default location for user pictures, and optionally a My Music folder, the default location for user music files. You can redirect this folder to a network using Group Policy. • NetHood. This folder contains links to objects on the network. Users can view folders to which these shortcuts are linked in the My Network Places folder. • PrintHood. This folder contains shortcuts to printer objects. Users see the content folder in the printers folder. • youngest. This folder contains links to recently used documents. these shortcuts in the My Recent Documents menu, which is located in the Start menu. • Send to. This folder contains shortcuts to drives, folders, and target applications. Users can see the contents of this folder when they right-click an item and choose Send To. • Start menu. This folder contains shortcuts to program items. Users see the content folder in the Start menu and in the All Programs menu of the Start menu. IT pros redirect this folder to a network location using Group Policy. • Templates. This folder contains template files. Users see the content by right-clicking in a folder and then clicking New. • 225 Figure 10-3: The user profile folders you see in this figure are the default folders in a clean installation of Windows XP. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders is the
Windows XP saves the location of each folder that is part of a user profile. Each value represents a folder as shown in Table 10-2. These are REG_EXPAND_SZ values, so you have environment variables in them. Use %USERPROFILE% to direct the folder to a location in users' profile folders and %USERNAME% to include usernames, especially when redirecting a profile folder to a network location. Redirect users' favorite folders to the Favorites setting on \\ Server \ Share \%USERNAME% \Favorites, where \\Server \Share Server and Share with the folders for example. Windows XP does not use the shell folder. Table 10-2: User Profile Folder Name Default Path AppData %USERPROFILE%\Application Data Cache %USERPROFILE%\Local Settings\Temporary Internet Files Cookies %USERPROFILE%\Cookies Desktop %USERPROFILE%\Desktop Favorites %USERPROFILE%\Favorites History %USERPROFILE %\Local Settings\History Local Application Data %USERPROFILE%\Local Settings\Application Data Local Settings %USERPROFILE%\Local Settings My Pictures %USERPROFILE%\My Documents\My Pictures NetHood %USERPROFILE%\NetHood Personal %USERPROFILE%\My Documents PrintHood %USERPROFILE%\ PrintHood Programs %USERPROFILE%\Start Menu\Programs Recent %USERPROFILE%\Recent SendTo %USERPROFILE%\SendTo Start Menu %USERPROFILE%\Start Menu Startup %USERPROFILE%\Start Menu\Programs\Startup Templates %USERPROFILE%\ Templates 226 The profile folders , which you saw in Figure 10-1, contain more than the standard user profiles that Windows XP creates when users log on to the operating system n. The figure shows four specific user profiles that every IT professional should be aware of: All users. This profile folder contains settings that apply to all users who log on to the computer. This profile folder contains a profile structure, Ntuser.dat, that the operating system does not load. Also, this profile folder contains the shared Documents and Music folders; shared Start Menu shortcuts, etc. The main user shell folders in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer contain the shortcuts to the subfolders in the All Users profile folder. • Standard User. This profile folder contains the default user profile that Windows XP copies when it creates new user profiles. It contains most of the files and folders you saw in the previous section. Customizing this folder is a good way to ensure that every user who logs on to the computer starts with the same settings. Windows XP first looks for a default user folder on the server's NETLOGON share and uses the local default user folder only if the network copy is not available. Customizing this folder is a good way to provide settings that
You don't want to manage. To customize it, see the “Deploying Default User Profiles” section later in this chapter. • Local Service. This profile folder is for the built-in LocalService account, which the Service Control Manager uses to host services that don't need to run in the LocalSystem account. This is a normal user profile with limited data. You don't see it in the User Profiles dialog and the LocalService folder is heavily hidden. • Network Service. This profile folder is for the built-in NetworkService account that the Service Control Manager uses to host network services that don't need to run in the LocalSystem account. This is a normal user profile. You don't see it in the User Profiles dialog and the NetworkService folder is super-hidden. • In the previous list, the first two profile folders are far more interesting than the last two. IT pros often customize the "All Users" profile folder on disk images. The adjustment, e.g. A shortcut, such as a shortcut on the Start menu, affects all users who log on to the computer. However, IT pros more commonly customize the \Default User folder. This is a great way to create custom settings that you don't want to manage. In other words, it's a method of providing common user settings while still allowing users to change those settings if needed. As you will learn in this chapter, customizing the default user folder on a disk image is not necessarily the most efficient way to provide default user settings. Instead, create a custom default user folder on the server's NETLOGON share. See the “Deploying Default User Profiles” section later in this chapter. Tip Many programs install themselves for single-user use when you really want everyone sharing the computer to use them. You can tell when a per-user program was installed because its shortcut is in the profile folder associated with the account you installed it with. If the program recreates missing settings on startup, you can change the program from per-user to per-computer by simply moving its shortcut from the user profile folder where it installed the shortcut to the All Users profile folder. This also works the other way around. You can move a shortcut from the All Users profile folder to a specific user's profile folder so that only a single user sees the shortcut. User Profile Enhancements 227 Users made to his profile are not saved on the server. This has three symptoms: User experience is impacted because changes are not saved when users log on to a different computer. • Because locked profiles are never unloaded, they end up consuming a lot of memory on a terminal server that many users log on to. • If a profile is marked for deletion (to clean up the computer or to delete it temporarily) when you log off.
profiles), profiles are not deleted. The three symptoms are resolved as follows: • On Windows XP, when a user logs off and the profile is locked, the operating system queries the profile for 60 seconds before giving up. Windows XP then saves the user's profile structure and roams the profile correctly. • When the application or service closes the registry key and unlocks the profile, Windows XP unloads the user profile structure, freeing memory used by the profile. • When a profile is marked for deletion and the reference count drops to zero, Windows XP unloads and deletes it. In case the application never releases the registry key, Windows XP deletes all profiles marked for deletion at the next boot. •
Retrieving User Profiles How users retrieve their profiles depends on the type of profile you have configured their accounts for: Local User Profile. This profile is created when users log on to their computers for the first time. Local user profiles are stored on the local hard drive. Changes users make to their profiles do not follow them from computer to computer. • Roaming User Profile. This profile is available to users from any computer on the network, and changes users make to their profiles follow them from computer to computer. • Mandatory user profile. This profile is similar to roaming user profiles. Administrators assign users to mandatory user profiles, and Windows XP discards users' changes when they log off the operating system. In other words, users start with the same settings every time they log into the operating system. Microsoft provides mandatory user profiles to ensure compatibility with Windows NT 4.0, but you should consider using Group Policy instead. • The following sections describe how Windows XP creates a profile when users log on to the operating system. The Using Roaming User Profiles section describes how to create and manage roaming user profiles. Also, the "Managing Roaming User Profiles" section shows you how to prevent Windows XP from merging the local copy of a profile with the server copy using Group Policy.
Local Profiles The following is an overview of how Windows XP creates and uses a local user profile for users when they log on to their computers for the first time: The user logs on to Windows XP. 1.
Windows XP checks the list of user profiles in the ProfileList key to see if a local profile exists for the user. If an entry is present, the operating system uses it; otherwise, the operating system performs one of the following actions: 2. 228 exists, the operating system copies NETLOGON\Defaul %SYSTEMDRIVE%\Documents and Settings\username, where username is the name of the user account. If the computer is not a domain member or Windows XP does not find a default profile on the NETLOGON share, it uses the local default user profile. %SYSTEMDRIVE\DocumentsandSettings\Default %SYSTEMDRIVE%\Documents and Settings\username. → Windows XP loads the profile structure Ntuser.dat in HKU and associates the root key HKCU 3. When the user logs off Windows XP, the operating system saves all changes in the profile folder of the user profile. The profile folder is not copied to the network. It also unloads those from the registry.
Roaming profiles The following is an overview of how Windows XP creates and uses a roaming user profile for users when they log on to their computers: The user logs on to Windows XP. 1. Windows XP checks the list of user profiles in the ProfileList key to see if a profile exists for the user. If an entry is present, the operating system adds the profile's network to the local profile folder; Otherwise, the operating system does the following: Windows XP checks the NETLOGON share on the domain controller for the user folder. If present, the operating system copies the default user %SYSTEMDRIVE%\Documents and Settings\username, where username is the name of the user account. → If Windows XP does not find a default user profile on the NETLOGON share, %SYSTEMDRIVE\DocumentsandSettings\Default %SYSTEMDRIVE%\Documents and Settings\Username. → 2. Windows XP loads the profile structure Ntuser.dat into HKU and associates the root key HKCU 3. When users log out of Windows XP, the operating system saves their changes to the local folders and then unloads the profile structures from HKU. The operating system profile folders are then placed in the network location specified by the administrator. If the profile folder exists on the network, the operating system merges the local copy into the network copy. For more information, see “Understanding the New Merge” later in this chapter. Note There are two differences between roaming and mandatory user profiles. First, create a mandatory profile and copy it to the user's profile folder instead of allowing Windows to create it when the user logs on to the computer. Second, rename the Ntuser. Ntuser.man. Windows XP uses the .manfile extension to make the profile mandatory. Windows XP does not merge mandatory user profiles with the network when the user uses the computer. 229 You configure roaming user profiles on the server so that the user must be a member of and domain to use a roaming user profile. Both Microsoft Windows NT Server 4.0 and
Windows 2000 Server supports roaming user profiles as does Microsoft Windows .NET. The following instructions show you how to configure roaming user profiles in Active Directory. Windows 2000 Server: Create a folder on the server where you want to store user profiles. This is the folder that contains individual user profile folders. 1. Share the folder and give all users full control. (I sometimes lower users' permissions and run them in this folder and then give them full control of their individual profile. 2. In Active Directory Users and Computers, double-click the account for which you are using a roaming user profile 3. On the Profile tab of the Name Properties dialog box (see Figure 10-4), in the Profile Path field, type where you want to save the user's profile: The path is Share\ username" where "server" is the name of the server, "share" is the share in step 1, and username is the name of the account. Optionally, you can use %USERNAME% username and Active Directory will replace it with the name of the current one Accounts 4. 230 If you want to configure many accounts to use roaming user profiles, performing the task manually represents a monumental task a third-party tool or write an Active Directory Scripting Interface (ADSI) script to do the job. You access ADSI through Windows Script Host using VBScript or JScript. This topic is beyond the scope of this book, but you can visit Microsoft's Web site for more information: http://www.microsoft.com. Folder redirection is a great addition to user profiles, especially the roaming variety. It allows an IT professional to redirect the location of some profile folders to the network. There is nothing magical about folder redirection. Group Policy simply changes the location of the folder in the user shell folder key so that applications automatically look for the folder on the network. From a user's perspective, redirected folders are similar to roaming user profiles in that their documents follow them from computer to computer. However, unlike roaming user profiles, redirected folders always stay in the same place. You can use redirected folders with or without roaming user profiles. When you use them with roaming user profiles, you can reduce the amount of data that Windows XP transfers when users log on and off the operating system. Additionally, redirected folders are often useful even if you don't intend to use roaming user profiles. They can allow user documents to follow them without the complexity and sometimes difficulty of using roaming user profiles. For information about roaming user profiles, see the previous section, Creating User Profiles. Table 10-3: Roaming and redirection folders
Folder roaming possible? Can redirect? Application Data Yes Yes Cookies Yes No Desktop Yes Yes Favorites Yes No Local Settings No No My Documents Yes Yes My Recent Documents Yes No NetHood Yes No PrintHood Yes No Send To Yes No Start Menu Yes Yes Templates Yes No User Profile Roaming Best Practices Following are best practices for roaming user profiles: Redirect the My Documents folder outside of roaming user profiles. This shortens the registration time. Folder redirection is the best way to do this, but you can also manually redirect the My Documents folder, as described in Chapter 15, "Working Around IT Problems." • Do not use an Encrypted File System (EFS) for files in a roaming user profile. EFS is not compatible with roaming user profiles. Encrypting a roaming user profile prevents the user profile from roaming. • 231 that Windows XP creates during the synchronization process, so make sure that enough disk space is available on the server. Also ensure that there is enough disk space on the workstation to create temporary duplicates of the profile. Do not make folders in roaming user profiles available offline. If you use offline folders with roaming user profile folders, you will encounter synchronization problems because both offline folders and roaming user profiles try to synchronize at the same time. However, you can use offline folders with folders that you redirect, e.g. B. My Documents. • Use Group Policy loopback policy processing in moderation if you also use roaming user profiles. Loopback processing allows you to apply different per-user Group Policy settings to users, depending on the computer they are using. • When redirecting the My Documents folder outside of a roaming user profile, set the home folder to the redirected My Documents folder for compatibility with applications that are not compatible with folder redirection. • Disable Fast Network Logon using Group Policy when using roaming user profiles. This prevents conflicts that occur when user profiles switch from local to roaming. For more information, see “Understanding Quick Network Logon” later in this chapter. •
Managing Roaming User Profiles Group Policy provides a set of policies that you can use to manage how Windows XP works
processes user profiles. You can configure these policies in a local Group Policy Object (GPO) or in a network GPO. Chapter 6, "Using Registry-Based Policies," provides more information. First, here is a description of the user profile guidelines: Connect the home directory to the root of the share. This policy restores the %HOMESHARE% and %HOMEPATH% environment variable definitions to those used in Windows NT 4.0 and earlier versions. • Limit profile size. This policy sets the maximum size of each roaming user profile and determines how the system reacts when a roaming user profile reaches the maximum size. If user profiles grow excessively large, consider redirecting the My Documents folder to a location outside of the profile. • Excluding directories in a roaming profile. This policy allows you to add folders to the list of excluded folders from the user's roaming profile. • Delete cached copies of roaming profiles. This policy determines whether the system saves a copy of a user's roaming profile to the local computer's hard drive when the user logs off. • Do not detect slow network connections. This policy disables the slow link detection feature. • Slow network connection timeout for user profiles. This policy defines a slow connection for roaming user profiles. • Wait for the removed user profile. This policy tells the system to wait for the remote copy of the roaming user profile to load, even if the loading is slow. Also, if the user is notified about a slow connection but does not respond within the allowed time, the system will wait for the remote copy. • Prompt user when slow connection is detected. This policy notifies users when their roaming profile is loading slowly. Users can then decide whether to use a local copy or wait for the roaming user profile. • Timeout for dialog boxes. This policy determines how long the system waits for a user response before using a default value. • 232 Maximum retries to unload and update user profile. This policy determines when the system attempts to unload and update the profile structure. When the number specified by this setting is exhausted, the system stops trying. As a result, the may not be up to date, and local and roaming user profiles may not match. • Add the Administrators security group to roaming user profiles. This policy administrator security group for roaming user profile sharing. The default behavior
Prevent administrators from managing individual profile folders without taking ownership. • Prevent changes to roaming profiles from being propagated to the server. determines whether the changes a user makes to his or her roaming profile are merged server copies of his or her profile. This is a policy-based method of implementing mandatory profiles. • Allow only local user profiles. This policy determines whether roaming user profiles exist on a given computer. By default, when users with roaming profiles log on to a computer, the roaming profile is copied to the local computer. If they have already enrolled computers in the past, the roaming profile will be merged with the local profile. Likewise, when users log off from that computer, the local copy of their profile, including any changes made, is merged into the server copy of their profile. • The first three policies in this list are per user and the rest of the policies are per computer. 10-5 shows them in the Group Policy Editor. All are administrative policies in System\Profiles under User Configuration and Computer Configuration. Figure 10-5 These policies give you control over how Windows XP uses profiles.
Understanding Fast Network Logon Windows XP does not wait for the network to start before displaying the Windows Logon dialog box. This greatly improves boot time over Windows 2000. Previous users of the computer get to their desktops faster because the operating system uses cached group policies and loads them in the background as soon as the network is available. Although network login improves perceived performance, it has implications that you should understand. Important from this section is that Windows XP does not use fast network 233 Because background refresh is the default behavior, users may need to log on to Windows three times for Group Policy extensions such as software installation and folder redirection to take effect. Windows XP has to process these types of extensions in the background without logging on. Also, because Advanced Folder Redirection is based on group membership, it must log on to Windows XP three times: once to update the cached user object membership, a second time to detect the group membership change and request a policy application, and a third time to have folder redirection policy in the foreground use. The system may require users to log in twice to update the properties of other group objects. Another thing to note is the effect Fast Network Logon has on Windows XP profiles that switch from local to roaming. If the operating system uses Fast Network, the locally cached copy of the profile is always used. By the time the operating system recognizes that the user has a roaming user profile, it has already loaded the local profile structure and modified its. The result is that the operating system can replace profile structures with older ones when users log on to multiple computers. To handle this scenario, Windows XP treats the switch from roaming as a special case. First, the operating system checks the following conditions: Is the user switching from a local to a roaming profile? • Is there a copy of the user profile on the server? • When both of these conditions are true, Windows XP merges the contents of the local copy of the User Profile Server without the Ntuser.dat profile structure. Then the operating system copies the
of the profile to the local copy, regardless of the timestamps of the profile hives. After the user's profile becomes a roaming profile, Windows XP always waits for the network to download the profile. In other words, fast network logon and roaming user profiles don't work together. Note Given the changes that Windows XP makes to roaming user profiles, if you are using a user's roaming profile path in Active Directory, you should remove the profile from the server. If you reconfigure the user to use roaming user profiles and you use path, the user gets the older server copy of the user profile.
Understanding New Merging Many IT professionals are reluctant to use roaming user profiles because they use the Windows NT 4.0 merging algorithm. This algorithm assumes that there is a master copy of the user's profile. When the user logs on to the computer, the operation assumes that the master profile is on the local computer, and when the user logs on to the computer, it assumes that the master profile is on the server. It mirrors the entire local computer profile to the server and vice versa, completely replacing the profile on the target. This works perfectly when users are using a single computer, but it wreaks havoc when using multiple computers. The merging algorithm in Windows XP is more advanced; It merges user profiles, in other words it's a real merge, no swipe and load. The merged profile then becomes the files in the local and server copies of the user profile, and if a file exists in both operating systems, the latest version of the file is used. New files are not missing, updated files are not replaced - both symptoms of the Windows NT 4.0 merge. In the Windows NT 4.0 merge case, if one profile changes to two, only the last one copied to the network remains. 234 profile list. When the user logs off the computer, the operating system uses the timestamp to determine which files have been added or removed from the server copy of the user example, if a file named Example.doc is included in the server copy of the user profile, but not copying it helps Windows XP uses the timestamp to determine whether the file was added to the server and removed from the local copy. If the file's timestamp is later than the profile's timestamp, the file was added to the server copy. The result is that Windows XP does not touch when merging the local profile with the server copy. If the timestamp of the file is an earlier timestamp of the local user profile, the file has been removed from the local user profile. The Windows XP removes the file from the server, copies the profile when the operating system copies the local copy into it. If a profile changes on two computers in Windows XP, both are copied to the server file by file. Note There is another issue that prevents many IT pros from using roaming profiles. Roaming user profiles are great when configurations are similar from desktop to desktop. When users log in on different computers with different applications, screen sizes, power management requirements, etc., user profiles are cumbersome and the user experience is not very good. User profiles are great for scenarios like call centers and other environments where configurations are standardized, but they're not very useful. Configurations are not standardized across the organization.
Deploying Default User Profiles Deploying default user profiles is one of the easiest ways to deploy settings to new users. However, use default user profiles to provide settings for existing users because they already use user profiles. These aren't settings you want to manage. These are the default values
set up for users, while users can change them as needed. Essentially, default user profiles are like changing default settings in Windows XP. If you want a setting that users can't change, use policies. Chapter 6, "Using Registry-Based Policies," for more information on managing settings. To deploy a default user profile, do the following: Create a template account. You can use a local or domain account, but the user profile is generally cleaner than a local account on a non-domain-joined computer. (Since I include shortcuts in my profiles, I usually use a domain account to create standard user profiles.) Use a name for the template account that you are sure is unique in the registry and contains more than eight characters. You'll learn a little later why using a unique name is important. 1. Log on to the computer with the template account and adjust its settings. “Customizing user settings” later in this chapter describes settings that I use frequently. 2. Clean up the user profile to remove artifacts that you do not want to provide. The “Cleaning up the user profile” later in this chapter describes how to clean up the profile. 3. Copy the template account user profile folder to a new location and name it as Default. Do not replace %SYSTEMDRIVE%\Documents and Settings\Default User. You may need to repeat the process a few times to get it right though I want the default user profile handy. In the section “Creating the default user folder” 4. 235 Provide the default user profile. You can put the default user folder in %SYSTEMDRIVE%\Documents and Settings on disk images and then mount them, or you can put the default user folder on the server's NETLOGON share. I prefer the second method because it separates the settings from the disk images, which makes it much easier for me to update the settings. 5. Alternatives to Standard User Profiles An alternative to customizing a number of settings in standard user profiles is scripting. Create a script that configures Windows XP user settings to suit your organization's needs. This assumes you have a specification, or at least a list of settings, that you want to customize for users. Then edit the Hive Ntuser.dat file in the standard user folder of the disk image by adding the command to run the script to the HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce key. By default, the Ntuser.dat hive file in the default user folder does not contain the RunOnce key, so you must add it. Then add a REG_SZ value to this key - you can name it anything - and paste in the command line you want to run. Each time Windows XP creates a new user profile, it runs the script to customize the user's settings. Also, you can add a script that adjusts the current user profile to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Windows XP runs this script every time a user
logs on to the computer. If you want to configure the settings only when the user logs on to the computer for the first time, add code to the script that looks for a value in HKCU and runs only if that value doesn't exist. Then end the script with code that creates the missing value so that the script doesn't run the next time the user logs on to the computer. Chapter 9, "Scripting Registry Changes," shows you how to write scripts using Windows Scripting Host, and these are ideal for this scenario.
Customize user settings Sign in to the template account you created in step 1 of the previous section and customize the account's settings. When customizing settings for a default usage profile, less is more. Preferably, you work from a list of settings that you have reviewed with other members of the deployment planning team. The following list gives you an idea of the settings I often control with standard user profiles: Taskbar • Quick Launch Bar • Start Menu • Windows Explorer • Internet Explorer • My Network Places • Search Companion • Optimize User Interface • Control Panel, specifically: Display → Folder Options → Mouse → • 236 Sounds and Audio Devices → Taskbar and Start Menu → You want to adjust per-user settings because those are the only settings that are profiles. When customizing a user profile, how do you know that a setting is per user? not necessarily. That's why you need to test the settings in your list beforehand. Creating a standard user profile isn't the time to start wondering if it's for a specific user or computer. The easiest way to find out is to log into a new account and adjust the settings in your list. Then copy that user profile to a clean install of Windows and see what settings have been made. The settings that didn't make it are per-machine settings, you should cross them off your list. There are a small number of settings that still don't work well in standard user profiles, and there's generally little you can do to hack the profile to make them work. The most prominent example is the desktop background. The background image in a standard user profile requires you to paste the background image graphic file into the folder and then hack the profile structure to point to the new location. You may also want to include settings for applications you deploy, whether or not you
Add your disk images or mount them using other methods. First, a caveat: Do not include Windows Installer-based applications in a standard user profile. Windows Installer provides methods for deploying settings. This means that you should not provide settings for standard Office user profiles. Instead, use tools like the Custom Installation Wizard and the Office Wizard. Both tools are included in the Office XP Resource Kit, and Chapter 14, "Deploying Settings," describes how to use them. Install other types of applications and customize them to your needs just like you would customize Windows XP settings. This last part is optional, but I recommend it: Remove artifacts from the user profile to be served. Artifacts include history lists and the like. I have a preset route that I use via a user profile. First, I clear Internet Explorer's Start menu and history lists. To do this, proceed as follows: Click on Start, Control Panel, Appearance and Themes and Taskbar and Start Menu. On the Start Menu tab, click Customize. In the Customize Start Menu dialog box, under Advanced, click the Clear List button. • Click Start, Control Panel, Network and Internet Connections, and Internet Options. In the Internet Options dialog box, click Clear History to remove Internet Explorer history. • You don't have to worry about removing temporary Internet files because they reside in the Local Settings folder and Windows XP does not copy them with the profile. However, if you opened Explorer to customize, you can clear the Internet Options dialog box for cookies and autocomplete. On the General tab, click Clear Cookies, then Content, click AutoComplete, followed by Clear Forms and Clear Passwords. After you're done adjusting and cleaning up account settings, sign out of Windows. Do not open dialog boxes and programs that you do not customize. This keeps their settings outside of the default user profile. For example, if you want to customize Windows Media Player, do not open the program.
Clean up user profiles You cleaned up the user profile a bit in the previous section, but only to remove some from the profile structure. The next big step is to open the profile hive in Regedit and 237. The most important example is paths. User profiles contain references to the profile folder: %SYSTEMDRIVE%\Documents and Settings\name. If you provide the user profile to countless users, they all have different profile folders. When trying to access the name profile folder, Windows XP and programs fail because the user does not have access to that folder. A more concrete example should clarify this. Suppose you created a user profile with a template account named DefUser and deployed that profile to a user named Jerry. User Jerry has access to %SYSTEMDRIVE%\Documents and Settings\Jerry, but %SYSTEMDRIVE%\Documents and Settings\DefUser folder doesn't even exist. If user Jerry runs a program that uses a setting that includes the path to the DefUser user profile folder, the program will fail. To correct this
Follow these steps: Log on to the computer that contains the template user profile as an administrator. 1. In Regedit, load the Hive Ntuser.dat file from the user profile templates folder. (For more information on using Hive files, see Chapter 2, "Using Registry Editor.") 2. Browse the Hive file for references to the user profile templates folder. If the folder name is longer than eight characters, look for the long and short versions of the folder name. 3. Remove values that include the path of the template user profile folder. 4. Unload the Hive file and restart the computer. A computer restart is often required because Windows XP locks the file and you cannot copy it. Restarting the computer is the quickest way to force it to let go of the file. 5. If you remove values that include the template user profile folder path in step 4, assume that Windows XP and other programs are recreating missing settings. That's not always true. Some of my favorite apps fail to recreate missing settings. You'll learn what works and what doesn't through trial and error. However, you can easily solve the problem. Instead of permanently removing the value, replace a REG_SZ value with a REG_EXPAND_SZ value of the same name. Then set the value to the original path and replace %USERPROFILE% with the part that is the user profile folder. For example, if you see a REG_SZ value named Templates containing C:\Documents and Settings\Jerry\Templates, remove the value; then add the Templates value back as a REG_EXPAND_SZ value and set it to %USERPROFILE%\Templates. Test these changes in your lab to ensure they work properly. In the previous section, you cleared some of the history lists using the Windows XP user interface. Take this opportunity to further cover your tracks by removing the keys listed in Table 104. These correspond to most history lists that Windows XP keeps, including the Search Companion and common dialog boxes. Table 10-4: History Lists to Remove History List Key Internet Explorer Address Bar HKCU\Software\Microsoft\Internet Explorer\TypedURLs Run Dialog Box HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU Documents Menu HKCU\Software\Microsoft \ Windows\CurrentVersion\Explorer\RecentDocs General dialog boxes
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32 \LastVisitedMRU Search Assistant HKCU\Software\Microsoft\Search Assistant\ACMru 238 The template user profile is ready to use. Now all you have to do is copy it. To open the Users dialog box, click Start, Control Panel, Performance and Maintenance, and then System. On the Advanced tab, in the User Profiles area, click Settings. In the User Profiles dialog box, create a template for the user profile, and then click Copy To. In the "Copy profile to" field (see image), specify the path to which you want to copy the profile. For convenience, I usually copy the folder to C:\Default User. Just make sure the folder doesn't already exist. Also, the Everyone group permission to use the profile, which is appropriate for a standard user profile: Change, type Everyone, and then click OK. The default user profile can be deployed. The next section tells you how to do this. Figure 10-6: Copy template user profile using this dialog box; Do not copy the folder using Windows Explorer as this will copy artifacts that you do not want in the profile. The method just described is common for creating a default user profile from a template profile. I don't like it because user profiles grow a lot in size and complexity after Windows loads and uses them. A standard user profile created using the method just described will contain more files and folders than necessary. To use the more surgical method I prefer, follow this Copy %SYSTEMDRIVE%\Documents and Settings\Default User to a location other than C:\Default User. If you want to keep the original default user folder, you'll have to start over. 1. Copy the Hive Ntuser.dat file from the template user profile to your copy of the default C:\Default User folder. 2. Copy other files from the template user profile folder to your copy of Default C:\Default User. I tend to copy files from the following folders, assuming they want to deploy: \Application Data\Microsoft\Internet Explorer\Quick Launch → \Desktop → \Favorites → \NetHood → \PrintHood → \SendTo → \Templates → 3. 239 After completing the steps in the last section, you have a finished default user profile. You have two choices. When deploying Windows XP using disk imaging techniques, include the standard user profile in the disk image. Replace %SYSTEMDRIVE%\Documents Settings\Default User with your own default user folder. After replacing the default user with your own, clone and mount the disk image. When new users log on to the computer,
They will be your default user profile and therefore your settings. However, I don't like customizing the local default user folder as the only means of deploying defaults. I prefer to separate settings from configurations. What if I need to update a preference line? I don't want to update the default user folder on every computer in the organization. The alternative is to copy the customized default user folder to the NETLOGON share server. As you learned earlier in this chapter, Windows XP looks for the network version's default user folder first, and then for the local version. When users log on to a computer for the first time, XP retrieves my default user profile from the network. The advantage, of course, is that I can always do it later. The main problem with this method is that users who log on to their computers still get the default local user profile. For this reason I prefer to do both at the same time, replacing the default user folder on disk images and also copying the same folder to the server's NETLOGON share. Note An alternative to copying a standard user profile to the NETLOGON share is to keep the profile handy on the network and then copy it to users' network profile folders to create new accounts. For example, stash a standard user profile somewhere on a server. Assuming you are using roaming user profiles, copy the profile folders of the new default user accounts. When these users log on to Windows XP for the first time, the system downloads their roaming user profile, which you have already preconfigured. useful in one-off scenarios when you want users to have a different profile than this, also useful in a heterogeneous environment that often requires different versions of windows for different users.
Coexistence with earlier versions of Windows Coexistence is an issue that only affects roaming user profiles. If you don't use roaming profiles on your network, coexistence isn't an issue because you're not deploying different versions of Windows to users. However, in general, roaming user profiles are compatible with Windows 2000 and Windows XP. Here are some precautions you can take to minimize problems: Try to ensure that users with roaming user profiles log on to the same Windows on each computer. This means you should choose your rollout units to include all computers that users can access. • As a minimum, ensure that all computers on which you have applications installed have the same application versions installed on all computers in the same path. • When using roaming user profiles with Windows 2000 and Windows XP, make %SYSTEMDRIVE% and %SYSTEMROOT% the same. Also make sure they are saved in the same path. If you use roaming user profiles with Windows Windows XP, you should move the location of the user profiles used by Windows XP by moving the ProfilesDir property to the [GuiUnattended] section of your answer file. • 240 Windows NT-based profiles. Second, since I am aware of both versions of the registry and that slight differences between the two are likely to cause configuration issues, I would encourage you to provide more information and carefully test these scenarios in
Migrate user settings to Windows XP
Standard user profiles give new users settings, but what do you do with users who are already using profiles? You can let Windows XP migrate the user profile. Throw in disk imaging and you've got a whole host of other problems. One of the disadvantages of using OS disk imaging is that users lose their documents and settings. However, this has no barrier to deployment. Various third-party utilities are available for migrating settings. Also, Microsoft provides two tools, one for the user and one for the IT pro. All of these tools work in roughly the same way. First, you extract users' documents and settings from their computers and store them on the network. They install a new disk image on theirs and then reapply their settings. Users can keep their documents and settings. Here are tools provided by Microsoft: Files and Settings Transfer Wizard. This tool is designed for the user. This wizard is useful in corporate environments when employees want to migrate their own and settings without help from the IT department. • User State Migration Tool (USMT). This tool is designed for IT professionals deploying Windows XP Professional at scale in an organization. USMT provides the same functionality as the Files and Settings Transfer Wizard, but with more functionality. USMT IT professionals have precise control over the documents and settings to be migrated. •
Files and Settings Transfer Wizard The Files and Settings Transfer Wizard is a quick and easy way to copy all your document settings from your previous configuration to Windows XP. To start, click Start, All Accessories, System Tools, Files and Settings Transfer Wizard. It migrates settings in groups: action. This group contains settings like the key repeat rate, whether Doublefolder opens it in a new window or in the same window, and whether you need to double-click or single-click an item to open it. • Web. This group contains settings that allow you to connect to the Internet and how Internet Explorer works. This includes settings such as your home page URL, Internet shortcuts, cookies, security settings, dial-up connections, and so on. • Post. This group contains settings for connecting to your mail server, your signature views, email rules, local email and contacts. The wizard only supports Outlook and Express. • Application. This group includes application settings such as Microsoft Office. migrates only application settings, not the applications. You must reinstall the Windows XP update. • The Files and Settings Transfer Wizard also migrates your documents. This is done by type (*. (C:\Documents and Settings\Administrator\My Documents) or by name (C:\Documents 241 File Types and File Lists.
User State Migration Tool The User State Migration Tool (USMT) is similar to the Files and Settings Transfer Wizard, but gives you the ability to fully customize exactly what is being migrated. USMT is designed for IT
professionals only; individual users do not need to use USMT. The tool is designed for large scale and requires a domain controller on which to store settings during migration. USMT consists of two programs, ScanState.exe and LoadState.exe, and four migration information files: Migapp.inf, Migsys.inf, Miguser.inf, and Sysfiles.inf. ScanState.exe collects documents and settings based on the information contained in Migapp.inf, Migsys.inf and Sysfiles.inf. LoadState.exe places this user state data on a computer running an installation of Windows XP. Both tools are located in the Windows XP folder \Valueadd\Msft\Usmt. The shared set of INF files controls USMT. IT professionals use these files to customize the documents and settings that the tool migrates. In fact, during the deployment project, you will most likely need to modify the INF files to meet your needs. Note The "Step-by-Step Guide to Migrating Files and Settings" white paper is a good tutorial on how to use USMT. 242
Overview Windows Installer is a component of Microsoft Windows XP that simplifies the deployment, management, and removal of applications. It manages the installation by applying the setup rules that a package contains. These rules define the files to be installed and the configuration of the application. When you install Windows Installer-based applications, you can modify, repair, or remove them with a high degree of reliability - much greater than applications using older setup programs. Windows XP, Windows Installer is an operating system service. Windows Installer is a big topic. Component management, customization with transformations, deployment via Active Directory, and resiliency are some of the topics in the extensive list that you should learn about Windows Installer before deploying applications based on this technology. However, this is a book about the registry, so I need to focus on how Windows Installer interacts with the registry. That being said, you don't necessarily need to buy a book to learn how to deploy Windows Installer-based applications. Microsoft has published incredibly useful documentation on the company's website. The white paper to start with is Windows BenefitsandImplementationforSystemAdministrat www.microsoft.com/windows2000/techinfo/administration/management/wininstaller.asp. Office XP Resource Kit, www.microsoft.com/office/ork, is the ultimate learning resource Deploy large Windows Installer-based applications such as Microsoft Office XP. At this point, I assume you are familiar with Windows Installer and want to learn more about interacting with the registry. In this chapter I describe the Windows Installer registry First I describe the user and computer settings of the Windows Installer-based application Problem detects (e.g. missing or corrupted files) and activates users manually to the application's user and computer settings. This chapter also describes the
Professionals use to manage Windows Installer and the applications that use it. Some are more useful than others, so I'll describe those that provide solutions to common deployment problems. Finally, I describe the tools you can use to unregister an application's installer settings. These tools are sometimes essential because they corrupt the application's Windows Installer settings, you can't remove the application or remove programs and you can't reinstall or repair them.
Repairing Registry Settings One of the most common things you will do with a Windows Installer application's registry settings is to repair the registry settings. The most common scenario is when the settings are so out of whack that the only option is to reset them to their original values. also for computer settings. After the helpdesk call exceeds a reasonable amount, the technician can quickly end the call by repairing the application. The easiest way to repair a Windows Installer-based application is through its interface: On the application's Help menu, click Detect and Repair. • Under Add or Remove Programs, select the application you want to repair, click Change, and then follow the on-screen instructions. • 243 variable package is the path and name of the package file from which you installed the application. To repair user settings, type msiexec /fu package. To repair computer settings, type msiexec /fm package. The msiexec /fmu package command will get them both at the same time. These commands work pretty well as you can see for yourself. Install Office XP. Unregister its settings located in HKCU\Software\Microsoft\Office and then repair the user settings. Windows Installer recreates the missing settings. msiexec /f[p|o|e|d|c|a|u|m|v|s] package
p Reinstall missing files but do not check version o Reinstall missing files or files from a previous version e Reinstall missing files or files from the same or a previous version d Reinstall missing files or files not from the same version c Reinstall missing or corrupted files. This option only repairs files that have a checksum in the package file. a Reinstall all files regardless of their versions or checksums. u Rewrite the essential registry values described in the package file. This includes values in the HKU and HKCU user-specific branches. m Override essential registry values described in the package file. This includes values in the computer-specific branches HKLM and HKCR. s Reinstall all shortcuts and overwrite existing icons. v Cache the source package locally. Note Using Windows Installer to repair an application is a bit extreme considering you have System Restore at your disposal. Chapter 3, “Securing the Registry,” describes how to use this great configuration protection feature. If users' settings are out of whack, reverting to an earlier restore point will likely fix the problem
Problem. IT pros can also easily script this process, allowing the helpdesk to automatically revert to the most recent restore point.
Managing Windows Installer with Policies Windows Installer provides a set of policies for managing application installation and user interaction. Some guidelines are more important and useful than others; I'll get to that in a moment. First, here is the listing (the parentheses indicate the policy registry values): User Configuration\Administrative Templates\Windows Components\Windows Installer (HKCU\Software\Policies\Microsoft\Windows\Installer) AlwaysInstallElevated. Instructs Windows Installer to use system permissions when installing a program on the system. You must also set the computer version of this policy for it to work. → Search order (SearchOrder). Specifies the order in which Windows Installer searches for installation files. In other words, you can specify the order in which network, local media, and web locations are searched for installation files. → Prohibit rollback (DisableRollback). Prevents Windows Installer from generating and saving the files required to roll back an interrupted or failed installation. This is useful when you know the disks do not have enough space to store the rollback files. However, it is dangerous because Windows Installer cannot restore the computer if the installation fails. → • 244 Prevent users from self-installing applications and circumventing IT policies. however, controls only Windows Installer-based applications. Computer Configuration\Administrative Templates\Windows Components\Windows (HKLM\Software\Policies\Microsoft\Windows\Installer) Disable Windows Installer (DisableMSI). Disables or restricts the use of the installer. Use this policy to restrict Windows Installer to managed applications. You can choose to allow users to install Windows Installer-based applications, allow them, or allow them to only install managed applications. → Always install with elevated rights (AlwaysInstallElevated). Instructs the installer to use system permissions when installing a program on the system. must also set the per-user version of this policy for it to work. → Prohibit rollback (DisableRollback). Forbids Windows Installer from saving the files it needs to undo an interrupted or failed operation. This is useful when you know that the user's hard drive does not have enough space for the rollback files. However, it is dangerous because Windows Installer can restore the computer if the installation fails. → Remove search dialog for new source (DisableBrowse). Prevents searching for installation files when they add features or components of the installed program. By default, if Windows Installer cannot find the application's files, it displays a dialog box that allows users to browse for the files. →
Disable patching (DisablePatch). Prevents users from using Windows installation patches. Prevent users from patching their applications to protect against malicious code. → Disable the IE security query for Windows Installer scripts (SafeForScripting). Allows web-based programs to install software on the computer without notifying the user. → Activate user control over installations (EnableUserControl). Allows users installation options normally only available to system administrators. Policy only in environments where configurations are unlocked and carefully controlled, as some of the security features built into Windows Installer are bypassed. → Allow the user to browse for the source with elevated privileges (AllowLockdownBrowse). Allows users to search for installation files during privileged installations. Windows Installer does not allow users to search for installation source files that run with elevated privileges. → Allow user to use media sources while elevated (AllowLockdownMedia). Allow users to install programs from removable media such as floppy CD-ROMs during privileged installations. By default, Windows Installer does not prompt users to install applications from local media when running with permissions. → Allow the user to patch elevated products (AllowLockdownPatch). Allows upgrade programs during privileged installations. By default, Windows does not allow users to patch applications if the installer has elevated privileges. → Allow the administrator to install via terminal services (EnableAdminTSRemote). Allows Terminal Services administrators to remotely configure programs. Windows Installer only allows administrator applications if they are console users. This policy allows them applications that use Terminal Services. → Save transformations in a safe place on the workstation (TransformsSecure). → • 245 from computer to computer. However, users can change the transformations. causes Windows Installer to store transforms in a safe place and prevents them from being modified, but the transforms do not follow users. Logging (Logging). Specifies the types of events that Windows Installer logs in its transaction log for each installation. The Msi.log log is displayed in the system volume directory. → Prohibit user installations (DisableUserInstalls). Allows user installations by IT professionals. This policy has three options. Allow per-user installs, which is the default, and Windows Installer prefers per-user installs over per-machine installs. Installs per user and Windows Installer prefers installs per computer per user. Prohibit user installations and Windows Installer will prevent applications
Installation per user. The last option is desirable to ensure a default configuration available to all users on all computers. → Disable the creation of system restore checks (LimitSystemRestoreCheckpointing). Prevents Windows installation at System Restore checkpoints. System Restore allows users who are having problems to restore their computers to a previous state without losing personal files. By default, the Windows Installer automatically creates a system checkpoint each time an application is installed so that users can return the computer to the state it was in before the application was installed. → Of all the policies I've just described, the most useful are AlwaysInstallElevated, sufficient security to allow restricted users to install applications, TransformsSecure, which transforms to prevent tampering, and the other policies you can use to significantly improve Windows Installer. Both ends of the spectrum are available to you.
Installation with Elevated Privileges The InstallAlwaysElevated policy installs Windows Installer-based applications with privileges. The Microsoft documentation often calls this a privileged installation. This policy allows users to install applications that they would otherwise not be able to install because they are in groups or because you have locked down your organization's desktops. A better way is to deploy applications through Active Directory or using something like SMS (Microsoft Management Server). If none of the products are available to you, consider applying this policy, but be aware that the consequences can be severe. These consequences are due to the fact that users can use this policy control for their computers. Potentially, users could permanently change their permissions to bypass your ability to manage their accounts and computers. In addition, this policy protects against viruses disguised as Windows Installer package files. For these reasons, I only recommend this in the worst-case scenarios where no method is available to throw users into the local admins group. For this policy to take effect, you must enable both the per-machine and per-user versions at the same time. In other words, enable it in both computer configuration and user configuration. TipDeploying applications to locked desktops is a common and difficult scenario. The AlwaysInstallElevated policy isn't the best solution either. Apart from the typical tariffs, Active Directory and SMS, there are elegant solutions to this problem. Chapter 7, Registry Security, describes many of them, including using security templates and running setup programs with elevated privileges.
Caching Transforms in Secure Locations Transforms are essentially response files for Windows Installer-based applications. The Deploying Office XP Settings chapter describes transformations, but chances are you already know all about them. Transforms that you create with the Office XP Resource Kit's Custom Installation Wizard customize the way an application is installed. When you install an application using a transform, Windows Installer saves the transform with an .mst extension in the Application Data folder of the user profile. Windows Installer requires this file
reinstall, remove or repair the application. Retention in the user profile ensures that the file is always available. For example, if users have roaming user profiles, the transformation from computer to computer follows them. However, this is not certain. If you set the TransformsSecure policy, Windows Installer instead stores transforms in %SYSTEMROOT%, where users do not have permissions to modify files. However, because Windows Installer requires access to the transform used to install an application, the user must use the same computer on which they installed the application or have access to the original installation source to install, remove, or access software repair. The idea behind this policy is to secure enterprise transformations when IT pros cannot risk users maliciously modifying the files.
Windows Installer Lockdown Table 11-1 describes the policies that provide the greatest security for Windows Installer-based applications and Windows XP in general. The first part of the table contains policies per user, the second part contains policies per computer. In the Setting column, Not Configured means that you do not define the policy. Activated speaks for itself. Table 11-1: Windows Installer secure settings Policy setting User configuration Always install with elevated privileges Not configured Prevent removable media source for all installations Enabled Computer configuration Always install with elevated privileges Not configured Allow user to browse source while elevated Not configured Enable user to Use elevated media source Not configured Allow users to patch elevated products Not configured Remove browse for new source dialog box Enabled Disable Windows Installer Enabled for unmanaged apps only Disallow patching Enabled Enable user control over installations Not configured IE security prompt for Windows Installer disable scripts not configured cache transformations in a safe place on the workstation Enabled 247 to 0x01. To disable the policy, set it to 0x00. Clear the value to remove the policy. However, these are typical of enterprise-style deployments, so I wouldn't configure them to be completely unmanaged. Instead, use Group Policy to configure them locally or on the where you can properly manage them.
Removing Windows Installer Data If you found that removing older applications manually was difficult, try removing installer-based applications manually. More than once I've corrupted Windows Installer applications so badly that I couldn't remove, repair, or reinstall them. In these, the application's Windows Installer data had to be manually removed from the Windows XP registry. There are tools available that automate this process and you will learn about them
Chapter. Removing Windows Installer data without these tools is like replacing transistors on your computer's motherboard—it's not really possible. Before introducing the tools, I will direct you to the location in the registry where Installer stores data about the installed applications. Do not change these settings using Notepad (Regedit) as this will likely cause you pain. It's difficult to sort out the relationships between all the different bits of data that Windows Installer stores in the registry. only have good information available: HKCU\Software\Microsoft\Installer. This branch contains per-user Windows Installers for applications that you install per-user. • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer. This branch Windows Installer data for per-machine applications and managed applications. • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. This information about removing the branch for Windows Installer-based programs. • HKCR\Installers. This branch contains information similar to the Installer key at • The tools you will learn about in the next two sections come with Windows XP Support. Install the tools from \Support\Tools on your Windows XP CD.
Msizap.exe Msizap is a tool that removes most of the data that Windows Installer maintains for an application. however, does not remove the files or settings of the application from the hard drive; you have it yourself. You can focus this utility on a single application or make changes to the Windows Installer data. I've had good luck using Msizap to unregister the application's Windows Installer data, but I don't trust it to grow large enough to remove all Windows Installer folders and registry keys. The following examples show the different forms of the command line of the Msizap program. two forms are the most useful. In the first case, you provide the product code, which is the unique GUID. You probably don't know the product code right away, so you should use the second form. In the second form, enter the path and the name of the package. Then Msizap will look up the product code for you. An example is fine. Assuming that Microsoft Office XP is installed and cannot remove it using Add/Remove Programs, msizap T! path\proplus.msi in the Run dialog box. Path is the path that contains the Proplus.msi package. After Msizap has finished removing the application's Windows Installer data shortcut 248 from the start menu, but when you click on it you see an error message telling you that the application is not installed. Chapter 3, "Backing Up the Registry," describes how to manually remove a program after you've made it this step. msizap msizap msizap msizap
T[A!] Produktcode T[A!] Paketdatei *[A!] ALLPRODUCTS PSA?!
* Remove all Windows Installer folders and registry keys, adjust the number of shared DLLs and stop the service
T Remove all Windows Installer information for a product. P Remove the key in progress. S Remove rollback information. A Give admins full control over destination folders and keys instead of removing them. W Apply changes to all users instead of just the current user. G Remove Cached Windows Orphaned Installation Files! Automatically answer yes to all prompts ? View Help TipI don't feel comfortable manually removing a program's files and registry settings after using Msizap. Most large applications store settings in the registry beyond the typical HKU\Software\Vendor\Product\Version keys. For example, they register components in HKCR and you may not get rid of them all. My solution seems strange but it works fine. Zapping a program's Windows Installer data from the registry should allow me to reinstall it. So I reinstall the application and then use "Add or Remove Programs" to remove it. Windows Installer will probably remove the application much cleaner than I did.
Msicuu.exe Windows Installer Clean Up (Msicuu.exe in the Windows XP Support Tools) adds a graphical user interface to Msizap.exe. If you are at the computer, use this tool instead of using Msizap at the command prompt. It's less error-prone: In the Run dialog box, type Msicuu and click OK. 1. In the Windows Installer Clean Up dialog box (see Figure 11-1), click the application for which you want to unregister Windows Installer data, and then click Remove. 2. 249 Figure 11-1: Windows Installer Clean Up is a user-friendly interface for Msizap. Confirm that you want to unregister the application's Windows Installer data by clicking OK. 3.
Inventorying Applications One of the most common requests I get regarding Windows Installer-based applications is to inventory the applications and features installed on users' computers. If you already have a software management infrastructure in place, consider using the tools provided. Otherwise, Microsoft's TechNet Script Center (www.microsoft.com/technet/scriptcenter), which has a great collection of useful scripts, has a few scripts that do very well for the purpose. Listing 11.1 is a script that inventories the software installed on a computer. Listing 11.2 is a script that inventories the capabilities of all software installed on a computer. These stocks only
However, Windows Installer-based applications do. Using Notepad, type each script and save it as a text file with a .vbs extension. To run each script, double-click the file. Listing 11-1 Inventory.vbs Set objFSO = CreateObject("Scripting.FileSystemObject") Set objTextFile = objFSO.CreateTextFile("c:\scripts\software.tsv", True) strComputer = "." Set objWMIService = GetObject("winmgmts:" _ & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") Set colSoftware = objWMIService.ExecQuery _
250 "Install Date" & vbtab & "Install Location" & vbtab & _ "Install Status" & vbtab & "Name" & vbtab & _ "Package Cache" & vbtab & "SKU Number" & vbtab & "Vendor" & vbtab _ & "Version" for each objSoftware in colSoftware objTextFile.WriteLine objSoftware.Caption & vbtab & _ objSoftware.Description & vbtab & _ objSoftware.IdentifyingNumber & vbtab & _ objSoftware.InstallDate2 & vbtab & _ objSoftware.InstallLocation & vbtab & _ objSoftware.InstallState & vbtab & _ objSoftware.Name & vbtab & _ objSoftware.PackageCache & vbtab & _ objSoftware.SKUNumber & vbtab & _ objSoftware.Vendor & vbtab & _ objSoftware.Version Next objTextFile.Close
Listing 11-2 Software.vbs strComputer = "." Set objWMIService = GetObject("winmgmts:" _ & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") Set colFeatures = objWMIService.ExecQuery _ ("Select * from Win32_SoftwareFeature") For each objFeature in colfeatures Wscript.Echo "Accesses: " & objFeature.Accesses to Wscript.Echo "Attributes: " & objFeature.Attributes Wscript.Echo "Caption: " & objFeature.Caption Wscript.Echo "Description: " & objFeature.Description Wscript.Echo " Identifying number: " & objFeature.IdentifyingNumber Wscript.Echo "Install date: " & objFeature.InstallDate Wscript.Echo "Install state: " & objFeature.InstallState Wscript.Echo "LastUse: " & objFeature.LastUse Wscript.Echo "Name: " & objFeature .Name Wscript.Echo "ProductName: " & objFeature.ProductName Wscript.Echo "Vendor: " & objFeature.Vendor Wscript.Echo "Version: " & objFeature.Version Next
Updating Source Lists After inventorying Windows Installer-based applications, the second most common request I receive is to update an application's source list. When you deploy a Windows Installer-based application, you provide a list of alternate locations from which Windows Installer can install files. This supports multiple installation locations from a single set of configuration files. If you deployed an application with an incorrect source list or moved your administrative installations, you must update the source lists on each client computer. With previous versions of Windows Installer, updating source lists was a difficult task. You had to
Deploy a registry hack. With the current versions, you can use the custom maintenance wizard to provide an updated source list. This is a far more elegant solution than providing a registry hack. Chapter 14, "Deploying Office XP Settings," provides more information about using the custom maintenance wizard. 251 252
Overview Users who install Microsoft Windows XP on their own computers often do not worry about the setup program. Instead, they insert the CD into the drive, the setup program starts, and answers the setup program's prompts. This will not work in a company, since most companies do not know the answers to all of the setup program's questions. Automating the setup eliminates the need for users to fiddle with the installation. Additionally, as an IT pro, you want to make sure users are having a positive experience so they say positive things about it. Windows XP installation is more convenient and the options are not available through the setup program interface. Microsoft provides several tools to help you deploy automated and customized Windows installations. Each tool has purposes, strengths, and weaknesses that differ from tools in different deployment scenarios. Examples of deployment tools are Sysprep imaging and Remote Installation Service, both of which are included in the Microsoft Windows Server and Microsoft Windows .NET Server family of products. Each deployment method has unattended answer files that you use to automate the setup program so that it runs or requires no user interaction. The operating system setup program uses the information contained in the answer files instead of prompting the user. Response files are text files that look like INI files. Response files have many sections, and each contains settings. Because this book is about desktop deployment of Windows XP's registry and user settings, I'll only present answer files. Now that you've got the basics down, I'll describe two answer file features that specifically enable your user preferences as part of the Windows XP setup process. To learn more about Windows XP deployment, see the Microsoft Windows XP Corporate Deployment Tools User's You find it in Deploy.chm, located in the Deploy.cab file in the Support\Tools folder on the Windows XP CD is located. You begin this chapter by learning how to add files to the Windows XP distribution (the i386 folder).
Creating Distribution Folders To add files to the Windows XP distribution folder, first make a copy of the CDs on your hard drive because you cannot modify the CD. You don't need the rest of the files or the CD—just the i386 folder. Finally, in an enterprise deployment, you replicate the i386 folder to distribution servers and then deploy the command that installs Windows. If you are a power user, you will probably burn a custom CD containing your files. You
the distribution folder by creating the structure shown in Figure 12-1. Figure 12-1: In addition to creating this folder structure, you must set the Windows XP answer file OEMPreinstall=Yes. Here is a description of each folder shown in Figure 12-1: i386 folder. This is the i386 folder from the Windows XP CD including all of its files and files. • $OEM$. This is the OEM distribution folder that contains additional files that you want and that are required to install Windows XP. If you use the [Unattended] section of the answer file's OemFilesPath setting, you can create the $OEM$ folder outside of the folder. I often create multiple $OEM$ folders (one for each different configuration) and deploy each along with a single i386 folder. To do this, I create an answer file configuration that points to a unique $OEM$ folder. You must include OemPreinstall= in the [Unattended] section of the answer file if you are using the $OEM$ folder for the system or if you are using Cmdlines.txt to run other programs during installation. • Cmdlines.txt. This file contains the commands that the setup program runs to install. The file format is similar to an INI file. You create this file in $OEM$ by adding each command in the [Commands] section. For more information about Cmdlines.txt, particularly providing user settings with Windows XP, see "Cmdlines." in this chapter Renaming names to long file names. You can use a long filename $$Rename file for each short filename folder that you want to rename • $OEM$\Textmode: This folder contains hardware-dependent files that are installed on the target computer during text mode installation Storage device driver, txtsetup .oem file that describes how to load and install these components. List in the [OEMBootFiles] section of your answer file. This folder is not as necessary when hardware configurations vary widely. • $OEM$\ $$. This is the folder where you will add files a Locate the subfolders you want the program to copy to the %SYSTEMROOT% folder on the target computer. This customizes the system folders of Windows XP Professional. To create a file named Sample. %SYSTEMROOT%\System32, add it to $OEM$\$$\System32. The subfolders of the setup program that do not exist on the target computer. Therefore, you can create a new name called Drivers in %SYSTEMROOT% to provide third-party device drivers with Windows. OemPnPDriversPath must specify the location of third-party device drivers on the computer. in this case OemPnPDriversPath=%SYSTEMROOT%\Drivers. • $OEM$\$1. This folder allows you to add files and folders to the target computer %SYSTEMDRIVE%. It works similar to $OEM$\$$ except you add $ files to the root of the drive where you install Windows XP. A typical create a folder on %SYSTEMDRIVE% named $OEM$\$1\Sysprep which automatically adds the Sysprep folder and files needed to prepare the target computer
• 254 TipYou can use Setup Manager to create the i386 distribution folder for Sysprep, Remote Installation Service, or an unattended installation using an answer file. Setup Manager is located in Deploy.cab, located under \Support\Tools on the Windows XP CD. Open Deploy.cab in Windows Explorer and extract the contents to a folder on your hard drive. I prefer to create the distribution folder manually as many options are not available through the Setup Manager UI. Customize Default Settings Windows XP doesn't invent its settings out of thin air. It uses four INF files in the i386 distribution folder to create the registry hive files when you install the operating system. These INF files use the same syntax I described in Chapter 9, “Registry Modification Scripts,” and you should be able to customize them easily. Here are these four INF files: Hivecls.inf. This INF file creates the settings in HKLM\SOFTWARE\Classes (HKCR). • Hivedef.inf. This INF file creates the settings in HKU\.DEFAULT. It also creates the default user profile settings. • Hivesft.inf. This INF file creates the settings in HKLM\SOFTWARE. • Hivesys.inf. This INF file creates the settings in HKLM\SYSTEM. • You can change any of the default Windows XP settings by changing the setting in the Hive files listed. For example, if you want to use some of the custom hacks shown in Chapter 4, “Hacking the Registry,” change these values in the Hivedef.inf file. This replaces creating a standard Windows XP user profile. If you want to change file associations for each computer in the organization, change them in the Hivecls.inf file.
Customizing Response Files As you learned earlier, a response file is a script that looks a lot like an .ini file. The script controls the setup program instead of the setup program prompting the user for information. An answer file not only automates the Setup program's user interface, but also allows you to configure Windows XP in ways that are not possible through the user interface. I'm using an answer file to change the location of user profiles from, say, %SYSTEMDRIVE%\Documents and Settings to %SYSTEMDRIVE%\Profiles because I'm a command line junkie and don't like typing C:\Documents and Settings over and over again. Unattend.txt is the traditional name for answer files, but I prefer to give answer files names that make it easy to decipher their purpose. Just make sure you limit their names to eight characters so you can read their names when installing Windows XP with MS-DOS. Also, I don't like using it
the .txt extension for response files. I prefer to use .sif, the file extension for setup information files, so I can easily distinguish a text file from an answer file. For example, I might have an answer file for installing Windows XP on a lab computer called Labprep.sif. You can create different answer files for different departments named Sales.sif, Legal.sif, and so on. Still, use descriptive names that help you identify the differences between response files as you expand a collection. 255 Listing 12-1: Unattend.txt [Unattended] UnattendMode = FullUnattended TargetPath = Windows FileSystem = LeaveAlone OemPreinstall = Yes OemSkipEula = Yes [GuiUnattended] ; Set the time zone. For example, to change the time zone for the ; Pacific Northwest, use the value 004. Be sure to use the ; numeric value representing your own time zone. lookup ; a numeric value, see the Deploy.chm file on the Windows XP Professional CD. ; The Deploy.cab file is located in the \Support\Tools folder. TimeZone = "YourTimeZone" OemSkipWelcome = 1 ; The OemSkipRegional key allows skipping the unattended installation; RegionalSettings if the final location of the computer is unknown. OEMSkipRegional = 1 [user data] ; Tip: Avoid using spaces in the ComputerName value. ComputerName = "YourComputerName" ; To ensure a fully silent installation, you must provide a value; for the ProductKey key. ProductKey = "Your product key"[LicenseFilePrintData] ; This section is used for server installations. AutoMode = "PerServer"AutoUsers = "50" [Display] BitsPerPel = 16 XResolution = 800 YResolution = 600 VRefresh = 60 [Components] ; This section contains keys to install the components of ; Windows XP Professional. A value of On installs the component and a ; A value of Off prevents the component from being installed. iis_common = On iis_inetmgr = Off iis_www = Off iis_ftp = Off iis_doc = Off iis_smtp = On ; The Fp_extensions key installs Front Page server extensions. Fp_extensions = On ; If you set the TSEnabled key to On, Terminal Services will be installed on; a current version of Windows Server. TSEnabled = On ; If you set the TSClients key to On, the ; Terminal Services client disks are installed. If you put this button ; to On, you must also set the TSEEnabled key to On. TSClients = One Indexsrv_system = One Accessopt = One Calc = One Charmap = One Chat = One Clipbook = One
256 Hypertrm = On Media_clips = On Media_utopia = On Minesweeper = Off Mousepoint = Off Mplay = On Mswordpad = On Paint = On Pinball = Off Rec = On Solitaire = Off Templates = On Vol = On [TapiLocation] CountryCode = "1" Dialing = Pulse ; Displays your phone's area code. This value must ; be a 3-digit number. AreaCode = "Your phone area code" LongDistanceAccess = 9 [Networking] [Identification] JoinDomain = YourCorpNet DomainAdmin = YourCorpAdmin DomainAdminPassword = YourAdminPassword [NetOptionalComponents] ; The section contains a list of optional network components to install. Snmp = Off Lpdsvc = Off Simptcp = Off [Branding] ; This section marks Microsoft® Internet Explorer with custom ; Properties from the unattended installation response file. BrandIEUsingUnattended = Yes [URL] ; This section contains custom URL settings for Microsoft ; Internet Explorer. If these settings are not present, the ; default settings are used. Returns the URL for the ; Default browser home page. For example, you could ; The following: Home_Page = www.microsoft.com. Home_Page = YourHomePageURL ; Specifies the URL for the default search page. For example, ; Use the following: Search Page = www.msn.com Search_Page = YourSearchPageURL ; Specifies a shortcut name in the Favorites shortcuts folder. ; For example, you could use: Quick_Link_1_Name ; "Microsoft Product Support Services" Quick_Link_1_Name = "Your Quick Link Name" ; Specifies a shortcut URL in the Favorites links folder. To the ; You can use this: Quick_Link_1 = http://support.microsoft. Quick_Link_1 = YourQuickLinkURL [proxy] ; This section contains custom proxy settings for Microsoft
257 ; with their own values. HTTP_Proxy_Server = Proxysrv:80 Use_Same_Proxy = 1
You tell the setup program your answer file with the /unattend command-line option. You can shorten this to /u (we all know that technology professionals and enthusiasts have a limited number of keystrokes in their lives). You must also use the Setup program's /source command-line option to tell it where to find the Windows XP source files. You can shorten it to /s. The setup program's command line has many other options that control how it works. For more
See Deploy.chm in Deploy.cab in the Support\Tools folder on the Windows XP CD. The following example commands run the setup program from \\camelot\wxppro: net use w: \\camelot\wxppro w:\i386\winnt /s:w:\i386 /u:w:\winnt.sif
Setup Manager Use Setup Manager to create answer files for unattended Windows XP installations, automated installations using Sysprep, or automated installations using the Remote Installation Service. Setup Manager is located on the Windows XP CD in the Deploy.cab file in the Support\Tools folder. Installation Manager is a wizard that helps you create and modify response files by prompting you for the information required to create response files. Setup Manager can create new answer files, import existing answer files, and create new answer files based on a computer's current configuration. The last option is useful when you want to configure network settings in an answer file and don't want to understand all the available settings or risk errors, which are probably due to how complex these sections are sometimes. To install and run Setup Manager, double-click Deploy.cab in the Support\Tools folder on the Windows XP CD, then copy the contents of the cab file to a folder on your hard drive and double-click Setupmgr.exe to launch Setup Run Manager as shown in Figure 12-2. The result of the wizard is an answer file. Table 12-1 describes the different Setup Manager pages in the order in which you see them. Table 12-1: Setup Manager Pages Page Description Set User Interaction Use this page to set the level of user interaction during the setup process. Select Provide default values to see the configurable values provided in the answer file, or select Fully automated to create a setup process that requires no user interaction. Customize the software Use this page to specify an organization and username. Display Settings Use this page to configure the display settings for color depth, screen resolution, and refresh rate. I prefer to allow Windows XP to automatically adjust these settings to the best available, and you should generally avoid setting a refresh frequency unless you are 100% sure that all monitors used by your organization can support that frequency. In general, 70 is a safe choice, and LCD monitors work best at 60. Time Zone Use this page to set the time zone. 258 Providing the product key Use this page to provide a product key, which is required for a fully automated installation. Computer Names Use this page to instruct Setup Manager to generate a Uniqueness Database File (UDF) that the setup program uses to give each computer a unique name. If you import names from a text file,
Setup Manager converts them to a UDF file. You can also set an option to generate unique computer names. Administrator Password Use this page to instruct Setup Manager to encrypt the local administrator password in the answer file to prevent users from gaining unauthorized access to the local administrator account. You can also configure the answer file to prompt users for the local administrator password during installation. If the Administrator Password field is blank, you can use the AutoLogon feature to automatically log on to the client computer as an administrator. For more information on using the AutoLogon feature with [GuiRunOnce] to deploy user settings with Windows XP, see “[GuiRunOnce]” later in this chapter. Network Components Use this page to configure all network settings in Setup Manager that you can configure on the desktop. The user interface for specifying the network settings in the Setup Manager is the same as in Windows XP. Workgroup or Domain Use this page to add computers to a domain or workgroup. You can also automatically create accounts on the domain. Telephony Use this page to set telephony properties such as area codes and dialing rules. Regional Settings This page allows you to set regional options such as date, time, and currency formats. Languages Use this page to add support for other language groups. Browser and Shell Settings Use this page to configure Internet connections, including proxy server settings. If you need to customize the browser, you can use the Setup Manager to access the Internet Explorer Administration Kit (IEAK) available at http://www.microsoft.com and the Office XP Resource Kit Toolbox at http ://www. microsoft.com/office/ork. Installation Folder Use this page to specify the default Windows folder, create a unique folder during setup, or install Windows XP to a custom folder. For example, if you plan to keep Microsoft Windows 2000 in parts of your organization or to upgrade from Windows 2000 to Windows XP, you can move Windows XP from the Windows folder to the Winnt folder so that you have a consistent have folder structure . Install Printer Use this page to install printers as part of the installation process. Run Once Use this page to add commands that run automatically when a user logs on to the computer for the first time. Setup Manager adds these commands to the [GuiRunOnce] section of the answer file. For example, you can start the Microsoft Office XP setup program from here. For more information on using this feature to provide user preferences, see “GuiRunOnce” later in this chapter. Additional Commands On this page you can add commands to be run at the end of the setup process and before the user logs into the system, e.g. B. starting a 259 setup program or adding user settings. For more information, see "Cmdlines.txt" later in this chapter. Figure 12-2: The Windows XP Setup Manager has been greatly improved over the Windows 2000 version. Most
Most of the changes are in the UI, but local admin password encryption is a new feature.
Notepad and other text editors Despite all the features of the Setup Manager, I prefer to create answer files manually. Now, before you think I'm being silly and just working for myself, let me add that I have a library of response file templates that I call on-demand. Once you create your first answer file and it's just right, you can use it over and over again, since little changes from job to job. I have another surprise for you that I'll hold onto until you reach the end of this section. You can use a text editor, e.g. B. Notepad, to create response files. They look just like INI files; both have sections and their sections contain settings. You don't have to use all the sections or values available in the response file if you don't need them. In fact, a typical answer file for a computer that you connect to a Microsoft-based network is only about 20 lines long. When you add errors to an answer file, the setup program reports the line number that contains the syntax error. I use the response file in Listing 12.2 a lot. Notice that I commented out the AdminPassword and FullName values by prefixing them with a semicolon (;) so that the setup program prompts the user for both values. For this example, you must provide your own product key (wink). Also note that I don't use the [Display] section in this answer file, but Windows XP automatically optimizes the display settings when the user logs on to the computer. Lastly, I commented out the DomainAdmin and DomainAdminPassword values in this answer file so that the setup program prompts the user for the necessary credentials to join the domain. I do this to avoid including my domain admin credentials in an answer file. However, this is not a problem as I delegate ownership of each computer object to users so they can use their own account to join their own computers to the domain. Listing 12-2 Unattend.txt [Unattended] FileSystem=ConvertNTFS OemPreinstall=Yes
260 [GuiUnattended] ; AdminPassword= OEMSkipRegional=1 OEMSkipWelcome=1 ProfilesDir=%SYSTEMDRIVE%\Profiles TimeZone=020 [UserData] ComputerName=* ; FullName= OrgName="Jerry Honeycutt" ProductID="Your Product ID"
[TapiLocation] AreaCode=972 CountryCode=1 Dialing=Ton [Identifikation] ; DomainAdmin= ; DomainAdminPassword= JoinDomain=HONEYCUTT [Networking] InstallDefaultComponents=Yes ;end
This answer file is just an example. I created this answer file to perform a clean install of Windows XP from MS-DOS. I also have answer files that upgrade Windows 2000 to Windows XP. I have answer files that create disk images for deployment. I have other answer files for deploying Windows XP via Remote Installation Services, building lab computers, installing Windows XP on mobile computers, installing Windows XP on Novell networks, and so on. Jerry's Answer File Editor Here's the surprise I promised. I don't use Notepad to edit answer files. I'm using Microsoft Word 2002. Here's why: Word includes built-in version control that allows me to manage the different versions of an answer file over time. I can revert to a previous version of an answer file to see what I changed. • Word includes a revision tracker that allows me to see the changes I've made to the current version of my answer file. This is a great feature for documenting answer files as well as sending answer files for review. • Word allows reviewers to comment on answer files without actually modifying them. This is another great feature for sending answer files for review. • Word allows me to create custom dictionaries. I create custom dictionaries that contain response file sections and value names, which ensures I don't add errors to response files with something as stupid as a typo. • I bet these four features are enough to convince you to use Word to edit answer files. This makes you as an IT expert many times more productive. The 261 into a text file. Enjoy!
Adding Settings to Unattend.txt Now you know how to create and use answer files. It's time to get to the heart of the matter, which is how to provide user settings with your answer file. How to deploy settings with Windows
XP you need a mechanism to run a program during the setup process. The Windows XP setup program offers two different mechanisms, but first think of all the different ways to add settings to the registry (and this is only a partial list): REG files. For more information about creating REG files, see Chapter 2, "Using the Registry Editor," and Chapter 9, "Recording Registry Changes." You import a .reg file using the regedit filename.reg /s command. • INF files. For more information on creating and installing INF files, see Chapter 9, "Scripting Registry Changes." You install an INF file by running the command rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 filename.inf. • Scripts. For more information about scripting Windows Scripting Host, see Chapter 9, "Scripting Registry Changes." You run a script using the wscriptfilename.ext command, where ext is either vbs or js. • OPS files. For more information about creating and installing OPS files, see Chapter 14, "Deploying Office XP Settings." You import an OPS file into the user's profile with the proflwiz /r filename.ops /q command. • Console Registration Tool for Windows (Reg). For more information about using Reg to edit the registry, see Chapter 2, "Using the Registry Editor," and Chapter 9, "Scripting Registry Changes." Reg has a robust command line interface that allows you to edit the registry using batch files. • Windows Installer package files (MSI files). For more information about package files, see Chapter 11, "Associating Windows Installer." For information about creating MSI files that install registry settings, see Chapter 9, "Scripting Registry Changes." • Now that I've reminded you of the many tools and commands I describe in this book for installing registry settings, read the following two sections, [GuiRunOnce] and Cmdlines.txt, to learn how to use them Deploy commands with Windows XP.
[GuiRunOnce] The [GuiRunOnce] section contains a list of commands that run when a user logs on to the computer for the first time after running the Windows XP setup program. Enclose each command in quotation marks. The commands in the [GuiRunOnce] section are run in the context of the console user, so you must ensure that the user has the appropriate permissions to run each command. You can use this feature to install a .reg file when a user logs on to the computer. For example, add the following lines to your answer file to import Settings.reg into the registry when a user logs in to the for the first time
computer: [GuiRunOnce] "regedit %SYSTEMROOT%\Settings.reg /s"
However, you must provide any programs and data files that you wish to use, and you do this by providing them through the $OEM$ distribution folders that you learned about in "Creating 262 %SYSTEMROOT% on the target computer" to ensure that a program by [GuiRunOnce] has a command line option to run in the background; You don't want to show any user interface while installing registry settings. All of the commands I listed in the "Adding to Unattend.txt" section include the command-line option to run them without displaying a user interface. Another method for deploying settings is to run the Profile Wizard from the Office XP resource Attach your answer file Add the following lines. Also make sure that the Windows program copies Proflwiz.exe and Settings .ops to the target computer. In this case I put i386\$OEM$\$$: [GuiRunOnce] "%SYSTEMROOT%\Proflwiz.exe /r %SYSTEMROOT%\Settings.ops /q".
Here are three things to keep in mind when using [GuiRunOnce]: You cannot run programs that force Windows XP to restart from [GuiRunOnce]. Because Windows XP loses any entries remaining in [GuiRunOnce] when it restarts, these commands will not run. If you cannot prevent the program from restarting, try repackaging it as a Windows Installer package file or add it as the last command [GuiRunOnce]. This is not a problem for any of the commands I gave you with these settings. • Any programs that rely on Windows Explorer will not work properly because Explorer will not run when the commands in the [GuiRunOnce] section are run. You may consider repackaging these applications. • When attempting to install Windows Installer package files from [GuiRunOnce], use the /wait switch to ensure that two packages are not attempted to install at the same time. Otherwise both packages will fail. However, this is only an issue when installing Windows packages using Setup.exe, as Setup.exe launches Windows Installer and then returns, allowing the next package to begin installing immediately. If Windows Installer packages use Msiexec (the Windows Installer command line instead), this problem is not an issue. Tip The commands in the [GuiRunOnce] section run asynchronously, which means they can potentially all run at the same time. d Run commands synchronously – one at a time – create batch runs the program with the /wait command of the start command The syntax is start program /wait where program is the path and program file Returns control to the batch file by Program Then run this batch file from [GuiRunOnce]. •
Cmdlines.txt The Cmdlines.txt file contains commands that the GUI-mode portion of the setup program uses when installing optional components, including applications that the setup program must run immediately after installing Windows XP. The commands in Cmdlines.txt run as system, so they run with elevated privileges. You put Cmdlines.txt in the $OEM$ subfolder of the XP distribution folder. You put the same types of commands in Cmdlines.txt that you would use
[GuiRunOnce]. You must also use the $OEM$ folder to copy data files such as .reg files and scripts to the target computer. 263 contains spaces. Here's an example that imports a .reg file named Settings.reg and installs it named Config.inf, assuming I've added both files to $OEM$\$$ in the distribution folder: [Commands] "regedit.exe %SYSTEMROOT%\Settings.reg /s" "rundll32.exe setupapi,InstallHinfSection DefaultInstall 132"\ "%SYSTEMROOT%\Config.inf"
However, using Cmdlines.txt differs from [GuiRunOnce] in a few important ways: you must create the $OEM$ distribution folders and set your OEMPreinstall= response file. • When the setup program runs the command in Cmdlines.txt, no user is logged on to Windows XP and no network connection is guaranteed. Because Windows XP stores settings in the standard user hive file, all users receive settings. • You cannot install Windows Installer packages using Cmdlines.txt. •
Automatic logon after installation If you use the [GuiRunOnce] section to deploy settings or run programs after installing XP, you should automatically log on to the operating system immediately after the installation is complete. Additionally, you will likely want to log in as a local administrator to install applications that require elevated privileges or change settings in HKLM that restricted users cannot change. Use the AutoLogon setting in the [GuiUnattended] section of your answer file. Set AutoLogon= This sets the AutoAdmin Logoninth HKLM\Software\Microsoft\Windows\CurrentVersion\WinLogon value, which you will learn about in Chapter 15, "Workaround IT Problems." You must also set AutoLogonCount in the [GuiUnattended] section. This setting specifies how often you want to automatically log on to Windows XP as a local administrator. the AutoLogonCount value in HKLM\Software\Microsoft\Windows\CurrentVersion\WinLogon. Typically, you only log on to XP once by setting AutoLogonCount=1. However, you can log in to the operating system as many times as necessary, e.g. B. if a setup program restarts the computer during the installation process. The following lines show you the necessary settings to use this function: [GuiUnattended] AutoLogon=Yes AutoLogonCount=1 [GuiRunOnce] "regedit %SYSTEMROOT%\Settings.reg /s"
If you set a password with the AdminPassword setting in [GuiUnattended], Windows XP uses that password to log on as the local administrator. However, if you encrypt the password and set EncryptedAdminPassword=Yes, Windows XP disables this feature. It falls somewhere between security and ease of deployment. But don't panic; Windows XP installation removes the password from all local copies of the %SYSTEMROOT%\System32\$winnt$.sif answer file. 264
Overview Disk imaging involves taking a snapshot of the configuration of a computer that includes Windows XP and applications such as those in Microsoft Office XP, and then deploying snapshots to other computers in the organization. It's essentially like installing a Windows computer's hard drive and then copying that hard drive to other computers. Use Disk Deployment for clean Windows XP installations in large organizations when hundreds of computers have the same configuration. Disk imaging is more effective when companies have standard configurations, but with a tweak here and there, it's a method that can be used in companies that tend to buy the computer du jour. While I will say disk imaging is for large organizations, in my 10 small PC I use it more conveniently and much faster to install Windows XP from a disk image than from scratch via the setup program. This is a huge productivity boost for me since I install Windows a dozen times a week. Disk imaging has two personalities: good and bad (not ugly). First the good: Disk imaging is the fastest way to deploy Windows XP. Instead of the operating system installation taking up to 45 minutes, a disk image installs in less than 10 minutes. And with multicasting technologies, you can deliver disk images to many computers at the same time. Perhaps the greatest benefit of disk imaging is that you can standardize third-party applications and custom desktops across the enterprise, all without user interaction. Now for the bad: you can't use disk imaging to upgrade from a previous Windows because you're replacing the contents of the disk. This means users' documents, settings, and applications will be lost unless you use the user state migration tool on the Windows XP CD. Also, disk imaging requires reasonably compatible sample and target configurations, although you can mitigate this problem a little with the techniques you'll learn in this chapter. Another concern is that multicasting can bring a network to its knees, so manage the rollout so it doesn't impact user productivity. The final problem, mounting disk images on remote computers is tricky—but it's not impossible when using images on CDs. The benefits of disk imaging far outweigh the potential problems, especially for large disk imaging Windows XP did better than Microsoft Windows 2000; XP's new disk imaging tools dramatically reduce the number of disk images you manage The Microsoft website is full of case studies of companies that have reduced their image percentage. A company reduced its image count from 50 with Windows 2000 to one with XP. This is impressive! This chapter shows you how you can use these advantages for yourself. In introducing you to disk imaging, I will focus on how the registry fits into the disk imaging process.
Cloning Windows XP The best way to understand disk imaging is to walk through the entire process. However, you will cover this process later in this chapter (see Figure 13-1 as you work through each step): Install Windows XP on the sample computer. 1. 266 your disk images after fixing problems. Do not join the computer to a domain; working group. Log on to the computer as an administrator and do one of the following: Install and customize any application that you want to include on the disk
B. Install Office XP. As a rule, do not adjust the settings picture per user; save this for a network-based standard user profile (see chapter "Distribution of user profiles"). → Install any third-party device drivers that are not included in the Drivers.cab that Microsoft distributes the Windows XP device drivers and that you can find in your distribution folders. → 2. Customize the %SYSTEMDRIVE%\Sysprep folder. Copy Sysprep.exe and Setupcl.exe to this folder. Also, copy and create the Sysprep.inf file in advance. Sysprep.inf automates the mini-setup wizard, a lightweight full setup program that runs when users start a computer on which you mounted a disk image. In the next section, I'll tell you where to get these files. 3. Run Sysprep.exe, select the Mini Setup check box, and then click Reseal. If the computer is ACPI compliant, Sysprep will automatically shut down the PC; Turn off the computer when you see a message stating it is safe to shut down the computer. 4. Clone the hard drive to an image file. 5. Figure 13-1: Use disk imaging to expose the contents of a sample computer's hard disk to the hard disks of other computers. It is an effective way to deploy many desktops. After deploying the disk image to users' computers and turning them on, Mini-Setup will start. First, the wizard detects the computers' plug-and-play devices. Then the wizard users must accept the license agreement, enter their name and organization, join a workgroup, specify regional options, configure TAPI, and select the network protocol services to install. The wizard may skip some or all of these settings when you configure Sysprep.inf. Finally, the mini-setup wizard removes %SYSTEMDRIVE% \Sysprep and the computer. The entire process takes less than five minutes. Before we move on to the actual techniques, I'm going to walk you through the tools required for the job. The following sections provide everything you need to prepare disk images in Windows XP, describe these tools, their limitations, and list third-party disk images to evaluate. (Third-party tools are required to duplicate disk images after preparing 267. Disk imaging consists of two phases: preparing disk image and cloning disk image. Everything required to prepare a disk image is on the Windows XP CD in the file Deploy.cab file.This Support\Tools folder Extract its contents by opening the file in Windows Explorer The disk tools in Deploy.cab include: Sysprep.exe Prepares the disk for the • Setupcl.exe: Renews the computer's security identifier (SID) since everyone on the network must have a unique SID It also starts the mini-setup Wizards for Windows XP on the computer • Sysprep.inf: Automates the mini-setup wizard by providing settings to users • The tools are self-evident, but I love the documentation in the Deploy.cab file - an improvement over the deployment documentation for Windows 2000. First Ref.chm describes
for creating answer files and includes a reference that describes all the settings you can use. Deploy.chm describes how to use the disk imaging tools in Deploy.cab. It also contains references for all settings that you can use in response files. This is the resource where you will learn the most about disk imaging.
Sysprep Limitations Due to the nature of disk imaging—copying an image of a hard disk to other computers—there are some Sysprep requirements (name them limitations if you like): The sample and target computers must have the same hardware abstraction (HALs). . For example, a disk image created on a computer that uses a uniprocessor that is incompatible with a computer that uses a multiprocessor HAL. • The sample and target computers must have compatible BIOS types. For example, an image created on a computer with an ACPI BIOS is not compatible with a computer with an APM BIOS. However, a disk image created with an APM BIOS is often a compliant computer that has an ACPI BIOS. • The target computer's hard drive must be at least as large as the example hard drive. If the target computer's hard disk is larger, you can set ExtendOEMPartition Sysprep.inf to extend the disk image to the end of the disk. The Sysprep.inf sample page opposite shows an example of using this setting to extend a partition. • Sysprep only prepares the disk image; it does not clone the disk. Therefore, to mount an image, you must use a third-party disk imaging product. The ThirdImaging Suites sidebar on the facing page gives you rating choices. My preference is Symantec Ghost, but there are many good products out there. • The Windows XP documentation also states that the mass storage controllers (IDE, SCSI, and ) must be identical on the sample and target computers. This is not the case if you inform Sysprep of the expected mass storage controllers. For More Information See the "Reducing the Image Count" section later in this chapter for more information. I've had good luck imaging mass storage controllers and deploying them to machines with vastly different mass controllers. The remaining devices are the sample and target machines don't have to be the same plug-and-play devices like modems, sound cards, network cards, video adapters, and you expect devices that Windows XP doesn't natively support (the device 268 comes after Windows XP. Chapter 12, “Deploying with Answer Files" describes how third-party device drivers are deployed with Windows XP. Often, device drivers that you download from a vendor's website aren't suitable for deployment. They're installed from package files, so you can't e just extract the device driver files, and then find out which files require are orderly and which are not. However, you can almost always get the latest device drivers from Windows Update, and these device drivers are in a format suitable for delivery via an answer file and on a disk image. The trick is to use the Windows Update Catalog. In Internet Explorer, click Tools, Windows Update. In the web
In the left pane of the page, click Personalize Windows Update. In the right pane, under See Also, select View link to Windows Update Catalog and click Save Settings. Now you will see the Windows Update Catalog link on the left pane of the Windows Update website, and you can browse and download packaged and ready-to-use device drivers. Third-party disk imaging suites Sysprep only prepares disks for duplication; it doesn't clone them. Hence, you need a third-party tool to mount disk images. A small sampling of the tools I'm familiar with include the following: Symantec Ghost. http://www.symantec.com • Altiris eXpress 5. http://www.altiris.com • Phoenix ImageCast. http://www.it-infusion.com • PowerQuest Deploy Center. http://www.powerquest.com • Symantec Ghost tops the list because it's the tool I know best and use the most. It's a robust disk imaging tool that can do much more than just clone disk images. For example, you can mount a disk image on a remote computer without ever leaving your desk. You can also use it to manage configurations, not just disk images. When I speak to admins around the world, this is the tool that 90 percent of them use, while the other tools tend to have a small but loyal following. Regardless, the disk imaging process is about the same across all these tools, and most of them are of high quality.
Creating a Disk Image You got the overview earlier in this chapter. Now it's time for some details. The first step is to configure a sample computer, and you can get the ball rolling by installing Windows XP. However, don't just put the Windows XP CD in the drive and manually install the operating system. If you find an error in your disk image, you will probably repeat it or introduce other errors since you are using a manual process. (Image plays Whack-a-Mole.) Instead, install Windows XP from a fully customized distribution folder. Chapter 12, “Deploying Using Answer Files,” describes how to customize the distribution folders to install Windows XP without user intervention. Just make sure your answer file joins a workgroup and not a domain, because Sysprep will remove the computer from the domain anyway and you don't want the extra registry junk. Next, install the applications you want to include in your disk image. Include only
Applications that you want to install on each computer where you mount the disk image. For example, manually include 269 applications for the same reasons I don't want to install Windows XP regression tests. Instead, install Windows Installer-based applications from fully customized administrative installations. Install other applications with all the silent mode switches, considering repackaging them as Windows Installer packages that you can install interactively. After you automate the installation of each application, you can easily install any Windows XP answer file. Tip Whether it's superstition or fact, I usually custom build for the express purpose of making disk images. I use the most generic ones I can find and I omit all the unnecessary equipment (sound cards and I think and what I want to pass along to you is that by using generic hardware there is a better chance of getting a disk image create one that works on many The goal, of course, is to manage fewer disk images.
Customize Mini-Setup Sysprep.inf automates the Mini-Setup wizard. In other words, the wizard avoids prompts for settings that you provide in Sysprep.inf. If your goal is a 100% automated installation, you should create a robust Sysprep.inf. However, full automation of the mini-setup wizard can occur in three cases: Username. You can specify a username, e.g. For example, Valued Microsoft Employee Sysprep.inf, or you can allow the wizard to prompt users for their names. • Computer name. This is the hardest to automate. You can accept the computer names that the mini-setup wizard generates by setting ComputerName=* Sysprep.inf, or you can allow the wizard to prompt users for a computer name. For this reason, many organizations send technicians to desktops to install Windows. Alternatively, you can accept the random computer name and then use scripts to modify the installation. The TechNet Script Center provides Windows Script Host to rename computers and join them to domains, and you can run these scripts Sysprep.inf. Chapter 12, "Deploying Using Answer Files," shows how to run after installing Windows XP. TheScriptCen www.microsoft.com/technet//scriptcenter/default.asp. • Join a domain. To join a domain automatically, you must provide domain administrator credentials in your answer file. But, grrrr, they're plain text. (Documentation that can encrypt the domain administrator password is inaccurate.) One solution is to create a domain account with just enough rights and permissions to join computers, and then use those credentials in the answer file. Otherwise, you can delegate computer ownership to users so they can add their own computers to the domain. You use scripts from the TechNet Script Center to automatically join computers after the Windows XP installation is complete. • The rest of the settings in a typical Sysprep.inf file are easy to understand because you learned more about answer files in Chapter 12, “Deploying with Answer Files”. However, the ultimate reference is Ref.chm in Deploy.cab. The Microsoft documentation is full of example answers. Listing 13-1 on the next page shows you one I usually use. A few notes on that
Listing: ExtendOemPartition causes the mini-setup wizard to extend the partition to the end, which is required when the target computer's hard disk is larger than the computer's. • 270 OemPnPDriversPath tells the mini-setup wizard where to find third-party device drivers I've included in the disk image (helps reduce the number of images). • The computer name and user name are missing from this Sysprep.inf file, so the mini-setup wizard prompts users for both values. • DomainAdmin and DomainAdminPassword are missing from this Sysprep.inf file, so the mini-setup wizard prompts users for the necessary credentials to join the computer to the domain. • [Sysprep] and [SysprepMassStorage] help reduce the number of disk images you need to manage. I discuss these two sections later in this chapter under "Reducing the Number of Images." • Listing 13-1: Sysprep.inf [Unattended] ExtendOemPartition=1 InstallFilesPath=\Sysprep\i386 OemPnPDriversPath=\Windows\Drivers OemPreinstall=Yes OemSkipEula=Yes [GuiUnattended] OemSkipRegional=1 OemSkipWelcome=1 TimeZone=020 [UserData] OrgName= "Jerry Honeycutt" ProductID=#####-#####-#####-#####-##### [TapiLocation] AreaCode=972 CountryCode=1 Dialing=Tone [Identification] JoinDomain=HONEYCUTT [Network] InstallDefaultComponents=Yes [Sysprep] BuildMassStorageSection=Yes [SysprepMassStorage] ;end
The easiest way to create your own Sysprep.inf file is to use a template and then edit it in Notepad. You can use the previous listing with very little modification. If you prefer, you can use the setup manager. Chapter 12, “Deploying with Answer Files,” introduced you to Setup Manager. In the setup manager, you have some additional settings that are not shown in this list, e.g. B. Installing printers. Therefore, you can use Setup Manager to create a Sysprep.inf file and then use that as a template for future jobs. NoteChapter 12, “Deploying Using Answer Files,” describes how to deploy settings in a
response file. It shows how to use .reg files, .inf files, etc. from an answer file. You can use the 271 registration. Because Chapter 12 covers these topics in detail, I will not repeat them
Preparing to Duplicate You're almost done; Now you need to prepare the sample computer's hard drive for duplication. Surface, that's the easy part, but like I do sometimes, I'm going to throw a curveball. To duplicate, create %SYSTEMDRIVE%\Sysprep and copy the Sysprep.exe, Setupcl.exe, and Sysprep.inf files you created there. That's it - now for the curveball: Fully automatic disk image generation is the ideal. regression testing. If you can swing it (and you can with a bit of work), you want your Windows XP answer file to sysprep after it installs all the applications. How to create a Sysprep folder in the Windows XP distribution folder under $OEM$\$1. The setup program creates %SYSTEMDRIVE%\Sysprep for you during installation. prevents you from having to interact with the disk image at all. 1. Add the following to the answer file that you will use to create the disk image. This installs the application. The placeholders setup1 and setup2 are the commands required by applications that you want to include in the disk image. If you want, you can run the [GuiRunOnce] section and install all applications from this batch file. Any setup program without user interaction is preferable. This script runs quietly and is configured to use the mini-setup wizard that prepares the disk for cloning: [GuiRunOnce] "setup1" "setup2" "%SYSTEMDRIVE%\Sysprep\Sysprep.exe -mini -quiet - reseal - force shutdown"
2. Add the following to the answer file that you use to create the disk image. This automatically logs the local administrator into Windows XP to run the programs in [GuiRunOnce] AutoLogonCount as many times as you need to log into Windows XP to complete the installation process in [GuiRunOnce]): [GuiUnattended] AutoLogon=Yes AutoLogonCount= 1
3. In the answer file that you use to install Windows XP on the sample computer, the local administrator password is null: AdminPassword=*. This ensures that you can find the local administrator password in Sysprep.inf. 4.
Cloning the Disk Image The final step is to run Sysprep and clone the disk to an image file. When you fully automate image production, it happens automatically. Otherwise, run Sysprep manually. The following describes how to run Sysprep so that it prepares the disk for cloning and configures the automated mini-setup wizard: Run %SYSTEMDRIVE%\Sysprep.exe. You will see the Sysprep window shown in Figure 13-2. 1. 272
Figure 13-2 Previous versions of Sysprep had no user interface, so this look and feel is really new. Select the Mini Setup check box. This causes Sysprep to use the mini-setup wizard as the first run instead of Windows Welcome, which is the default. The mini-setup wizard is the first run that you customize with Sysprep.inf. 2. Optionally, select the PnP check box. Only do this if you want the mini-setup wizard to detect older devices during hardware detection, which adds about 10 minutes to the installation process. 3. Click Reseal to prepare the hard drive for cloning and shut down the computer. 4. I'm not a fan of graphical user interfaces when there's a perfectly good command I can type at the MS-DOS prompt. So I almost always use Sysprep's command-line options instead: sysprep {[-clean] | [-activated] [-audit] [-factory] [-forceshutdown] [-mini] [-noreboot] [-nosidgen] [-pnp] [-quiet] [-reboot] [-reseal]}
-activated Does not reset the grace period for Windows product activation. Use this option only if you activated Windows XP in factory mode. The product key you use to activate Windows XP must match the product key found on the COA sticker attached to that particular computer. -audit Reboots the computer in factory mode without generating new SIDs or processing items in the [OEMRunOnce] section of Winbom.ini. Only use this command line option if the computer is already in factory mode. -clean Clears the critical device database used by the [SysprepMassStorage] section in Sysprep.inf. You can learn more about this setting in the “Reduce Frame Count” section later in this chapter. -factory Reboots into a network-aware state without displaying the Windows Welcome screen or mini-setup wizard. This option is useful for updating drivers, running plug-and-play enums, installing applications, testing, configuring the computer with customer data, and making other configuration changes in your factory environment. For organizations using disk imaging, factory mode can reduce the number of images required. When you have completed the desired tasks in factory mode, run Sysprep with the -reseal option selected to prepare the computer for end-user deployment. -forceshutdown Shuts down the computer after Sysprep is complete. Use this option with a computer with an ACPI BIOS that does not shut down gracefully with the default Sysprep behavior. -mini Configures Windows XP Professional to use the mini setup wizard instead of Windows Welcome. This option has no effect on Windows XP Home Edition, where the first run is always Windows Welcome. -noreboot Modifies registry keys (SID, OemDuplicatorString, etc.) without rebooting the system or preparing for duplication. This option is primarily used for testing, specifically to determine if the registry has been modified correctly. This option is not recommended because changes made to a computer after Sysprep has run can invalidate the preparation that Sysprep performs. Do not use this option in a production environment. -nosidgen Runs Sysprep without generating new SIDs. You must use this option if this is the case
Do not duplicate the computer on which you are running Sysprep or preinstall domain controllers. -pnp Performs full plug and play device enumeration and installation during the mini-setup wizard. This command-line option has no effect if the first run is Windows Welcome. Only use -pnp if you need to discover and install legacy, non-plug and play devices. Do not use sysprep -pnp on computer systems that only use plug and play devices. If you do this, you increase the time required for the first run without providing any additional benefit to the user. -quiet Runs Sysprep without displaying confirmation messages on the screen. This is useful when automating Sysprep. Choose this option if you B. want to run Sysprep immediately after installation. -reboot Forces the computer to automatically reboot and then start Windows Welcome, the mini-setup wizard, or factory mode. This is useful when you want to check the system and make sure the first run works correctly. -reseal Clears the Event Viewer logs and prepares the computer for delivery to the customer. The Windows Welcome or Mini Setup Wizard is set to start at next boot. If you run the sysprep -factory command, you must seal the installation as the last step in your preinstallation process, either by running the sysprep -reseal command or by clicking Reseal in the Sysprep window. After preparing the disk for cloning, use your third-party disk imaging product to clone the disk into an image file. For example, with Symantec Ghost, the product I know and love, you run the Ghost Multicast client on the sample computer to transfer the disk image to the Ghost Multicast server on another computer. However, this is the easiest way to clone disk image. The product becomes more complicated when you configure disk images so that you can mount them remotely. In the case of Symantec Ghost, you use the Ghost Enterprise Console to manage and deploy images. For more information, see your provider's documentation. Tip Sysprep does not always shut down the computer properly. Sometimes it just restarts the computer. However, if the mini-setup wizard starts, you cannot use the image. To prevent an unexpected restart, insert a blank floppy disk into drive A before running Sysprep so that when the computer restarts, it boots from the floppy disk and the mini-setup wizard does not run. 274 I get down to the nitty gritty in this section: how to reduce the number of images you manage, how registration fits into that process. To reduce the number of images, you must ensure that XP is started on each hardware configuration, as Windows XP must be started before the wizard can start. This is not always possible without additional effort on your part. Windows is aware of the devices installed on the sample computer, and if the target computer has boot hardware (storage controllers and system devices), it will not boot. The secret is to let Windows XP know about the other boot hardware you expect to encounter when deploying the operating system. I'll show you the hard way first, which is to manually customize the [SysprepMassStorage] section of the Sysprep.inf file, and then I'll show you the easy way, by allowing Sysprep to create that section for you automatically. The manual method is what you do
Windows 2000, and you must use it with Windows XP if the operating system does not support all boot hardware in your organization. In either case, customizing [SysprepMassStorage] allows the following combinations: IDE to IDE. The sample computer uses a different IDE controller than the target computers. • IDE to SCSI. The sample computer uses an IDE controller and the target computers use SCSI controllers. • SCSI-to-SCSI. The example computer uses a different SCSI controller than computer. • SCSI to IDE. The sample computer uses a SCSI controller and the target computers use IDE controllers. • Note When deploying disk images to computers using SCSI controllers, the target disks must support INT13 extended BIOS features. You must be able to open a Boot.ini file that uses multi() syntax instead of scsi() or signature() syntax. using the multi() syntax, add AddBiosToBoot to your response file.
Populating SysprepMassStorage manually To populate the [SysprepMassStorage] section, you need to dig up the Plug and Play ID for the device on the target computers. There are several ways to get this ID. You look for it in what comes with Windows XP. Search %SYSTEMROOT%\Inf for the name of the device INF file you find and note the device ID and the name of the INF file found. For example, when deploying a disk image to computers with the Intel 82801BA Master IDE Controller, I would look in Mshdc.inf for its Plug and Play ID PCI\VEN_8086&DEV_244A. All your hits are in Machine.inf, Scsi.inf, Pnpscsi.inf and After you identify boot devices, add them to your Sysprep.inf file in the [SysprepMassStorage] section. The following listing shows the format. PNPID is the device's Plug and Play ID, the path and filename of the INF file that contains the device's Plug and Play ID. [SysprepMassStorage] PNPID = INF
Here's an excerpt from a Sysprep.inf file I used recently: [SysprepMassStorage] Primary_IDE_Channel=%SYSTEMROOT%\Inf\Mshdc.inf Secondary_IDE_Channel=%SYSTEMROOT%\Inf\Mshdc.inf PCI\VEN_8086&DEV_1222=%SYSTEMROOT% \Inf\Mshdc .inf PCI\VEN_8086&DEV_1230=%SYSTEMROOT%\Inf\Mshdc.inf
275 PCI\VEN_8086&DEV_2421=%SYSTEMROOT%\Inf\Mshdc.inf PCI\VEN_8086&DEV_2441=%SYSTEMROOT%\Inf\Mshdc.inf PCI\VEN_8086&DEV_244A=%SYSTEMROOT%\Inf\Mshdc.inf
If Windows XP does not natively support a boot device, use a different format. Copy the device driver files to a folder on the disc image. The easiest way is to add $OEM$\$$\Drivers to the Windows XP distribution folder so that the setup program automatically adds them to %SYSTEMROOT%\Drivers on the sample computer. Then add lines in the [SysprepMassStorage] section that look like the following listing. PNPID is the plug and device. INF is the path and filename of the INF file that contains the %SYSTEMROOT%\Drivers\ Filename.inf Plug and Play file. DIR is the name of the directory on the floppy disk that contains the device driver. DESC is a description of the disk as specified in the txtsetup. and TAG is the volume tag as specified in the Txtsetup.oem file. The last three elements are
Optional. PNPID = INF[, DIR[, DESC[, TAG]]]
Automatically populating SysprepMassStorage New to Windows XP is the ability to automatically populate the [SysprepMassStorage] section of the Sysprep.inf file. Adding the lines you see in the list below to your Sysprep.inf file will extract all the Plug and Play IDs from Machine.inf, Scsi.inf, Pnpscsi.inf, and Mshdc.inf to the appropriate entries. Be sure to leave the [SysprepMassStorage] section and check the spelling of BuildMassStorageSection. (I spent hours troubleshooting because I misspelled the name of this setting.) [Sysprep] BuildMassStorageSection=Yes [SysprepMassStorage]
Note If you create the [SysprepMassStorage] section automatically, it will take much longer to run. Instead of shutting down the computer for seconds, which is Sysprep's typical behavior, Sysprep loops for 15 minutes while it creates this section. Be patient while you see activity and a spinning hourglass. It is worth reducing the number of images
Clean Up After Sysprep You're not done yet. Sysprep adds the devices in the [SysprepMassStorage] section to the XP critical device database. This database is located in the reg HKLM\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase. Each subkey corresponds to the device you added to [SysprepMassStorage] and contains a link to the actual device driver registry. Windows XP tries to start every device in the database every time it starts. That this increases boot time significantly - something you don't want to inflict on users. Don't I always have a solution? Run the sysprep.exe -clean command on each target computer to disable any devices that Windows XP did not find at startup. The next operating system starts, it doesn't try to start device drivers for the devices it didn't trick when trying to run this command. You don't do it when you create the image. Instead, command during the mini-setup wizard. Add the command to the Cmdlines.txt file located in %SYSTEMDRIVE%\Sysprep\i386\$OEM$. The file looks like this (make sure InstallFilesPath points to the folder containing the $OEM$ folder which is 276 [Commands] "%SYSTEMDRIVE%\Sysprep\Sysprep.exe -clean -quiet".
Mapping Sysprep Settings When you run Sysprep, hundreds, if not thousands, of registry settings are modified to prepare the computer's hard drive for cloning. Table 13-1 on the next page describes the settings that are directly related to Sysprep. These are settings that prepare the mini-setup wizard to run the next time you start Windows XP. I tracked these down by comparing snapshots of the registry before and after running Sysprep. I have divided this table into sections with each key in a different section. Table 13-1: Sysprep registry settings Value Type Description HKLM\SOFTWARE\Microsoft\Sysprep SidsGenerated REG_DWORD Sysprep sets this value to 0x01, indicating that the computer's SID was removed and Setupcl.exe is regenerating it.
CriticalDevicesInstalled REG_DWORD Sysprep sets this value to 0x01, indicating that the critical device database has been created. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup SourcePath REG_DWORD Sysprep sets this to the value of InstallFilesPath in Sysprep.inf, which tells the setup program where to find installation files. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OOBE RunWelcomeProcess REG_DWORD Sysprep sets this value to 0x00, which disables the default Windows Welcome. HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache MachineSid REG_BINARY Sysprep clears this value to remove the machine's SID. HKLM\SYSTEM\CurrentControlSet\Control\Session Manager SetupExecute REG_MULTI_SZ Setup adds Setupcl.exe to this value. This will run Setupcl.exe when Windows XP restarts, allowing Setupcl.exe to regenerate the computer's SID and run the mini-setup wizard. HKLM\SYSTEM\Setup BootDiskSig REG_DWORD Sysprep stores the boot disk signature in this value. CloneTag REG_MULTI_SZ Sysprep stores the date and time you ran the prepared disk in this value. Cmdline REG_SZ Sysprep stores the setup command line setup -newsetup -mini in this value. This is the command that runs the mini-setup wizard. MiniSetupInProgress REG_DWORD Sysprep sets this value to 0x01, indicating that the mini setup wizard is in progress. 277 SetupType REG_DWORD Sysprep sets this value to 0x01. SystemSetupInProgress REG_DWORD Sysprep sets this value to 0x01. Sysprep changes other settings that I don't describe in Table 13-1. The changed settings depend on the configuration of the computer. For example, Remote Desktop and Remote Assistance will be disabled. It configures System Restore to create an initial system checkpoint the next time you start Windows XP. It also resets the computer's digital ID and resets the Windows Product Activation timer. Finally, when you use [SysprepMassStorage], Sysprep populates the critical device database and configures the device drivers for each device. The changes that Sysprep makes to the registry are numerous, but the following list summarizes some of the most important ones I found while spying on the changes it made: Sysprepresets the event system. These settings are located in HKLM\SOFTWARE\Microsoft\EventSystem . • Sysprepre moves certificate templates and certificates from the keys
HKLM\SOFTWARE\Microsoft\Cryptography and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates. • Syspreset the Group Policy configuration in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy key. • Sysprep removes the computer from the domain if it is a domain member by using the appropriate values from the keys HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ DomainCache to be deleted , and elsewhere. • Sysprep removes policies from the HKLM\SOFTWARE\Policies key. • Sysprepre moves network components from the HKLM\SYSTEM\CurrentControlSet\Control, HKLM\SYSTEM\CurrentControlSet\Enum, and HKLM\SYSTEM\CurrentControlSet\Services keys. • Sysprepreset the application compatibility data in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility. • System preferences for power management settings in the HKLM\SYSTEM\ControlSet001\Control\Session Manager\Power key. • Sysprep configures the Netlogon service to load on demand instead of automatically in HKLM\SYSTEM\CurrentControlSet\Services\Netlogon. • Sysprep adds the devices specified in [SysprepMassStorage] to the critical device database. This database is located in the HKLM\SYSTEM\CurrentControlSet\Control\CriticalDeviceDatabase key. • Sysprep installs and configures device drivers for the devices listed in the [SysprepMassStorage] section. It configures these device drivers in the HKLM\SYSTEM\CurrentControlSet\Services key. •
Keeping the Perspective In this chapter, I've given you enough information to start testing Sysprep in your lab right away. In fact, Sysprep is a great tool for power users who keep reinstalling Windows XP. But I haven't told you enough about Sysprep to create an image and start blowing it onto corporate desktops. Sysprep is much more than just writing a few answer files and running Sysprep.exe. There is everything to consider from defining preferred configurations to licensing to whether you have your routers configured for multicast. Disk imaging is part of an overall deployment plan, 278 disk imaging techniques. To learn more about these important resources, contact your
Account Manager who will be happy to inform you about it. The ultimate resource deployment information is the desktop deployment resource C www.microsoft.com/windowsxp/officexp/deploy/default.asp. 279
Overview Microsoft Office XP is extremely flexible and highly customizable. Users can customize through its settings, custom templates, tools and more. For example, a department can create custom expense report templates and custom IT pro dictionaries that contain computer terminology and product names. Users can customize everything from the look of their toolbars to the file formats used to save documents. Almost settings are in the registry. IT pros can customize user preferences and distribute Office XP default configurations to users. First, install Office XP on a sample computer, and then customize the toolbars, templates, dictionaries, and any other options for each program. Run the Profile Wizard profile settings (.ops) file, which contains all of these settings. If you add the .ops (.mst) file, your custom settings are included when Office XP is installed on the client. The custom installation wizard is the tool you use to create MST files. It allows you settings directly in the MST file without an OPS file. You can also use it to set registry entries for user options. The Profile Wizard and the Custom Installation Wizard are part of the Office XP Resource Kit, located in the ORK folder on every Office XP Enterprise Edition CD. You can also download http://www.microsoft.com/office/ork. Since the Resource Kit tools are fully covered in the Resource Kit book, I won't go into detail. Instead, I focus on tools for providing user settings, which are essentially registry settings. And if you want to learn more about specific Office XP settings, including Office XP policies and where to find the registry, see Part IV, "Appendices." Tip Most of the tools in the Office XP Resource Kit are not just useful for deploying XP. For example, you can use the profile wizard to provide settings for any program and customize other Microsoft Windows Installer-based applications with the custom wizard. In this regard, you can use Profile Assistant to customize Windows XP if you reinstall frequently.
Profile Wizard The Profile Wizard saves and restores Office XP user settings that reside in Office XP users' profiles (see Chapter 10, "Providing User Profiles"). When you run the Profile Wizard user profile, you create an .ops file that you can use later to restore these settings. The Resource Kit installs the Profile Wizard in the Start menu. Click Start, All Programs, Microsoft Tools, Microsoft Office XP Resource Kit Tools, and then click Profile Wizard. The program Proflwiz.exe is located in C:\Programs\ORKTools\ORK10\Tools. By default, the Profile Wizard uses the OPW10adm.ini file to decide which settings and files are included in an OPS file. This file is essentially a big list of settings and files. This file also indicates that settings and files are intentionally excluded from an OPS file. The standard OPW10adm. Office XP; It grabs most Office XP settings from the registry and takes files from the folder. It excludes settings that shouldn't be provided, like usernames, recent lists, and so on. You can use the Profile Wizard with the default OPW10adm.ini file to capture Office XP settings, or you can customize it to capture and deploy any settings, including
280 The following sections describe how to collect settings, apply settings, and customize settings using the profile wizard. The following list describes the ProfileWizard command line options: proflwiz.exe [/a] [/u] [/q] [/e] [/p] [/f] [/i filename.ini] /s filename.ops | /r filename.ops
z/a Starts the wizard in administrator mode (Profile Wizard). Uses the OPW10adm.ini file by default. This is the default when neither /a nor /u is on the command line. /u Starts the wizard in user mode (Save My Settings Wizard). Proflwiz.exe uses the OPW10usr.ini file if /u is present on the command line. OPW10usr.ini is only available with Office XP and not with the Office XP Resource Kit. /q Runs the wizard in silent mode. Runs the wizard in the background and does not show progress bars or error messages. Use this option with either the /s or /r option, but not with the /p or /e option. You do not need to specify an operating mode (/a or /u) when using the silent mode option. /e Display error messages. Displays only error messages and no progress bars while the wizard is running. Use this option with either the /s or /r option, but not with the /q option. /p Displays progress bars. Displays only progress indicators and no error messages while the wizard runs. Use this option with either the /s or /r option, but not with the /q option. /f Displays a completion message at the end of the restore or save operation. Use this option with either the /s or /r option, but not with the /q option. The /e, /p, and /f options are additive. Placing /e and /f on the command line only displays error messages and completion messages. /i filename.ini Specifies the INI file to use. Instructs the profile wizard not to use the default INI file (OPW10adm.ini or OPW10usr.ini). Instead, it uses the INI file filename.ini to determine which settings and files should be stored in the OPS file. /s filename.ops Saves user configuration settings from the current computer to the OPS file filename.ops. The wizard displays progress bars and error messages as it runs. /r filename.ops Restores the application settings from the specified OPS file filename.ops to the computer. The wizard displays progress bars and error messages as it runs. Note The Office XP Save My Settings Wizard is based on the Profile Wizard. It uses an INI file that saves and restores user settings. This INI file is OPW10usr.ini. However, the OPS file created contains personal settings and information, making it unsuitable for deployment to other users.
Customizing the Assistant You do not need to edit the Profile Assistant INI file to include or exclude entire Office XP applications in your OPS file. On the Save or Restore Settings page of the wizard, select the check boxes next to
Applications for which you want to save settings. If a setting in Office XP (or any other program) that you want to capture is not in OPW10adm.ini, you must customize OPW10adm.ini or create a new .ini file to capture it in an OPS file. Edit OPW10adm.ini in Notepad or another text editor, and then add or delete references to settings and files that you want to include or exclude. You can also run the profile wizard from the command line without loss of functionality. Each option available in the wizard has a corresponding 281 Office XP, start with this file. If you are capturing user settings for Windows XP or any other system, you should create a new INI file with OPW10adm.ini as a reference. Make sure your file contains the [Header] section shown in Listing 14-1; otherwise, the profile wizard will not pass the settings defined in your INI file into an OPS file. Here is an overview of each [IncludeFolderTrees] section. List the folder trees you want to include in the OPS Assistant to capture all subfolders and files in each tree. All entries in this section begin with one of the following tokens, which represent a subfolder in the user's folder: , ,, ,, , , , ,, , . • [Include Individual Folders]. Listing individual folders that you want to include in the OPS format is the same as [IncludeFolderTrees]. • [Include Individual Files]. List individual files that you want to include in the OPS file. is the same as [IncludeFolderTrees]. • [Exclude Files]. List files that you do not want to include in the OPS file. The format is [IncludeFolderTrees], except that you can use wildcards to specify all files of a specific • FolderTreesToRemoveToResetToDefaults]. List the folder structures that should remove profiles before restoring the settings in the OPS file. This essentially application. The format is the same as [IncludeFolderTrees]. • [IndividualFilesToRemoveToResetToDefaults]. List individual files that you want Wizard to remove before restoring the settings in the OPS file. The format is [IncludeFolderTrees]. • [ExcludeFilesToRemoveToResetToDefaults]. List each file that you want to remove from the profile wizard, regardless of where they are located in the profile folder. This will keep specific files in folders you remove [FolderTreesToRemoveToResetToDefaults]. You can only use filename wildcards and you cannot specify a path: *.doc. • [Include registry trees]. List the registry branches that you want to include in the profile wizard to capture all the subkeys and values in each branch. Add a line. • [Include individual registration keys]. List individual registry keys that you want to include
OPS file. • [Include individual registry values]. List individual registry values that you want to add to OPS files. For the default value, use a trailing backslash: HKCU\Software\. Paste the value name into each line: HKCU\Software\Value. • [Exclude registry trees]. List the registry branches that you want to exclude from the • [ExcludeIndividualRegistryKeys]. List the desired individual registry keys from the OPS file. • [Exclude Individual Registry Values]. List each value that you want to exclude from the OPS file. The format is the same as [IncludeIndividualRegistryValues]. • [RegistryTreesToRemoveToResetToDefaults]. List the registry branches that you need to remove using the wizard before applying the OPS file. • [IndividualRegistryValuesToRemoveToResetToDefaults]. List individual values in the profile wizard to be removed before applying the OPS file. The format is [IncludeIndividualRegistryValues]. • [RegistryTreesToExcludeToResetToDefaults]. List each registry branch that you do not want Profile Wizard to remove when applying an OPS file. You cannot use if you embed the OPS file in an MST file. This is [RegistryTreesToRemoveToResetToDefaults]. • [RegistryKeysToExcludeToResetToDefaults]. Listing each registry key • 282 [RegistryTreesToRemoveToResetToDefaults]. [RegistryValuesToExcludeToResetToDefaults]. List each value that you do not want the Profile Wizard to remove when applying the OPS file. You cannot use this section when embedding the OPS file in an MST file. This overrides [RegistryTreesToRemoveToResetToDefaults]. • Listing 14-1: OPW10adm.ini # Microsoft Office Assistant INI file for saving my settings/profiles # Edit this file to change which files and registry keys are included in the OPS file # and/or to change what is cleared when using the # “Reset settings to defaults before restoring” option. # The syntax is documented in each section. # All include and exclude strings are case insensitive. # Comments are marked with # at the beginning of the line. # At the end of a line there is a '#' followed by one or more of the following # possible terminal symbols: # word, xl, access, ppt, ol, pub, fp, designer, common, all # Terminal symbols indicate what applications, to which the settings line belongs. # "all" indicates settings to be saved for each application. # "common" indicates settings common to all applications. [Header] Version = 10.0 Product = Microsoft Office 10.0 # ************************** File/Folder Sections ******** ********************* [IncludeFolderTrees] # List the folder trees to include in the OPS file. # syntax is one folder per line; no trailing backslash. # Includes all subfolders in the specified tree. # Wildcards are not supported. # Entries must begin with one of the following folder tokens:
# , , , , , # , , , , # , , . # Subfolder tokens of the format can be embedded in # lines and will be replaced on save with the registry data found in the $$$$ # value of HKCU\Software\Microsoft\Office\10.0\Common\General. \Microsoft\ # xl word \Microsoft\ClipGallery # ppt \Microsoft\Excel # xl \Microsoft\FrontPage # fp \Microsoft\Graph # all \Microsoft\Office # common \Microsoft\Outlook # ol \Microsoft\PowerPoint # ppt \Microsoft \ # common all \Microsoft\ # xl access \Microsoft\ # ol \Microsoft\ # ol \Microsoft\ # word ppt xl \Microsoft\ # ppt
283 # \Microsoft\Shared\ # ol # Use the following line for web server locations: # # [IncludeIndividualFolders] # List individual folders to include in the OPS file. # Syntax like [IncludeFolderTrees] but does not include subfolders. # Wildcards are not supported. [IncludeIndividualFiles] # List individual files to include in the OPS file. # Syntax is one path\filename per line. # Entries must begin with one of the folder tokens listed under # [IncludeFolderTrees]. # Wildcards are not supported. # # Example of including Normal.dot: # \Microsoft\\Normal.dot # [ExcludeFiles] # Lists files that should not be included in the OPS file. # Syntax is one filename or path\filename per line. # Folder token (e.g. ) is optional. # The path relative to the folder token is optional. # Wildcards are supported in filenames. # Wildcards are not supported in the path. # # Examples of excluding Normal.dot: # Normal.dot # Normal.* # Norm??.dot # \Microsoft\\Normal.dot *.OST *.PAB *.PST *.TMP *.RWZ *.NICK EXTEND .DAT OutlPrnt \Microsoft\Outlook\*.FAV \Microsoft\Word\*.ASD \Microsoft\Word\*.WBK [FolderTreesToRemoveToResetToDefaults] # List folder trees to remove before restoring data # Syntax is identical with [IncludeFolderTrees] . # Wildcards are not supported. # Every file in the folder and all subfolders will be deleted. # Use this section with caution; it could delete more than you # terminal symbols are ignored and treated as "all". \Microsoft\Office\Shortcut Bar \Microsoft\FrontPage [IndividualFilesToRemoveToResetToDefaults]
284 # Entries must begin with one of the folder tokens listed under # [IncludeFolderTrees]. # Wildcards are supported in filenames. # Wildcards are not supported in the path. # Terminal symbols are ignored and treated as "all". \Microsoft\\*.* \Microsoft\ClipGallery\*.* \Microsoft\Excel\*.* \Microsoft\Excel\\*.* \Microsoft\Graph\*.* \Microsoft\Office\*.* \Microsoft \Office\\*.* # \Microsoft\Office\\*.* \Microsoft\PowerPoint\*.* \Microsoft\\*.* \Microsoft\\*.* \Microsoft\\*.* \Microsoft\\ *.* \Microsoft\\*.* \Microsoft\\*.* \Microsoft\Word\*.* \Microsoft\Word\\*.* [ExcludeFilesToRemoveToResetToDefaults] # list of files NOT to be removed, regardless of where they are when # resetting to default values before restoring data from OPS file. # # syntax is one filename per line; no preceding path. # Wildcards "*" and "?" are only supported as the first character. # The following are allowed:*.DIC #NORMAL.DOC #?FOO.FIL #*FILE.FOO #*.DIC # Terminal symbols are ignored and treated as "all". # Your files must not be prefixed with a path. *.PST *.DIC *.OST # ***************************** Registry Sections ********* * ******************* [SubstituteEnvironmentVariables] # List environment variables to substitute in registry values that # take data type REG_EXPAND_SZ. # Syntax is one environment variable per line. # Wildcards are not supported. %USERPROFILE% %USERNAME% [IncludeRegistryTrees] # List of registry trees to include. # All values and subkeys within the specified tree are included. # Syntax is one key per line. # Wildcards are not supported. HKCU\Software\Microsoft\Office\10.0\Access # HKCU\Software\Microsoft\Office\10.0\Common #
285 HKCU\Software\Microsoft\Office\10.0\Osa HKCU\Software\Microsoft\Office\10.0\Outlook HKCU\Software\Microsoft\Office\10.0\PowerPoint HKCU\Software\Microsoft\Office\10.0\Shortcut Bar HKCU\Software\ Microsoft\Office\10.0\Web Server HKCU\Software\Microsoft\Office\10.0\Word HKCU\Software\Microsoft\Office\10.0\Publisher HKCU\Software\Microsoft\Office\10.0\ClipGallery HKCU\Software\Microsoft\Office\Access HKCU\Software\Microsoft\Office\Common HKCU\Software\Microsoft\Office\Excel HKCU\Software\Microsoft\Office\Outlook HKCU\Software\Microsoft\Office\PowerPoint HKCU\Software\Microsoft\Office\Word HKCU\Software\Microsoft \FrontPage HKCU\Software\Microsoft\Shared Tools\Font Mapping
HKCU\Software\Microsoft\Common Tools\Proofing Tools HKCU\Software\Microsoft\Common Tools\Outlook\Journaling HKCU\Software\Microsoft\VBA\Office HKCU\ControlPanel\International\NumShape HKCU\ControlPanel\International\Calendars\TwoDigitYearMax HKCU\ AppEvents \Schemes\Apps\Office97 [IncludeIndividualRegistryKeys] # List individual registry keys to include. # The syntax is the same as [IncludeRegistryTrees], but only includes values # in the specified key, no subkeys. # Wildcards are not supported. HKCU\Software\Microsoft\Exchange\Client\Options HKCU\Software\Microsoft\Office\10.0\Common\LanguageResources HKCU\Software\Microsoft\VBA\Trusted [IncludeIndividualRegistryValues] # List individual registry values to include. # Same as [IncludeIndividualRegistryKeys], but includes only specific # values, no subkeys. # Syntax is key\value name. # Wildcards are not supported. # The name can be empty to specify the default value (use a trailing [ExcludeRegistryTrees] # List registry trees to exclude. # All values and subkeys within the specified tree are excluded. # The syntax is one key per line. # Wildcards are not supported HKCU\Software\Microsoft\Office\10.0\Common\Migration [ExcludeIndividualRegistryKeys] # List individual registry keys to exclude # The syntax is the same as [ExcludeRegistryTrees] but excludes only values # in the specified key, no subkeys # Wildcards will not be used supports HKCU\Software\Microsoft\Office\10.0\PowerPoint\Tips HKCU\Software\Microsoft\Office\10.0\Common\UserInfo HKCU\Software\Microsoft\Office\10.0\Excel\Recent Files HKCU\Software\Microsoft\Office\10.0 \PowerPoint\Recent File List
286 HKCU\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent # all HKCU\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent # all HKCU\Software\Microsoft\Office\10.0\PhotoDraw\Recent File List # all [ExcludeIndividualRegistryValues] # List individual registry values to exclude. # Same as [ExcludeIndividualRegistryKeys], but only excludes specific # values, not subkeys. # Syntax is key\value name. # Wildcards are not supported. # name can be empty to indicate the default value (use a trailing backslash). HKCU\Software\Microsoft\Office\10.0\Access\MRU1 HKCU\Software\Microsoft\Office\10.0\Access\MRUFlags1 HKCU\Software\Microsoft\Office\10.0\Access\MRU2 HKCU\Software\Microsoft\Office\10.0\Access \MRUFlags2 HKCU\Software\Microsoft\Office\10.0\Access\MRU3 HKCU\Software\Microsoft\Office\10.0\Access\MRUFlags3 HKCU\Software\Microsoft\Office\10.0\Access\MRU4 HKCU\Software\Microsoft\Office\10.0 \Access\MRUFlags4 HKCU\Software\Microsoft\Office\10.0\Access\MRU5 HKCU\Software\Microsoft\Office\10.0\Access\MRUFlags5 HKCU\Software\Microsoft\Office\10.0\Access\MRU6 HKCU\Software\Microsoft\Office \10.0\Access\MRUFlags6 HKCU\Software\Microsoft\Office\10.0\Access\MRU7 HKCU\Software\Microsoft\Office\10.0\Access\MRUFlags7 HKCU\Software\Microsoft\Office\10.0\Access\MRU8 HKCU\Software\Microsoft \Office\10.0\Access\MRUFlags8 HKCU\Software\Microsoft\Office\10.0\Access\MRU9 HKCU\Software\Microsoft\Office\10.0\Access\MRUFlags9 HKCU\Software\Microsoft\Office\10.0\Access\Settings\Prefs Migrated HKCU\Software\Micros of\ Office\10.0\Access\UserData HKCU\Software\Microsoft\Office\10.0\Common\General\FirstRun HKCU\Software\Microsoft\Office\10.0\Common\UserData
HKCU\Software\Microsoft\Office\10.0\Excel\Options\FirstRun HKCU\Software\Microsoft\Office\10.0\Excel\Options\TipShown HKCU\Software\Microsoft\Office\10.0\Excel\UserData HKCU\Software\Microsoft\Office \10.0\Outlook\Setup\First-Run HKCU\Software\Microsoft\Office\10.0\Outlook\Setup\MailSupport HKCU\Software\Microsoft\Office\10.0\Outlook\UserData HKCU\Software\Microsoft\office\10.0\Outlook\ Journal\Item Log File HKCU\Software\Microsoft\office\10.0\Outlook\Journal\Outlook Item Log HKCU\Software\Microsoft\Office\10.0\PowerPoint\First Run\FirstRun HKCU\Software\Microsoft\Office\10.0\PowerPoint\ UserData HKCU\Software\Microsoft\Office\10.0\Word\Options\FirstRun HKCU\Software\Microsoft\Office\10.0\Word\Options\ReplyMessageComment HKCU\Software\Microsoft\Office\10.0\Word\UserData HKCU\Software\Microsoft\ Office\10.0\Outlook\Preferences\AnnotationText HKCU\Software\Microsoft\Office\10.0\Shortcut Bar\LocalPath HKCU\Software\Microsoft\office\10.0\Word\Options\PROGRAMDIR HKCU\Software\Microsoft\Office\C ommon\Assistant\AsstFile HKCU\Software\Microsoft\Office\Common\Assistant\CurrAsstFile [RegistryTreesToRemoveToResetToDefaults] # Registrierungsstrukturen auflisten, die entfernt werden sollen, bevor benutzerdefinierte Werte geschrieben werden. # Alle Werte und Unterschlüssel innerhalb des angegebenen Baums werden entfernt. # Platzhalter werden nicht unterstützt.
287 HKCU\Software\Microsoft\Office\Common HKCU\Software\Microsoft\Office\Excel HKCU\Software\Microsoft\Office\Outlook HKCU\Software\Microsoft\Office\PowerPoint HKCU\Software\Microsoft\Office\Word HKCU\Software\ Microsoft\FrontPage HKCU\Software\Microsoft\Shared Tools\Proofing Tools HKCU\Software\Microsoft\VBA\Office # HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging # Subsystem\Profiles HKCU\Software\Microsoft\VBA\Trusted [IndividualRegistryValuesToRemoveToResetToDefaults] # List individual registry values to remove before writing custom values. # Syntax is key\value name. # Wildcards are not supported. # valuename can be empty to indicate the default value (use a trailing backslash). # Terminal symbols are ignored and treated as "all". [RegistryTreesToExcludeToResetToDefaults] # List individual registry trees that will not be removed when resetting # to defaults. # All values and subkeys within the specified tree are ignored. # Wildcards are not supported. # Terminal symbols are ignored and treated as "all". # This section cannot be used when using the OPS file for a custom setup in a # transformation. [RegistryKeysToExcludeToResetToDefaults] # List individual registry keys that are not removed when resetting # to default values. # All values within the specified tree are ignored. # Wildcards are not supported. # Terminal symbols are ignored and treated as "all". # This section cannot be used when using the OPS file for a custom setup in a # transformation. [RegistryValuesToExcludeToResetToDefaults] # List individual registry values that will not be removed when resetting # to default values. # Wildcards are not supported. # Only excludes specific values only, not subkeys. # Terminal symbols are ignored and treated as "all". # Syntax is key\value name. # name can be empty to indicate the default value (use a trailing backslash). # This section cannot be used when using the OPS file for a custom setup in a # transformation.
Capturing Settings Before creating an OPS file, you must start and set each Office XP program on a sample computer
any options you want to capture in the file. The most interesting settings are in the Tools menu of each program. To customize toolbars and menus, on the Tools menu, click Customize. To configure 288 created for another application, customize that application instead. There are two ways to capture the settings defined in your INI file. You can run the profile wizard from the start menu. This is interactive and sometimes a bit confusing if you use this application other than Office XP. You can also run the Profile Wizard from the MS-DOS prompt: proflwiz /i filename.ini /s filename.ops /q
Replace filename.ini with the name of the customized .ini file. If you use the OPW10adm.ini file, you don't need to specify an INI file (just make sure it's in the same Proflwiz.exe). Replace filename.ops with the name of the OPS file in which you want settings from the current profile. The following steps describe how to save settings in a Run Profile Wizard and then click Next. 1. From the Save or Restore Settings page (see Figure 14-1), select Save from this machine. Then in the Settings File field, enter the name and OPS file. Figure 14-1: Profile Wizard allows you to exclude settings for some Office XP programs and include settings for others. Uncheck the boxes next to the settings you want to exclude. 2. Check the boxes next to each Office XP program that you want to include in your program. Uncheck the boxes next to each program you want to exclude. If you are using the customized program for another program, skip this step. 3.
Providing Settings The main purpose of OPS files is to provide settings with Office XP. They are more than that, however. You can also use them to restore a program's default configuration, to help deploy settings to users' desktops, and as a convenient way to configure a computer after 289. Just as there are many ways to OPS -Use files, there are also different ways to use them. The most common method is to embed them in MST files that you create using the Custom Installation Wizard. You will learn about this in the next section. However, if you want to make settings outside of the setup program in Office XP, you must run the profile wizard separately. This is much more flexible than including OPS files in MST files as it allows you to provide different settings for different user groups. To restore settings from an OPS file to the user's profile, run the following command while logged on to Windows XP as that user: proflwiz /r filename.ops /q
Replace filename.ops with the name of the OPS file that you want to restore to the user's profile. The profile wizard must be available for users to run, so copy Proflwiz.exe from C:\Program Files\ORKTools\ORK10\Tools to a share available to all users, such as Office
XP administrative installation.
Custom Installation Wizard Custom Installation Wizard is the tool that you use to customize Office XP. You can use it to configure everything from the Office XP installation folder to security settings. It's the one tool you'll always use when deploying Office XP. The result of running the Custom Installation Wizard is a transform (MST file). You associate this MST file with the Office XP package file by using the TRANSFORMS= filename.mst property or the MST1 setting in the Office XP Setup.ini file. Precedence Most Office XP settings are located in the registry. If you define conflicting values for the same setting, Office XP has rules that determine which setting is used. The later in the process you apply a setting, the more precedence it tends to have. Office XP applies settings in the following order: Settings in an .ops file included in the transform. • Settings on the Change Office user settings, Specify Office security settings, and Outlook: Custom default settings pages of the Custom Installation wizard. • Registry values specified in the transform. • Settings applied by running the profile wizard during installation. • Settings being migrated from a previous version of Office XP. • Settings applied after installing Office XP using the Profile Wizard or the custom maintenance wizard. This priority assumes that users have already started all Office XP applications and any migrated settings have already been applied. • Settings managed by policies. • Four pages of custom installation wizard allow you to deploy settings with your MST file. For more information about each page, see the Add/Remove Registry Entries, Customize Default Application Settings, Change Office User Settings, and Add Installations and Run Programs sections below. 290 Because most Office XP settings reside in the registry, you can customize them by changing registry values in MST files. The setup program applies your settings and installs Office XP. You can apply settings once per user by adding settings to HKCU, apply settings once per computer by adding settings to HKLM. You can also add registry values that customize settings that are not accessible through the Office XP user interface. The Profile Wizard does not capture to OPS files. For example, you can include preference programs. To add registry values to a transform On the Add Registry Entries page (see Figure 14-2), click Add. Figure 14-2: Custom Installation Wizard is the primary tool you use to customize 1.
In the Root field, select the part of the registry that you want to change. 2. In the Data type field, select a data type for the new entry. 3. In the remaining fields, enter the full path for the registry value to add, the value name, and the data, and click OK. 4. Entering values on the Add Registry Entries page of the Custom Install Wizard is a tedious process. It is better to export the settings to a .reg file and then import that .reg to your MST file. For more information on creating REG files, see Chapter 2, "Using Notepad," and Chapter 9, "Scripting Registry Changes." Of course, this assumes that the transform you want to add already exists in your computer's registry. If the values are not there, you can use the Registry Editor interface to add them to a .reg file. To import a registry file into a transform On the Add Registry Entries page of the Custom Installation Wizard, click Import. 1. In the File name box, type the path and file name of the .reg file, and then click Custom Installation Wizard adds the values from the .reg file to the list on the Add Entries page. When the wizard encounters an entry in the .reg file that contains a duplicate version with different value dates, the wizard prompts you to select Keep. To remove values that you do not want to keep, click the value and then click 2. 291 Changing registry values will override duplicate values you have set on other pages of the installation wizard, including the following: Settings in an OPS File added to a transform • Settings on the Change Office User Settings page • Options on the Outlook: Customize Defaults page • Settings on the Set Office Security Settings page •
Customize default application settings Adding an OPS file to an MST file is an easy way to deploy a set of settings across the enterprise. You learned how to create an OPS file earlier in this chapter. Now you need to embed this OPS file in your MST file. The big problem here is that any settings in the file have lower priority than settings you define elsewhere in your MST file. These settings on the Change Office User Settings page override the settings in your OPS file, as do the settings defined on the Add Registry Entries page. You embed the OPS file in your MST file on the Customize Default Settings page of the Custom Installation wizard. Select the Get values from an existing settings profile check box and the OPS file name and path. Custom Installation Wizard creates a transform containing the OPS file and any other customizations you made. Note Adding an OPS file to the MST file increases the size of the transform and requires recreating the MST file each time you change the OPS file. You can save the OPS network and run the profile wizard with your OPS file during Office XP installation. For more information, see “Adding installations and running programs” later in this chapter. If a previous version of Office is installed on a user's computer, Windows Installer migrates the settings from the previous version to Office XP the first time the user starts an Office XP program. Migrated settings overwrite duplicate settings in an OPS or MST file. You can use Behavior on the Customize Application Settings page of the Custom Install Wizard (see Figure 14-3). If you do not include an OPS file in the MST file, the wizard selects the Migrate settings check box by default. When users install Office XP with their transform, setup settings from a previous version of Office. If you add an OPS file to the transform, the
Migrate user settings check box in the wizard and uses the values in your OPS file instead. Figure 14-3: Custom Installation Wizard clears the Migrate User Settings check box if you have an OPS file in your MST file. If you add an OPS file to an MST file and select the Migrate user settings check box, settings are migrated from your OPS file during the initial installation. When a user runs Office XP programs for the first time, Windows Installer migrates settings from a previous version or overwrites any previously applied equivalent settings.
Changing Office User Settings You can set most of the options that you collect with the Profile Assistant on the Change Office User Settings custom page. This includes all REG_DWORD and REG_SZ values, as well as REG_BINARY values. This is useful for customizing a small number of settings or default configurations without recreating an OPS file that is already in the MST file. To configure settings on the Change Office User Settings page, as shown in Figure 14, category in the left pane. In the right pane, double-click the settings that you want to configure and include in your MST file. Figure 14-4: The Custom Installation Wizard's Change Office User Settings page is very similar to the System Policy Editor with Office XP policy templates (.adm files) loaded. When users install Office XP using your transform, the settings you configure on the Change User Settings page apply to all users on that computer. However, Windows Installer applies settings that differ from the existing default settings. Settings you configure in this wizard override the same settings in the OPS file that you included in the transform. Tip The Change Office User Settings page uses templates for the settings shown, only Policies and System Policies use templates. These templates are located in C:\Files\ORKTools\ORK10\Tools and have the file extension OPA.
Add installations and run programs The custom installation wizard lets you run programs during the Office XP installation. Run the Profile Wizard (Proflwiz.exe) to distribute custom settings at the end of Office XP, for example. However, you cannot use the Add and Run Installations page of the custom installation wizard to install other Windows Installer packages. If Windows Installer starts the second package before the first one finishes installing, the whole process will fail. Here is the profile wizard for the Add Installations and Run Programs page: On the Add Installations and Run Programs page, click Add. 1. In the Target field, enter the path and filename of the profile wizard, typically C:\Files\ORKTools\ORK10\Tools\Proflwiz.exe. 2. In the Arguments field, add command line options to apply the OPS file to the computer, typically /r filename.ops /q. 3. Do one of the following, as shown in Figure 14-5: Click Run this program once per computer to apply your settings at first login. → Click Run this program once per user to apply your default settings to this computer. This option requires an active network connection when a user logs on to the computer for the first time.
→ 4. 294 Figure 14-5: You can also add programs to your installation by customizing the Office Setup.ini file.
Custom Maintenance Assistant You only get one chance to apply an MST file to Office XP, and that's during installation. If you change the settings after installing Office XP, you can use almost everything you can configure in the Custom Installation Wizard with the Custom Maintenance Wizard, including user security levels, Outlook profile settings, etc. The Custom Maintenance Wizard is one of the improvements in the Office XP Resource Kit versus the Office 2000 version. The Resource Kit installs the custom maintenance wizard in the Start menu. Click Start, All Microsoft Office Tools, Microsoft Office XP Resource Kit Tools, and then click Custom Maintenance Wizard. The program file Maintwiz.exe is located in C:\Programs\ORKTools\ORK10\Tools. to run the wizard is a CMW file that contains your configuration changes. For custom CMW files that the wizard creates, you must copy Maintwiz.exe and the CMW files to the administrative share, which gives the Custom Maintenance Wizard elevated privileges. Alternatively, you can apply the "Allow CMW files in any location" policy. The user interfaces of both wizards are almost identical, so I won't use much space here to describe how to use the custom maintenance wizard. For example, you specify new settings on the Change Office User Settings page of the Custom Maintenance Wizard. However, you cannot use the custom maintenance wizard to deploy a new OPS file, so you must run the profile wizard login script separately, etc.). Chapter 15, "Workarounds IT Problems," contains recommendations for getting command lines onto users' computers.
Group and System Policy Everything I've presented so far will help you deploy user settings for Office XP and other programs. However, if you want to manage settings, you must use the Group Policy 295 Directory. Chapter 6, "Using Registry-Based Policies," describes policies in detail. Part IV, "Appendices," describes many of the policies in Office XP and tells you where to find them in the registry. The Office XP Resource Kit provides policy templates (.adm files) that you can use with either Group Policy or System Policy. It installs several ADM files in %SYSTEMROOT%\Inf, e.g. B. OFFICE10.ADM, which contains policy settings common to all Office XP programs. When to use Which scenario Method tool Distributing a standard Office XP standard configuration Adding an OPS file to a Transform Profile Wizard and a Custom Installation Wizard (Customize
Default Application Settings page) Configure some options or override the settings of the .osp file without recreating it. Add user settings to a transform. Custom Setup Wizard (Change Office User Settings page) Setup Wizard (Specify Office Security Settings page) Specify migration and e-mail options for Outlook Specify Outlook settings in a transform Custom Setup Wizard (Outlook: Custom Defaults page ") Specify settings that are not captured in an OPS file Add registry values to a transform Custom Installation Wizard (Add/Remove Registry Entries page) Distribute a standard Office XP configuration, but store one or more OPS files separately from the MST file Wizard to run profiles during setup Profile Wizard and Custom Install Wizard (Add Installs and Run Programs page) Retain users' custom settings from a previous release , instead of specifying new default settings t Settings Enable Setup to migrate settings from a previous version of Office. Default Behavior Set unique options for Office XP Multilingual User Interface Packs or other chained packages
Specify settings in the transform that will be applied to the concatenated package Custom Installation Wizard and Setup INI Customization Wizard Distribute a default Office XP configuration that overrides individual users' settings Run the Profile Wizard as a standalone tool after installing the Office XP Profile Wizard Modify Post Office XP User Settings Distribute a .cmw file after installing the Office XP custom maintenance wizard. Prevent users from changing settings. Setting policies. System Policy Editor or Windows 2000 Group Policy. They try to follow the rules, but sometimes they have to bend them to make things good around them. Breaking the rules often means using the registry to accomplish something that isn't normally possible. Chapter 4, "Hacking the Registry," gave good examples of rule bending. For example, if you want to use folder redirection without Active Directory, you have the registration. This chapter follows this example with many others. I could fill an entire book (I'd love to try that) on the dirty tricks IT pros use to get things done the way they want. However, in this chapter I have focused on the issues that I am frequently asked. For example, I don't know many professionals who aren't frustrated by Microsoft Outlook Express icons that keep popping up on users' desktops. In this chapter you will learn how to free your company from it. I also know that many professionals want to permanently use some components of Microsoft Windows XP and of course this chapter will show you that too want to distribute the benefits of a software management infrastructure and how to customize the enrollment process.
Controlling Just-In-Time Setup All the IT pros I spoke to, especially desktop deployment types, had a problem: they wanted to know how to prevent Windows XP from showing icons for Outlook on the quick launch bar and start menu Windows XP creates these icons when it creates user profiles for new users, specifically when users first log on to the computer. Icons aren't in the default user profile, which you learned about in Chapter 10, "Providing Profiles," so you can't just remove them from it to avoid creating them. At this point, you might be wondering why you can't just remove these components from Windows
Well, the operating system does not provide any user interface for this. However, in the Components section later in this chapter, I show you how to restrict which components Setup installs. However, other components are required for the operating system to function properly. For example, Windows XP requires Internet Explorer. If you are redeploying Microsoft Outlook, you must install Outlook Express because Outlook 2002 depends on many of the components of Outlook Express. The best thing you can do is not to promote these programs so that users get distracted while using their computer. Windows XP actually creates these icons as part of its own in-time setup process for users. The operating system creates a user profile for a new user and then runs this just-in-process to complete the configuration Imagining the process is that the setup program configures settings per user until Windows XP creates user profiles when decisions about settings can be better made. This just-in-time setup process is what you need to prevent annoying Outlook Express icons from appearing on the desktop p. The HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components key controls the Justsetup process. Each subkey is a component. Example: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} is for NetShow. In each subkey, look at the REG_EXPAND_SZ StubPath value. If this value is present, Windows XP runs the command it contains when the operating system creates a new user profile. If you don't specify a value or the value is empty, nothing happens. So, to prevent Windows XP from running a component's Just-In-Time setup process, remove the StubPath value from subkey 298 of that component Cloning Disks with Sysprep describes how to change settings on your disk images provide. NoteWho cares if Outlook Express has an icon on the Quick Launch bar? It distracts and keeps users from their work. In particular, your company probably won't use Outlook Express as an email client. You've probably deployed a full-featured client like Outlook 2002 or similar. If you offer Outlook Express on the desktop, users have two email clients. If that doesn't confuse you and cause problems, it will surely tempt you to play with Outlook Express. This is true of many of the other programs that come with Windows XP, including Windows Media Player, NetMeeting, and so on.
Outlook Express When Windows XP creates a new user profile, it runs the command in the REG_EXPAND_SZ value HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840CC5111CF-AAFA-00AA00B6015C}\StubPath to add the Outlook Express icon to the Start menu create and on the quick launch bar. This command is "%ProgramFiles%\Outlook Express \setup50.exe" /APP:OE /CALLER:WINNT /user /install. To prevent this command from running, remove the StubPath value or alternatively change its name to HideStubPath as shown in Figure 151. Figure 15-1: Prevent Windows XP from creating shortcuts to Outlook Express by hiding StubPath.
This customization is common with disk images, so I'll provide you with a script for it. Save the script shown in Listing 15-1 to a text file with an .inf extension. Right-click it and then click Install. Have this script handy as a tool for customizing disk images. Listing 15-1 Outlook.inf [Version] Signature=$CHICAGO$ [DefaultInstall] DelReg=Reg.Settings [Reg.Settings] HKLM,SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-\ CC51-11CF-AAFA -00AA00B6015C},StubPath
TipAn alternative to hiding the Outlook Express icon is to make Outlook Express a newsreader client only. Add the /outnews option to the target of each icon (enclose this command-line option outside the quotes). When users select the shortcut, Outlook Express opens with all news client functionality working, but email client functionality does not work. This is useful in scenarios where you need to grant newsgroup access to users such as developers who typically need access to Microsoft and developer newsgroups. To easily deploy this custom Outlook Express shortcut, add it to the default user profile. Alternatively, because this hack 299
Windows Media Player Windows Media Player has two subkeys in HKLM\SOFTWARE\Microsoft\Active Setup Components: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} is for version 6.4 and the StubPath value is rundll32.exeadvpack.dll,LaunchINFSectionC:\WINDO \ mplayer2.inf,PerUserStub.NT. • {6BF52A52-394A-11d3-B153-00C04F79FAA6} is for version 8 and the value is rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS \INF\wmp.inf,PerUserStub. • These values are responsible for the numerous Windows Media Player shortcuts. Remove the StubPath values to prevent Windows XP from adding the Windows Media Player shortcut quick launch bar. Also, if you want to keep the Windows Media Player shortcut out of the Start menu, remove it from the default user profile (see Chapter 10, “Providing Users”) You can also find Windows Media Player shortcuts in the All Users profile AllUsers\Sta \ Programs\Accessories\Entertainment Ideally, remove the shortcut from your networkDefault user profile, and then remove the shortcut from the All Users profile folder for pictures.
Desktop Themes Prevent Windows XP from configuring desktop themes when creating a user profile to return to the classic user interface (see Figure 15-2). Remove or REG_EXPAND_SZ value StubPath from key HKLM\SOFTWARE\Microsoft\Active \Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}. The command value includes %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll. 300 user interface.
Other shortcuts The HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components key contains other components with StubPath values that I haven't mentioned yet. You can prevent Windows XP from configuring any of the components when the operating system creates a user profile by removing or hiding the StubPath value in the appropriate subkey. Table 15-1 lists all of the components that I have already described, as well as those that I have not yet described. Table 15-1: Components in Installed Components Component Subkey StubPath Address Book 6 {7790769C-0471-11d2AF11-00C04FA35D02} "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install Internet Explorer 6 { 89820200-ECBD-11cf8B85-00AA005B4383} %SystemRoot%\system32\ie4uinit.exe Internet Explorer Access {ACC563BC-4266-43f0B6ED-9D38C4202C7E} rundll32 iesetup.dll,IEAccessUserInst Microsoft Outlook Express 6 {44BBA840-CC51-11ProgramFiles%} \Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install Microsoft Windows Media Player 6.4 {22d6f312-b0f6-11d094ab-0080c74c7e95} rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS \INF \mplayer2 .inf,PerUserStub.NT Microsoft Windows Media Player 8 {6BF52A52-394A-11d3B153-00C04F79FAA6} rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF \wmp.inf,PerUserStub NetMeeting 3.01 {44BBA842-CC51 -11CF-
AAFA-00AA00B6015B} rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF \msnetmtg.inf,NetMtg.Install.PerUser.NT theme component {2C7339CF-2B09-4501B3F3-F3508C9228ED} %SystemRoot%\system32\regsvr32.exe / s /n /i: /UserInstall %SystemRoot%\system32 \themeui.dll Windows Desktop Update {89820200-ECBD-11cf8B85-00AA005B4340} regsvr32.exe /s /n /i:U shell32.dll Windows Messenger 4.0 {5945c046- 1e7d -11d1bc44-00c04fd912be} rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF \msmsgs.inf,BLC.Install.PerUser Remember that even if you prevent Windows XP from configuring all the components shown in the table, You may still have unwanted icons. These icons come from the Default User and All Users profile folders. Remove the shortcuts you don't want from a default user profile that you provide. Remove the shortcuts you don't want from the All Users folder on your disc images. Caution 301 For example, when a user opens a shortcut to a Windows Installer-based application, Windows Desktop Update forwards it to Windows Installer so that Windows Installer can scan and repair the application if necessary. If you prevent the operating system from configuring Windows Desktop Update, remove Windows Installer from the process. Although this prevents Windows Installer from repairing broken shortcuts, it does not prevent Windows Installer from repairing components within an application.
Removing Components While the previous section showed you how to prevent Windows XP from configuring components when it creates a user profile, this section shows you how to prevent Windows XP from installing certain components completely. However, be careful when preventing the operating system from installing components, as this could disable some functions and applications. For example, Office XP requires Internet Explorer, Outlook Express, and NetMeeting for many of its features, particularly its collaboration features. The moral is to test your configurations in a
lab before deploying them to unsuspecting users. The Windows XP setup program does not provide a user interface for removing components during installation. However, you can use an answer file to remove components; Chapter 12, “Deploying with Answer Files,” shows you what the [Components] section looks like in an answer file, and I summarize that information in this chapter. However, the operating system allows users to add or remove components using the Windows Components wizard: click Start, Control Panel, Add or Remove Programs, Add/Remove Windows Components. However, the wizard and answer files do not allow you to remove and disable some of the features that companies would rather not install. For example, there is no option to remove Movie Maker, nor is there an option to remove Windows Messenger. This section shows you some alternative ways to get rid of components, if possible, or to hide them. The most common requests I get are to get rid of Tour Windows XP, Movie Maker, Outlook Express, and the Files and Settings Transfer Wizard. Oddly enough, I don't often get asked about removing the games, but you can easily do that from your Windows XP answer file.
Response File [Components] Section Chapter 12, “Deploying with Response Files,” describes how to create a response file. If you're an IT professional deploying Windows XP, you're probably already familiar with answer files. In the [Components] section of the response files, you can prevent the operating system from installing certain components. Listing 15-2 on the next page shows what this section looks like, and the listing includes all of the components that support Windows XP answer files (I left out server-specific components). The names of the individual components are self-explanatory. To install a component, set it to On. To prevent its installation, set it to Off. In the listing I have set each component to its default install value. Listing 15-2 Unattend.txt [Components] accessopt=On; Accessibility Assistant calc=On; Calculator charmap=On; Character Map Chat=Off; Chat
302 fp_extensions=Off; FrontPage Server Extensions fp_vdir_deploy=Off; Visual InterDev RAD Remote Deployment Support freecell=On; Freecell Hearts = On; hearts hypertrm=on; hyperterminal
IEAccess=On; Visible entry points for Internet Explorer iis_common=Off; Internet Information Services (IIS) general iis_ftp=Off; FTP service iis_htmla=Off; HTML based management for IIS iis_inetmgr=Off; MMC based management for IIS iis_pwmgr=Off; Personal Web Manager iis_smtp=Off; SMTP service for IIS iis_smtp_docs=Off; SMTP service documentation iis_www=Off; WWW service for IIS iis_www_vdir_printers=Off; Web Printing Components for IIS iisdbg=Off; Microsoft Script Debugger indexsrv_system=Off; Indexing Service media_clips=On; Example sound clips media_utopia=Off; Utopia sound scheme minesweeper=On; Minesweeper mousepoint=On; mouse pointer mplay=On; Windows Media Player msmq_ADIntegrated=Off; Integrates Message Queuing (MSMQ) with AD msmq_Core=Off; MSMQ core files msmq_HTTPSupport=Off; MSMQ support for HTTP msmq_LocalStorage=Off; MSMQ support for local storage msmq_MQDSService=Off; MSMQ support for child clients msmq_RoutingSupport=Off; MSMQ support for efficient routing msmq_TriggersService=Off; MSMQ Support for Component Object Model msmsgs=On; Windows Messenger msnexplr=On; MSN Explorer mswordpad=On; WordPad Netcis=Off; COM internet services netoc=On; Optional network components objectpkg=On; Object Packager paint=On; paint pinball=on; Pinball Recording=On; Sound Recorder Solitaire=On; Solitaire Spider=On; Spider Templates=On; Document Templates Vol=On; volume control zonegames=On; Gaming Zone internet games
Microsoft does not document a way to prevent the setup program from installing Windows Messenger - a common request. However, I added the msmsgs component to Listing 15.2, which prevents the setup program from installing it. The Sysoc.inf file, which you will learn about in the next section, hides this component in the Windows Components wizard. You can edit this file to show Windows Messenger in the wizard, but this requires users to remove Windows Messenger. Instead, you can add the component to the [Components] section of your answer file to prevent the setup program from installing it. This is a great technique to prevent the operating system from installing things like games, but it doesn't prevent components like Movie Maker from installing because the [Components] section doesn't contain settings for those components. However, you can use it to prevent the installation of Windows Media Player and Windows Messenger, which are two 303
Extending the Windows Components Wizard Just because you don't see a component in the Windows Components Wizard doesn't mean Windows XP isn't prepared to remove it. The Sysoc.inf file controls which components
appear in the wizard. This file is located in %SYSTEMROOT%\Inf, and Listing 15.3 shows its default contents. You need to show super-hidden files to see the Inf folder: In Windows Explorer, click Tools, Folder Options. On the View tab, select the Show hidden files and folders check box. Listing 15-3 Sysoc.inf [Version] Signature = "$Windows NT$" DriverVer=07/01/2001,5.1.2600.0 [Components] NtComponents=ntoc.dll,NtOcSetupProc,,4 WBEM=ocgen.dll,OcEntry ,wbemoc.inf,hide,7 Display=desk.cpl,DisplayOcSetupProc,,7 Fax=fxsocm.dll,FaxOcmSetupProc,fxsocm.inf,,7 NetOC=netoc.dll,NetOcSetupProc,netoc.inf,,7 iis=iis. dll,OcEntry,iis.inf,,7 com=comsetup.dll,OcEntry,comnt5.inf,hide,7 dtc=msdtcstp.dll,OcEntry,dtcnt5.inf,hide,7 IndexSrv_System = setupqry.dll,IndexSrv,setupqry. inf,,7 TerminalServer=TsOc.dll, HydraOc, TsOc.inf,hide,2 msmq=msmqocm.dll,MsmqOcm,msmqocm.inf,,6 ims=imsinsnt.dll,OcEntry,ims.inf,,7 fp_extensions=fp40ext .dll,FrontPage4Extensions,fp40ext.inf,,7 AutoUpdate=ocgen.dll,OcEntry,au.inf,hide,7 msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7 RootAutoUpdate=ocgen.dll,OcEntry,rootau .inf,,7 IEAccess=ocgen.dll,OcEntry,ieaccess.inf,,7 Games=ocgen.dll,OcEntry,games.inf,,7 AccessUtil=ocgen.dll,OcEntry,accessor.inf,,7 CommApps=ocgen .dll,OcEntry,communic.inf,HIDE,7 MultiM=ocgen.dll,O cEntry,multimed.inf,HIDE,7 AccessOpt=ocgen.dll,OcEntry,optional.inf,HIDE,7 Pinball=ocgen.dll,OcEntry ,pinball.inf,HIDE,7 MSWordPad=ocgen.dll,OcEntry,wordpad.inf ,HIDE,7 ZoneGames=zoneoc.dll,ZoneSetupProc,igames.inf,,7 [Global] WindowTitle=%WindowTitle% WindowTitle.StandAlone=" *" [Components] msnexplr=ocmsn.dll,OcEntry,msnmsn.inf,,7 [Strings] WindowTitle="Windows Professional Setup" WindowTitle_Standalone="Windows Components Wizard"
The important section in this file is [Components]. Each row in this section is either a specific component or a category of components. If you see the word Hide, Windows XP does not show the 304 Windows Messenger, change the line msmsgs=msgrocm.dll,OcEntry,msmsgs.inf, msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,,7.
Remove components after installation The first option I gave you allows you to prevent the Windows XP setup program from containing components during installation. The second option allows you to view additional components. Windows Components Wizard. This last option is for scenarios where you want to create components without exposing them in the Windows Components wizard. This is also useful when running the scripted removal so you don't have to go to the desktop. The first step is to locate the component's INF file in %SYSTEMROOT%\Inf. Remember that super-hidden folder, and I gave you instructions on how to view it earlier in this chapter. One way to find the component INF file is to use the search assistant. Search for all files with
Extension containing the name of the component. For example, to find the INF file for Messenger, look for all files with an .inf extension in %SYSTEMROOT%\Inf of this Windows Messenger. You should find Msmsgs.inf file as shown in figure. In the file, look for a section with the words remove or uninstall in it. In this case, the [BLC.Remove] section. Then run the following command, whether in a script or in execution, where Filename.inf is the name of the INF file and Section is the name of the uninstall section: rundll32 advpack.dll,LaunchINFSection %systemroot%\Inf\Filename.inf ,Section
Figure 15-3: Browse the %SYSTEMROOT%\Inf folder for any files with the .inf extension, the name of the component you want to remove. Therefore, to remove Windows Messenger, run the following command: rundll32 advpack.dll,LaunchINFSection %systemroot%\Inf\Msmsgs.inf,BLC.Remove.
305 components, but which provide INF files.
Hiding Unremovable Components None of the methods I've shown will help you get rid of some components, including Tour XP, Movie Maker, Outlook Express, and the Files and Settings Transfer Wizard, which is what worries me in the first place on this killing spree . To prevent users from accessing these applications, you need to get creative. Tour Windows XP is easy to hide, if not get rid of entirely. New subkey in HKLM\Software\Microsoft\Windows\CurrentVersion\Applets\Tour named Create REG_DWORD value RunCount and set it to 0x00. Do this on your disc images Users will not be contacted by Tour Windows XP when they log into the operating system for the first time; can run the tour from the start menu. The remaining bits are not so simple. You can't just remove the program files because Windows protection will restore them immediately. You can turn off Windows file protection, recommend this since it protects users' configurations from accidents and buggy applications that like to replace files they don't need to replace. Instead, hide the shortcuts on your hard drive and use software restriction policies to prevent users from running programs by opening the program files: Prevent Windows XP from creating new shortcuts by using the appropriate values from HKLM\SOFTWARE\Microsoft\ Remove Active Setup\Installed Components . See the Just-in-Time setup control section earlier in this chapter for more information. 1. Hide existing shortcuts to the program (do this on your disc images): Find the shortcut program in %SYSTEMDRIVE%\Documents and Settings\All Users and remove it. → Browse %SYSTEMDRIVE%\Documents and Settings\Default User for shortcuts to the program and remove them. → Browse the default user folder in \\Server\NETLOGON\Default User Share Program's Shortcuts and remove them. → 2. Create a new Group Policy Object (GPO) in Active Directory or locally on your hard drive that prevents users from running the program. 3. This last step requires more explanation. Chapter 6, "Using Registry-Based Policy"
contains information about Group Policy, but I'll get you started. The following instructions assume that software restriction policies are defined in the local Group Policy Object, but the steps are delegated to Network Group Policy: In the left pane of the Group Policy Editor, click Software Restriction Policies. To start the Group Policy Editor, type gpedit.msc in the Run dialog box. Software policies are located under Computer Configuration\Windows Settings\Security Settings. 1. Right-click Software Restriction Policies, and then click Create New Policies. 2. Under Software Restriction Policies, right-click Additional Rules, and then click Rule. 3. Click Browse and select the file that you want to prevent users from running. To prevent users from running the Files and Settings Migration Wizard, %SYSTEMROOT%\system32\usmt\migwiz.exe. 4. 306 Settings Transfer Wizard. Users cannot run an appropriate program. This way users can't trick the system by copying the file somewhere else (clever). If you save the policy, you must log out of Windows XP for the change to take effect. When users use the program, they see an error message stating that Windows cannot open this program, which has been prevented by a software restriction policy. So between hiding the ads that prevent the program file from running, you can prevent programs like the Movie Files and Settings Transfer Wizard from distracting users. Figure 15-4: Without a shortcut to the Files and Settings Transfer Wizard in the Start menu, users typically try to run the wizard. Those who do will see an error message.
Removing policy tattoos Tattoos are a significant problem with System Policy, which was supported on versions of Windows prior to 2000. Tattooing means policies make permanent changes to the registry. Administrator must explicitly remove these policies. For example, if you create a policy with a .pol extension and Windows applies its settings to the registry, removing the file will preserve the settings. To remove these policies, you must remove the settings from the policy file to remove the settings. 307 directory but uses system policy and then deploys Active Directory across the board. The upgrade process does not remove system policy settings from the registry during an upgrade, so these settings are preserved. The shotgun approach is to remove the following keys from each computer's registry and each user's profile structure before upgrading to Windows XP; The surgical approach is to remove individual policies, but that's too much trouble: HKLM\SOFTWARE\Policies • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies • HKCU\Software\Policies • HKCU\Software\Microsoft\Windows\CurrentVersion \Policies • How to remove these keys during upgrade is the question. This is not a problem for disk images
since the problem only occurs during an upgrade. If technicians visit desktops during the upgrade, and I hope they don't, they can remove these keys manually. Otherwise, run the Windows XP Setup program from a batch file or script. Then you can precede the command that starts the setup program with the commands that remove those keys. Listing 15.4 is an example INF file that removes them. To run this INF file from a batch file, save it in a file called Tattos.inf; Then add the %SystemRoot% \System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 Tattoos.inf command to the batch file that starts the Windows XP installation. You can also script this edit using Windows Script Host, which is described in Chapter 9, "Scripting Registry Changes." Listing 15-4 Tattoos.inf [Version] Signature=$CHICAGO$ [DefaultInstall] DelReg=Reg.Settings [Reg.Settings] HKLM,SOFTWARE\Policies HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
However, there are a few major issues with this script. The first is that the user must be an administrator to unregister the policy branches. You can use the techniques described in the next section, "Elevating Process Privileges," to resolve this issue, or you can rely on your software management infrastructure. The second problem is that only the per-machine policies are removed. Policies are not removed from users' profile hives. You cannot use such a script from a login script or allow the user to run it because they do not have the necessary permissions to unregister the policy branches. This is true unless you've moved all users to the local Administrators group, which I hope you haven't. The only sane solution is to load each user's profile structure in the registry editor (regedit) and then remove the two policy branches from it. You can more or less automate this process by writing a script that connects to a remote computer, loads each profilhive file present in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, removes the policy branches, and then the Hive file unloaded. 308 privilege is a nasty little paradox. On the one hand, you don't want to add users to the Administrators group. Restricting users is a proven technique that prevents human error, mindless distractions, opportunistic viruses, and so on. On the other hand, providing software for restricted users is difficult. You do not have the correct permissions to install most applications, Office XP. Chapter 7, "Managing Registry Security," shows you a variety of features that you can use to strike a good balance between full access and complete lockdown
desktop. In this chapter, I want to show you how to run processes with elevated privileges so that you can perform many of the tasks I've described in locked down environments. The following sections go from elegant to seedy. Group Policy, specifically the InstallAlwaysElevated policy, is one way to allow restricted users to install Windows Installer applications. You can also use the Secondary Login or Scheduled Tasks feature. The "AutoLogon" later in this chapter describes a method that uses SMS, and I tend to like that solution. The last two methods I describe in this section are very dubious and can be used if you are not careful.
Group Policy The InstallAlwaysElevated policy installs Windows Installer-based applications with elevated privileges. This policy is a way to allow users to install Windows Installer-based applications that they would otherwise not be able to install because their accounts are in restricted groups or you have locked the desktops. Be aware of the consequences of using this policy. Users can take full control of their computers from this policy. Users may even be able to permanently change their permissions to bypass your ability to manage their accounts and computers. In addition, this policy opens the floodgates to viruses disguised as Windows Installer package files. For these reasons, I only recommend this in the most necessary scenarios, when no other method is available than throwing users into the local administrators group. For this policy to take effect, you must enable both the per-machine and per-user versions at the same time. In other words, enable it in both computer configuration and user configuration. If you use this policy, I recommend that you enable it for each rollout unit before deploying software to it. Deploy your package, and then immediately remove the policy for that entity. You at least limit your exposure to the hazards that this policy creates. Note If you have Active Directory and Group Policy in place, you should not use the InstallAlwaysElevated policy. The only reason you would use this policy is in place of a software management infrastructure. However, if you have Active Directory and Group Policy in place, you have an elegant solution for small and medium-sized businesses: software installation and maintenance. This feature allows you to deploy software through GPOs. Best of all, you can deploy Windows Installer-based software to restricted users and locked-down desktops since applications you deploy via Group Policy are installed with elevated privileges. The Understanding Software Installation document is an excellent walkthrough topic. The URL http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/sag_ADEconcepts_01. 309
Secondary login, also called Run As, allows users to run programs in the context of accounts other than their own. For example, if I'm logged on to the computer with the Jerry account, which is in the Power Users group, but I need to run a program as an administrator, I hold down Shift and right-click the program's shortcut icon , click Run as, and then enter the administrator account name and password. The program runs under the administrator account. Because secondary login relies on users knowing the credentials (which they don't know), it's not really a useful tool for software deployment. I'm including it here to answer the inevitable question of whether you can use it for this purpose. You can also use secondary login from the command prompt. The following is the syntax for this command: RUNAS [ [/noprofile | /profile] [/env] [/netonly] ] /user:username program RUNAS [ [/noprofile | /profile] [/env] [/netonly] ] /smartcard [/user:username] program
/noprofile Specifies that Runas should not load the user profile. Programs load faster, but often don't work properly. /profile Specifies that Runas should load the user's profile. /env Uses the current environment instead of the user's. /netonly Specifies that the credentials are for remote access only. /savecred Uses the credentials previously saved by the user. /smartcard Specifies that credentials are provided by a smart card. /user username Specifies the account name to use. This should have the form[Email Protected]or domain\user. program Specifies the command to run.
Scheduled Tasks One thing I like about Scheduled Tasks is that you have remote access to the Scheduled Tasks folder on any computer. Also, you can add an account name and password to each task. They don't rely on users to provide the credentials needed to run a job, e.g. B. to install software. Because of this, Scheduled Tasks fails the secondary logon. In My Network Places, locate the computer where you want to add a task. Open the computer's Scheduled Tasks folder, right-click the folder, point to New, click Scheduled Task, and rename the task. Configure the task as follows (see Figure 15-5). In the Run box on the Task tab, type the command you want to run. Remember to keep the command's path relative to the computer you're running it on. • In the Run As box on the Task tab, type the account you want to run the task as, and then click Set Password to set the appropriate password. Enter the account in the form domain\username as shown in Figure 15-5.
• On the Schedule tab, configure the task schedule. In the scenarios I've described (deploying software and settings), you want to schedule the task to run once. • Configure Windows XP on the Settings tab to remove the task from the Scheduled Tasks folder after it runs. No need to leave artifacts behind. Figure 15-5: Scheduled tasks are a useful way to run programs on remote computers with permissions, especially in one-off scenarios. Note Be careful not to schedule tasks that require user interaction. Users only see this when they look in Windows Task Manager and view tasks for all users. For example, if you schedule a task to run on a computer as a local administrator and the current console user, Jerry won't be able to interact with the task. If the task requires interaction, it gets stuck. Many programs, especially setup programs, have command options that they run in the background. Install Office XP without user interaction, e.g. B. with the command line option /qn. Also use this method to install software or run programs that interact with the current console user's profile, since this method affects only the user you entered in the Run As field. In other words, install applications that perform per-machine installs or run programs that interact with HKLM.
AutoLogon This is my preferred method when I don't have a software management infrastructure to deploy software: I use AutoLogon. This is the same feature that allows you to configure files as described in Chapter 12, “Deploying with Response Files,” but you can deploy. Table 15-2 describes the settings you must configure for AutoLogon. To use this feature, you must set the REG_SZ value AutoAdminLogon to 1. Then set the REG_DefaultUserName to the account you want to use and the REG_SZ value DefaultPassword to the account's password. If the username does not include the domain, set REG_DefaultDomainName to the name of the domain that authenticates the account. Remember that 311 recommends using the domain admin account with this technique. Instead, you can use the local administrator account, which is always available. The last value you set is the AutoLogonCount REG_DWORD value. Set this value to the number you want to automatically log on to Windows XP with. Table 15-2: Configuring Autologon Setting Name Type Data HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Enable Autologon AutoAdminLogon REG_SZ 0 | 1 Username DefaultUserName REG_SZ User domain name DefaultDomainName REG_SZ Domain User password DefaultPassword REG_SZ Password Number of logons to Windows XP AutoLogonCount REG_DWORD N HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Program to run Name REG_SZ Command How it works. When the AutoAdminLogon value is 1 and the AutoLogonCount value is 1
not 0, Windows XP automatically logs on to the computer using the credentials specified in the DefaultUserName, DefaultDomainName, and DefaultPassword values. The operating system then decreases the value in AutoLogonCount. When AutoLogonCount reaches zero, Windows XP removes the AutoLogonCount and DefaultPassword values from the registry and no longer automatically logs the user on. The final step is to place the command to be run in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. Because you put this command in the RunOnce key, Windows XP runs this command once and then removes the value from the registry. Each value in RunOnce is a command. The name of each REG_SZ value doesn't matter, but you store the command line you want to run in it. An example will put everything together for you. I want to deploy an application to a computer, but the users in my organization are restricted and can't install it. I would configure the values described in Table 15-2 so that the operating system automatically logs the domain administrator on to the computer when the current user logs off or when Windows XP is restarted. I know that the application will restart the computer once during the installation process, so I need to set AutoLogonCount to 2. The first time Windows XP logs the user on, the setup program starts, and the second time, the setup program continues. The script shown in Listing 15.5 shows one way to automatically configure Windows XP for this scenario. Listing 15-5 Install.inf [Version] Signature=$CHICAGO$ [DefaultInstall] AddReg=Reg.Settings [Reg.Settings] HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,AutoAdminLogon,0,"1" HKLM ,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,default username,0\
312 HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,DefaultPassword,0\ ," PASSWORT" HKLM,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,AutoLogonCount\ ,0x10001,0x02 HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion \RunOnce,Setup,0\ ,"\\Server\Share\Setup.exe"
The last thing to know about this technique is that after Windows XP automatically logs the user in and the task is complete, you want to log the account off the computer. Otherwise, you leave Windows XP vulnerable because anyone walking by the computer has access to the account you're using. The Windows XP Support Tools you
from the Windows XP CD in the Support\Tools folder contain a utility called Shutdown. After installing the application, run the shutdown -l command to log the user out of Windows XP. To restart the computer, run shutdown -r. To chain the application setup program to the Shutdown command, use a batch file and the Start command with the /wait switch, which allows you to run programs synchronously one after the other. To view the command-line options for the shutdown command, type shutdown /? at the command prompt. Type start /? to display the options for the start command.
Separating File Associations There are two scenarios where separating the default file associations is useful for IT pros. The first is if you're worried about users accidentally running scripts they receive as email attachments. If you don't have a virus filter on your mail server and aren't using a mail client like Outlook 2002 that blocks dangerous attachments, you can break the links between the script files' extensions and the program class that opens them. Appendix A, "File Associations," describes how Windows XP associates file extensions with program classes. In the first scenario, you would break the file association between the .vbs and .js file extensions and Windows Script Host. To do this, delete the default values of HKCR\.vbs and HKCR\.js. However, this is not foolproof as you cannot break other dangerous file associations without affecting users' ability to use the operating system. The second common scenario is deploying Office XP in coexistence scenarios. For example, if you need to keep Microsoft Access 97 running until you migrate those databases to Microsoft Access 2002, you can block the Access 2002 installation until a later date. However, some organizations are deploying Access 2002 to coexist with Access 97. Technically this scenario works, but you have to take care of your license agreement. The problem with this scenario is that the default file association for the .mdb extension is Access 2002, which is usually not appropriate. Instead, you should restore the association to Access 97. Better yet, to avoid confusion, do not associate the .mdb file extension with any program class. To do this, delete the
Default value HKCR\.mdb, and then teach users to use one of the following methods to ensure they open each database in the correct version of Access: First, open one of the two versions of Access, and then open the Database about the file menu. • Create a shortcut for each database file that opens the file in the correct version of Access. Note In the second scenario, you want to prevent Access 2002 users from accidentally converting compatible databases to the Access 2002 file format. They achieve this • 313 them. Make sure you enable the Don't prompt to convert older databases policy to prevent accidental database conversions.
Deploy Office XP from Trusted Sources If you're deploying Windows XP, chances are you're deploying Office XP. And when deploying Office XP, chances are you're concerned about security. The security best practices that Microsoft mandates rightly protect your business from most macros. These best practices consist of first setting the security level for all Office XP programs to High, which means users can only run signed macros from trusted sources, and then locking down trusted sources so users cannot add anything. But how are users supposed to work if they can't run macros and add sources to the trusted sources list? When a user opens a document that contains signed code, enables those macros, and adds the source to the trusted sources list, HKCU\Software\Microsoft\VBA\Trusted stores those certificates. To allow the user to add sources to the Trusted Sources List, distribute the Trusted Sources List with Office XP. The deployment tools don't provide a user to do this, so here's my solution: create a document that contains code, and then sign the code with a certificate for deployment. Repeat for each certificate. 1. Install Office XP on a lab computer and set the security levels to High. 2. Open each document that contains a certificate that you want to deploy. Enable the macros, and then add the source to the trusted sources list. Figure 15-6 shows an example. Figure 15-6: Strong security combined with code signing protects your business viruses. 3. Export the HKCU\Software\Microsoft\VBA\Trusted key to a .reg file and include the file in your deployment. Chapter 14, "Deploying Office XP Settings," describes how registry settings work with Office XP. 4.
Enable remote desktop remotely 314 single monitor and keyboard. In a corporate environment, Remote Desktop allows them to connect to their desktop computers from any other computer in the organization. It also allows administrators to remotely manage computers and even install software on remote computers. My main problem with Remote Desktop is that Windows XP doesn't enable it by default. You need to enable it on your disc image or enable it through the System Properties dialog box, Start, Control Panel, Performance and Maintenance, and System. On the Remote tab, select the Allow users to connect to this computer remotely check box.
I have a better solution. Use Regedit to edit the remote computer's registry. Change the REG_DWORD value fDenyTSConnections to 0x00 in the HKLM\SYSTEM\CurrentControlSet\ \Terminal Server key. Setting this value to 0x01 disables Remote Desktop. After this value, you can log on to the computer using Remote Desktop. The account editing this setting must belong to the remote computer's local Administrators group.
Customizing the Windows XP Logon I'll conclude this chapter by showing you how to customize the Windows logon process. First, I want to show you how to customize the screen saver that Windows XP uses to display the Windows logon dialog box. There is no user interface to configure Saver. However, you can change it in the HKU\.DEFAULT \Control Panel\Desktop key. value of SCRNSAVE.EXE to the name of the screen saver file you want to use. The default Logon.scr, which is the logon screensaver. If you want to use the Starfield screen saver, set SCRNSAVE.EXE to Ssstars.scr. The second adjustment is a bit more serious. Businesses often want to display a usage policy when users log on to their computers. You can do this by setting REG_ LegalNoticeCaption to the caption you want to display in the window's title bar and the LegalNoticeText value to the text you want to display in the window. Both values are HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. For example, Company Policy LegalNoticeCaption and Company Policy LegalNoticeText ban this computer from actual work. 315
Appendix List Appendix A: File Associations Appendix B: Per User Settings Appendix C: Per Computer Settings Appendix D: Group Policies
Partial Overview The appendices in this part describe how Windows XP organizes the registry. They also contain some of the more interesting registry settings. They don't describe all the important settings, but they give you the information you need to find your way around. Both power user experts can use this information as a guide to help them navigate through the thousands of settings that the registry contains. 316
Overview Most of the registry's contents reside in HKCR, which is where Microsoft Windows XP maps and class registries are stored. These settings associate different types of file programs that they can open, edit, and print. They also register various classes of programs that Windows XP can use to create objects. Many of the adjustments I make regularly are simple. For example, I like to add commands to the file association for folders so I can open a command prompt with the selected folder as the current working directory. I have commands to the My Computer object so I can quickly access the Registry Editor (Regedit) UI. Once you master the content of HKCR, the possibilities for tweaking Windows XP the way you want are limitless. The HKCR root key is many times more complex than it was in the Microsoft 95 days when I wrote my first registry book. I won't even try to describe all the values you will find in HKCR. Instead, I'll describe the most useful subkeys and values
can customize Windows XP using the same techniques I use.
Merge Algorithm Recall from Chapter 1, "Learning the Basics," that before Microsoft Windows 2000, HKCR was a link to HKLM\SOFTWARE\Classes, but it's more complicated that Windows XP merges HKLM\SOFTWARE\Classes and HKCU\Software\Classes . The data is standard file associations and class registrations, while the data in HKCU is per-associations and class registrations. HKCU\Software\Classes is actually a link to HKU\SID that Windows XP loads when it loads the profile structure into HKU\SID. If both branches have the same value, the value in HKCU\Software\Classes has higher priority and gets the value in HKLM\SOFTWARE\Classes. Chapter 1 described the benefits of this merging algorithm, but in short, it allows users to use applications and use file associations that do not interfere with other users. Thus, two users of the computer can use two different programs to edit the same types of files. When you create a new key in the root of HKCR, Windows XP actually creates HKLM\SOFTWARE\Classes. Windows XP does not provide any user interface other than Notepad to add class registrations to HKCU\Software\Classes as the intent is to register program classes per user. If you edit an existing program class, the change will be reflected in HKLM or HKCU, depending on where the program class already exists in both places, Windows XP only updates the version in HKCU.
File extension keys Files containing certain types of data usually have the same file extension. For Microsoft Word 2002, documents have the file extension .doc. Although three characters is the norm, extensions can be longer. Files with the same extension are members of the 317 menu or even specify a custom icon that Windows Explorer uses for that file type. File associations consist of two parts. The first is a file extension key, HKCR\.ext. When Windows needs information about a file type, it looks for that key. The default value of the file extension contains the name of the program class associated with it, this is the second part. Classes are located in HKCR\progid, where progid is the program ID of the application. The default progid contains the application's friendly name. For example, the file extension key defaults to txtfile. Look for the associated program class in HKCR\txtfile. There you will find the text file description. Figure A-1 illustrates this relationship with the .ani file Figure A-1: The default values of file extension keys associate these keys with programs File extension keys can have a variety of subkeys and values. The following list describes common: PerceivedType. This REG_SZ value indicates the perceived type of the file. Only Windows version of Windows that uses this key. See "PerceivedType" below, information. • Content Type. This REG_SZ value specifies the MIME type. • OpenWithProgids. This subkey contains a list of alternative program classes associated with the file extension. Windows XP displays these programs in the Other Programs Open With dialog box. • OpenWithList. This subkey contains one or more keys named Applications that appear in the Recommended Programs section of the Open With pane. For more information, see "OpenWithList" later in this appendix. •
ShellNew. This subkey defines a template from which Windows XP creates a new user who selects this file type in the New menu. For more information, see ShellNew later in this appendix. •
OpenWithList Sometimes users want to open files with applications that are not associated with the file example. A user may want to open a document in WordPad instead of Microsoft Word 318. The applications you see in the Open With dialog box are registered in HKCR\Applications . contains a subkey for each application, and the subkey bears the name of the executable. You can prevent Windows XP from displaying an application in the dialog box by adding the NoOpenWith REG_SZ value to HKCR\Applications\program .exe.
PerceivedType Perceived types are similar to file types, except that perceived types refer to general categories of format types rather than specific file types. Think of them as super guys. Images, text files, audio files and compressed files are perceived. In Windows XP, you can recognize any file type. For example, the file extensions .bmp, .png, .jpg are perceived as image files. Windows XP defines several perceived file types. In the file extension, set the REG_SZ value PerceivedType to one of the following values: Image • Text • Audio • Video • Compressed • System •
ShellNew When users right-click in a folder and click New, they see a list of the template files they have in the folder. You can add additional file templates to the New menu. First make HKCR contains a file extension key for the type of file you are creating. Then create the subkey under the file extension key. For example, to define a template for files with an extension, create the key HKCR\.inf\ShellNew. Then in ShellNew create one of the values: Command. Runs an application. This is a REG_SZ value command to be executed. For example, you use a command to start a wizard. • Data. Creates a file with specified data. This is a REG_BINARY value that contains the file's data. Windows XP ignores this value if either NullFile or FileName is present. • File name. Creates a file that is a copy of a specified file. This is a REG_SZ containing the path and name of the file to copy. If the file is in the user profile folder, you can omit the path. • Null file. Creates an empty file. This is a REG_SZ value that contains no data. NullFile exists, Windows XP ignores Data and FileName. •
program class key
Program classes define a program and its associated behaviors. Program classes HKCR\progid, where progid is a program identifier. For example, HKCR\txtfile is a program that associates Windows XP file extension keys with program classes using the file extension default values. The default value of the program class contains the user-friendly correct format of a program ID of the class and is application.component.version. Example: Word.Document. 319 program classes contain the following values and subkeys: AlwaysShowExt. This empty REG_SZ value specifies that Windows Explorer should always show the file extension even if the user has hidden it. • CurVer. The default value of this subkey contains the program ID of the latest version. • Default Icon. The default value of this subkey is the default icon that Windows XP displays for files associated with this program class. This value can be either a REG_SZ or REG_EXPAND_SZ string, but it must use the format file,index, where file is the path and name of the file containing the symbol, and index is the symbol's index in the file. Optionally, if you know the exact resource ID, you can use the file,-resource format. For more information, see DefaultIcon on the facing page. • FriendlyTypeName. This REG_SZ value is the display name for the program class. This value is displayed in Windows Explorer. In Windows XP, this value replaces the program class default value that previous versions of Windows still use and that Windows XP retains for backward compatibility. Nevertheless, the default value of the program class and this value should remain the same for reasons of consistency. Windows XP often specifies a resource instead of a string in this value. The format is @file,index or @file,resource. • Edit flags. This is a REG_DWORD value that controls how Windows XP handles file classes associated with this program class. You can also use the EditFlags value to control users' ability to modify certain aspects of these file classes. For more information, see EditFlags later in this appendix. • Info tip. This REG_SZ value contains a short message that Windows XP displays for this program class when users position the mouse pointer over an associated file or folder. This value can be a string or a resource as described for the FriendlyTypeName value. • IsShortcut. This empty REG_SZ value indicates that the file is a shortcut. Windows Explorer displays the shortcut overlay over the file's icon. • NeverShowExt. This empty REG_SZ value specifies that Windows Explorer should never display the file extension, even if the user has configured Windows Explorer to display file extensions for known types. • Sleeve. This subkey contains commands (called verbs) defined for the program class. For example, the txtfile program class defines the commands for opening and printing text
files. For more information, see "Shell" later in this appendix. This is at the heart of most customizations you make in HKCR. • Special program classes The directory, drive and folder program classes are specialized program classes that can be easily adapted. The organization of these program classes is like any other. They contain shell subkeys that you can customize to add, change, and remove the commands you see in their context menus. The trick is to know which program classes apply to which types of objects: Directory. This program class applies to any normal folder that you can view in Windows Explorer. • Journey. This program class only applies to drives that you see under "My Computer". • Folder. This program class applies to all system folders, drives and other folders that you can view in Windows Explorer. • The Folder program class is the most comprehensive. It contains all folders and all special system folders such as Control Panel, My Computer, etc. So this is usually the program class called 320
DefaultIcon Windows XP provides default icons for each type of object you see in Windows Explorer. This includes files, drives, etc. You can customize these icons as described in Chapter 4, Hacking the Registry. The DefaultIcon value of each file class contains the path and name of the file containing the icon. You can assign an icon file with the .ico extension to this value, or you can assign an icon from program files with file, index, or file, resource formats. index is an incremental index number of a resource, and resource is a specific resource ID. To do this, you need to know either the relative position of an icon in a file or the exact resource ID of the icon. To find this value you can use a third party resource editor, many of which are shareware tools that you can download from your favorite shareware website.
EditFlags The EditFlags REG_DWORD value gives you some control over the behavior of a program class. You can also use it to restrict how users can change a program class. Each bit in this value represents a different setting, and Table A-1 describes each bit mask. See chapter 1,
"Learn the Basics" to refresh your memory on using bitmasks. Table A-1: Bits in EditFlags Bitmask Description 0x00000001 Excludes the file class. 0x00000002 Displays file classes such as folders that are not associated with a file extension. 0x00000004 Indicates that the file class has a file extension. 0x00000008 Prevents users from editing the registry entries associated with this file class. You cannot add new entries or change existing entries. 0x00000010 Prevents users from deleting the registry entries associated with this file class. 0x00000020 Prevents users from adding new verbs to the file class. 0x00000040 Prevents users from changing verbs. 0x00000080 Prevents users from deleting verbs. 0x00000100 Prevents users from changing the description of the file class. 0x00000200 Prevents users from changing the icon assigned to the file class. 0x00000400 Prevents users from changing the default verb. 0x00000800 Prevents users from changing the commands associated with verbs. 0x00001000 Prevents users from changing or deleting verbs. 0x00002000 Prevents users from changing or deleting DDE-related values. 0x00008000 Prevents users from changing the content type associated with this file class. 0x00010000 Allows users to safely use the file class open verb on downloaded files. 0x00020000 Disables the Never Ask check box. 0x00040000 Specifies that the file class filename extension is always displayed, even if the user hides known file extensions in the Folder Options dialog box. 0x00100000 321 Specifies that members of this file class are not added to the Recent Documents folder.
Shell file classes contain verbs, which are commands that Windows XP runs to perform specific actions. Verbs refer to the context menus you see when you right-click a file. Each item in the context menu is a verb. The verbs of a program class reside in HKCR\progid\Shell, which contains a subkey for each verb. For example, HKCR\txtfile\Shell contains the open and print subkeys, which are the Open and Print verbs. The shell key's default value specifies the name of the default verb. For example, if the shell's default value is edit, this indicates that the edit subkey is the default verb. If Shell's default value is blank, Windows XP uses the open verb. If this verb is missing, the first verb is used as the default. Figure A-2 shows an example that associates the shell key with context menus. Figure A-2: This figure shows the relationship of the verbs of a program class to the context menu.
Canonical verbs are built into the operating system. Examples of canonical verbs are open, edit, and print. The special thing about canonical verbs is that Windows XP automatically translates them into different languages if necessary. The following list shows typical canonical verbs, some of which are special verbs that users don't see in menus: Edit. This is usually the same as Open, but allows the user to edit the contents of the file. • Discover. This will open the selected folder in Windows Explorer. • Find. This will open the Search Companion with the selected folder as the default search location. • Open. This is usually the standard verb that opens a file in its associated application. • Open as. This will open the Open With dialog box. • To play. This indicates that the contents of the file will be opened and played instead of just opening the file and waiting for the user to play it. • To press. This will cause the application to print the contents of the file and exit. Applications should display as little user interface as possible. • Print to. This is a special verb that supports drag and drop to printers. Users do not see this verb in context menus. • Preview. This allows users to preview files without having to open or edit them. An example is previewing images instead of opening them to edit them. • Characteristics. This opens the Name Properties dialog box. • Race like. This is a special verb that allows users to open a file or run an application in the context of another user. You can see this verb in context menus by holding down the Shift key while right-clicking the file. • 322 Changing the default verbs. To add verbs to a program class, create a new subkey for that key. The new subkey is HKCR\progid \Shell\ verb. Then set the default value of the verb to be displayed in the context menu. You can precede any character in the description with an ampersand (&). For example, Open in &WordPad makes the letter for that verb. Add the subkey command to the verb and set its default value to the command to run when you select that verb. Figure A-3 shows an example. Figure A-3 Add additional verbs to a program class by creating new subkeys in the shell. The command's default value needs some explanation. First, if the program file path and name contain spaces, you should enclose the command in double quotes. Second, %1 as a placeholder for the filename you right-clicked. For example, assume the Notepad "%1" command. If you right-click on C:\Sample\Text.txt, the Notepad command is "C:\Sample\ Note that you should always put %1 in quotes for the filename command to work. You will see extended verbs only if you press Shift while right-clicking a file.Extended verbs are a handy way to clean up clutter from context menus.For example, you can hide extended verbs that you don't use often in context menus , by hiding them behind the Shift key to make a verb an extended verb verb, add the empty REG_SZvalue extended to the verb subkey verb.
Special Keys When Windows XP queries a file association, it examines the following keys in the following order: Locations lower in the list have higher precedence than locations with higher HKCR\ programs. This is the program class associated with the default value of the file extension key. • HKCR\SystemFileAssociations. This key defines perceived file types and commands with each. For more information, see "SystemFileAssociations" later in this appendix. • HKCR\*. This is the base class for files of all kinds. You see the commands in the context menus of all files. • HKCR\AllFileSystemObjects. This button defines commands for all files and standard, this button only adds the Send To item in context menus. • The following sections describe some of the keys in the previous list and are useful for customizing Windows XP. Specifically, the SystemFileAssociations section on how to customize the commands you see for files that are perceived as a specific type. Applications describes how to customize the Open With dialog box and more. 323 To show an application in the Open With dialog box, that application must be HKCR\Applications. Each subkey in Applications bears the name of the executable. For Notepad is located in HKCR\Applications\Notepad.exe. You must also add the OpenWithList key extension key as described earlier in this appendix. You can find combinations of the following and subkeys in the program's subkeys: NoOpenWith. This blank REG_SZ value indicates that Windows XP should program into the Open With list. • FriendlyAppName. This REG_SZ value contains the application's display name. may contain a string, but more likely it contains a value of the format @file,-resource, file is the name of the program file containing the string identified by resource. • Supported Types. This subkey contains a list of file extensions, including the leading ones, indicating what kind of files the program can open. For HKCR\Applications\mplayer2.exe\SupportedTypes contains the empty REG_SZ and .mp3, indicating that the program can open files with these file extensions. filters the Open With list. •
SystemFileAssociations The HKCR\SystemFileAssociations key is a cool way to customize context menus for their perceived purpose. For example, you can customize the verbs you see for all that are perceived as text files, or all files that you perceive as image files. HKCR\SystemFileAssociations contains subkeys for the different perceived types that you can evaluate PerceivedType against. You learned about this value in PerceivedType earlier in this document. So setting PerceivedType in a file extension key maps the filename extension commands in that key. For example, if you set the PerceivedType value in HKCR\.inf to display the commands in HKCR\SystemFileAssociations\text in the context menu of any .inf extension. Perceived types in SystemFileAssociations include Audio, Image, System,
and videos. However, you can add additional perceived types to SystemFileAssociations. The organization of HKCR\SystemFileAssociations\type is the same as for the program classes discussed in the Program Class Keys section earlier in this appendix.
Unknown When users try to open files whose extension is not registered in HKCR, Windows returns HKCR\Unknown. By default, the only verb in Unknown\Shell is Open As. Windows XP displays the "Open With" dialog box for unknown file types.
COM Class Key The HKCR\CLSID key contains COM class registrations. HKCR\CLSID\ clsid is an individual registry, where clsid is the class ID of the class, which is a GUID. See Chapter 1, "Learning Basics" to learn more about GUIDs. The default value of each class registry contains the name of the class, but that's not so friendly. There is not much to customize in HKCR\CLSID. Register these classes when you install them so that they can create objects from these classes. Class registries sometimes contain the same subkeys as program classes in 324 because they are in the programmer's domain and are not useful to a power user or IT professional customizing Windows XP. However, it is useful to know the class ID of specific COM classes to customize other parts of the registry. For example, if you add some classes to the namespace, you can customize the objects that appear in it. You can also use this to hide icons you see in My Network Places. Chapter 4, "Hacking the Registry," describes how to show and hide desktop icons with these class IDs. Therefore, Table A-2 lists most COM classes that are in HKCR\CLSID. Table A-2: Special Classes in HKCR\CLSID Object Class ID Shell Folder ActiveX Cache {88C6C381-2E85-11D0-94DE-444553540000} Computer Search Results {1F4DE370-D627-11D1-BA4F-00A0C91EEDBA} History {FF393560-C2A7-11CF -BFF4-444553540000} Internet Explorer {871C5380-42A0-1069-A2EA-08002B30309D} My Computer {20D04FE0-3AEA-1069-A2D8-08002B30309D} My Documents {450D8FBA-AD25-11D0-98A8-08002B3 Documents {450D8FBA-AD25-11D0-98A8-08092B3} MyADF25 11D0-98A8-036}1 My2C036 Netzwerk16D8036 3AEA-1069-A2D7-08002B30309D} Offline Files {AFDB1F70-2A4C-11D2-9039-00C04F8EEB3E} Programs {7BE9D83C-A729-4D97-B5A7-1B7313C39E0A} Recycle Bin {645FF040-5081-101B -9F08-00AA002F954E} Search Results {E17D4FC0 -5564-11D1-83F2-00A0C90DC849} Freigegebene Dokumente {59031A47-3F72-44A7-89C5-5595FE6B30EE} Startmenü {48E7CAAB-B918-4E58-A94D-505519C795DC} Temporäre Internetdateien {7BD29E00-76C1- 11CF-9030}4.030 Web.030 Web.030 {BDEADF00-C265-11D0-BCED-00A0C90AB50F} Control Panel Administration folder {D20EA4E1-3957-11D2-A 40B-0C5020524153} Fonts {D20EA4E1-3957-11D2-A40B-0C5020524 152} Network Connections {7007ACC7-3202-11D1-AAD2-00805FC1270E} Printers and Faxes {2227A280-3AEA-1069-A2B3030092}
Scanners and Cameras {E211B736-43FD-11D1-9EFB-0000F8757FCD} Scheduled Tasks {D6277990-4C6A-11CF-8D87-00AA0060F5BF} Control Panel Icons Folder Options {6DFD7C5C-2451-11D3-A299-00C04F8EF6AF} Menu -11D3-A299-00C04F8EF6AF FF21-4412-828E-260A8728E7F1} User Accounts {7A9D77BD-5403-11D2-8785-2E0420524153} Other Add Network Places {D4480A50-BA28-11D1-8E75-00C04FA31A86} Briefcase {85BBD920-42A0-1069- A2E4-08002B30309D} E-mail {2559A1F5-21D7-11D4-BDAF-00C04F60B9F0} Help and Support {2559A1F1-21D7-11D4-BDAF-00C04F60B9F0} 325 Internet {2559A1F4-21D7-11D4-BDAF-00C00} Network Setup Wizard {2728A-04C8A-00C04C8A-0} -316B684C4EA7} Run {2559A1F3-21D7-11D4-BDAF-00C04F60B9F0} Locate {2559A1F0-21D7-11D4-BDAF-00C04F60B9F0} Windows Security {2559A1F3-21D1D7-BDAF2-12D1D7F2-1D1D7F2 -00C04F60B9F0} 326
Overview Chapter 4, "Hacking the Registry" and Chapter 15, "Workaround IT Problems", many useful registry settings. This appendix describes most of the settings in the Microsoft Windows XP registry. The settings in this appendix are per user; You are in HKCU. The root key HKLM contains settings, but the settings in HKCU are more interesting because they often deal with deployment and customization. Also, many of my favorite IT hacks tend to reside in HKCU because they affect individual user behavior rather than the entire computer configuration. to describe each setting in HKCU by the way. Even if I could figure out every setting, it would take hundreds of pages to document them all. Instead, I focus on the most interesting settings in the registry with a dab of just plain cool settings thrown into the mix. The resources I've used to determine these settings vary. Often I only know what does from experience. Other times I've used Microsoft's Developer Network, Knowledge Resource Kits. When I'm really desperate for a setting, I install the Windows Development Kit and then look for the setting in the header files, which gives surprising results. The headings in this appendix follow the organization of HKCU to make information easier to find. So you see top-level headings for HKCU\Control Panel and so on. This appendix describes the relationship of HKCU to HKU and the profile hits that the operating system has however. For more information on this relationship, see Chapter 1, "Learning the Basics."
AppEvents Windows XP associates sounds with specific events. Most notable are the sounds when you log in or out of the operating system. In the sounds and audio devices shown in Figure B-1, you assign sounds to various events, minimize windows, open menus, and so on. To open this dialog box, click Start; Switchboard; sounds, speech, audio devices; Sounds and Audio Devices. Figure B-1 shows which AppEvents subkeys contain the values of this dialog box. Many applications also associate sounds with certain events. Because you can download and install sounds for use with Microsoft Office XP. Provide these sounds
Feedback I missed if they are not available. If you don't like the sound produced by this event, you can change the sound file associated with it. For example, you can create a custom recording that says "You got spam!" and associate this sound file with Messenger's New Mail event. Figure B-1: Associate sounds with events using the Sounds and Audio Devices property panel. These events and their associated sounds are located in HKCU\AppEvents. There are subkeys in AppEvents. The first is EventLabels, which contains a subkey for each event. The subkey's default value is the name of the event as you see it in the Control Panel. The schemes. This is the more interesting subkey as it actually maps to sound file events. You can customize AppEvents, but it's not worth the extra effort. Configure much easier from the control panel. My suggestion is that you configure your sounds as is and then export AppEvents to a .reg file that you can use to configure sounds. Just make sure the sound files are available when using the REG file on another. You can find all these sound files in %SYSTEMROOT%\media.
Console The HKCU\Console key contains the default configuration for the MS-DOS command (console subsystem). This is the environment that hosts all character mode applications. Change the console settings, click the system icon (top left of the window) and click Properties. After changing the properties, Windows XP will prompt you to change the default settings or save the settings for console windows with the same title: If you change the default settings, the operating system saves this HKCU\Console. • If you save the settings for console windows with the same title, the operation creates the subkey HKCU\Console\Title, where Title is the title of the window, and custom settings in it (see Figure B-2). • 328 Figure B-2: Each subkey in Console is the title of a customized console window. This key is typically only visible after launching a command prompt from the Run dialog box. As with AppEvents, there is rarely a good reason to adjust these settings directly. It's a cool hack and there is one user interface available for all these settings. What's cool is that you have your console windows configured the way you want them. You can export the console file. Then, the next time you install Windows XP, import the .reg file to restore your console. You will never configure a command prompt again.
Control Panel The HKCU\Control Panel key offers a wealth of customization options. This is where Windows XP saves most of the settings you configure in the Control Panel. Most of the subkeys are Desktop and Mouse. The following list gives you an overview of what's in subkeys, and I describe the desktop and mouse subkeys in more detail in the following sections: Accessibility. This subkey stores accessibility settings that you set in the Accessibility Options dialog box. To open this dialog box, click Start, Control Panel, Accessibility. The names of the values are self-explanatory and you can easily assign them to the user. •
Looks. This subkey contains values for each scheme that you see in the Display Properties Appearance dialog box. To open this dialog box, click Home, Control Appearance and Themes, Display. Customizing themes in the registry is too cumbersome and reliable, so stick with the UI. • Colours. This subkey defines the color of each element in the Windows XP user ActiveBorder defines, for example, the color of the border of each active window. Any REG_SZ value that contains three decimal numbers that match the notation. • Currently. Windows XP does not use this subkey. • Cursors. This subkey contains values that associate the name of a mouse pointer that contains the mouse pointer. The file has the extension .cur, or if the pointer is the extension .ani. The name of the value is the name of the pointer. The default value of this key contains the name of the current pointer scheme. You don't see any values because you adjusted your pointers in the Pointer dialog box. To open the Pointer dialog box, click Start, Control Panel, Printers and Other Hardware, Mouse. • 329 0xFFFFFF. Writing desk. See "Desktop" on the facing page. • do not load. This subkey specifies which control panel files to load. Windows doesn't load the values in to decide whether to show the file in Control Panel. The system searches for a value whose name matches the file. If the REG_SZ value, the operating system displays the file's icon in Control Panel; Otherwise the icon will not be displayed. • International. This subkey contains a value called Locale, which contains the ID of the locale. See Intl.inf in %SYSTEMROOT%\Inf for a list of available locale IDs. this setting in the Regional and Language Options dialog box. To see this dialog Start; Switchboard; date, time, language and regional options; Regional and options. You will see many other values in this subkey that define settings like currency symbol, date format, list separator, etc. • keyboard. This subkey stores options configured in the Keyboard Properties dialog box. Display the Keyboard Properties dialog box, click Start, Control Panel, Printer Hardware, Keyboard. The most interesting value in this subkey is REG_ InitialKeyboardIndicators. If the value is 0, Windows XP turns NUMLOCK off, if the value is 2, the operating system turns NUMLOCK on. The operating system's current state of NUMLOCK in this value when users log off the computer or restart the computer. • Mouse. See “Mouse” later in this appendix. • PowerCfg. This subkey defines the schemes you see in Power Options. To open the Power Options dialog box, click Start, Control Panel, Performance Maintenance, Power Options. The CurrentPowerPolicy REG_SZ value specifies the power scheme. You can find this scheme in PowerCfg\PowerPolicies. • Screensaver.Name. These subkeys contain settings that are unique to each screen saver. the name of the screensaver. •
Sound. This subkey contains the REG_SZ value Beep, which specifies whether XP beeps on errors. The operating system beeps on errors when this value is Yes. •
Desktop The values in HKCU\Control Panel\Desktop control many aspects of the Windows interface. Many of them do not have a user interface to configure them, but there is a lot of potential for operating system customization in this subkey. The following describes these values: ActiveWndTrkTimeout. This REG_DWORD value specifies the time, in milliseconds, that the mouse pointer must remain over a window before Windows XP activates the window. The default value is 0. • AutoEndTasks. This REG_SZ value determines whether the Windows XP operating system automatically logs off or shuts down when users log off. If the value is 0, the system does not automatically terminate processes; Instead, it waits for the HungAppTimeout to expire and then displays the End Task dialog box. When the value operating system terminates processes automatically. • CaretWidth. This REG_DWORD value specifies the width of the blinking caret. The value is 1. By default, this value is not in the registry. • CoolSwitch. Windows XP does not use this value. • CoolSwitchColumns. This REG_SZ value determines how many columns of icons are displayed in the Task Switcher (Alt+Tab). The default value is 7. • CoolSwitchRows. This REG_SZ value determines how many rows of symbols you allow • 330 to elapse between each blink of the selection cursor. The default value is 530, which is more than half a second. DragFullWindows. This REG_SZ value determines whether users see windows when they drag them. The default value is 1, which means users see the entire window when dragging. Set this value to 0 to only see window outlines. • Drag height. This REG_SZ value specifies the height of the rectangle that determines the start of a drag operation. The default is 4. • DragWidth. This REG_SZ value specifies the width of the rectangle that determines the start of a drag operation. The default is 4. • FontSmoothing. This REG_SZ value determines whether Windows XP smoothes edges of large fonts using anti-aliasing techniques. The default value is 0, which means font smoothing. To enable font smoothing, set it to 2. • ForegroundFlashcount. This REG_DWORD value specifies the number of times the taskbar button blinks to get the user's attention. The default value is 3. When the timeout in ForegroundLockTimeout expires without user input, Windows XP automatically switches to the foreground. • ForegroundLockTimeout. This REG_DWORD value specifies the time in milliseconds
must elapse since the last user input before Windows XP allows Windows to come to the foreground. The default value is 200000 (200 seconds). • Grid granularity. Windows XP does not use this value. • HungAppTimeout. This REG_SZ value controls how long Windows XP waits to exit when users click the End Task button in Task Manager. When the expiration expires, Windows XP displays the End Task dialog box, notifying the user that they did not respond to the request. The default is 5000 or five seconds. • LowPowerActive. This REG_SZ value indicates the status of the low power alarm. Value is 0, no alarm will be activated when battery power is low. This is the default value. 1, an alarm will be activated when the battery power is low. This value only affects computers using Advanced Power Management (APM). • LowPowerTimeOut. This REG_SZ value determines whether a low power timeout has the value 0 and the timeout is not set. This is the default value. If this value is 1, this value only affects computers that use Advanced Power Management (APM). • MenuShowDelay. This REG_SZ value determines the time, in milliseconds, between the user pointing to a menu and Windows XP displaying it. Value is 400, which is almost half a second. • Paint desktop version. This REG_DWORD value determines whether Windows has its version and build number on the desktop. The default is 0, which is not the version. Set this value to 1 to display the version of Windows XP on the desktop. • Sample. This REG_SZ value defines a two-color, 8 pixel by 8 pixel bitmap used background. The default is an empty string. To define a bitmap, set this value to B3 B4 B5 B6 B7 B8. BN is an 8-bit binary number representing a series of 8 pixels. Bits that are 0 show the background color, while bits that are 1 show the foreground color. • ScreenSaveActive. This REG_SZ value determines whether the user has a screen saver. The default value is 1, indicating that a screen saver is active. Set to 0 to indicate no screen saver is active. • ScreenSaverIsSecure. This REG_SZ value has a default value of 0. This value whether the screen saver is password protected or not. A value of 1 indicates that the saver is password protected; 0 indicates that it is not protected. • ScreenSaveTimeOut. This REG_SZ value specifies the time in seconds that the must remain idle before the screen saver starts. The default value is 600, which is 10 minutes. • SCRNSAVE.EXE. This REG_SZ value has no default value. This value indicates • 331 TileWallpaper. This REG_SZ value specifies how the background image is formatted on the screen. If the value is 0, Windows XP centers the background image. This is the default value. If the value is 1, Windows XP tiles the background image. • WaitToKillAppTimeout. This REG_SZ value specifies the time, in milliseconds, that Windows XP waits for processes to end after users log off or shut down Windows XP. if
When the timeout expires and processes are still running, Windows XP displays the End Task dialog box unless you have set the AutoEndTasks value to end processes automatically. The default value is 20000, which is 20 seconds. • Background. This REG_SZ value is the path and filename of the image to use as the background image. The default is an empty string. You don't need to specify the path if the file is in %SYSTEMROOT% or %SYSTEMROOT%\System32. If you want to include a background image in a default user profile, copy the image file to the user profile folder and then specify the full path in this value. • Background style. This REG_SZ value determines how the background image is displayed on the desktop. The default is 0, which centers the bitmap on the desktop. Set this value to 2 to stretch the background image. • WheelScrollLines. This REG_SZ value specifies the number of lines to scroll one notch for each revolution of the mouse wheel when users are not using modifier keys such as Ctrl or Alt. The default value is 3. To disable wheel scrolling, set this value to 0. • I left the UserPreferencesMask value out of the list because it represents some of the most interesting and useful ways to customize Windows XP. It's also more complicated than other values in the list because it's a bitmask containing a large number of settings in one value. Recently, Microsoft has steered clear of using large bitmasks like this, preferring REG_DWORD values that you set to 0x00 to disable a feature and 0x01 to enable a feature. However, this value is a holdover from previous versions of Windows. It's a 4-byte REG_BINARY value, which could just as easily be a REG_DWORD value. The default value is 0x80003E9E, which makes more sense if you know what the different bits in that value represent. Table B-1 describes each bit. Since this is a REG_BINARY value, count the bits from left to right, starting with 0. If this were a REG_DWORD value, you would count the bits from right to left instead. The table gives the bit number of each setting, describes the function it controls, and shows the bit mask. For each feature you see in the table, setting the bit to 0 disables the feature and setting it to 1 enables the feature. For an example of writing a script that changes settings in UserPreferencesMask, see Chapter 4, "Hacking the Registry." Chapter 4 contains a script that updates this value so that Windows XP brings windows to the front when you hover over them. For more information on bitwise math, see Chapter 1, “Learning
the basics.” Table B-1: Bits in UserPreferencesMask Bit Bitmask Default Description 0 0x00000001 0 Active window tracking. Windows gain focus when the user hovers the mouse pointer over them. 1 0x00000002 1 menu animation. This depends on the value of bit 9. 2 0x00000004 1 Combobox animation. The combo boxes slide open. 3 0x00000008 1 List box with smooth scrolling. The list boxes scroll smoothly. 4 0x00000010 1 history labels. The title bars show a progression. 5 0x00000020 0 keyboard hints. Menu hotkeys are underlined only when accessed from the keyboard 332 6 0x00000040 0 Active window tracking Z-order Bring windows focused by active window tracking to the front 7 0x00000080 1 Mouse hot tracking 8 0x00000100 0 Reserved for future use 9 0x00000200 1 animation for hiding menus Menus are hidden on close, otherwise menus use a slide animation 10 0x00000400 1 animation for hiding selection Lists are hidden after user creates a section 11 0x00000800 1 tooltip animation nds on bit 12. 12 0x00001000 1 Tooltip fade animation. Tooltips fade when closed. If the bit is set to 0, tooltips use slide animations. 13 0x00002000 1 cursor shadow. This requires more than 256 colors. 31 0x80000000 1 All user interface effects. This allows for combo box animation, cursor shadow, history labels, hot tracking, smooth scrolling in list boxes, menu animation, menu hotkey underline, selection fade, and tooltip animation.
Desktop\Window Metrics The HKCU\Control Panel\Desktop\Windows Metrics key contains settings that control the dimensions of what you see on the screen. Some of these settings represent dimensions in pixels, while others are actually coordinates. The following list describes the Window Metrics settings that you define by clicking Advanced on the Appearance tab of the Display Properties dialog box, as shown in Figure B-3. Figure B-3: After configuring the settings in this dialog, consider exporting them to a .reg file so you can use the same settings on other computers. frame width. This REG_SZ value determines the width of the borders for all windows that cannot be resized. The default is -15, which is 15 twips. (The minus sign indicates what 1/1440 of an inch is.) Valid values are 0 through -750. • CaptionFont. This REG_BINARY value contains the name of the font to use for captions. The default is Trebuchet MS. • Label height. This REG_SZ value specifies the height of the caption buttons. This is measured in twips and the default value is -375. • Label Width. This REG_SZ value specifies the width of the caption buttons. This
measured in twips, and the default value is -270. • IconFont. This REG_BINARY value contains the name of the font used for display. The default is Tahoma. • Icon Spacing. This REG_SZ value specifies the width of the grid cell used for the large view of an icon. This value is measured in twips and the default value is -1125. • IconTitleWrap. This REG_SZ value determines whether symbol text is wrapped or truncated if it is too long to fit on one line. The default is 1, which causes icon text to be truncated. • IconVerticalSpacing. This REG_SZ value specifies that the vertical distance between values is measured in twips, and the default value is -1125. • MenuFont. This REG_BINARY value specifies the font to use in menu bars. Worth is Tahoma. • 334 menu width. This REG_SZ value specifies the width of buttons on menu bars. This is measured in twips and the default value is -270. • News writing. This REG_BINARY value contains the font name to use fields. The default is Tahoma. • MinAnimate. This REG_SZ value determines whether Windows XP uses animations to minimize and restore windows. The default is 1, which uses an animation. Value to 0 to prevent window animation. • Scroll height. This REG_SZ value specifies the height of the horizontal scroll bars. Value measured in twips is -255. • Scroll Width. This REG_SZ value specifies the width of vertical scroll bars. Value measured in twips is -255. • Shell icon BPP. This REG_SZ value determines the color depth of symbols on the Default value is 4, but valid values include 4 (16 colors), 8 (256 colors), colors, 24 (16,777,216 colors), and 32 (16,777,216 colors) . • Shell icon size. This REG_SZ value specifies the size, in pixels, of the icons displayed by Explorer. The default value is 32. Valid values range from 16 to 48 pixels. • SmCaptionFont. This REG_BINARY value specifies the font to use for small labels. Default is Tahoma. • SmCaptionHeight. This REG_SZ value specifies the height of small subtitles. This is measured in twips and the default value is -255. • SmCaptionWidth. This REG_SZ value specifies the width of small subtitles. This is measured in twips and the default value is -255.
• StatusFont. This REG_BINARY value specifies the font to use in status bars. Worth is Tahoma. •
Mouse The values in HKCU\Control Panel\Mouse configure the mouse. The following list describes values, including their types and default values: DoubleClickHeight. This REG_SZ value specifies the height of the rectangle XP uses to detect double clicks. If two clicks are within the rectangle and within the value specified by the DoubleClickSpeed value, the clicks are combined into a double default of 4. • DoubleClickSpeed. This REG_SZ value specifies the amount of time that elapses between two mouse clicks for Windows XP to consider them as a double click. If the time between clicks is greater than this timeout, the operating system considers separate clicks. The default is 500, which is half a second, and the valid range is 900. • DoubleClickWidth. This REG_SZ value specifies the width of the rectangle XP uses to detect double clicks. If two clicks are within the rectangle and within the value specified by the DoubleClickSpeed value, the clicks are combined into a double default of 4. • MouseSpeed. This REG_SZ value determines how fast the pointer moves when moving the mouse. Valid values are 0, 1, and 2. The default value is 1. In this case, Windows XP does not accelerate the mouse. If this value is 1, Windows XP mouse speed will increase when it exceeds the value in MouseThreshold1. When this Windows XP doubles the mouse speed when it exceeds the value in MouseThreshold1, it quadruples the mouse speed when it exceeds the value in MouseThreshold2. • MouseThreadhold1. This REG_SZ value, measured in pixels, indicates the mouse • 335 triggering four times the mouse acceleration. The default is 10. MouseTrails. This REG_SZ value indicates whether mouse trails are enabled. Setting this value to 0 disables mouse trails. Setting it to 1 activates them. • SnapToDefaultButton. This REG_SZ value determines whether the mouse snaps the standard button when you open a dialog box. The default value is 0, which enables the feature. To enable this feature, set it to 1. • SwapMouseButtons. This REG_SZ value determines whether Windows XP swaps and right mouse buttons. The default value is 0, which disables this feature. Set this value to 1 for mouse buttons. •
Environment The HKCU\Environment key defines user-specific environment variables. Usually all you enter are two values: TEMP and TMP. Both are REG_EXPAND_SZ values. However, you cast environment variables to Environment and then use them inside REG_EXPAND_SZ values and so on. Of course, you can also rely on the user interface
environment variables. Click Start, Control Panel, Performance and Maintenance, System, click Environment Variables on the Advanced tab of the System Properties dialog box. Environment variables are at the top of the dialog box and per-machine environment variables are at the bottom.
Keyboard layout The HKCU\Keyboard Layout key defines the keyboard layouts that you configure in the Regional and Language Options dialog box. Essentially, a keyboard layout maps the physical on your keyboard to the characters they produce. Keyboard layouts allow you to type text using a US English keyboard, for example. This key sometimes contains the REG_DWORD value Attribute, which specifies which key to use for the Caps Lock key. If this Windows XP uses Caps Lock. If this value is 0x10000, the operating system uses the key. Sometimes you will see three subkeys in HKCU\Keyboard Layout: Preload. This subkey contains the ID of each keyboard layout that the user selects in the Regional and Language Options dialog box. Windows XP uses this data for the keyboard layout when the user logs on again. The first value is 1, the second is 2. The value 1 is the default keyboard layout. • Substitutes. This subkey stores the IDs of alternative keyboard layouts. Windows uses this subkey when loading a keyboard layout, and when it finds a replacement it uses that default layout. This button is normally blank until the user selects replacement layouts. • Switch. This subkey specifies the key sequences that toggle between inputs. Contains the REG_SZ value hotkey, which can have one of four values. This indicates that the left Alt+Shift key switches locales. A value of 2 specifies Ctrl+Shift, a total of 3 keystrokes, and 4 specifies the accent key with the default Thai. • 336 The HKCU\Network key contains data about the user's mapped network drives. Each represents a mapped drive that Windows XP will restore the next time the user logs on to the computer. The subkey name is HKCU\Network\Drive, where drive is the drive letter of the network path. The following values are in the subkey of each mapped drive: ConnectionType. This REG_DWORD value specifies how the drive computer is connected. A value of 1 means drive redirection and 2 means print redirection. Value is 1. • Vendor name. This REG_SZ value indicates the network provider of the connection. The default is Microsoft Windows Network. • Provider Type. This REG_DWORD value identifies the provider making the connection. The value for the Microsoft LanMan provider is 0x20000. Other providers use different values. • RemotePath. This REG_SZ value contains the UNC path notation of the network connection \\computer\share. • Username. This REG_SZ value contains the user's name, including the domain.
the user who made the network connection and Windows XP uses it to fill in the field in the Map Network Drive dialog box. •
Printers The HKCU\Printers key defines the user's printer connections. The following list describes subkeys found under this key: Connections. This subkey contains a subkey for each printer connection. The key defines the printer connection: ,,server,printer. Also, values in this subkey Print Providers and Servers. • DevModePerUser. This subkey contains printer settings per user. • Settings. This subkey contains settings for the Add Printer Wizard, including settings from the last time you used the Add Printer Wizard. •
SessionInformation The tiny key HKCU\SessionInformation contains a single value. The REG_DWORD ProgramCount indicates how many programs are running in the foreground. Windows XP increases this value for each program on the desktop. Each time you close a program, Windows XP decreases this value.
Software The HKCU\Software key contains user-specific program settings. Windows XP also stores many configurations in this key. Microsoft has standardized the organization of this key, which makes settings easier because you generally know where to look in the registry for a program's applications that store their settings in HKCU\Software\Vendor\Program\Version\. Vendor is the publisher of the program, Program is the name of the program, and Version is the name of the program. Figure B-4: TechSmith SnagIt stores its settings in HKCU\Software\TechSmith\SnagIt\5. By far the most interesting subkey is Microsoft, as it contains most of the Windows user settings. This subkey is discussed in detail later in this appendix under Software\Microsoft\\CurrentVersion. Other interesting subkeys are Classes and Policies, which are described in the following sections.
Classes The HKCU\Software\Classes key contains user-specific file associations and class registrations. actually a link to HKU\SID_Classes, which you learned about in Chapter 1, "Learning the Basics." Associations in HKCU take precedence over file associations in HKLM. Per-user file associations began with Microsoft Windows 2000 and allow users to install applications without the file associations of other users sharing the same computer. They also allow associations to follow them when roaming user profiles are enabled. The content is the same as HKCR, see Appendix A, "File Associations" for more information.
Microsoft\Command Processor The MS-DOS prompt supports file and folder name completion and function completion. You can configure these features using Tweak UI as described in Chapter 5, “Tweak UI,” or you can hack them directly in the registry. These are settings I apply to every computer I use, so I keep them in a script. The following list describes the
the Command Processor subkey, which configures the MS-DOS prompt: AutoRun. This REG_SZ value, which has no default value, automatically contains a list of commands when you start the MS-DOS prompt. • CompletionChar. This REG_DWORD value specifies the ASCII character code to use to complete the filename. You can set this value from 0x00, 0x01 to 0x1F, 0x40. The Tab key is 0x09 and is the default. • Default color. This REG_DWORD value specifies the default background and color for the MS-DOS prompt. The first hexadecimal digit indicates: • 338 Table B-2: DefaultColor Values Value Color 0 Black 1 Blue 2 Green 3 Aqua 4 Red 5 Purple 6 Yellow 7 White 8 Gray 9 Light Blue A Light Green B Light Aqua C Light Red D Light Purple E Light Yellow F Bright white Delayed expansion. This REG_DWORD value indicates whether the command delays the expansion of the environment variable. If the value is 0x01, the command prompts for the exclamation mark (!) as an environment variable, which is only expanded if the default value is 0x00. • Activate extensions. This REG_DWORD value determines whether command extensions are enabled or not. Setting this value to 0x00 disables extensions. They only disable extensions if they interfere with a scripting language they are compatible with. The default value is 0x01. • PathCompletionChar. This REG_DWORD value specifies the ASCII character key to use for path completion. Set this value to 0x00, 0x01 to 0x1F, 0x20, the Tab key is 0x09. You can use the same key you use for the filename expanding both. •
Microsoft\Internet Connection Wizard The HKCU\Software\Microsoft\Internet Connection Wizard key contains a single value that indicates whether users have run the wizard. Unlike previous versions of Windows, the wizard starts automatically when users open Internet Explorer for the first time, so this value is only of interest for inventory purposes. If the REG_BINARY value Completed is 0x0000, the user has not done this
The value is 0x0001, the user ran the wizard.
Microsoft\Internet Explorer The HKCU\Software\Microsoft\Internet Explorer key contains user-specific settings for the Internet. Many of the subkeys in Internet Explorer are difficult to understand or uninteresting. Settings in this key, but very useful to customize: 339 Online_Support to this subkey, and then set its value to the URL of your Internet Explorer support page. When users click Help, Online Support after adjusting this setting, Internet Explorer opens your support page. As far as I can tell, this is the only option you can redirect. IntelliForms. This subkey contains the AskUser REG_DWORD value, which specifies whether Internet Explorer should ask users if they want to use the AutoComplete feature. You can set this value to 0x00 to prevent the prompt, but in a business environment where you're more likely to disable this feature, you should disable it using Group Policy. • Mainly. This subkey contains many Internet Explorer settings. For example, you can configure whether Internet Explorer displays its status bar and toolbar. • Settings. This subkey contains five values that specify the colors used in Internet Explorer: Anchor Color, Anchor Color Visited, Background Color, Text Color, and Use Anchor Color Hover. Each is a REG_SZ value in the format R,G,B, where you specify each color component, red, green, and blue, with decimal numbers from 0 to 255. • Toolbar. This subkey contains information about the Internet Explorer toolbars. The REG_DWORD value Locked indicates whether the toolbars are locked. The LinksFolderName REG_SZ value contains the name of the pesky Links folder, which you can rename if you like to better match the contents of your Favorites folder. You can also create the REG_SZ value BackBitmap to customize the bitmap you see on the toolbar. • Typed URLs. This subkey contains a list of URLs that users type in the address bar. You can quickly clear this history list by removing this subkey. • The Internet Explorer subkey contains two other subkeys that allow for some pretty cool customization. The first subkey is MenuExt. This subkey allows you to extend Internet Explorer's menus with your own scripts. The second subkey is SearchURL, which makes searching the web a breeze. They add custom search URLs to this subkey and then search the web by typing one of their names in the address bar. It's a real time saver and one of my all-time favorite customizations, which I also detail in Chapter 4, Hacking the Registry.
Microsoft\Internet Explorer\MenuExt Right-click a web page and Internet Explorer displays a context menu. You can
Customize this context menu by adding commands to it that you associate with scripts in an HTML file. For example, you can add a command to the context menu that opens the current web page in a new window or highlights the selected text in it. Internet Explorer looks for extensions in HKCU\Software\Microsoft\Internet Explorer\MenuExt. Add this key if it doesn't exist, then add a subkey for each command you want to add. Then set the default value of this subkey to the path and name of the HTML file that contains the script that runs the command. For example, to add the Magnify command to the context menu that runs the script in the HTML file C:\Windows\Web\Magnify.htm, add the Magnify subkey and set its default value to C:\Windows\Web\Magnify . hmmm Choosing this command from the Internet Explorer context menu runs the script that contains the file. Then you need to create Magnify.htm. Listing B-1 on the next page is Magnify.htm. external.menuArguments is a property that contains the widget in which you ran the command. Since you have access to the window object, you can do almost anything in this window, e.g. B. reformat the content, etc. Listing B-1: Magnify.htm
340 var objRange = objSel.createRange(); objRange.execCommand( "Font Size", 0, "+2");
You can choose the context menus to which Internet Explorer adds your command. In the subkey you created for the extension, add contexts to the REG_DWORD value and apply the bitmasks shown in Table B-3 to it. For example, to restrict the previous example so that Internet Explorer only displays it for text selections, add the REG_DWORD value contexts to Magnify and set it to 0x10. Table B-3: Internet Explorer Menu Extensions Bitmask Menu 0x01 Standard 0x02 Image 0x04 Control 0x08 Table 0x10 Text Selection 0x11 Anchor 0x12 Unknown
Microsoft\Internet Explorer\SearchURL Search URLs are a convenient way to use various Internet search engines. For example, you have a search URL called Shop that searches eBay. As shown in Figure B-5, type shop casino chip (yes, I collect them) in the address bar to automatically search eBay for any items containing the words casino and chip. Figure B-5: Customizing the SearchURL key is the ultimate shortcut for searching the web. Create search URLs under HKCU\Software\Microsoft\Internet Explorer\SearchURL. If you don't see this subkey, create it. Then add a subkey for each search prefix you want to use. To use the example I just gave you, create the shop subkey. Set the default value of the prefix subkey to the URL of the search engine. Use %s as a wildcard for the search string. Internet Explorer replaces the %s with whatever text you type to the right of the prefix. In my example, set it to http://search.ebay.com/search/search.dll?MfcISAPIComm and =GetResult&ht=1&SortProperty=MetaEndSort&query=%s. Add the REG_SZ values shown in Table B-4 to the prefix key you created. These values describe what should be replaced with special characters in your search string, including spaces, percent signs (%), ampersands (&), and plus signs (+). These characters have special meaning when submitting forms to websites, so you must replace, for example, a plus sign with a space or %26 with an ampersand. Therefore, the browser translates the string Casino & Chip to Casino+%26+Chip. Table B-4: Values in SearchURLs 341 Name Data + % %25 & %26 + %2B Finding the URL to use is easy. Open the search engine you want to add to Internet Explorer's search URLs, and then search for something. When the browser displays the results, copy from the address bar to the default value of the search URL you are creating and replace your word with a %s. For example, if you searched eBay for samples, the result will be http://search.ebay.com/search/search.dll?MfcISAPICommand=GetResult&ht=1&SortPrope rty=MetaEndSort&query= Replacesamplewith%to http://search.ebay.com/ search /search.dll?MfcISAPICommand=GetResult&ht=1&SortPrope rty= MetaEndSort&query=%s.
Microsoft\MessengerService The HKCU\Software\Microsoft\MessengerService key contains the settings for Windows
Messenger: Always On Top. This REG_BINARY value is 0x01 if you have configured Windows Messenger to display on top of other windows; otherwise it is 0x00. • DSBkgndMode. When users close Windows Messenger for the first time, this REG_BINARY will show a prompt telling them it's running in the background. Setting this REG_ value to 0x01 disables this prompt. • First time users. This REG_BINARY value is 0x01 for first time users and for veterans. That's the best explanation I have. • Ft receiving folder. This REG_BINARY value contains the folder where Messenger downloads received files. The default is My Received Files in the user's My Documents folder. • PassportBalloon. This REG_BINARY value is the number of times Messenger has displayed its prompt to sign up for a Passport. Set this value to 0x0a to avoid being prompted to create a passport. (Remember to reverse the bits because of the REG_BINARY value.) • PassportWizard. This REG_BINARY value indicates whether the user has the Passport Assistant. If this value is 0x01, the user ran the wizard. • servers. This REG_SZ value specifies the server to which Windows Messenger connects. messenger.hotmail.com;64.4.13.143:1863 is the default. • Status Bar. This REG_BINARY value specifies whether to show the status bar. value is 0x01, you will see the status bar. • ShowHideTabs. This REG_BINARY value specifies which tabs to show or hide. • Toolbar. This REG_BINARY value is 0x01 if Windows Messenger displays it, 0x00 otherwise. • WindowMax. This REG_BINARY value is 0x01 when the Windows Messenger window is maximized; otherwise it is 0x00. • WindowRect. This REG_BINARY value specifies the coordinates of the normal Messenger window. • 342 This is where Office XP saves its user-specific settings. In reality, most IT pros use the tools described in Chapter 14, "Deploying Office XP Settings," instead of customizing them for deployment. A quick tour of these settings is useful, however, and a handful of settings are important enough to explain in a little more detail here. First, I'll describe what's in HKCU\Software\Microsoft\Office. At the beginning of this key, you will create a subkey for each version of Office that is installed on the computer. For example, you get subkeys 10.0 and 9.0. Version 10.0 is Office XP. Note that the Office XP 9.0 and 10.0 installation creates even though you do not have Office 2000 or an earlier version of the Office computer. At the top of Office, you'll also see a subkey for the various programs in Office.
User settings are in HKCU\Software\Microsoft\Office\version, information is in addHKCU\Software\Microsoft\Office\program, and all Office applications share this information. The 10.0 subkey contains most of the Office XP settings, while the rest contain only a handful of settings. For example, in the 10.0 key, you see the Application, Excel, FrontPage, Outlook, Word, and so on subkeys. You also see the General subkey, which contains settings common to all programs in Office XP. Some of these settings are important for two reasons. First, the more you understand about it, the more successful you will be in customizing Office XP. Second, you can provide some Office XP settings as registry values in the Custom Installation Wizard. Simply put, the only way to customize the REG_BINARY value in the Custom Installation Wizard is to use the Add/Remove Registry screen. You cannot customize these settings on the Change Office User Settings screen. Description of these and other important settings: Initial settings. When a user starts one of the Office XP programs for the first time, it goes through its first-run process to configure the computer for the user. For example, it prompts his or her name and initials and customizes the settings HKCU\Software\Microsoft\Office. A handful of values prevent the first run process from starting a second time. These values are located in HKCU\Software\Microsoft \Office\ UserData value in the Common subkey is 0x01 after the first run process. You will also appreciate each program's subkey. A second, related setting is FirstRun. This indicates whether the initial run process is complete or not. You can find this value in subkeys of HKCU\Software\Microsoft\Office\version: HKCU\Software\Microsoft\Office\10.0\Common\General → HKCU\Software\Microsoft\Office\10.0\Excel\Options → HKCU\Software\Microsoft \Office\10.0\Outlook\Setup → HKCU\Software\Microsoft\Office\10.0\PowerPoint\First Run → HKCU\Software\Microsoft\Office\10.0\Word\Options → • Toolbar Settings. Office XP stores most programs' toolbar settings in REG_BINARY. This means that you cannot customize them using the Modify Custom Installation of Office User Settings Wizard. You can capture these toolbar settings using the profile described in Chapter 14, but what if you don't want to provide an OPS file? The solution customizes the toolbars and then HKCU\Software\Microsoft\Office\10.0\Common\Toolbars into a .reg file. Import these into your transform using the Add/Remove Registry Entries screen of the Custom Install Wizard. Office XP maintains a number of other REG_BINARY values that you can use in the same way. If you don't find a setting on the Change Office User Settings screen, use the techniques you learned in Chapter 8, "Determining Settings," to decrease the setting. The setting is probably a REG_BINARY value. • 343 The HKCU\Software\Microsoft\Search Assistant key contains the configuration for Explorer and Internet Explorer Search Assistant. The Actor REG_SZ value contains the character that the assistant uses. The REG_DWORD value UseAdvancedSearchAlways if you configured the wizard to always display its advanced search capabilities. You don't appreciate SocialUI REG_DWORD unless you disabled the animated character. If this value
You see the animated character. If this value is 0x00, you won't do it. Most people don't like the search interface and can restore it to a more Windows-like interface by setting SocialUI to 0x00 and UseAdvancedSearchAlways to 0x01. I'll admit I like that, so I usually leave SocialUI set to 0x01 but use the advanced search features. The Search Companion history list is located in the ACMru subkey. This subkey contains a variety depending on the type of things you were looking for. For example, when you search folders, you will see subkey 5603, and this subkey contains a list of the different searches you search the web using Search Companion, you will see subkey 5001. You can remove the subkey individually to clear a history list of one specific query type, or you can remove that to clear all Search Companion history lists. Table B-5 lists the subkeys available in ACMru. Table B-5: History Lists in Search Companion Subkey Description 5001 Internet 5603 Files and Folders 5604 Pictures, Music, and Videos 5647 Printers, Computers, and People
Microsoft\VBA\Trusted The HKCU\Software\Microsoft\VBA\Trusted key is an important subkey when deploying XP. This is where Office XP stores its list of trusted sources. When users open a document that contains signed code, enable those macros, and then add the source to the list of trusted Office XP stores that store those certificates in that key. The reason this key is important is that companies should lock down the trusted sources list so users can't add anything, and then set the security level to high. This prevents users from accidentally running malicious code. The problem with this scenario is that users cannot run legitimate macros that require them jobs. The solution is to distribute the trusted sources list with Office XP, but the tools don't provide a user interface to do so. So here's my solution: create a document that contains code, and then sign the code using a certificate deployment. Repeat for each certificate. 1. Install Office XP on a lab computer and set the security levels to High. 2. Open each document that contains a certificate that you want to deploy. Enable the macros, and then add the source to the trusted sources list. Figure B-6 shows an example. 3. 344 Figure B-6: Strong security combined with code signing protects your business viruses. Export the HKCU\Software\Microsoft\VBA\Trusted key to a .reg file and include the file in your deployment. Chapter 14, "Microsoft Office XP Settings," describes how registry settings work with Office XP. 4.
Policies Windows XP stores policies in the HKCU\Software\Policies key, which are the preferred registry-based policies. These are user-specific policies, so they reside in the HKCU branch registry. Restricted users do not have permission to modify the Policies subkey, which prevents bypassing policies by editing the registry. Windows XP supports hundreds of
Empower IT pros to control user experiences, lock the desktop, and more. "Using Registry-Based Policies" shows you how to customize policies by creating administrative templates. Appendix D, "Group Policy," lists all of the policies that Windows includes in this key. Very often, using policies is the best and most interesting way to customize Windows. For example, many of the customizations you learn about in Chapter 4, “Hacking the Registry,” are policy settings in the registry to change behaviors. Some of the most interesting guidelines in Chapter 4 are changing how the Start menu and taskbar look and feel. Still other guidelines to wipe out annoying behavior. Ever wanted to prevent Windows Messenger from being sent? You can set a policy in this subkey that will do that. Although editing the registry directly is one way to customize these policies, there are better ways. The first way is to use the Group Policy Editor to edit the local GPO ( provides a user interface for the policies and restricts your settings to valid options. Chapters like To create a local GPO. Briefly type gpedit.msc in the Run dialog box and then Policies under Computer Configuration and User Configuration in Administrative Templates.The second way is to write scripts that change policies.I use scripts when I want to repeat e.g. when I configure my user profile on multiple computers, Windows XP repeats reinstall on computers, Chapter 9, "Scripting Registry Modifications" you will learn how to write scripts to edit the registry My personal favorite method is to write INF 345 This branch of HKCU is one of the most interesting because here you can find the user settings specific to Windows XP. The following list describes some of the more interesting ones and the following sections we discuss them in more detail: Applets. This subkey contains subkeys for many of the various programs included with Windows XP. For example, it contains the Regedit, SysTray, Tour, and Control subkeys. For example, if you don't want to see the tour when you create a new user profile, set REG_DWORD RunCount to 0x00 in the Tour subkey. • Internet Settings. This subkey contains Internet Explorer settings. A large number of settings are security settings, e.g. B. Security Zones. • NetCache. This subkey contains Windows XP offline files settings contains the AssignedOfflineFolders subkey, which is a list of offline folders that the user uses through Group Policy. • Policies. This subkey is the per-user policy branch that Windows XP inherits from versions of Windows. You learn more about policies in Chapter 6, "Using Registry-Based Policies." Appendix D, "Group Policies," lists the policies available in this key, which are the best customizations for Windows XP. • Carry out. This subkey contains programs that run after the user logs on to the computer. The name of each REG_SZ value is arbitrary. The value's data contains the command that is run after the user logs on to the computer. • RunOnce. This subkey contains programs that run after the user logs on to the computer. The name. The name of each REG_SZ value is arbitrary, and the value's data contains the command that is run after the user logs on to the computer. The difference between this key is that Windows XP removes commands from this key after they are run were, so they only
Time. • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer is one of the most interesting in the registry. For this reason, the remaining sections of this appendix will focus on starting with the Advanced subkey.
Explorer\Advanced HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced contains Windows Explorer and the Start Menu. You configure these settings in two places. The Folder Options dialog box. The second dialog B-6 of the properties of the taskbar and start menu describes these settings. Table B-6: Start Menu Settings Name Data Folder Options dialog box ClassicViewState 0x00 - Use Classic Folder View 0x01 - Do not use Classic Folder View SeparateProcess 0x00 - Do not run folders in separate processes 0x01 - Start folders in separate processes DisableThumbnailCache 0x00 - Cache thumbnails 346 0x01 - Do not cache thumbnails FolderContentsInfoTip 0x00 - Do not show file sizes in folder tips 0x01 - Show file sizes in folder tips FriendlyTree 0x00 - Do not show simple folder tree 0x01 - Show simple folder tree in folder list Hidden 0x01 - Do not show hidden files and folders 0x02 - Show hidden files and folders HideFileExt 0x00 - Known file extensions show 0x01 - Do not show known file extensions NoNetCrawling 0x00 - Do not search for network folders and printers 0x01 - Search for network folders, printers PersistBrowsers 0x00 - Previous folders do not restore 0x01 - Restore previous folders on login ShowCompColor 0x00 - Do not show compressed files in color 0x01 - Show compressed files in color ShowInfoTip 0x00 - No tips for folders, show desktop items 0x01 - Tips for folders, show desktop items ShowSuperHidden 0x00 - Do not show protected operating system files 0x01 - Show protected operating system files WebViewBarricade 0x00 - Do not show system contents folders 0x01 - Show contents of system folders Customize Classic Start Menu Dialog StartMenuAdminTools NO - Hide Administration YES - Show Administration CascadeControlPanel NO - Show Control Panel as Link YES - Control Panel as Menu CascadeMyDocuments NO - Show my documents as a link YES - Show my documents as a menu CascadeMyPictures NO - Show my pictures as a link YES - Show my pictures as a menu CascadePrinters NO - Show printers as a link YES - Show printer as a menu
IntelliMenus 0x00 - Do not use personalized menus 347 0x01 - Use personalized menus CascadeNetworkConnections NO - Show network connections as a link YES - Show network connections as a menu Start_LargeMFUIcons 0x00 - Show small icons in start menu 0x01 - Show large icons in start menu StartMenuChange 0x00 - Disable drag and drop 0x01 - Enable drag and drop StartMenuFavorites 0x00 - Hide favorites 0x01 - Show favorites StartMenuLogoff 0x00 - Hide logoff 0x01 - Show logoff StartMenuRun 0x00 - Hide run command 0x01 - Show run command StartMenuScrollPrograms NO - Do not scroll program menu YES - Scroll program menu Customize Start Menu dialog Start_ShowControlPanel 0x00 - Control Panel Hide 0x01 - Show control panel as link 0x02 - Show control panel as menu Start_EnableDragDrop 0x00 - Disable drag and drop 0x01 - Enable drag and drop StartMenuFavorites 0x00 - Favorite Hide Menu 0x01 - Show Favorites Menu Start_ShowMyComputer 0x00 - Hide My Computer 0x01 - Show My Computer as Link 0x02 - Show My Computer as Menu Start_ShowMyDocs 0x00 - Hide My Documents 0x01 - Show My Documents as Link 0x02 - Show My Documents as Menu Start_ShowMyMusic 0x00 - Hide My Music 0x01 - Show my music as link 0x02 - Show my music as menu 348 Start_ShowMyPics 0x00 - Hide my pictures 0x01 - Show my pictures as link 0x02 - Show my pictures as menu Start_ShowNetConn 0x00 - Hide network connections 0x01 - Show network connections as link 0x02 - Network connections as Show menu Start_AdminToolsTemp 0x00 - Hide Administration 0x01 - Show in All Programs menu 0x02 - Show in All Programs menu and Start menu Start_ShowHelp 0x00 - Hide Help and Support 0x01 - Show Help and Support Start_ShowNetPlaces 0x00 - Hide My Network Places 0 x01 - Show network environment Start_ShowOEMLink 0x00 - Hide manufacturer link 0x01 - Show manufacturer link Start_ShowPrinters 0x00 - Hide printers and fax machines
0x01 - show printers and faxes Start_ShowRun 0x00 - hide run command 0x01 - show run command Start_ShowSearch 0x00 - hide search command 0x01 - show search command Start_ScrollPrograms 0x00 - do not scroll programs menu 0x01 - scroll programs menu Windows XP defines templates, similar to the policy templates, that define how policies for these settings are collected. You can find these templates in the following locations: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Start Menu\ contains templates for the settings in the Advanced Start Menu Options dialog box Customize Classic Start Menu. To open this dialog box, click Start, Control appearance and themes, and Taskbar and Start menu. Then, from the Start menu, click the Classic Start Menu option and click Customize. • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Start Menu\ contains templates for the settings on the Advanced tab of the Customize Start Menu panel. To open this dialog box, click Start, Control Panel, Appearance and Themes, Taskbar and Start Menu. Then, on the Start Menu tab, select the Start menu and click Customize. • Tab 349. To open this dialog box, click Start, Control Panel, Appearance and Themes, Folder Options.
Explorer\AutoComplete The AutoComplete subkey contains a single value that controls AutoComplete Windows Explorer. If the REG_SZ value is AutoComplete Yes, Windows Explorer will AutoComplete; otherwise not.
Explorer\ComDlg32 The ComDlg32 subkey contains two subkeys. Both are history lists. To clear the history that common dialog boxes use, delete both subkeys. The first is LastVisitedMRU, which contains folders that you have opened. The second is OpenSaveMRU, which is a bit more complicated. Within the OpenSaveMRU key are subkeys for different file types. For example, you will see that the doc subkey in OpenSaveMRU lists all files with a .doc extension that you have open. The * subkey contains files that you have opened in the common dialog boxes, regardless of their extensions. Therefore, the dialog boxes can show a history list by type or show all files in history.
Explorer\HideDesktopIcons In HideDesktopIcons you will see two subkeys: ClassicStartMenu and NewStartPanel. This determines which icons are hidden when Windows XP uses the classic Start menu. This determines which icons are hidden when Windows XP uses the new Start menu. REG_DWORD value, named after the icon's class ID, for one of the subkeys to hide it in this view. value to 0x01. Hide the trash can icon by creating a REG_DWORD value {645FF040-5081-101B-9F08-00AA002F954E} in the HideDesktopIcons\NewStartPanel subkey.
for example, and then set it to 0x01. Click on the desktop and then press F5 to refresh. Appendix "File Associations" lists the class IDs that you may want to hide.
Explorer\HideMyComputerIcons You can use the HideMyComputerIcons key to hide icons in My Computer. To hide computers, add a REG_DWORD value to HideMyComputerIcons - the name is the class icon you want to hide - and set it to 0x01. See Appendix A, “File Associations” for A-IDs. Refresh Windows Explorer to see your changes.
Explorer\MenuOrder HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder contains the sorting of the favorites menu and the start menu. The Favorites subkey contains the sort order of the menu. The StartMenu subkey contains the sort order of the classic Start Menu and StartMenu2 contains the sort order of the new Start Menu. Decrypting the contents of keys is almost ridiculous, but you can remove any of them to rearrange the appropriate alphabetical order. For example, to restore the All Programs menu in alphabetical order, subkey Start Menu2. To restore the Favorites menu in Windows Explorer and Explorer, remove the Favorites subkey. 350 The RecentDocs subkey is the list of recent documents you see on the Start menu. Keys are subkeys for different types of files and folders. For example, in the subkey you will see all the files with the extension .txt that you have open. Remove this subkey to clear your recent documents list. Along with this subkey, you must remove the document shortcuts that Windows XP creates in your %USERPROFILE%\Recent profile folder.
Explorer\RunMRU The RunMRU subkey contains a list of programs that you have run from the Run dialog box. Remove individual programs from this list or delete the RunMRU subkey to clear the list
Explorer\User Shell Folders Special folders include My Documents, My Pictures, and Favorites folders, among others. Table B-7 shows the special folders that Windows XP creates after a clean installation with default paths. The first column contains the internal name of each folder as known to Windows XP programs. The second column contains the default path of each folder, which almost starts with %USERPROFILE%, making those folders part of each user's profile folder. “Deploying User Profiles” describes these user profile folders in detail. Table B-7: Special Folder Name Default Path AppData %USERPROFILE%\Application Data Cache %USERPROFILE%\Local Settings\Temporary Internet Files Cookies %USERPROFILE%\Cookies Desktop %USERPROFILE%\Desktop Favorites %USERPROFILE%\Favorites History %USERPROFILE%\Local Settings\History Local Application Data %USERPROFILE%\Local Settings\Application Data Local Settings %USERPROFILE%\Local Settings My Pictures %USERPROFILE%\My Documents\My Pictures NetHood %USERPROFILE%\NetHood Personal %USERPROFILE%\My Documents PrintHood %USERPROFILE%\ PrintHood Programs %USERPROFILE%\Start Menu\Programs
Recent %USERPROFILE%\Recent SendTo %USERPROFILE%\SendTo Start Menu %USERPROFILE%\Start Menu Startup %USERPROFILE%\Start Menu\Programs\Startup Templates %USERPROFILE%\Templates HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell folders are the Windows XP stores that store the special per-user folders. Each value in this key folder as shown in Table B-7. These are REG_EXPAND_SZ values, so you can use environment variables in them. Use %USERPROFILE% in a path to direct the folder somewhere in 351 \\Server\Share\%USERNAME%\Favorites where \\Server\Share is the server and share the folders. WindowsXP updates a second key, \Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folder, with the paths of folders the next time the user logs into the operating system so you don't have to update the fact, Microsoft's documentation says, that Windows XP does not use shell folders. 352
Overview In Appendix B, “User-Specific Settings,” you learned about many of the settings that Microsoft XP creates for users in the registry. These settings reside in HKCU. This appendix contains per-machine settings in HKLM. The HKLM\SOFTWARE branch is similar to HKCU\Software. In fact, the organization is almost identical. The difference is that these settings are computer-oriented; They affect who logs on to the computer. However, some settings can be found in both locations, HKLM\SOFTWARE and HKCU\Software. This is common, for example, with Microsoft Office XP and many of the XP policies. Most of the time, when a setting is in both places, the version in HKLM takes precedence over the same setting in HKCU. Only when an administrator removes the setting from (restricted users typically don't have permission to change settings in HKLM) do settings have any meaning. The only exception to this rule is the SOFTWARE\Classes file associations in both root keys. File associations in HKCU take precedence over associations in HKLM. This ranking is required for users to have associations. However, other branches in HKLM are unique. Windows XP stores the computer configuration HKLM\SYSTEM. This branch also contains the sub-settings of the operating system. The settings below include the configuration of the computer's network connections, device drivers, etc. Windows XP also stores local security data in HKLM. Another unique thing is that it has more links than HKCU. Remember that links are aliases for other subkeys. Windows XP uses links in HKLM to support features such as hardware profiles and configuration sets. This appendix describes these links to help you understand how different registries relate to each other. This appendix outlines the organization of HKLM and describes its interesting and useful subkeys. By no means do I cover the entire contents of this root key. Instead, I've focused on settings that are most likely to need adjustment or understanding as a power user or IT professional. Likewise,
Describe the Hive files or how Windows XP loads them into HKLM, since Chapter 1, "Learning Basics," already covers that.
HARDWARE Windows XP rebuilds HKLM\HARDWARE each time the operating system starts. contains configuration data that the operating system recognizes at startup. This branch only needs to adjust a few values since the contents of the branch are volatile. However, some values in it inventory the hardware of the computer. For example, you can read its settings into the computer's processor. You can find this value and similar values in HKLM\HARDWARE\DESCRIPTION and they are easy to read REG_SZ values. The following list is an overview of the HARDWARE key subkeys, and the following sections provide more details on some of them: ACPI. This subkey describes the computer's ACPI BIOS. The values in this subkey are cryptic. • 353 DEVICE CARD. This subkey maps the devices that the hardware detection detects device drivers in the SYSTEM branch of HKLM. • RESOURCE MAP. This subkey maps the computer's resources to the devices. Like the ACPI subkey, this subkey is difficult to understand. Resources RESOURCEMAP subkey maps include bus number, DMA channels, interrupt buckets, and I/O ports. Tip You can use System Information to view the computer's hardware configuration. Windows XP consumes its resources. To use this feature, type msinfo32 in the field. The data showing system information is comprehensive. It is particularly helpful that you can use it to view the configurations of remote computers. It's probably better to look in the registry for the same information. •
DESCRIPTION Every time Windows XP starts, its hardware detection collects information about the hardware and stores it in HKLM\HARDWARE\DESCRIPTION\System. In this branch you have subkeys: CentralProcessor. This subkey contains a subkey for each CPU that the discovery finds on the computer. CentralProcessor\0 is the subkey for the first CentralProcessor\1 is the second and so on. Each subkey contains values that describe the processor. For example, the value ~MHz describes the approximate speed of the • FloatingPointProcessor. This subkey contains a subkey for each FPU hardware detection found on the computer. The organization is similar to CentralProcessor. Since Pentium-compatible processors contain a built-in subkey, this is usually equivalent to CentralProcessor. • Multifunction adapter. This subkey contains a subkey for each bus that the recognizer recognizes. The subkeys are 0, 1, etc. Each subkey contains the value Identifier, which is a description of the bus: PCI and ISA. Under the subkeys of each bus that describe the devices attached to the bus. This key only describes devices; it is not all inclusive. •
DEVICEMAP The DEVICEMAP subkey is another interesting subkey of HKLM\HARDWARE. It maps the services detected by hardware detection to the services that drive them. Different device classes have different subkeys in DEVICEMAP. For example, this subkey typically contains the KeyboardClass and the PointerClass. You won't find subkeys for every device in the computer. It contains subkeys only for the devices that Windows XP needs to start the computer. You won't find subkeys for sound cards and the like. These subkeys contain one or more values. The names of the values are the names of the devices. Data points to the subkeys that define the services associated with those devices. For example, the DEVICEMAP\KeyboardClass subkey contains the value \Device\KeyboardClass0 and \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Kbdclass. This indicates that driving the keyboard is in the registry, in HKLM, and in the class SYSTEM\ControlSet001\Services\Kbd. 354 The HKLM\SAM\SAM key is a link to HKLM\SECURITY\SAM. You will learn more about the subkey in the next section. In this key, the Security Account Manager (SAM) creates the computer's security database. It's interesting to examine the contents of this key, but adjust it. A better way is to manage local security through the User Accounts dialog box. Windows XP protects the SAM key by preventing access to it. The key's access control doesn't even allow the Administrators group to read its contents, let alone members or power user groups. However, you can grant yourself read permission to view the key if you are a member of the Administrators group, since that group owns the SAM key. If you need a key, do it on a lab computer. Do not tamper with the SAM key on a production computer. itself read permission, select HKLM\SAM\SAM; Click Edit, Permissions; Administrators group; and then select the Read check box in the Allow column. If you don't have a lab computer available, just look at Figure C-1, which shows the contents of this key. Figure C-1: Normally you cannot see the contents of the SAM key, but this figure shows what can be seen if you grant read permission to the Administrators group. The HKLM\SAM\SAM\Domains key contains two subkeys. The first subkey, Account, Local Computer Accounts, User Accounts, and Groups. The second subkey, Builtin, describes accounts and groups. You manage these subkeys using the User Accounts dialog box. Subkeys contain the same three subkeys: aliases, groups, and users. These subkeys contain the computer's local accounts and the computer's local group memberships.
SECURITY The HKLM\SECURITY key contains Windows XP security data. Normally you cannot see the key of this key, but you can give the Administrators group permission to read it so that you can read it. The SAM section on the opposite page shows you how. The SECURITY key of the SAM subkey. It also contains the Policies subkey. This subkey defines non-registry-based policies for the computer. The Policies\Accounts key has a subkey SID in the local security database. Each SID contains four subkeys: 355 SecDesc. This subkey contains the security descriptor of the SID. • Sid. This subkey defines the groups to which the SID belongs. •
SOFTWARE The HKLM\SOFTWARE key is of interest only after HKCU\Software. It contains software settings, including many Windows XP settings. Because Windows XP
Applications store settings as user-specific settings, this branch is a bit slimmer than HKCU but still contains numerous settings useful for customization. The types of settings found in HKLM\SOFTWARE are typically defined by an administrator. HKLM\SOFTWARE contains settings per computer. Any changes you make here affect who logs on to the computer. Also, restricted users do not have permission to modify HKLM. The HKLM\SOTWARE key is organized similarly to HKCU\Software the application store settings in HKLM\SOFTWARE\Vendor\Program\Version\. Provider is the publisher of the program, program is the name of the program, and version is the number of the program. Version is often CurrentVersion. This branch also contains a handful of subkeys that follow this organization. For example, HKLM\SOFTWARE\Policies contains per computer. The following sections describe the most interesting and useful HKLM\SOFTWARE.
Classes The HKLM\CLASSES key contains file associations per computer. This key contains most file associations, unlike HKCU\Classes which contains per associations. Windows XP merges both subkeys to form HKCR. Appendix A, "File Associations," describes HKCR in detail.
Clients The HKLM\SOFTWARE\Clients key defines the client programs that Internet Explorer supports with various Internet services. You configure these clients on the Programs tab of the Options dialog box, as shown in Figure C-2. For example, you can choose the email client that Explorer uses when you click a mailto link, or you can choose the news client that is used when a news link is used. This selection also determines the programs that Internet Explorer starts. Choose one of the tools in the Tools menu. Figure C-2: You associate client programs with Internet services using the Programs key. By default, the Clients key contains six subkeys: Contacts, Internet Call, Mail, Media, StartMenuInternet. The default value of each subkey specifies the name of the application, the default tool for that category. For example, if the default HKLM\SOFTWARE\Clients\Mail is Outlook Express, then Outlook Express is the default that launches Internet Explorer when you click a mailto link. If you dig a little further down, you'll find a subkey for each client program. For example, Clients\ contains the Hotmail, MSN Explorer, and Outlook Express subkeys. The organization of the subkeys is almost identical to the organization of the subkeys in HKCR. Typically, you subkey Protocols and Shell under each client program's subkey. The Protocols subkey is associated with the application. For example, HKLM\SOFTWARE\Clients\Mail\Outlook Express\Protocols describes the command for users to click a mailto link on a web page. The subkey shell defines the command to run and select an option from Internet Explorer's Tools menu.
Microsoft\Active Setup A large number of Windows XP components, particularly Internet Explorer components, still use Active. The HKLM\SOFTWARE\Microsoft\Active Setup key contains these components.
Registrations. 357 The HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components key is the registry of each component. Each subkey is a component. Example: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} is for NetShow. Within each subkey multiple values, some more interesting than others. First, the REG_BINARY value indicates whether the component is installed or not. The value is 0x0001 if the component is installed; if not, the value is 0x0000. The REG_SZ value Version contains the StubPath of the component. The most interesting value is the REG_EXPAND_SZ StubPath value. If this value is present, XP will run the command it contains after the operating system creates a new user profile. If this value is not displayed, nothing happens. To prevent Windows XP from running the command, the StubPath value from this component subkey in Installed Components.
Microsoft\Command Processor The MS-DOS prompt supports file and folder name completion and function completion. You can configure these features using Tweak UI as described in Chapter 5, “Tweak UI,” or you can hack them directly in the registry. This key is HKCU\Software\Microsoft\Command Processor. The difference is that this key applies while the key in HKCU only applies to the current console user. The following list describes settings in the Command Processor subkey that configure the MS-DOS prompt: AutoRun. This REG_SZ value, which has no default value, contains a list of commands that appear automatically when you start the MS-DOS prompt. • CompletionChar. This is a REG_DWORD value. It specifies the ASCII character with which the file name is completed. You can set this value to 0x00, 0x01 to 0x20 or 0x40. The tab key is 0x09 and represents the default setting. • DefaultColor. This REG_DWORD value is 0 by default. Valid values range from 0xFE. It specifies the default MS-DOS prompt background and foreground color. The first hexadecimal digit specifies the background color and the second specifies the foreground color. The numbers correspond to the colors shown in the table on the next page. Table C-1: Values for DefaultColor Value Color 0 Black 1 Blue 2 Green 3 Aqua 4 Red 5 Purple 6 Yellow 7 White 8 Gray 9 Light Blue A Light Green • 358 B Light Aqua
C Light red D Light violet E Light yellow F Light white Delayed expansion. This is a REG_DWORD value with a default value of 0x00. whether the command prompt delays the expansion of the environment variable. If the value from the command prompt interprets the exclamation mark (!) as an environment variable, it will only be expanded when used. • Activate extensions. This REG_DWORD value has a default value of 0x01. It whether command processor extensions are enabled or not. Setting this value disables extensions. You only need to disable extensions if they affect a language they are incompatible with. • PathCompletionChar. This is a REG_DWORD value that specifies the ASCII code of the key to use for path completion. Set this value to 0x00, 0x01 to 0x40. The tab key is 0x09. You can use the same key you use for completion, which expands both. •
Microsoft\Driver Signing The HKLM\SOFTWARE\Microsoft\Driver Signing key contains values that configure the XP driver signing feature. Microsoft digitally signs driver files so that Windows XP can test the driver file and that the file has not changed since Microsoft tested it. The single Policy value controls how Windows XP handles unsigned driver files. Possible values here: 0x00. Windows XP installs unsigned device drivers (Ignore). • 0x01. Windows XP warns the user that the device driver is unsigned and allows them to choose whether or not to install it (Warn). • 0x02. Windows XP does not install unsigned device drivers (block). • This setting comes from the Driver Signing Options dialog box shown in Figure C-3. It applies users unless you uncheck the Set this action as the system default check box. The numerical values associated with each option. 359 Figure C-3: In a corporate environment, blocking unsigned device drivers is the safest way
Microsoft\InternetExplorer The HKLM\SOFTWARE\Microsoft\Internet Explorer key contains Internet Explorer settings that apply to each user who logs on to the computer. For example, the AboutURLs subkey URLs of web pages that Internet Explorer displays in specific scenarios. AdvancedOptions defines templates for the options on the Internet Options dialog box tab.
Microsoft\Sysprep HKLM\SOFTWARE\Microsoft\Sysprep appears on your computer only if you are using Windows XP from a Syspreped disk image. Chapter 13, "Cloning Sysprep," describes how to use this tool. The values in this subkey are useful for understanding what Sysprep did: CriticalDevicesInstalled. This value is 0x01 if Sysprep installed the critical devices. Chapter 13 for more information.
• SidsGenerated. This value is 0x01 if Sysprep regenerated the computer's SID. •
Microsoft\Windows NT\CurrentVersion The HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion key contains useful information to learn more about Windows XP, but not to customize it. The values in this subkey describe the current version of Windows XP, the registered owner, and the path where you installed the operating system. For IT pros, the three most useful subkeys are in the following hotfix. This key contains a subkey for each hotfix installed on the computer. Installed is 0x01 if the hotfix is installed; otherwise it is 0x00. The HotFix key fills out • 360, which extracts the contents of this key and dumps it into text files on the network. profile list. This key contains a subkey for each user profile that you see in the Users dialog box. • Windows login. This key contains values that define the logon process and the person who logged on to the computer. There are two interesting adjustments that you'll learn about in Chapter 15, Bypassing IT Problems. The first is that a legal notice is displayed when users log into the operating system. The second is that you use this key to automatically log into the computer with a specific account. that a certain number of times. For example, you can configure this key to automatically log in as an administrator, install an application, and then log out of the operating system. Chapter 15 has more information on this useful IT trick. •
Policies Windows XP stores per-machine policies in the HKLM\SOFTWARE\Policies key, the registry-based policies branch. Restricted users do not have permission to change subkeys, preventing them from circumventing policies by editing the registry. Windows supports hundreds of policies that allow IT professionals to control how the computer is configured. Chapter 6, "Using Registry-Based Policies," shows you how to customize policies by creating administrative templates. Appendix D, "Group Policy," lists all of the policies that Windows creates in this key. Very often, using policies is the best and most interesting way to customize Windows. For example, many of the customizations you learn about in Chapter 4, “Hacking the Registry,” are policy settings in the registry to change behaviors. Some policies allow you to change what annoys you. In this regard, the user-specific policies in HKCU\Software\Policies provide customization over the policies found in HKLM\SOFTWARE\Policies. While editing the registry directly is certainly one way to customize policies, there are ways. The first is to use the Group Policy Editor to edit the local GPO ( provides a user interface for the policies and restricts your settings to valid choices. Chapter on editing the local GPO. In short, type gpedit.msc in the Run dialog box a box and then Policies under Computer Configuration and User Configuration in Administrative Templates. The second option is to write scripts that change policies. I use scripts when I need to repeat the setting many times, such as when I configure multiple computers or when I reinstall XP frequently on computers Chapter 9, “Scripting Registry Changes,” shows you how to write and edit the registry.
SOFTWARE\Microsoft\Windows\CurrentVersion The HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion key and all its subkeys contain the most interesting settings in HKLM. First, this key has a number of interesting REG_REG_EXPAND_SZ values: CommonFilesDir. This value contains the path of the common Windows XP files. The location is C:\Program Files\Common Files. • Device path. This value defines the locations where Windows XP finds device files. %SystemRoot%\inf;%SystemDrive%\Windows\Drivers is the default for this • 361 MediaPathUnexpanded. This value is identical to MediaPath except for the REG_EXPAND_SZ value, which contains environment variables. • PF_AccessoriesName. This value defines the name of the Programs menu of the Accessories group. The default is Accessories. • Product ID. This value contains the Windows XP product ID. This is not the product you entered when registering Windows XP. • ProgramFilesDir. This value contains the location of profile files. The default is C:\Programs. • Program files path. This value is the same as ProgramFilesDir except that environment variables. The default value is %ProgramFiles%. • SM_accessory_name. This value contains the name of the Accessories group menu. The default is Accessories. • SM_GamesName. This value contains the name of the games group at startup. The default is Games. • WallPaperDir. This value contains the default location for Windows XP wallpapers. The default value is %SystemRoot%\Web\Wallpaper. •
App Paths The App Paths subkey specifies the paths of specific program files. It allows you to run it from the Run dialog box or MS-DOS prompt without specifying the path. Because you can type Wordpad.exe in the Run dialog box and Windows XP will search for the program's App Path key. The default value for App Paths\Filename, where filename is the name of the program file including the .exe file extension, contains the command that runs the program. Example: valueofAppPaths\Wordpad.execontains%ProgramFiles%\ W NT\Accessories\WORDPAD.EXE. You can add other programs to the App Paths subkey that you can run without entering their paths. The Path value is optional and specifies the path for the program; H. the path where the program will find additional program files. is usually located in the folder that contains the program file.
Applets The Applets subkey contains computer-specific settings for Windows XP accessories. By default you will find a single subkey, DeluxeCD, but other accessory settings stored here per computer run it. However, the more interesting accessory settings are HKCU\Software\Microsoft\Windows\CurrentVersion\Applets.
Explorer The Explorer key contains Windows Explorer settings. These are per-machine settings, they're not as interesting to customize as the same subkey in HKCU. The subkey Expands the settings you see in the Folder Options dialog box. There's not much to customize here since they're templates, but it's interesting to see how Windows Explorer defines and collects settings. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlers is the key where you can find associations between different media types and the applications that handle them. When Windows XP detects that you have inserted a CD, DVD, or removable disk, it automatically runs the program associated with the type of content on that disk. Find the type of content you want to customize. Then open the subkey shown in the EventHandlers column. In that subkey, add any of the following handlers as an empty value: MSCDBurningOnArrival • MSGenericVolumeArrival • MSOpenFolder • MSPlayCDAudioOnArrival • MSPlayDVDMovieOnArrival • MSPlayMediaOnArrival • MSPlayMusicFilesOnArrival • MSPlayVideoFilesOnArrival • MSPrintPicturesOnArrival • MSPromptEachTime • MSPromptEachTimeNoContent • MSShowPicturesOnArrival • MSTakeNoAction • MSVideoCameraArrival • MSWiaEventHandler • Table C-2: Values in AutoplayHandlers Media Subkey Generic GenericVolumeArrival Blank CDR HandleCDBurningOnArrival Mixed Content MixedContentOnArrival CD Audio PlayCDAudioOnArrival DVD PlayDVDMovieOnArrival Music files PlayMusicFilesOnArrival Video files PlayVideoFilesOnArrival Digital images ShowPicturesOnArrival Video camera VideoCameraArrival
Explorer\Desktop\NameSpace The Desktop\Namespace subkey defines the objects you see on Windows XP, contains a subkey for each object, and the name is the class ID of the object's class in HKCR. Appendix A, "File Associations," provides more information about HKCR. However, do not use subkeys to hide desktop icons. The best way is to use HideDesktopIcons, more on that later in this appendix.
Explorer\FindExtensions The FindExtensions subkey defines the various extensions that you can use for searching. Static contains three subkeys: ShellSearch, WabFind, and WebSearch. The ShellSearch 363 WebSearch subkey defines the extensions that allow you to search the web.
Explorer\HideDesktopIcons The HideDesktopIcons subkey specifies which icons to show or hide on the desktop. You subkey under the HideDesktopIcons key. The first is ClassicStartMenu. It concerns the classic menu. This subkey contains REG_DWORD values. The names of these values are the object's class registration. The value is either 0x01, indicating Windows XP should show the icon, or 0x00, indicating Windows XP should not hide the icon. The NewStartPanel affects the new start menu. Its organization is similar to the ClassicStartMenu.
Explorer\HideMyComputerIcons The HideMyComputerIcons subkey specifies which icons to show or hide in the My folder. This subkey contains REG_DWORD values. The names of these values are the object's class registration. The value is either 0x01, indicating Windows XP should show the icon, or 0x00, indicating Windows XP should not hide the icon.
Explorer\MyComputer The MyComputer subkey specifies the path and filename of the special tools you see when you right-click a drive in My Computer and then click Properties. The following subkeys define paths: BackupPath. The default value of this subkey contains the command to run. Right-click a drive in My Computer, click Properties, and then click Back Up Now on the tab. • Cleanup Path. The default value of this subkey contains the command to run. Right-click a drive in My Computer, click Properties, and then click the Disk Cleanup General tab. • DefragPath. The default value of this subkey contains the command to run when you right-click a drive in My Computer, click Properties, and then click the Disk Defragmentation Tools tab. • The MyComputer\NameSpace subkey also serves a similar purpose as Desktop\NameSpace. It defines the objects you see in My Computer. By default, this does not contain GUIDs. However, you can add subkeys to this subkey named for adding objects to the object's workspace.
Explorer\NetworkNeighborhood\NameSpace The NetworkNeighborhood\Namespace subkey defines the objects you see in the My Places folder. It contains a subkey for each object and the name is the class id of the class registry in HKCR. By default, you see icons for Network Setup Wizard and Add
Location. 364 The RemoteComputer\NameSpace subkey defines the objects you see when you browse computers in the My Network Places folder. It contains a subkey for each object and the class ID of the object's class registry in HKCR. Icons for the Printers and Tasks folders appear on remote computers. If browsing remote computers is a slow process, remove the subkeys in the RemoteComputer\NameSpace key. This prevents Windows from looking up the remote printers and scheduled tasks on remote computers and could do a little browsing.
Explorer\StartMenu The StartMenu subkey defines templates for the settings you see in the Taskbar and Properties dialog box. Since these are templates, they often do not make sense to adapt. The utility for you as a power user or IT professional is to find out where Windows settings are and the values of each setting in the registry.
Explorer\User Shell Folder Windows XP maintains a number of shared folders in the All Users profile folder, %SYSTEMROOT%\Documents and Settings. The operating system specifies the path folders in user shell folders under HKLM. Table C-3 on the next page describes each finding in user shell folders and the default path. The first column is the internal of the folder, the second is the default path. You can redirect these folders to other locations by changing the path in the user shell folders. Table C-3: Special Folders Name Default Path Common AppData %ALLUSERSPROFILE%\Application Data Common Desktop %ALLUSERSPROFILE%\Desktop Common Documents %ALLUSERSPROFILE%\Documents Common Favorites %ALLUSERSPROFILE%\Favorites Common Programs %ALLUSERSPROFILE%\Start Menu\Programs Common Start Menu %ALLUSERSPROFILE%\Start Menu Common Startup %ALLUSERSPROFILE%\Start Menu\Programs\Startup Common Templates %ALLUSERSPROFILE%\Templates The values in Table C-3 are REG_EXPAND_SZ values so you can use them in the environment. Use %ALLUSERSPROFILE% in a path to direct the folder anywhere within the profile folder. To redirect the General Favorites folder to the network, set the Favorites value to \\Server\Share. At the next start of the Windows XP operating system, second key, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell folder, Paths of user shell folders. Windows XP doesn't really use the values in shell folders.
Explorer\VisualEffects The VisualEffects subkey contains templates for the settings you see in the Performance dialog box. They're not useful for customizing Windows XP, but they're handy for mapping settings to the appropriate registry settings. 365 The HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies key is the policy branch that Windows XP inherits from earlier versions of Windows. Windows XP still stores many policy branches, although the new, preferred policy branch is HKLM\SOFTWARE\Policies.
Settings you'll find in this key are leftovers from old policy files that tattooed us
Run Windows XP runs the commands in the Run subkey for each user who logs on. The name of each value in this subkey is arbitrary. However, the operating system executes the REG_SZ value command. So if you don't want to use the startup group in the program files that run programs when you log on to the computer, you can add the command to run custom commands. The chapter "Workaround IT problems" describes a useful workaround with this subkey.
RunOnce The RunOnce subkey is similar to the Run subkey. The difference is that Windows XP commands are run from the RunOnce subkey after they have run. Therefore, commands in RunOnce are executed only once.
Uninstall The Uninstall key describes how to remove applications using the Add or Remove Programs box. Each subkey, Uninstall\Name, describes how to remove the program. For example, the Remove Programs dialog box uses the DisplayName REG_SZ value to display the programs in the list, and the UninstallString REG_SZ value contains the command used to uninstall the program. Some programs store additional information in the uninstall key. For example, TechSmith saves SnagIt in Uninstall\ the location where you installed the program so it can find the files to remove. Some programs save the location of any shortcuts they create in Uninstall\ You can remove them when you remove the program.
SYSTEM The subkeys in HKLM\SYSTEM are ControlSetN, where N is a number starting with 001. are control records and describe the configuration of the computer. Of all the configurations in the registry, this is by far the most important. Windows XP maintains at least two checks that the operating system can always start. If the first fails, you can start by selecting Last Known Good Configuration from the boot options menu. The CurrentControlSet subkey is a link to the current control set, ControlSetN. Windows identifies the current control record with the HKLM\SYSTEM\Select key. The REG_DWORD Current contains the number of the current control set. The REG_DWORD value LastKnownGood contains the number of the last tax record that worked properly. This is the set of controls that XP loads when users select Last Known Good Configuration. 366
CurrentControlSet\Control The CurrentControlSet\Control subkey contains values that control how Windows XP defines the components to load and their configurations. The following list describes interesting subkeys of Control: BackupRestore. This subkey contains subkeys that identify the files and registry that Windows XP does not back up or restore. You can learn more about this subkey in the registry chapter."
• Class. This subkey stores configuration data for classes of hardware devices. • Crash Control. This subkey contains values that specify what happens when Windows locks, fails, or terminates abnormally. • CriticalDeviceDatabase. This subkey contains the critical device database described in Chapter 13, "Cloning Disks with Sysprep." It contains configuration data devices that Windows XP must install and start before starting the components that the system normally installs. • File system. This subkey contains file system configurations. • Graphics driver. This subkey contains DirectX and graphics driver settings. • Group order list. This subkey contains the order in which Windows XP loads the Services service group when the operating system starts. • Hivelist. This subkey defines the locations of Hive files loaded into the registry. You learned about this subkey in Chapter 1, "Learning the Basics." • IDConfigDB. This subkey contains settings that identify the current hardware configuration for Windows XP. • Lsa. This subkey contains configuration data for the Local Security Authority (LSA). • Network. This subkey contains network settings. • Internet providers. This subkey contains network provider settings. • To press. This subkey contains printer settings that apply to all users. • Priority control. This subkey specifies the relative priority of background applications to foreground applications. • SafeBoot. This subkey contains data about the computer's safe mode settings. Chapter 3, "Backing Up the Registry" to learn more about boot options. • SecurePipeServer. This subkey contains the winreg subkey, which controls access to the registry. See Chapter 7, “Managing Registry Security” to learn how subkeys secure remote registry access. • ServiceGroupOrder. This subkey contains a list of all service groups in the order in which they were loaded by Windows XP. • Service Provider. This subkey contains data about the installed service providers. • Session Manager. This subkey contains session manager data. • To update. This subkey contains configuration data for the system policy. The Registry Based Policy chapter describes how to use this subkey. • VirtualDeviceDrivers. This subkey contains data for virtual device drivers. • Windows. This subkey contains data for the Win32 subsystem. • WOW. This subkey contains settings that control MS-DOS-based applications Applications built for 16-bit versions of Windows • 367
The CurrentControlSet\Enum subkey is a database of all the devices on the computer that Windows has detected. This database stores configuration data for hardware devices separately from the device drivers they use. This database is an important part of Plug and Play in Windows. Tip The most common reason for hacking CurrentControlSet\Enum is to remove devices that appear in Device Manager. Windows XP offers a better and safer alternative. Manager, click View, Show hidden devices; Then remove the devices from which you want to remove the Enum subkey.
CurrentControlSet\Hardware Profiles The CurrentControlSet\Hardware Profiles subkey stores hardware profiles created for laptops that have configurations for their docked and undocked hardware profile that include changes to the original hardware profile configured in HKLM\SOFTWARE and HKLM\SYSTEMkeys. Windows XP does not change the original value, so hardware profiles can be created easily. You use the Hardware Profiles dialog box to create and select profiles. In addition, Windows XP automatically creates hardware profiles when it determines that scenarios require them. Each hardware profile is located in the Hardware Profiles\N subkey, where N is an incremental value starting at 0000. These subkeys look like stripped down versions of the HKLM\SOFTWARE HKLM\SYSTEM keys. They only contain the values that the hardware profile changes, ie if Windows XP uses a hardware profile, the settings in the profile override the settings in SOFTWARE and SYSTEM. They represent a powerful way to customize the system for different scenarios, which is especially important for laptop users. The HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current subkey is a link to the hardware profile. HKCC is also a link to the current hardware profile (which explains why there is a separate section for HKCC in this appendix). If you change a value in one of those three places, the same value changes in the remaining two places. Windows XP maintains information about all of its hardware profiles in HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB. This key contains the REG_DWORD CurrentConfig, which specifies the number of the current hardware profile. The Profiles subkey in IDConfigDB defines each hardware profile in more detail. For example, each hardware profile defines the friendly name of the hardware profile.
CurrentControlSet\Services The CurrentControlSet\Services subkey defines services such as device drivers, file system, and Win32 services. The settings are different for each service. Any subkey in the service name of the service that uses it. This is often the name of the file from which Windows loads the service. Some of the subkeys in Services represent devices and services that are installed and running on the computer. Others are not installed or not activated. While services may have unique values and subkeys, they all have the following and common values: DependOnGroup. This REG_MULTI_SZ value specifies the service groups that XP must load before loading this service. This value ensures that all prerequisites are met. • 368
are fulfilled. Count. You see this subkey in Services storing values for device driver services that control devices. It stores information about the service associated with the hardware. • Error control. This REG_DWORD value specifies how to proceed if the device is to load or initialize properly. The following values are possible: 0x00 (Ignore) Ignore the error and continue to start Windows XP. → 0x01 (Normal) Displays a warning and continues booting Windows XP. → 0x02 (Fatal) Reboot to the last known good configuration and continue booting Windows XP. → 0x03 (Critical) Reboot with the last known good configuration, otherwise continue booting Windows XP. → • group. This REG_DWORD value specifies the service group to which the service belongs. If this value does not exist, the service does not belong to any group and the service loads all service groups. • Image path. This REG_EXPAND_SZ value specifies the path and name of the executable. Network adapters do not use this value. • Shortcut. This subkey contains data for binding network components. They connect services with protocols and devices that support them. • Internet provider. This subkey contains the name of the device, provider, provider order for a network service. • Object name. This REG_SZ value specifies the name of a driver object that the I/ uses to load the device driver. This value exists in services that are kernel-mode system drivers. • Parameters. This subkey contains entries specific to each service. • Perfomance. This subkey contains data for the service's performance counter. • Security. This subkey contains information about the permissions of a driver or service. • Beginning. This REG_DWORD value specifies how Windows XP loads or starts the service. The following values are possible: 0x00 (boot) The kernel loader loads the driver when booting Windows XP. → 0x01 (system) The I/O subsystem loads the driver during kernel initialization. → 0x02 (Automatic) The Session Control Manager starts the service automatically. → 0x03 (Manual) The service must be started manually. → 0x04 (Disabled) The service is never started. → • Mark. This REG_DWORD value specifies the service tag, which is unique within the service group. • Type. This REG_DWORD value indicates the type of service. The following is possible:
0x01 kernel mode device driver → 0x02 file system driver → 0x04 arguments to an adapter → 0x08 file system driver services → 0x10 Win32 programs running their own processes → 0x20 Win32 programs sharing processes → 0x110 Win32 programs running in their own processes → 0x120 Win32 programs that share processes and interact with users → • 369 Microsoft Windows XP provides six Administrative Templates. This appendix references each policy in these templates with its registry setting. Each section in this appendix contains a table with the template settings. Each table has three columns. The first is the location of the policy in the Group Policy Editor. The second is the name of the policy. The third column is the registry value of the policy. Use this appendix along with the descriptions that you see in the Group Policy Editor to determine where in the registry Windows XP stores each policy.
Conf.adm Tabelle 19-1: Richtlinien in Conf.adm Speicherort Name Schlüssel Computer Configuration\Administrative Templates\Windows Components\NetMeeting Disable remote Desktop Sharing HKLM\Software\Policies\Microsoft\Conferencing\NoRDS User Configuration\Administrative Templates\Windows Components\ NetMeeting\Application Sharing Application Sharing deaktivieren HKCU\Software\Policies\Microsoft\Conferencing\NoAppSharing User Configuration\Administrative Templates\Windows Components\NetMeeting\Application Sharing Prevent Sharing HKCU\Software\Policies\Microsoft\Conferencing\NoSharing User Configuration\Administrative Templates\ Windows-Komponenten\NetMeeting\Anwendungsfreigabe Desktopfreigabe verhindern HKCU\Software\Policies\Microsoft\Conferencing\NoSharingDesktop
Benutzerkonfiguration\Administrative Vorlagen\Windows-Komponenten\NetMeeting\Application Sharing Prevent Sharing Command Prompts HKCU\Software\Policies\Microsoft\Conferencing\NoSharingDosWindows User Configuration\Administrative Templates\Windows Components\NetMeeting\Application Sharing Prevent Sharing Explorer windows HKCU\Software\Policies \Microsoft\Conferencing\NoSharingExplorer User Configuration\Administrative Templates\Windows Components\NetMeeting\Application Sharing Prevent Control HKCU\Software\Policies\Microsoft\Conferencing\NoAllowControl User Configuration\Administrative Templates\Windows Components\NetMeeting\Application Sharing Prevent Application Sharing in true color HKCU\Software\Policies\Microsoft\Conferencing\NoTrueColorSharing User Configuration\Administrative Templates\Windows Components\NetMeeting\Audio & Video Beschränken Sie die Bandbreite von Audio und Video HKCU\Software\Policies\Microsoft\Conferencing\MaximumBandwidth User Configuration\Administrative Templates\ Windows Com ponents\NetMeeting\Audio & Video Disable Audio HKCU\Software\Policies\Microsoft\Conferencing\NoAudio User Configuration\Administrative Templates\Windows Disable full duplex Audio HKCU\Software\Policies\Microsoft\Conferencing\NoFullDuplex
370 Components\NetMeeting\Audio & Video User Configuration\Administrative Templates\Windows Components\NetMeeting\Audio & Video Prevent changes
DirectSound-Audioeinstellung HKCU\Software\Policies\Microsoft\Conferencing\NoChangeDirectSound User Configuration\Administrative Templates\Windows Components\NetMeeting\Audio & Video Video senden verhindern HKCU\Software\Policies\Microsoft\Conferencing\NoSendingVideo User Configuration\Administrative Templates\Windows Components \NetMeeting\Audio & Video Videoempfang verhindern HKCU\Software\Policies\Microsoft\Conferencing\NoReceivingVideo User Configuration\Administrative Templates\Windows Components\NetMeeting\Options Page Hide the General page HKCU\Software\Policies\Microsoft\Conferencing\NoGeneralPage User Configuration \Administrative Templates\Windows Components\NetMeeting\Options Page Deaktivieren Sie die Schaltfläche Advanced Calling HKCU\Software\Policies\Microsoft\Conferencing\NoAdvancedCalling User Configuration\Administrative Templates\Windows Components\NetMeeting\Options Page Hide the Security page HKCU\Software\Policies\ Microsoft\Conferencing\NoSecurityPage User Configuration\Administrative T emplates\Windows Components\NetMeeting\Options Page Hide the Audio page HKCU\Software\Policies\Microsoft\Conferencing\NoAudioPage User Configuration\Administrative Templates\Windows Components\NetMeeting\Options Page Hide the Video page HKCU\Software\Policies\Microsoft\Conferencing \NoVideoPage User Configuration\Administrative Templates\Windows Components\NetMeeting Enable Automatic Configuration HKCU\Software\Policies\Microsoft\Conferencing\ConfigFile
User Configuration\Administrative Templates\Windows Components\NetMeeting Disable Directory Services HKCU\Software\Policies\Microsoft\Conferencing\NoDirectoryServices User Configuration\Administrative Templates\Windows Components\NetMeeting Prevent adding directory servers HKCU\Software\Policies\Microsoft\Conferencing\ NoAddingDirectoryServers User Configuration \Administrative Templates\Windows Components\NetMeeting Prevent display of web directory HKCU\Software\Policies\Microsoft\Conferencing\NoWebDirectory IntranetSupportURL User Configuration\Administrative Templates\Windows Components\NetMeeting Set Call Security Options HKCU\Software\Policies\Microsoft\Conferencing\CallSecurity User Configuration\Administrative Templates\Windows Components\NetMeeting Prevent changing call transfer method HKCU\Software\Policies\Microsoft\Conferencing\NoChangingCallMode
371 User Configuration\Administrative Templates\Windows Components\NetMeeting Prevent automatic acceptance of calls HKCU\Software\Policies\Microsoft\Conferencing\NoAutoAcceptCalls User Configuration\Administrative Templates\Windows Components\NetMeeting Prevent sending files HKCU\Software\Policies\Microsoft\Conferencing \ NoSendingFiles User Configuration\Administrative
Templates\Windows Components\NetMeeting Prevent receiving files HKCU\Software\Policies\Microsoft\Conferencing\NoReceivingFiles User Configuration\Administrative Templates\Windows Components\NetMeeting Limit size of sent files HKCU\Software\Policies\Microsoft\Conferencing\MaxFileSendSize User Configuration\Administrative Templates\Windows Components\NetMeeting Disable Chat HKCU\Software\Policies\Microsoft\Conferencing\NoChat User Configuration\Administrative Templates\Windows Components\NetMeeting Disable NetMeeting 2.x Whiteboard HKCU\Software\Policies\Microsoft\Conferencing\NoOldWhiteBoard User Configuration\ Disable Administrative Templates\Windows Components\NetMeeting Whiteboard HKCU\Software\Policies\Microsoft\Conferencing\NoNewWhiteBoard
Inetcorp.adm Table 19-2: Policies in Inetcorp.adm Location Name Key Computer Configuration\Administrative Templates\Code Download Code Download HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CodeBaseSearchPath Computer Configuration\Administrative Templates\Related Sites and Errors Related Sites HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b00aa003c157a} Computer Configuration\Administrative Templates\Temporary Internet Files (Machine) Temporary Internet Files (Machine) HKLM\Software\Microsoft\Windows\CurrentVersion\ Internet Settings\5.0 \Cache\Content\CacheLimit Computer Configuration\Administrative Templates\Temporary Internet Files (Machine)
User Profiles HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\PerUserItem User Configuration\Administrative Templates\Temporary Internet Files (User) Temporary Internet Files (User) HKCU\Software\Microsoft\Windows\CurrentVersion\ Internet Settings\SyncMode5 User Configuration \Administrative Templates\Temporary Internet Files (User) Temporary Internet Files (User) HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CacheLimit
Inetres.adm Table 19-3: Policies in Inetres.adm Site name key
372 Computer Configuration\Administrative Templates\Windows Components\Internet Explorer Security Zones: Use only machine settings HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only Computer Configuration\Administrative Templates\Windows Components\Internet Explorer Security Zones: Do Don't allow users to change policies HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit Computer Configuration\Administrative Templates\Windows Components\Internet Explorer Security Zones: Don't allow users to add/delete sites
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_zones_map_edit Computer Configuration\Administrative Templates\Windows Components\Internet Explorer Make proxy settings per computer (instead of per user) HKLM\Software\Policies\Microsoft\Windows\ CurrentVersion\ Internet Settings\ProxySettingsPerUser Computer Configuration\Administrative Templates\Windows Components\Internet Explorer Disable automatic installation of Internet Explorer components HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoJITSetup Computer Configuration\Administrative Templates\Windows Components\Internet Explorer Disable periodic check for Internet Explorer software updates HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoUpdateCheck Computer Configuration\Administrative Templates\Windows Components\Internet Explorer Disable shell notifications about software updates on program startup HKLM\Software\Microsoft\ Windows\CurrentVersion\Policies\ Explorer\NoMSAppLogo5ChannelNotify Computer Configuration\Administrative Templates\Windows Components\Internet Explorer Disable display of splash screen
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoSplash User Configuration\Administrative Templates\Windows Components\Internet Explorer Search: Disable Search Customization HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoSearchCustomization User Configuration \Administrative Templates\Windows Components\Internet Explorer Search: Disable Find Files via F3 within the browser HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFindFiles User Configuration\Administrative Templates\Windows Components\Internet Explorer Disable external branding of Internet Explorer HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoExternalBranding
373 User Configuration\Administrative Templates\Windows Components\Internet Explorer Disable Import and Export Favorites HKCU\Software\Policies\Microsoft\Internet Explorer\DisableImportExportFavorites User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel Disable the General page HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\GeneralTab User Configuration\Administrative Templates\Windows Components\Internet
Explorer\Internet Control Panel Disable Security Page HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel Disable Content Page HKCU \Software\Policies\Microsoft\Internet Explorer\Control Panel\ContentTab User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel Disable the Connections page HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\ConnectionsTab User Configuration\ Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel Page Disable Programs HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\ProgramsTab User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel Page Disable Advanced HKCU\ Software\Policies\Microsoft\Internet Explorer\Control Panel\Advance dTab User Configuration\Administrative Templates\Windows Components\Internet Explorer Disable changing advanced page settings HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Advanced User Configuration\Administrative Templates\Windows
Components\Internet Explorer Disable changing home page settings HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage User Configuration\Administrative Templates\Windows Components\Internet Explorer Use automatic detection for dial-up connections HKCU\Software\Policies\Microsoft\Windows \ CurrentVersion\Internet Settings\DialupAutodetect User Configuration\Administrative Templates\Windows Components\Internet Disable caching of auto-proxy scripts HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutoProxyResultCache
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\DisplayScriptDownloadFailureUI User Configuration\Administrative Templates\Windows Components\Internet Disable Explorer Modification Temporary Internet Files Settings HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache User Configuration\Administrative Templates\Windows Components\Internet Explorer Disable Modification
History Settings HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\History User Configuration\Administrative Templates\Windows Components\Internet Explorer Disable changing color settings HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Colors User Configuration \Administrative Templates\Windows Components\Internet Explorer Disable changing link color settings HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\links User Configuration\Administrative Templates\Windows Components\Internet Explorer Disable changing font settings HKCU \Software\ Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Fonts User Configuration\Administrative Templates\Windows Components\Internet Explorer Disable changing language settings HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Languages User Configuration \Administrative Template es\Windows Components\Internet Explorer Disable the change accessibility setting ngs HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Accessibility User Configuration\Administrative Templates\Windows Components\Internet Explorer Disable Internet
Connection Wizard HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Connwiz Admin Lock User Configuration\Administrative Templates\Windows Components\Internet Explorer Disable changing connection settings HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ Connection Settings User Configuration\Administrative Templates\Windows Components\Internet Explorer Disable Modifying Proxy Settings HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy User Configuration\Administrative Templates\Windows Components\Internet Disable Modifying Automatic Configuration HKCU\ Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Autoconfig
375 Explorer Settings User Configuration\Administrative Templates\Windows Components\Internet Explorer Disable Modifying Rating Settings HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Ratings User Configuration\Administrative Templates\Windows Components\Internet Explorer Disable Modifying Certificate Settings HKCU \ Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Certificates User Configuration\Administrative Templates\Windows
Components\Internet Explorer Disable changing profile wizard settings HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Profiles User Configuration\Administrative Templates\Windows Components\Internet Explorer Disable autocomplete for forms HKCU\Software\Policies\Microsoft\Windows \ CurrentVersion\Internet Settings\FormSuggest User Configuration\Administrative Templates\Windows Components\Internet Explorer Do not allow AutoComplete to save passwords HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\FormSuggest Passwords User Configuration\Administrative Templates\Windows Components\ Internet Explorer Disable changing messaging settings HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Messaging User Configuration\Administrative Templates\Windows Components\Internet Explorer Disable changing calendar and contacts settings HKCU\Software\Policies\Micro soft\Windows\CurrentVersion \Internet Settings\CalendarContact User Configuration\Administrative Templates\Windows Components\Internet Explorer Disable the "Reset Web Settings" feature.
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ResetWebSettings User Configuration\Administrative Templates\Windows Components\Internet Explorer Disable changing the default browser check HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Check_If_Default User Configuration \Administrative Templates\Windows Components\Internet Explorer Identity Manager: Prevent users from using identities HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\ Identities\Locked Down User Configuration\Administrative Templates\Windows Components\Internet Explorer Configure Outlook Express HKCU\Software\Microsoft\Outlook Express\BlockExeAttachments User Configuration\Administrative Templates\Windows Components\Internet Configure Media Explorer Bar HKCU\Software\Microsoft\Internet Explorer\media\Autoplay
376 Explorer User Configuration\Administrative Templates\Windows Components\Internet Explorer\Offline Pages Disable adding channels HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingChannels User Configuration\Administrative Templates\Windows Components\Internet Explorer\Disable Offline Pages Remove channels HKCU\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoRemovingChannels User Configuration\Administrative Templates\Windows Components\Internet Explorer\Offline Pages Disable adding schedules for offline pages HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingSubscriptions User Configuration\Administrative Templates \Windows Components\Internet Explorer\Offline Pages Disable offline page editing schedules HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoEditingSubscriptions User Configuration\Administrative Templates\Windows Components\Internet Explorer\Offline Pages Disable removal of offline page schedules HKCU \Software \Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoRemovingSubscriptions User Configuration\Administrative Templates\Windows Components\Internet Explorer\Offline Pages Disable logging of access to offline pages HKCU\Software\Policies\Mic rosoft\Internet Explorer\Infodelivery\Restrictions\NoChannelLogging User Configuration\Administrative Templates\Windows Components\Internet Explorer\Offline Pages Disable all scheduled offline pages HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoScheduledUpdates User Configuration\Administrative Templates \Windows Components\Internet Explorer\Offline Pages Disable channel UI Full HKCU\Software\Policies\Microsoft\Internet
Explorer\Infodelivery\Restrictions\NoChannelUI User Configuration\Administrative Templates\Windows Components\Internet Explorer\Offline Pages Disable downloading of site subscription content HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoSubscriptionContent User Configuration\Administrative Templates \Windows Components\Internet Explorer\Offline Pages Disable Editing and Schedule Group Creation HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoEditingScheduleGroups User Configuration\Administrative Templates\Windows Components\Internet Explorer\Offline Pages Subscription Limits HKCU\ Software\ Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\MaxWebcrawlLevels User Configuration\Administrative Templates\Windows Components\Internet File menu: Disable the Save As menu option HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\ NoBrowserSaveAs
377 Explorer\Browser menus User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus File menu: Disable New menu option HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFileNew User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus File menu: Disable the Open menu option.
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFileOpen User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus File menu: Disable Save As Web Page Complete HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\ Restrictions\NoBrowserSaveWebComplete User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus File menu: Disable closing browser and explorer windows HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoBrowserClose User Configuration\Administrative Templates \Windows Components\Internet Explorer\Browser Menus View Menu: Disable Source Menu Option HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoViewSource User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser Menus View Menu: Disable Full Screen Menu option HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restriction s\NoTheaterMode User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus Hide Favorites menu HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoFavorites User Configuration\Administrative Templates\Windows Components\ Internet Explorer\Browser menus tool menu:
Disable Internet Options menu option HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoBrowserOptions User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus Help menu: Remove the Tip of the Day menu option HKCU\Software\ Policies\Microsoft\Internet Explorer\Restrictions\NoHelpItemTipOfTheDay User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus Help menu: Remove 'For Netscape Users' menu option HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoHelpItemNetscapeHelp User Configuration \Administrative Templates\Windows Components\Internet Explorer\Browser Menus Help Menu: Remove Send Feedback Menu Option HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoHelpItemSendFeedback User Configuration\Administrative Templates\Disable Windows Context Menu HKCU\ Software\Policies\Microsoft\ Internet Explorer\Restrictions s\NoBrowserContextMenu
378 Components\Internet Explorer\Browser Menus User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser Menus Uncheck the menu option Open in new window HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoOpeninNewWnd User
Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus Disable Save this program to disk option HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoSelectDownloadDir User Configuration\Administrative Templates\Windows Components\Internet Explorer\Toolbars Disable this Customize browser toolbar buttons HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer\NoToolbarCustomize User Configuration\Administrative Templates\Windows Components\Internet Explorer\Toolbars Disable browser toolbar customization HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer \NoBandCustomize User Configuration\Administrative Templates\Windows Components\Internet Explorer\Toolbars Configure Toolbar Buttons HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer\Btn_Encoding User Configuration\Administrative Templates\Windows Components\Internet Explorer\Persistence Behavior File Size Desc Local Computer Limitations Zone HKCU\Software\Polici es\Microsoft\Internet Explorer\Persistence\0\DocumentLimit User Configuration\Administrative Templates\Windows Components\Internet Explorer\Persistence Behavior File size limits for the intranet zone HKCU\Software\Policies\Microsoft\Internet
Explorer\Persistence\1\DocumentLimit User Configuration\Administrative Templates\Windows Components\Internet Explorer\Persistence Behavior File size limits for the Trusted Sites Zone HKCU\Software\Policies\Microsoft\Internet Explorer\Persistence\2\DocumentLimit User Configuration\Administrative Templates\ Windows -Components\Internet Explorer\Persistence Behavior File Size Limits for Internet Zone HKCU\Software\Policies\Microsoft\Internet Explorer\Persistence\3\DocumentLimit User Configuration\Administrative Templates\Windows Components\Internet Explorer\Persistence Behavior File Size Limits for Restricted Sites zone HKCU\Software \Policies\Microsoft\Internet Explorer\Persistence\4\DocumentLimit User Configuration\Administrative Templates\Windows HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls\{22D6F312-B0F6-11D0-94AB-0080C74C7E95}
379 Components\Internet Explorer\Administrator Allowed Controls User Configuration\Administrative Templates\Windows Components\Internet Explorer\Administrator Allowed Controls HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls\{F5131C24-E56D-11CF- B78A- 444553540000} User Configuration\Administrative Templates\Windows Components\Internet Explorer\Admin Allowed Controls HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F} User Configuration\ Administrative Templates\Windows
Components\Internet Explorer\Administrator Allowed Controls HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls\{D6526FE0-E651-11CF-99CB-00C04FD64497} User Configuration\Administrative Templates\Windows Components\Internet Explorer\Administrator Approved controls Microsoft Survey Control HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls\{BD1F006E-174F-11D2-95C0-00C04F9A8CFA} User Configuration\Administrative Templates\Windows Components\Internet Explorer\Administrator Approved Controls Shockwave Flash HKCU \Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls\{D27CDB6E-AE6D-11CF-96B8-444553540000} User Configuration\Administrative Templates\Windows Components\Internet Explorer\Administrator Approved Controls NetShow File Transfer Control HKCU\Software \Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls\{26F24A93-1DA2-11D0-A334 -00AA004A5FC5} User Configuration\Administrative Templates\Windows Components\Internet Explorer\Administrator Approved Controls DHTML EditControl HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls\{2D360201-FFF5-11D1-8D03-00A0C959BC0A} User Configuration \Administrative Templates\ Windows Components\Internet Explorer\Administrative Allowed Controls Microsoft Scriptlet Component HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls\{AE24FDAE-03C6-11D1-8B76-0080C744F389} User Configuration\Administrative Templates\Windows Components\Internet Explorer\Administrator
Allowed Controls HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls\{DED22F57-FEE2-11D0-953B-00C04FD9152D} User Configuration\Administrative Templates\Windows HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings \Allowed controls\{52ADE293-85E8-11D2-BB22-00104B0EA281}
380 Components\Internet Explorer\Administratively Approved Controls User Configuration\Administrative Templates\Windows Components\Internet Explorer\Administratively Approved Controls HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls\{2FF18E10-DE11-11D1 -8161-00A0C90DD90C}
Inetset.adm Table 19-4: Policies in Inetset.adm Location Name Key Computer Configuration\Administrative Templates\Component Updates Periodic check for Internet Explorer and Internet Tools updates HKLM\Software\Microsoft\Internet Explorer\Main\Update_Check_Interval Computer Configuration\Administrative Templates\Component Updates Help Menu > About Internet Explorer HKLM\Software\Microsoft\Windows\CurrentVersion\IEAKUpdateUrl User Configuration\Administrative Templates\Advanced settings Connection HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial User Configuration\Administrative Templates\ Advanced Settings Browse HKCU\SOFTWARE\Microsoft\Ftp\Error Dlg Displayed On Every Error User Configuration\Administrative Templates\Advanced settings Multimedia HKCU\SOFTWARE\Microsoft\Internet Explorer\Show image placeholders
User Configuration\Administrative Templates\Advanced Settings Security HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonZoneCrossing User Configuration\Administrative Templates\Advanced Settings Microsoft VM HKCU\Software\Microsoft\Java VM\EnableJIT User Configuration\Administrative Templates\Advanced Settings Print HKCU\ Software\Microsoft\Java VM\Print_Background User Configuration\Administrative Templates\Advanced Settings Search HKCU\Software\Microsoft\Internet Explorer\SearchURL\AutoSearch User Configuration\Administrative Templates\Advanced Settings HTTP 1.1 Settings HKCU\SOFTWARE\Microsoft\ Windows\CurrentVersion\Internet Settings\ProxyHttp1.1 User Configuration\Administrative Signup Settings HKCU\Software\Microsoft\IEAK\NoAutomaticSignup
381 Templates\Advanced Settings User Configuration\Administrative Templates\Advanced Settings Internet Connection Wizard Settings HKCU\Software\Microsoft\Internet Connection Wizard\Completed User Configuration\Administrative Templates\AutoComplete AutoComplete Settings HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ AutoComplete \ FormSuggest PW Ask User Configuration\Administrative Templates\Display settings Text Size HKCU\Software\Microsoft\Internet Explorer\International\Scripts\Default_IEFontSize User Configuration\Administrative Templates\Display settings
Allgemein Farben HKCU\Software\Microsoft\Internet Explorer\Main\Use_DlgBox_Colors User Configuration\Administrative Templates\Display settings Linkfarben HKCU\Software\Microsoft\Internet Explorer\Main\Anchor Color Hover User Configuration\Administrative Templates\URL Encoding URL Encoding HKCU\ Software\Microsoft\Windows\CurrentVersion\Internet Settings\UrlEncoding
System.adm Table 19-5: Policies in System.adm Location Name Key Computer Configuration\Administrative Templates\Network Background Intelligent Transfer Service (BITS) Inactive job timeout HKLM\Software\Policies\Microsoft\Windows\BITS\JobInactivityTimeout Computer Configuration\Administrative Templates\Network How often a DFS client discovers DCs HKLM\Software\Policies\Microsoft\System\DFSClient\DfsDcNameDelay Computer Configuration\Administrative Templates\Network\DNS Client Primary DNS Suffix HKLM\Software\Policies\Microsoft\System\DNSClient\NV PrimaryDnsSuffix Computer Configuration\Administrative Templates\Network\DNS Client Dynamic Update HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\RegistrationEnabled Computer Configuration\Administrative Templates\Network\DNS Client DNS Suffix Search List HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\SearchList Computer Configuration\Administrative Templates\Network\DNS Client Primary DNS Suffix Devolution HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\UseDomainNameDevolution Computer Configuration\Administrative Templates\Network\DNS Client Register PTR Records HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\RegisterReverseLookup Computer Configuration\Administrative Templates\ Network\DNS Client Registration Refresh Interval HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\RegistrationRefreshInterval Computer Configuration\Administrative
Templates\Network\DNS Client Replace Addresses In Conflicts HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\ RegistrationOverwritesInConflict Computer Configuration\Administrative Templates\Network\DNS Client DNS Servers HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\NameServer Computer Configuration\Administrative Templates\Network\DNS Client Connection-Specific DNS Suffix HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\AdapterDomainName Computer Configuration\Administrative Templates\Network\DNS Client DNS-Einträge mit verbindungsspezifischem HKLM\Software\Policies registrieren\ Microsoft\Windows NT\DNSClient\RegisterAdapterName
382 DNS Suffix Computer Configuration\Administrative Templates\Network\DNS Client TTL Set in A and PTR records HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\RegistrationTtl Computer Configuration\Administrative Templates\Network\DNS Client Update Security Level HKLM\ Software\Policies\Microsoft\Windows NT\DNSClient\UpdateSecurityLevel Computer Configuration\Administrative Templates\Network\DNS Client Update Top Level Domain Zones HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\ UpdateTopLevelDomainZones Computer Configuration\Administrative Templates\ Network\Network Connections Prohibit use of Internet Connection Sharing in your DNS domain network HKLM\Software\Policies\Microsoft\Windows\Network Connections\ NC_ShowSharedAccessUI Computer Configuration\Administrative Templates\Network\Network Connections Prohibit use of Internet Connection Firewall in your DNS domain network HKLM\Software \Policies\Microsoft\Windows\Network Connection s\ NC_PersonalFirewallConfig Computer Configuration\Administrative Templates\Network\Network Connections Prevent installation and configuration of network bridge in your DNS domain network
HKLM\Software\Policies\Microsoft\Windows\Network Connections\ NC_AllowNetBridge_NLA Computer Configuration\Administrative Templates\Network\Network Connections IEEE 802.1x Certificate Authority for Machine Authentication HKLM\Software\Policies\Microsoft\Windows\Network Connections\ 8021X\8021XCARootHash Computer Configuration \Administrative Templates\Network\Offline Files Verwendung der Offlinedateien-Funktion zulassen oder verbieten HKLM\Software\Policies\Microsoft\Windows\NetCache\Enabled Computer Configuration\Administrative Templates\Network\Offline Files Benutzerkonfiguration von Offlinedateien verbieten HKLM\Software\ Policies\Microsoft\Windows\NetCache\NoConfigCache Computer Configuration\Administrative Templates\Network\Offline Files Synchronize all offline files when login HKLM\Software\Policies\Microsoft\Windows\NetCache\SyncAtLogon Computer Configuration\Administrative Templates\Network\Offline Files Synchronize alle Offlinedateien, bevor Sie sich von HKLM\Software\Policies\Microsoft\Windows abmelden \NetCache\SyncAtLogoff Computer Configuration\Administrative Templates\Network\Offline Files Synchronize offline files before suspend HKLM\Software\Policies\Microsoft\Windows\NetCache\SyncAtSuspend Computer Configuration\Administrative Templates\Network\Offline Files Default cache size HKLM\Software\Policies \Microsoft\Windows\NetCache\DefCacheSize Computer Configuration\Administrative Templates\Network\Offline Files Action on server disconnect HKLM\Software\Policies\Microsoft\Windows\NetCache\GoOfflineAction Computer Configuration\Administrative Templates\Network\Offline Files Nicht standardmäßige Servertrennung Aktionen HKLM\Software\Policies\Microsoft\Windows\NetCache\CustomGoOfflineActions\ Computer Configuration\Administrative Templates\Network\Offline Files Remove 'Make Available Offline' HKLM\Software\Policies\Microsoft\Windows\NetCache\NoMakeAvailableOffline Computer Configuration\Administrative Templates\ Netzwerk\Offlinedateien Verwendung des Ordners „Offlinedateien“ verhindern HKLM\Software\Policies\ Microsoft\Windows\NetCache\NoCacheViewer-Computer
Configuration\Administrative Templates\Network\Offline Files Files not cached HKLM\Software\Policies\Microsoft\Windows\NetCache\ExcludeExtensions Computer Configuration\Administrative Templates\Network\Offline Files Vom Administrator zugewiesene Offlinedateien HKLM\Software\Policies\Microsoft\Windows\NetCache \AssignedOfflineFolders\ Computer Configuration\Administrative Templates\Network\Offline Files Erinnerungssprechblasen deaktivieren HKLM\Software\Policies\Microsoft\Windows\NetCache\NoReminders
383 Computer Configuration\Administrative Templates\Network\Offline Files Balloon Reminder Frequency HKLM\Software\Policies\Microsoft\Windows\NetCache\ReminderFreqMinutes \ NetCache\InitialBalloonTimeoutSeconds Computer Configuration\Administrative Templates\Network\Offline Files Reminder Balloon Lifetime HKLM\Software\Policies\Microsoft\Windows\ NetCache\ ReminderBalloonTimeoutSeconds Computer Configuration\Administrative Templates\Network\Offline Files Delete local copy of user offline files on logoff HKLM\Software\Policies\Microsoft\Windows\ NetCache\PurgeOnlyAutoCacheAtLogoff Computer Configuration\Administrative Templates\Network\Offline Files Event Logging Level HKLM\Software\ Policies\Microsoft\Windows\NetCache\EventLoggingLevel Computer Configuration\Administrative Templates\Network\Offline Files Subfolders always available offline HKL M\Software\Policies\Microsoft\Windows\NetCache\AlwaysPinSubFolders Computer Configuration\Administrative Templates\Network\Offline Files Encrypt the Offline Files cache HKLM\Software\Policies\Microsoft\Windows\NetCache\EncryptCache Computer Configuration\Administrative Templates\Network\Offline Files prohibit "Make available offline" for these files and folders NetCache\SlowLinkSpeed
Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler Limit Reservable Bandwidth HKLM\Software\Policies\Microsoft\Windows\Psched\NonBestEffortLimit Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler Limit Pending Packets HKLM\Software\Policies\Microsoft\Windows \Psched\MaxOutstandingSends Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler Set timer resolution HKLM\Software\Policies\Microsoft\Windows\Psched\TimerResolution Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\DSCP value of compliant packets service type HKLM \Software\Policies\Microsoft\Windows\Psched\ DiffservByteMappingConforming\ServiceTypeBestEffort Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\DSCP Compliant Packet Value Controlled Load Service Type HKLM\Software\Policies\Microsoft\Windows\Psched\ DiffservByteMappingConforming\ServiceTypeControlledLoad Computer Configuration\Ad ministrative Templates\Network\QoS Packet Scheduler\DSCP value of conforming packets Guaranteed Service Type HKLM\Software\Policies\Microsoft\Windows\Psched\ DiffservByteMappingConforming\ServiceTypeGuaranteed Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\DSCP value of conforming packets Network Control Service Type HKLM\Software\Policies\Microsoft\Windows\Psched\ DiffservByteMappingConforming\ServiceTypeNetworkControl Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\DSCP Compliant Packet Value Qualitative Service Type HKLM\Software\Policies\Microsoft\Windows\ Psched\ DiffservByteMappingConforming\ServiceTypeQualitative Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\DSCP value of non-conforming packets Best Effort service type HKLM\Software\Policies\Microsoft\Windows\Psched\ DiffservByteMappingNonConforming\ServiceTypeBestEffort
384
Computer Configuration\Administrative Templates\QoS Packet Scheduler\DSCP value of non-conforming packets Controlled load service type HKLM\ Software\Policies\Microsoft\Windows\Psched\ DiffservByteMappingNonConforming\ServiceTypeControlledLoad Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\DSCP value von nicht konformen Paketen Garantierter Diensttyp HKLM\ Software\Richtlinien\Microsoft\Windows\Psched\ DiffservByteMappingNonConforming\ServiceTypeGuaranteed Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\DSCP-Wert nicht konformer Pakete Netzwerksteuerungsdiensttyp HKLM\Software\ Policies\Microsoft\Windows\Psched\ DiffservByteMappingNonConforming\ServiceTypeNetworkControl Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\DSCP value of non-conforming packets Qualitative service type HKLM\Software\Policies\Microsoft\Windows\Psched\ DiffservByteMappingNonConforming\ServiceTypeQualitative Computer Configura tion\Administrative Templates\Network\QoS Packet Scheduler\Layer-2 priority value Non-conforming packets HKLM\Software\Policies\Microsoft\Windows\Psched\ UserPriorityMapping\ServiceTypeNonConforming Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\Layer-2 Prioritätswert Best-Effort-Diensttyp HKLM\Software\Policies\Microsoft\Windows\Psched\ UserPriorityMapping\ServiceTypeBestEffort Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\Layer-2 Prioritätswert Kontrollierter Ladediensttyp HKLM\Software\Policies\Microsoft\ Windows\Psched\ UserPriorityMapping\ServiceTypeControlledLoad Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\Layer-2 Prioritätswert Garantierter Diensttyp HKLM\Software\Policies\Microsoft\Windows\Psched\ UserPriorityMapping\ServiceTypeGuaranteed Computer Configuration\Administrative Templates\Network\ QoS-Paket
Scheduler\Layer-2-Prioritätswert Netzwerksteuerungsdiensttyp HKLM\Software\Policies\Microsoft\Windows\Psched\ UserPriorityMapping\ServiceTypeNetworkControl Computer Configuration\Administrative Templates\Network\QoS Packet Scheduler\Layer-2-Prioritätswert Qualitativer Diensttyp HKLM\Software\ Richtlinien\Microsoft\Windows\Psched\ UserPriorityMapping\ServiceTypeQualitative Computer Configuration\Administrative Templates\Network\SNMP Communities HKLM\Software\Policies\SNMP\Parameters\ValidCommunities\ Computer Configuration\Administrative Templates\Network\SNMP Permitted Managers HKLM\Software\Policies\ SNMP\Parameters\PermittedManagers\ Computer Configuration\Administrative Templates\Network\SNMP Traps for Public community HKLM\Software\Policies\SNMP\Parameters\TrapDestinations\ Computer Configuration\Administrative Templates\Printers Drucker dürfen veröffentlicht werden HKLM\Software\Policies\Microsoft \Windows NT\Printers\PublishPrinters Computer Configuration\Administrative Templates\Printers Bereinigung veröffentlichter Drucker zulassen HKLM\Software\Policies\Microsoft\Windows NT\Printers\Immortal Computer Configuration\Administrative Templates\Printers Neue Drucker automatisch in Active Directory veröffentlichen HKLM\Software\Policies\Microsoft\Windows NT\Printers\ Wizard\Auto Publishing Computer Configuration\Administrative Check Published State HKLM\Software\Policies\Microsoft\Windows NT\Printers\VerifyPublishedState
385 Templates\Printers Computer Configuration\Administrative Templates\Printers Computer Location HKLM\Software\Policies\Microsoft\Windows NT\Printers\PhysicalLocation Computer Configuration\Administrative Templates\Printers Benutzerdefinierte Support-URL im linken Bereich des Druckerordners HKLM\Software\Policies\Microsoft \Windows NT\Printers\SupportLink Computer Configuration\Administrative Templates\Printers Directory Pruning Interval HKLM\Software\Policies\Microsoft\Windows NT\Printers\PruningInterval Computer
Configuration\Administrative Templates\Printers Directory Pruning Priority HKLM\Software\Policies\Microsoft\Windows NT\Printers\PruningPriority Computer Configuration\Administrative Templates\Printers Directory Pruning Retry HKLM\Software\Policies\Microsoft\Windows NT\Printers\PruningRetries Computer Configuration\ Administrative Vorlagen\Drucker Installation von Druckern mit Kernelmodustreibern nicht zulassen HKLM\Software\Policies\Microsoft\Windows NT\Printers\KMPrintersAreBlocked Computer Configuration\Administrative Templates\Printers Log directory pruning retry events HKLM\Software\Policies\Microsoft\Windows NT\ Printers\PruningRetryLog Computer Configuration\Administrative Templates\Printers Text für Druckersuchort vorab ausfüllen HKLM\Software\Policies\Microsoft\Windows NT\Printers\PhysicalLocationSupport Computer Configuration\Administrative Templates\Printers Printer browse HKLM\Software\Policies\Microsoft\Windows NT \Printers\ServerThread Computer Configuration\Administrative T emplates\Printers Drucker entfernen, die nicht automatisch neu veröffentlicht werden HKLM\Software\Policies\Microsoft\Windows NT\Printers\PruneDownlevel Computer Configuration\Administrative Templates\Printers Webbasiertes Drucken HKLM\Software\Policies\Microsoft\Windows NT\Printers\DisableWebPrinting Computer Configuration\Administrative Templates\System Display Shutdown Event Tracker HKLM\Software\Policies\Microsoft\Windows NT\Reliability\ShutdownReasonUI Computer Configuration\Administrative Templates\System Geben Sie den Speicherort der Windows-Installationsdatei an HKLM\Software\Policies\Microsoft\Windows NT\Setup\SourcePath Computer Configuration\Administrative Templates\System Geben Sie den Speicherort der Windows Service Pack-Installationsdatei an HKLM\Software\Policies\Microsoft\Windows NT\Setup\ServicePackSourcePath Computer Configuration\Administrative Templates\System Remove Boot/ Shutdown/Logon/ Logoff status messages HKLM\Software\Microsoft \Windows\AktuelleVersion\
Policies\System\DisableStatusMessages Computer Configuration\Administrative Templates\System Verbose vs. Normal Status Messages HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\VerboseStatus Computer Configuration\Administrative Templates\System Restrict the launch of these programs via Help HKLM\Software \Policies\Microsoft\Windows\System\DisableInHelp Computer Configuration\Administrative Templates\System Turn off Autoplay HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer\NoDriveTypeAutoRun Computer Configuration\Administrative Templates\System Do not automatically encrypt files that are encrypted in folder HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer\NoEncryptOnMove Computer Configuration\Administrative Templates\System Download missing COM components HKLM\Software\Policies\Microsoft\Windows\App Management\COMClassStore Computer Configuration\Administrative Templates\ System\Disk Quotas Hard Drive enable disk quotas HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota\Enable
386 Computer Configuration\Administrative Templates\System\Disk Quotas Enforce disk quota limit HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota\Enforce Computer Configuration\Administrative Templates\System\Disk Quotas Default quota limit and warning level HKLM\Software\Policies \Microsoft \Windows NT\DiskQuota\ThresholdUnits Computer Configuration\Administrative Templates\System\Disk Quotas Log event when quota limit exceeded HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota\LogEventOverLimit Computer Configuration\Administrative Templates\System\Disk Quotas Log event when exceeded quota warning level HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota\LogEventOverThreshold Computer Configuration\Administrative Templates\System\Disk Quotas Apply policy to removable media HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota\ ApplyToRemovableMedia Computer Configuration\Management
Templates\System\Error Reporting Display Error Notification HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\DW\DWAllowHeadless Computer Configuration\Administrative Templates\System\Error Reporting Report Errors HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\DW\ DWReporteeName Computer Configuration\Administrative Templates\System\Error Reporting\Advanced Error Reporting settings Default application reporting settings HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\IncludeWindowsApps Computer Configuration\Administrative Templates\System\Error Reporting\Advanced Error Reporting settings List of applications Always reporting errors for HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\InclusionList\ Computer Configuration\Administrative Templates\System\Error Reporting\Advanced Error Reporting settings List of applications never reporting errors for HKLM\Software\Policies\Microsoft report \PCHealth\ErrorReporting\ExclusionList\ Computer Configuration\A Administrative Templates\System\Error Reporting\Advanced Error Reporting settings Report OS Errors HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\IncludeKernelFaults Computer Configuration\Administrative Templates\System\Error Reporting\Advanced Error Reporting settings Report Unscheduled Shutdown HKLM\ Software\ Policies\Microsoft\PCHealth\ErrorReporting\IncludeShutdownErrs Computer Configuration\Administrative Templates\System\Group Policy Disable Group Policy Background Refresh HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ DisableBkGndGroupPolicy Computer Configuration\Administrative Templates\System\Group Policy Group Policy -Computer Refresh Interval HKLM\Software\Policies\Microsoft\Windows\System\GroupPolicyRefreshTimeOffset Computer Configuration\Administrative Templates\System\Group Policy Group Policy Refresh Interval for domain controllers HKLM\Software\Policies\M microsoft\Windows\System\GroupPolicyRefreshTimeOffsetDC
Computer Configuration\Administrative Templates\System\Group Policy User Group Policy Loopback Processing Mode HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode Computer Configuration\Administrative Templates\System\Group Policy Group Policy Slow Link Detection HKLM\Software\Policies\ Microsoft\Windows\System \GroupPolicyMinTransferRate Computer Configuration\Administrative Templates\System\Group Policy Disable RSoP logging HKLM\Software\Policies\Microsoft\Windows\System\RSoPLogging Computer Configuration\Administrative Templates\System\Group Policy Ability to remove users to invoke machine policy update HKLM\Software\Policies\ Microsoft\Windows\System\DenyUsersFromMachGP
387 Computer Configuration\Administrative Templates\System\Group Policy Interaktiven Benutzern das Generieren von Resultant Set of Policy data verweigern HKLM\Software\Policies\Microsoft\Windows\System\DenyRsopToInteractiveUser Computer Configuration\Administrative Templates\System\Group Policy Registry policy processing HKLM\Software \Policies\Microsoft\Windows\Group Policy\ {35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges Computer Configuration\Administrative Templates\System\Group Policy Internet Explorer Maintenance policy processing HKLM\Software\Policies\Microsoft\Windows\Group Policy \ {A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}\NoGPOListChanges Computer Configuration\Administrative Templates\System\Group Policy Software Installation policy processing HKLM\Software\Policies\Microsoft\Windows\Group Policy\ {c6dc5466-785a-11d2-84d0- 00c04fb169f7}\NoGPOListChanges Computer Configuration\Administrative Templates\System\Group Policy Folder Redirection policy processing HKLM\Software\Policies\Mi crosoft\Windows\Group Policy\ {25537BA6-77A8-11D2-9B6C-0000F8080861}\NoGPOListChanges Computer Configuration\Administrative Templates\System\Group Policy Scripts policy processing HKLM\Software\Policies\Microsoft\Windows\Group Policy\ {42B5FAAE-6536 -11d2-AE5A-0000F87571E3}\NoGPOListChanges-Computer
Configuration\Administrative Templates\System\Group Policy Security policy processing HKLM\Software\Policies\Microsoft\Windows\Group Policy\ {827D319E-6EAC-11D2-A4EA-00C04F79F83A}\NoGPOListChanges Computer Configuration\Administrative Templates\System\Group Policy IP Security Policy Processing HKLM\Software\Policies\Microsoft\Windows\Group Policy\ {e437bc1c-aa7d-11d2-a382-00c04f991e27}\NoGPOListChanges Computer Configuration\Administrative Templates\System\Group Policy EFS Recovery Policy Processing HKLM\Software\Policies\Microsoft\ Windows\Group Policy\ {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}\NoGPOListChanges Computer Configuration\Administrative Templates\System\Group Policy Disk Quota policy processing HKLM\Software\Policies\Microsoft\Windows\Group Policy\ {3610eda5-77ef- 11d2-8dc5-00c04fa31a66}\NoGPOListChanges Computer Configuration\Administrative Templates\System\Logon Begrüßungsbildschirm „Erste Schritte“ bei der Anmeldung nicht anzeigen HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer\NoWelcomeScreen Computer Configuration\Administrative Templates\System\Logon Immer die klassische Anmeldung verwenden HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LogonType Computer Configuration\Administrative Templates\System\Logon Diese Programme bei der Benutzeranmeldung ausführen HKLM\Software\ Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ Computer Configuration\Administrative Templates\System\Logon Run Once-Liste nicht verarbeiten HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ DisableLocalMachineRunOnce Computer Configuration\Administrative Templates\System \Logon Legacy-Ausführungsliste nicht verarbeiten HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ DisableLocalMachineRun Computer Configuration\Administrative Templates\System\Logon Beim Computerstart immer auf das Netzwerk warten und anmelden HKLM\Software\Policies\Microsoft \Windows NT\CurrentVersion\ Winlogon\SyncForegroundPolicy Computer Configuration\Administrative Templates\System\Net Logon Expect ed Einwählverzögerung bei der Anmeldung
HKLM\Software\Policies\Microsoft\Netlogon\Parameters\ExpectedDialupDelay Computer Configuration\Administrative Templates\System\Net Logon Site Name HKLM\Software\Policies\Microsoft\Netlogon\Parameters\SiteName Computer Configuration\Administrative Templates\System\Net Logon Negative DC Discovery Cache Setting HKLM\Software\Policies\Microsoft\Netlogon\Parameters\NegativeCachePeriod Computer Configuration\Administrative Templates\System\Net Logon Initial DC Discovery Retry Setting for Background Callers HKLM\Software\Policies\Microsoft\Netlogon\Parameters\BackgroundRetryInitialPeriod Computer Configuration\ Administrative Templates\System\Net Logon Maximum DC Discovery Retry Interval Setting for Background Callers HKLM\Software\Policies\Microsoft\Netlogon\Parameters\ BackgroundRetryMaximumPeriod Computer Configuration\Administrative Final DC Discovery Retry Setting for HKLM\Software\Policies\Microsoft\Netlogon\Parameters \BackgroundRetryQuitTime
388 Templates\System\Net Logon Background Callers Computer Configuration\Administrative Templates\System\Net Logon Positive Periodic DC Cache Refresh for Background Callers HKLM\Software\Policies\Microsoft\Netlogon\Parameters\ BackgroundSuccessfulRefreshPeriod Computer Configuration\Administrative Templates\System\Net Logon Positive periodic DC cache refresh for non-background callers HKLM\Software\Policies\Microsoft\Netlogon\Parameters\ NonBackgroundSuccessfulRefreshPeriod Computer Configuration\Administrative Templates\System\Net Logon Scavenge Interval HKLM\Software\Policies\Microsoft\Netlogon\Parameters\ScavengeInterval Computer Configuration \ Administrative Templates\System\Net Logon Contact PDC on logon failure HKLM\Software\Policies\Microsoft\Netlogon\Parameters\AvoidPdcOnWan Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records Dynamic registration of DC Locator DNS Records HKLM \Software\ Policies\Microsoft\Netlogon\Param eters\UseDynamicDns C Computer Configuration\Management
Templates\System\Net Logon\DC Locator DNS Records DC Locator or DNS records not registered by the DCs HKLM\Software\Policies\Microsoft\Netlogon\Parameters\ DnsAvoidRegisterRecords Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records Refresh Interval of DC Locator DNS Records HKLM\Software\Policies\Microsoft\Netlogon\Parameters\DnsRefreshInterval Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records In the DC Locator DNS SRV records set weight SRV records HKLM\Software\Policies\ Microsoft\Netlogon\Parameters\LdapSrvWeight Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records Priority Set in the DC Locator DNS SRV Records HKLM\Software\Policies \Microsoft\Netlogon\Parameters\LdapSrvPriority Computer Configuration\Administrative Templates\ System\Net Logon\DC Locator DNS Records TTL Set in the DC Locator DNS Records HKLM\Software\Policies\Microsoft\Netl ogon\Parameters\DnsTtl Computer Configuration\ Administrative Templates\System\Net Logon\DC Locator DNS Records Automated Site Coverage by the DC Locator DNS SRV Records HKLM\Software\Policies\Microsoft\Netlogon\Parameters\AutoSiteCoverage Computer Configuration\Administrative Templates\System \Net Logon\DC Locator DNS Records Sites Covered by the DC Locator DNS SRV Records HKLM\Software\Policies\Microsoft\Netlogon\Parameters\SiteCoverage Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records Sites Covered by the GC Locator DNS SRV Records HKLM\Software\Policies\Microsoft\Netlogon\Parameters\GcSiteCoverage Computer Configuration\Administrative
Templates\System\Net Logon\DC Locator DNS Records Sites Covered by the Application Directory Partition Locator DNS SRV Records HKLM\Software\Policies\Microsoft\Netlogon\Parameters\NdncSiteCoverage Computer Configuration\Administrative Templates\System\Net Logon\DC Locator DNS Records Location of domain controllers hosting a domain with single-label DNS names HKLM\Software\Policies\Microsoft\Netlogon\Parameters\ AllowSingleLabelDnsDomain Computer requested remote computer HKLM\Software\policies\Microsoft\Windows NT\Terminal Services\
389 Configuration\Administrative Templates\System\Remote Assistance Assistance MaxTicketExpiryUnits Computer Configuration\Administrative Templates\System\Remote Assistance Offer Remote Assistance HKLM\Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit\fAllowUnsolicitedFullControl Computer Configuration\Administrative Templates\System\ Remote Procedure Call RPC Troubleshooting State Information HKLM\Software\Policies\Microsoft\Windows NT\Rpc\StateInformation Computer Configuration\Administrative Templates\System\Remote Procedure Call Propagation of extended error information HKLM\Software\Policies\Microsoft\Windows NT\Rpc\ ExtErrorInfoExceptions Computer Configuration\Administrative Templates\System\Scripts Anmeldeskripts synchron ausführen HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ System\RunLogonScriptSync Computer Configuration\Administrative Templates\System\Scripts Startskripts asynchron ausführen HKLM\Software\Microsoft\Windows\ AktuelleVersion\Richtlinie s\ System\RunStartupScriptSync Computer Configuration\Administrative Templates\System\Scripts Startskripts ausführen sichtbar HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ System\HideStartupScripts Computer Configuration\Administrative Templates\System\Scripts
Run shutdown scripts visible HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ System\HideShutdownScripts Computer Configuration\Administrative Templates\System\Scripts Maximum wait time for Group Policy scripts HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ System\MaxGPOScriptWait Computer Configuration \Administrative Templates\System\System Restore Disable System Restore HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\ DisableSR Computer Configuration\Administrative Templates\System\System Restore Disable Configuration HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig Computer Configuration\Administrative Templates\System\User Profiles Delete cached copies of roaming profiles HKLM\Software\Policies\Microsoft\Windows\System\DeleteRoamingCache Computer Configuration\Administrative Templates\System\User Profiles Does not detect slow network connections HKLM\Software \Policies\Microsoft\Windows\System\SlowLinkDetectEnabled Computer Configuration\Administrative Templates\System\User Profiles Slow network connection timeout for user profiles HKLM\Software\Policies\Microsoft\Windows\System\SlowLinkTimeOut Computer Configuration\Administrative Templates\System\User Profiles Wait for remote user profile HKLM\Software\Policies\ Microsoft\Windows\System\SlowLinkProfileDefault Computer Configuration\Administrative Templates\System\User Profiles Prompt user when slow link is detected HKLM\Software\Policies\Microsoft\Windows\System\SlowLinkUIEnabled Computer Configuration\Administrative Templates\System\User Profiles Timeout for dialog boxes HKLM\Software\Policies\Microsoft\Windows\System\ProfileDlgTimeOut Computer Configuration\Administrative Templates\System\User Profiles Log off user when roaming profile fails HKLM\Software\Policies\ Microsoft\Windows\System\ProfileErrorAction Computer Configuration\ Administrative Templates\ System\User Profiles Allow maximum retries
Unload and update the user profile HKLM\Software\Policies\Microsoft\Windows\System\ProfileUnloadTimeout Computer Configuration\Administrative Templates\System\User Profiles Add the Administrators security group to roaming user profiles HKLM\Software\Policies\Microsoft\Windows\System\AddAdminGroupToRUP Computer Configuration\Prevent administrative roaming profile changes HKLM\Software\Policies\Microsoft\Windows\System\ReadOnlyProfile
390 Templates\System\User Profiles von propagation to the server Computer Configuration\Administrative Templates\System\User Profiles Only allow local user profiles HKLM\Software\Policies\Microsoft\Windows\System\LocalProfile Computer Configuration\Administrative Templates\System\Windows File Protection Set Windows File Protection scannen HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection\SfcScan Computer Configuration\Administrative Templates\System\Windows File Protection Fortschrittsfenster des Dateiscans ausblenden HKLM\Software\Policies\Microsoft\Windows NT\ Windows File Protection\SfcShowProgress Computer Configuration\Administrative Templates\System\Windows File Protection Limit Windows File Protection Cachegröße HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection\SfcQuota Computer Configuration\Administrative Templates\System\Windows File Protection Angeben Speicherort des Windows-Dateischutz-Cache HKLM\Software\Policies\Microsoft\Windows NT\ Windows File P schutz\SFCDllCacheDir Computer Configuration\Administrative Templates\System\Windows Time Service Global Configuration Settings HKLM\Software\Policies\Microsoft\W32Time\Config\MinPollInterval Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers Enable Windows NTP Client HKLM\ Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\Enabled Computer Configuration\Administrative
Templates\System\Windows Time Service\Time Providers Configure Windows NTP Client HKLM\Software\Policies\Microsoft\W32time\Parameters\EventLogFlags Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers Enable Windows NTP Server HKLM\Software\Policies \Microsoft\W32Time\TimeProviders\NtpServer\Enabled Computer Configuration\Administrative Templates\Windows Components\Task Scheduler Hide Property Pages HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Property Pages Computer Configuration\Administrative Templates\Windows Components\ Taskplaner Aufgabenausführung verhindern oder beenden HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Execution Computer Configuration\Administrative Templates\Windows Components\Task Scheduler Drag-and-Drop verbieten HKLM\Software\Policies\Microsoft\Windows\ Taskplaner 5.0\DragAndDrop Computer Configuration\Administrative Templates\Windows Components\Task Scheduler Prohibit New Task Creation HKLM\Software\Policies\Mic rosoft\Windows\Task Scheduler5.0\Task Creation Computer Configuration\Administrative Templates\Windows Components\Task Scheduler Prohibit Task Deletion HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Task Deletion Computer Configuration\Administrative Templates\Windows Components \Task Scheduler Remove Advanced Menu HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Disable Advanced Computer Configuration\Administrative Templates\Windows Components\Task Scheduler Prohibit Browse HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0 \Allow Browse Computer Configuration\Administrative Templates\Windows Components\Terminal Services Keep-Alive Messages HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services \KeepAliveInterval
391 Computer Configuration\Administrative Templates\Windows Components\Terminal Services Restrict users to one remote session
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ fSingleSessionPerUser Computer Configuration\Administrative Templates\Windows Components\Terminal Services Enforce Removal of Remote Desktop Wallpaper HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ fNoRemoteDesktopWallpaper Computer Configuration\ Administrative Templates\Windows Components\Terminal Services\Client/Server Data Redirection Disallow clipboard redirection HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableClip Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection smart card - Disallow device redirection HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fEnableSmartCard Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client/Server Data Redirection Allow audio redirection HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ fDisableCam Computer Configu rati on\Administrative Templates\Windows Components\Terminal Services\Client/Server Data Redirection Disallow COM port redirection HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ fDisableCcm Computer Configuration\Administrative Templates\Windows Components\Terminal Services\ Client/Server Data Redirection Disallow Client Printer Redirection HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ fDisableCpm Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client/Server Data Redirection Disallow LPT Port Redirection HKLM\ SOFTWARE\Policies\Microsoft \Windows NT\Terminal Services\fDisableLPT Computer Configuration\Administrative Templates\Windows
Components\Terminal Services\Client/Server Data Redirection Disallow drive redirection HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client/Server Data Redirection Do not set the default client printer as the default printer in a session HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fForceClientLptDef Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Encryption and Security Always prompt the client for password on connection HKLM\SOFTWARE \Policies\ Microsoft\Windows NT\Terminal Services\ fPromptForPassword Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Encryption and Security Set Encryption Level for Client Connection HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ MinEncryptionLevel Computer Configuration\ Administrative Templates\Windows -Components\Terminal Services Connections Limit HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ MaxInstanceCount
392 Computer Configuration\Administrative Templates\Windows Components\Terminal Services Limit Maximum Color Depth HKLM\SOFTWARE\Policies\Microsoft\Windows NT\ Terminal Services ColorDepth Computer Configuration\Administrative Templates\Windows Components\Terminal Services Do not allow new client connections HKLM\ SOFTWARE \Policies\ Microsoft\Windows NT\Terminal Services\ fDenyTSConnections VALUE NUMERIC 0 Computer Configuration\Administrative Templates\Windows Components\Terminal Services Do not allow local administrators to customize permissions
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ fWritableTSCCPermTab Computer Configuration\Administrative Templates\Windows Components\Terminal Services Remove Windows Security item from Start menu HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer\NoNTSecurity Computer Configuration \Administrative Templates\Windows Components\Terminal Services Remove Disconnect item from Shut Down dialog HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer\NoDisconnect Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Licensing Prevent License Upgrade HKLM\Software \Policies\Microsoft\Windows NT\Terminal Services\ fPreventLicenseUpgrade Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Temporary folders Do not use temp folders per session HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\ PerSessionTempDir Computer Configuration \Administrative Vorlagen\Windows-Komponenten\Termin al Services\Temporary folders Temp-Ordner beim Beenden nicht löschen HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\ DeleteTempDirsOnExit Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Session Directory Session Directory Active HKLM\SOFTWARE\Policies\ Microsoft\Windows NT\Terminal Services\ SessionDirectoryActive Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Session Directory Session Directory Server HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ SessionDirectoryLocation Computer Configuration\Administrative Templates\Windows Components\ Terminaldienste\Sitzungsverzeichnis Clustername des Sitzungsverzeichnisses HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ SessionDirectoryClusterName Computer
Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions Set timeout for disconnected sessions HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ MaxDisconnectionTime Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions Set timeout for active sessions HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ MaxConnectionTime Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions Set idle session timeout HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ MaxIdleTime REQUIRED Computer Configuration \Administrative Templates\Windows Components\Terminal Services\Sessions Allow reconnection from originating client only HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ fReconnectSame
393 Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions Sitzung beenden, wenn Zeitlimits erreicht sind HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ fResetBroken Computer Configuration\Administrative Templates\Windows Components\Terminal Services Pfad festlegen für TS-Roaming-Profile HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ WFProfilePath Computer Configuration\Administrative Templates\Windows Components\Terminal Services TS User Home Directory HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ WFHomeDirDrive Computer Configuration \Administrative Templates\Windows Components\Terminal Services Remote Control settings HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Shadow Computer Configuration\Administrative Templates\Windows
Components\Terminal Services Start program on connection HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\WorkDirectory Computer Configuration\Administrative Templates\Windows Components\Windows Installer Disable Windows Installer HKLM\Software\Policies\Microsoft\Windows\Installer\ DisableMSI Computer Configuration\Administrative Templates\Windows Components\Windows Installer Always install with elevated privileges HKLM\Software\olicies\Microsoft\Windows\Installer\AlwaysInstallElevated Computer Configuration\Administrative Templates\Windows Components\Windows Installer Prohibit rollback HKLM\Software\Policies\Microsoft\Windows \Installer\DisableRollback Computer Configuration\Administrative Templates\Windows Components\Windows Installer Remove Browse New Source Dialog Box HKLM\Software\Policies\Microsoft\Windows\Installer\DisableBrowse Computer Configuration\Administrative Templates\Windows Components\Windows Installer Prohibit Patching HKLM\ Software\Policy HKLM\Software\Policies\Microsoft\Windows\Installer\SafeForScripting Computer Configuration\Administrative Templates\Windows Components\ Windows Installer Enable user control over installations HKLM\Software\Policies\Microsoft\Windows\Installer\EnableUserControl Computer Configuration\Administrative Templates\Windows Components\Windows Installer Allow users to browse sources while HKLM\Software\Policies\Microsoft\Windows\ Installer\AllowLockdownBrowse Computer is elevated Configuration\Administrative Templates\Windows Components\Windows Installer Allow user to use media source while elevated Software\Policies\Microsoft\Windows \Installer\AllowLockdownPatch
Computer Configuration\Administrative Templates\Windows Components\Windows Installer Allow administrator to install from Terminal Services session HKLM\Software\Policies\Microsoft\Windows\Installer\EnableAdminTSRemote Computer Configuration\Administrative Templates\Windows Components\Windows Installer Cache transforms to a safe location on the workstation HKLM\Software\Policies\Microsoft\Windows\Installer\TransformsSecure Logging HKLM\Software\Policies\Microsoft\Windows\Installer\Logging
394 Computer Configuration\Administrative Templates\Windows Components\Windows Installer Computer Configuration\Administrative Templates\Windows Components\Windows Installer Prohibit user installations HKLM\Software\Policies\Microsoft\Windows\Installer\DisableUserInstalls Computer Configuration\Administrative Templates\Windows Components\Windows Installer creation Disable System Restore checkpoints HKLM\Software\Policies\Microsoft\Windows\Installer\LimitSystemRestoreCheckpointing Computer Configuration\Administrative Templates\Windows Components\Windows Messenger Do not allow Windows Messenger to run HKLM\Software\Policies\Microsoft\Messenger\Client \PreventRun Computer Configuration\Administrative Templates\Windows Components\Windows Messenger Do not start Windows Messenger automatically HKLM\Software\Policies\Microsoft\Messenger\Client\PreventAutoRun User Configuration\Administrative Templates\Control Panel Control Panel access ver HKCU\Software\Microsoft\Wind ows\CurrentVersion\Policies\Explorer\NoControlPanel User Configuration\Administrative Templates\Control Panel Hide Specified Control Panel Applets HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer \DisallowCpl\DisallowCpl User Configuration\ Administrative Templates\Control Panel
Show only specific Control Panel applets HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ RestrictCpl\RestrictCpl User Configuration\Administrative Templates\Control Panel Force Classic Control Panel style HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ RestrictCpl\ ForceClassicControlPanel User Configuration\Administrative Templates\Control Panel\Add/Remove Programs Remove Add/Remove Programs Programs HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\ NoAddRemovePrograms User Configuration\Administrative Templates\Control Panel\Add/Remove Programs Page " Change or Remove Programs Hide HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\ NoRemovePage User Configuration\Administrative Templates\Control Panel\Add/Remove Programs Hide Add New Programs Page HKCU\Software\Microsoft\Windows\CurrentVersion \Policies\Uninstall\NoAddPage User Configuration\Adminis Trative Templates\Control Panel\Add/Remove Programs Hide Add/Remove Windows Components Page HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\ NoWindowsSetupPage User Configuration\Administrative Templates\Control Panel\Add/Remove Programs Option Program from CD-ROM or add floppy hide HKCU\Software\Microsoft\ Windows\CurrentVersion\Policies\Uninstall\ NoAddFromCDorFloppy User Configuration\Administrative Templates\Control Panel\Add/Remove Programs Hide the Add Programs from Microsoft Option HKCU\Software\Microsoft\Windows\CurrentVersion\Policies \ Uninstall\NoAddFromInternet User Configuration\Administrative Templates\ Control Panel\Add/Remove Programs Hide the Add programs from your network option HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ Uninstall\NoAddFromNetwork User
Configuration\Administrative Templates\Control Panel\Add/Remove Programs Wechseln Sie direkt zu Components Wizard HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ Uninstall\NoServices User Configuration\Administrative Templates\Control Panel\Add/Remove Programs Remove Support Information HKCU\ Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoSupportInfo
395 User Configuration\Administrative Templates\Control Panel\Add/Remove Programs Specify the default category for Add New Programs HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\DefaultCategory User Configuration\Administrative Templates\Control Panel\Remove Display Display in Control Panel Panel HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ System\NoDispCPL User Configuration\Administrative Templates\Control Panel\Display Hide Desktop tab HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ System\NoDispBackgroundPage User Configuration\Administrative Templates\ Control Panel\Display Prevent changing wallpaper HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper User Configuration\Administrative Templates\Control Panel\Display Hide Appearance and Themes tab HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop \NoDispAppearancePage User Configuration\Ad administrative Templates\Control Panel\Display Hide Settings tab HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ ActiveDesktop\NoDispSettingsPage User Configuration\Administrative Templates\Control Panel\Display Hide Screen Saver tab HKCU\Software\Microsoft\Windows\CurrentVersion\ Policies\ ActiveDesktop\NoDispScrSavPage User Configuration\Administrative Templates\Control Panel\Display Screen Saver HKCU\Software\Policies\Microsoft\Windows\Control Panel\
Desktop\ScreenSaveActive User Configuration\Administrative Templates\Control Panel\Display Screen Saver executable name HKCU\Software\Policies\Microsoft\Windows\Control Panel\ Desktop\SCRNSAVE.EXE User Configuration\Administrative Templates\Control Panel\Display Password protects the Screensaver HKCU\Software\Policies\Microsoft\Windows\Control Panel\ Desktop\ScreenSaverIsSecure User Configuration\Administrative Templates\Control Panel\Display Screen Saver timeout HKCU\Software\Policies\Microsoft\Windows\Control Panel\ Desktop\ScreenSaveTimeOut User Configuration\Administrative Templates\Control Panel\Display\Desktop Themes Remove Theme Option HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer\NoThemesTab User Configuration\Administrative Templates\Control Panel\Display\Desktop Themes Prevent selection of window and button styles HKCU\Software \ Microsoft\Windows\CurrentVersion\Policies\System\NoVisualStyleChoice User Configuration\Administr Active Templates\Control Panel\ Display\Desktop Themes Prohibit font size selection HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoSizeChoice User Configuration\Administrative Templates\Control Panel\Display\Desktop Themes Prohibit theme color selection HKCU\Software\Microsoft\ Windows\CurrentVersion \Policies\System\NoColorChoice User Configuration\Administrative Templates\Control Panel\Display\Desktop Themes Load a specific visual style file or force Windows Classic HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\SetVisualStyle User Configuration \Administrative Templates\ Control Panel\Printers Browse a common site for printers HKCU\Software\Policies\Microsoft\Windows NT\Printers\Wizard\Printers Page URL User Configuration\Administrative
Browse the network for printers HKCU\Software\Policies\Microsoft\Windows NT\Printers\Wizard\Downlevel Browse
396 Templates\Control Panel\Printers User Configuration\Administrative Templates\Control Panel\Printers Active Directory default path when searching for printers HKCU\Software\Policies\Microsoft\Windows NT\Printers\Wizard\Default Search Scope User Configuration\Administrative Templates\ Control Panel\Printers Prevent adding printers HKCU\ Software\Policies\Microsoft\Windows NT\Printers\Wizard\NoAddPrinter User Configuration\Administrative Templates\Control Panel\Printers Prevent deleting printers HKCU\ Software\Policies\Microsoft\Windows NT\Printers \ Wizard\NoDeletePrinter User Configuration\Administrative Templates\Control Panel\Regional and Language Options Restrict selection of Windows menus and dialog language HKCU\Software\Policies\Microsoft\Control Panel\Desktop\MultiUILanguageID User Configuration\Administrative Templates\Desktop Hide and disable all items on the Desktop HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\N oDesktop User Configuration\Administrative Templates\Desktop Remove My Documents Icon on Desktop HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum\ {450D8FBA-AD25-11D0-98A8-0800361B1103} User Configuration\Administrative Templates\Desktop Remove My Computer Icon on Desktop HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum\ {20D04FE0-3AEA-1069-A2D8-08002B30309D} User Configuration\Administrative Templates\Desktop Remove Trash Can Icon from Desktop HKCU\Software\Microsoft\Windows\ CurrentVersion\Policies\NonEnum\{645FF040-5081-101B-9F08-00AA002F954E} User Configuration\Administrative Templates\Desktop Remove Properties
from the My Documents context menu HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoPropertiesMyDocuments User Configuration\Administrative Templates\Desktop Remove Properties from the My Computer context menu HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoPropertiesMyComputer User Configuration\Administrative Templates\Desktop Remove Properties from the Recycle Bin Shortcut Menu HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoPropertiesRecycleBin User Configuration\Administrative Templates\Desktop Hide My Network Places icon on desktop HKCU\Software\Microsoft \Windows\CurrentVersion\Policies\Explorer\ NoNetHood User Configuration\Administrative Templates\Desktop Hide Internet Explorer icon on desktop HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoInternetIcon User Configuration\Administrative Templates\Desktop Don't add shares from recent open documents in My Network Places HKCU\ Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoRecentDocsNetHood User Configuration\Administrative Templates\Desktop Prevent users from changing My Documents path HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ DisablePersonalDirChange User Configuration \Administrative Templates\Desktop Add, drag, drop and close taskbar toolbars HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoCloseDragDropBands User Configuration\Administrative Templates\Desktop Prohibit customizing desktop toolbars HKCU\Software\Microsoft\ Do not save Windows\CurrentVersion\Policies\Explorer\ NoMovingBands User Configuration\ Administrative Templates\Desktop settings
beim Beenden HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoSaveSettings User Configuration\Administrative Templates\Desktop Remove the Desktop Cleanup Wizard HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoDesktopCleanupWizard
397 User Configuration\Administrative Templates\Desktop\Active Desktop Enable Active Desktop HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ ForceActiveDesktopOn User Configuration\Administrative Templates\Desktop\Active Desktop Disable Active Desktop HKCU\Software\Microsoft\Windows\ CurrentVersion\ Policies\Explorer\ NoActiveDesktop User Configuration\Administrative Templates\Desktop\Active Desktop Disable All Items HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\ NoComponents User Configuration\Administrative Templates\Desktop\Active Desktop Prohibit changes HKCU\Software \Microsoft \Windows\CurrentVersion\Policies\Explorer\ NoActiveDesktopChanges User Configuration\Administrative Templates\Desktop\Active Desktop Prohibit adding items HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\ NoAddingComponents User Configuration\Administrative Templates\Desktop\Active Desktop Delete of elements v Require HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\ NoDeletingComponents User Configuration\Administrative Templates\Desktop\Active Desktop Prohibit editing of items HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\ NoEditingComponents User Configuration\Administrative Templates\Desktop\Active Desktop Prohibit closing items HKCU\ Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoClosingComponents User Configuration\Administrative
Vorlagen\Desktop\Active Desktop Elemente hinzufügen/löschen HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\ AdminComponent\Delete User Configuration\Administrative Templates\Desktop\Active Desktop Active Desktop Wallpaper HKCU\Software\Microsoft\Windows\CurrentVersion\ Policies\System\WallpaperStyle User Configuration\Administrative Templates\Desktop\Active Desktop Allow only bitmap wallpaper HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\ NoHTMLWallPaper User Configuration\Administrative Templates\Desktop\Active Directory Maximale Größe von Active Directory-Suchen HKCU\Software\Policies\Microsoft\Windows\Directory UI\QueryLimit User Configuration\Administrative Templates\Desktop\Active Directory Filter im Dialogfeld Suchen aktivieren HKCU\Software\Policies\Microsoft\Windows\Directory UI\EnableFilter User Configuration\Administrative Templates\ Desktop\Active Directory Active Directory-Ordner ausblenden HKCU\Software\Policies\Microsoft\Windows\Directory UI\HideD irectoryFolder Benutzerkonfiguration\Administrative Vorlagen\Netzwerk\Netzwerkverbindungen Möglichkeit zum Umbenennen von LAN-Verbindungen oder Fernzugriffsverbindungen, die allen Benutzern zur Verfügung stehen HKCU\Software\Policies\Microsoft\Windows\Netzwerkverbindungen\NC_RenameConnection Benutzerkonfiguration\Administrative Vorlagen\Netzwerk\Netzwerkverbindungen Zugriff verbieten zu Eigenschaften von Komponenten einer LAN-Verbindung HKCU\Software\Policies\Microsoft\Windows\Network Connections\ NC_LanChangeProperties User Configuration\Administrative Templates\Network\Network Connections Zugriff auf Eigenschaften von Komponenten einer RAS-Verbindung verbieten HKCU\Software\Policies\Microsoft \Windows\Netzwerkverbindungen\NC_RasChangeProperties
398 User Configuration\Administrative Templates\Network\Network Connections Prohibit Advanced TCP/IP Configuration HKCU\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowAdvancedTCPIPConfig User Configuration\Administrative Templates\Network\Network Connections Advanced Menu HKCU\Software\Policies\Microsoft\Windows\Network Connections\NC_AdvancedSettings User Configuration\Administrative Templates\Network\Network Connections Prohibit adding and removing components for a LAN or RAS connection HKCU\Software\Policies\Microsoft\Windows\Network Connections \ NC_AddRemoveComponents User Configuration\Administrative Templates\Network\ Network Connections Prohibit access to properties of a Local Area Connection HKCU\Software\Policies\Microsoft\Windows\Network Connections\NC_LanProperties User Configuration\Administrative Templates\Network\Network Connections Prohibit Enable/Disable components of a Local Area Connection HKCU\Sof tware\Policies\Microsoft\Windows\Network Connections\ NC_ChangeBindState User Configuration\Administrative Templates\Network\Network Connections Ability to change properties of a remote access connection for all users HKCU\Software\Policies\Microsoft\Windows\Network Connections\NC_RasAllUserProperties User Configuration\ Administrative Templates\Network\Network Connections Prohibit changing properties of a private remote access connection HKCU\Software\Policies\Microsoft\Windows\Network Connections\NC_RasMyProperties User Configuration\Administrative Templates\Network\Network Connections Prohibit deletion of
Remote Access Connections HKCU\Software\Policies\Microsoft\Windows\ Network Connections\NC_DeleteConnection User Configuration\Administrative Templates\Network\Network Connections Ability to delete all user Remote Access Connections HKCU\Software\Policies\Microsoft\Windows\Network Connections\ NC_DeleteAllUserConnection User Configuration\Administrative Templates\Network\Network Connections Prohibit establishing and disconnecting a remote access connection HKCU\Software\Policies\Microsoft\Windows\Network Connections\NC_RasConnect User Configuration\Administrative Templates\Network\Network Connections Ability to enable/disable a local area connection HKCU \Software\Policies\Microsoft\Windows \Network Connections\NC_LanConnect User Configuration\Administrative Templates\Network\Network Connections Prohibit access to the New Connection Wizard HKCU\Software\Policies\Microsoft\Windows\Network Connections\ NC_NewConnectionWizard User Configuration\Administrative Templates\ Network\Network Connections A Ability to rename LAN connections HKCU\Software\Policies\Microsoft\Windows\Network Connections\ NC_RenameLanConnection User Configuration\Administrative Templates\Network\Network Connections Ability to rename all user remote access connections HKCU\Software\Policies\ Microsoft\Windows\Network Connections\ NC_RenameAllUserRasConnection User Configuration\Administrative Templates\Network\Network Connections Prohibit renaming private remote access connections HKCU\Software\Policies\Microsoft\Windows\Network Connections\ NC_RenameMyRasConnection User Configuration\Administrative Templates\Network\Network Connections Prohibit access to the Dial-up Settings item in Advanced menu HKCU\Software\Policies\Microsoft\Windows\Network Connections\NC_DialupPrefs User
Configuration\Administrative Templates\Network\Network Connections Prohibit display of status for an active connection HKCU\Software\Policies\Microsoft\Windows\Network Connections\NC_Statistics
399 User Configuration\Administrative Templates\Network\Network Connections Enable Windows 2000 network connection settings for administrators HKCU\Software\Policies\Microsoft\Windows\Network Connections\NC_EnableAdminProhibits User Configuration\Administrative Templates\Network\Offline Files Prohibit Offline Files User Configuration HKCU \Software\Policies\Microsoft\Windows \NetCache\NoConfigCache User Configuration\Administrative Templates\Network\Offline Files Synchronize all offline files when login HKCU\Software\Policies\Microsoft\Windows\NetCache\SyncAtLogon User Configuration\Administrative Templates\Network\ Offline Files Synchronize all offline files before logging off User Configuration\Administrative Templates\Network\Offline files action on server disconnect HKCU\Software\Policies\Microsoft\Windows\NetCache\GoOfflineAction User Configuration\Administrative Templates\Network\Offline Files Non-default server steps Actions HKCU\Software\Policies\Microsoft\Windows\NetCache\CustomGoOfflineActions\ User Configuration\Administrative Templates\Network\Offline Files Remove Make Available Offline HKCU\Software\Policies\Microsoft\Windows\NetCache\NoMakeAvailableOffline User Configuration\Administrative Templates\ Network\Offline Files Prevents use of the Offline Files folder HKCU\Software\Policies\Microsoft\Windows\NetCache\NoCacheViewer User Configuration\Administrative Templates\Network\Offline Files Administratively
Assigned Offline Files HKCU\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders\ User Configuration\Administrative Templates\Network\Offline Files Disable reminder balloons HKCU\Software\Policies\Microsoft\Windows\NetCache\NoReminders User Configuration\Administrative Templates\ Network\Offline Files Reminder Balloon Frequency HKCU\Software\Policies\Microsoft\Windows\NetCache\ReminderFreqMinutes User Configuration\Administrative Templates\Network\Offline Files Initial Reminder Balloon Lifetime HKCU\Software\Policies\Microsoft\Windows\NetCache\ InitialBalloonTimeoutSeconds User Configuration \ Administrative Templates\Network\Offline Files Reminder Balloon Lifetime HKCU\Software\Policies\Microsoft\Windows\NetCache\ ReminderBalloonTimeoutSeconds User Configuration\Administrative Templates\Network\Offline Files Event Logging Level HKCU\Software\Policies\Microsoft\Windows\NetCache\EventLoggingLevel User Configuration\Administrative Templates\Network\Offline Files Prohibit 'Make Available Offline' for these files and folders HKCU\Software\Policies\Microsoft\Windows\NetCache\NoMakeAvailableOfflineList\ User Configuration\Administrative Templates\Network\Offline Files Do not automatically make redirected folders available offline HKCU \Software\Policies\Microsoft\Windows \NetCache\DisableFRAdminPin User Configuration\Administrative Templates\Shared Folders Allow Sharing of Shared Folders HKCU\Software\Policies\Microsoft\Windows NT\ SharedFolders\PublishSharedFolders User Configuration\Administrative Templates\Shared Folders Sharing of DFS Roots HKCU\Software\Policies\Microsoft\Windows NT\SharedFolders\PublishDfsRoots User Configuration\Administrative Templates\Start Menu and Taskbar Remove user folders from the Start Menu HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders User Configuration\Administrative Templates\Start Menu and Remove taskbar links en and
Access Windows Update HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWindowsUpdate
400 User Configuration\Administrative Templates\Start Menu and Taskbar Remove Common Program Groups from the Start Menu HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer\NoCommonGroups User Configuration\Administrative Templates\Start Menu and Taskbar Remove the My Documents icon from the Start menu HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs User Configuration\Administrative Templates\Start Menu and Taskbar Remove Documents menu from Start Menu HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu User Configuration\Administrative Templates\Start Menu and Taskbar Remove programs in Settings menu HKCU\Software\Microsoft\Windows\CurrentVersion\ Policies\Explorer\NoSetFolders User Configuration\Administrative Templates\Start Menu and Taskbar Remove network connections from Start Menu HKCU\Software\Microsoft\Windows\ CurrentVersion\Policies\Explorer\ NoNetworkConnections User Configuration\Administrative Templates\Start Menu and Taskbar Remove Favorites Menu from Start Menu HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu User Configuration\Administrative Templates\Start Menu and Taskbar Remove Search Menu from Start Menu HKCU\Software\Microsoft\Windows\CurrentVersion \Policies\Explorer\NoFind User Configuration\Administrative Templates\Start Menu and Taskbar Remove Help menu from Start Menu HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp User Configuration\Administrative
Templates\Start Menu and Taskbar Remove Run menu from Start Menu HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun User Configuration\Administrative Templates\Start Menu and Taskbar Remove My Pictures icon from Start Menu HKCU\Software\Microsoft\ Windows\ CurrentVersion\Policies\Explorer\NoSMMyPictures User Configuration\Administrative Templates\Start Menu and Taskbar Remove My Music icon from Start Menu HKCU\Software\Microsoft\Windows\ CurrentVersion\Policies\Explorer\NoStartMenuMyMusic User Configuration\Administrative Templates\Start Menu and Taskbar Remove My Network Places icon from Start Menu HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoStartMenuNetworkPlaces User Configuration\Administrative Templates\Start Menu and Taskbar Add Logout to Start Menu HKCU\Software\Microsoft\Windows\ CurrentVersion\ Policies\Explorer\ForceStartMenuLogOff User Configuration\Administrative Templates\Start Menu and Taskbar Remove Logoff on the Start Menu H KCU\Software\Microsoft\Windows\CurrentVersion\ Policies\Explorer\StartMenuLogOff User Configuration\Administrative Templates\Start Menu and Taskbar Remove and prevent access to the Shutdown Command HKCU\Software\Microsoft\Windows\ CurrentVersion\Policies\Explorer\NoClose User Configuration\Administrative Templates\Start Menu and Taskbar Remove drag-and-drop context menus in Start Menu HKCU\Software\Microsoft\Windows\ CurrentVersion\Policies\Explorer\NoChangeStartMenu User Configuration\Administrative Templates\Start Menu and Taskbar Changes prevent from the taskbar and start menu settings
HKCU\Software\Microsoft\Windows\ CurrentVersion\Policies\Explorer\NoSetTaskbar User Configuration\Administrative Remove access to context menus HKCU\Software\Microsoft\Windows\ CurrentVersion\Policies\Explorer\NoTrayContextMenu
401 Templates\Start Menu and Taskbar for Taskbar User Configuration\Administrative Templates\Start Menu and Taskbar History of recent documents not saved HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory User Configuration\Administrative Templates\Start Menu and Taskbar History of Recent Delete open documents on exit HKCU\Software\Microsoft\Windows\ CurrentVersion\Policies\Explorer\ClearRecentDocsOnExit User Configuration\Administrative Templates\Start Menu and Taskbar Disable personalized menus HKCU\Software\Microsoft\Windows\CurrentVersion\ Policies\Explorer\Intellimenus User Configuration \Administrative Templates\Start Menu and Taskbar Disable user tracking HKCU\Software\Microsoft\Windows\CurrentVersion\ Policies\Explorer\NoInstrumentation User Configuration\Administrative Templates\Start Menu and Taskbar Add Run in Separate Memory Space checkbox to run dial ogfelds HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\MemCheckBoxInRunDlg User Configuration\Administrative Templates\Start Menu and Taskbar When resolving shell shortcuts, do not use the HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer search-based method \NoResolveSearch User Configuration\Administrative Templates\Start Menu and Taskbar Do not use the tracking-based method if
Resolving Shell Shortcuts HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer\NoResolveTrack User Configuration\Administrative Templates\Start Menu and Taskbar Gray unavailable Windows Installer programs Shortcuts in Start Menu HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer\ GreyMSIAds User Configuration\Administrative Templates\Start Menu and Taskbar Prevent grouping of taskbar items HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer\NoTaskGrouping User Configuration\Administrative Templates\Start Menu and Taskbar Disable Notification Area Cleanup HKCU\Software\ Microsoft\Windows\CurrentVersion \Policies\ Explorer\NoAutoTrayNotify User Configuration\Administrative Templates\Start Menu and Taskbar Lock the Taskbar HKCU\Software\Microsoft\Windows\CurrentVersion\ Policies\Explorer\LockTaskbar User Configuration\Administrative Templates\Start Menu and Taskbar Force classic start menu HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu User Configuration\Administrative Templates\Start Menu and Taskbar Remove Balloon Tips on Start Menu items HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMBalloonTip User Configuration \Administrative Templates\Start Menu and Taskbar Remove pinned program list from the Start Menu HKCU\Software\Microsoft\Windows\CurrentVersion\ Policies\Explorer\NoStartMenuPinnedList User Configuration\Administrative Templates\Start Menu and Taskbar Remove pinned program list from the Start Menu HKCU\Software\Microsoft \Windows\CurrentVersion\Policies\Explorer\ NoStartMenuMFUprogramsList User Configuration\Administrative Templates\Start Menu and Taskbar Remove all
Program List from Start Menu HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms User Configuration\Administrative Remove and disable HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
402 Templates\Start Menu and Taskbar Computer button User Configuration\Administrative Templates\Start Menu and Taskbar Remove the Undock PC button from the Start Menu HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoStartMenuEjectPC User Configuration\Administrative Templates\Start Remove menu and taskbar username from Start Menu HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoUserNameInStartMenu User Configuration\Administrative Templates\Start Menu and Taskbar Remove clock from system notification area HKCU\Software\Microsoft\Windows\CurrentVersion \Policies\Explorer\ HideClock User Configuration\Administrative Templates\Start Menu and Taskbar Hide notification area HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay User Configuration\Administrative Templates\Start Menu and Taskbar Do not display any custom toolbars in the taskbar HKCU\Software \Microsoft\Windows\CurrentVersion\P olicies\Explorer\NoToolba rsOnTaskbar User Configuration\Administrative Templates\System Don't display the Getting Started welcome screen at logon HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWelcomeScreen User Configuration\Administrative Templates\System Century interpretation for Year 2000 HKCU\Software\Policies\Microsoft\Control Panel\International\Calendar\TwoDigitYearMax\1 User Configuration\Administrative
Templates\System Configure Driver Search Paths HKCU\Software\Policies\Microsoft\Windows\DriverSearching\ DontSearchWindowsUpdate User Configuration\Administrative Templates\System Code Signing for Device Drivers HKCU\Software\Policies\Microsoft\Windows NT\ Driver Signing\BehaviorOnFailedVerify User Configuration\ Administrative Templates\System Custom UI HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell User Configuration\Administrative Templates\System Disable command prompt access HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD User Configuration \Administrative Templates\System access on registry editing tools HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ System\DisableRegistryTools User Configuration\Administrative Templates\System Run only allowed Windows applications HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer\RestrictRun\RestrictRun User Conf iguration\Administrative Templates\System Don't Run Certain Windows Applications HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ DisallowRun\DisallowRun User Configuration\Administrative Templates\System Turn off Autoplay HKCU\Software\Microsoft\Windows\CurrentVersion \Policies\ Explorer\NoDriveTypeAutoRun User Configuration\Administrative Templates\System Restrict the launch of these programs via Help HKCU\Software\Policies\Microsoft\Windows\System\DisableInHelp User Configuration\Administrative Templates\System Download missing COM components HKCU\Software\Policies \Microsoft\Windows\App Management\COMClassStore User Configuration\Administrative Templates\System Windows Automatic Updates HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutoUpdate User
Configuration\Administrative Templates\System\Ctrl+Alt+Del Options Remove Task Manager HKCU\Software\Microsoft\Windows\CurrentVersion\ Policies\System\DisableTaskMgr User Configuration\Administrative Remove Lock Computer HKCU\Software\Microsoft\Windows\ CurrentVersion\Policies\ System\DisableLockWorkstation
403 Templates\System\Ctrl+Alt+Del Options User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options Remove Change Password HKCU\Software\Microsoft\Windows\ CurrentVersion\Policies\System\DisableChangePassword User Configuration\Administrative Templates\System \Ctrl+Alt+Del Options Remove Logoff HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogoff User Configuration\Administrative Templates\System\Group Policy User Group Policy Refresh Interval HKCU\Software\Policies\Microsoft\Windows\ System \GroupPolicyRefreshTimeOffset User Configuration\Administrative Templates\System\Group Policy Group Policy Slow Link Detection HKCU\Software\Policies\Microsoft\Windows\System\GroupPolicyMinTransferRate User Configuration\Administrative Templates\System\Group Policy Group Policy domain controller selection HKCU\Software\ Policies \Microsoft\Windows\Group Policy Editor\DCOption User Configuration\Administrative Templates\Sys tem\Group Policy Create new Group Policy o Object links disabled by default HKCU\Software\Policies\Microsoft\Windows\ Group Policy Editor\NewGPOLinksDisabled User Configuration\Administrative Templates\System\Group Policy Default name for new Group Policy objects HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor \GPODisplayName User Configuration\Administrative Templates\System\Group Policy Enforce Show Policies Only HKCU\Software\Policies\Microsoft\Windows\ Group Policy Editor\ShowPoliciesOnly User Configuration\Administrative Templates\System\Group Policy Turn off automatic
Update ADM files HKCU\Software\Policies\Microsoft\Windows\ Group Policy Editor\DisableAutoADMUpdate User Configuration\Administrative Templates\System\Group Policy Disallow interactive users from generating RSoP HKCU\Software\Policies\Microsoft\Windows\System\DenyRsopToInteractiveUser User Configuration\Administrative Templates\System\Logon Run these programs at user logon HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ User Configuration\Administrative Templates\System\Logon Do not process the list HKCU once run \Software\ Microsoft\Windows\CurrentVersion\Policies\ Explorer\DisableLocalUserRunOnce User Configuration\Administrative Templates\System\Logon Do not process legacy execution list HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer\DisableLocalUserRun User Configuration\Administrative Templates\System\Power Management prompt for password b On resume from hibernate/suspend HKCU\Software\Policies\Microsoft\Windows\System\ Power\ PromptPasswordOnResume User Configuration\Administrative Templates\System\Scripts Run logon scripts synchronously HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ System\RunLogonScriptSync User User Configuration\Administrative Templates\System\Scripts Run logon scripts visible HKCU\Software\Microsoft\Windows\CurrentVersion \Policies\ System\HideLogonScripts User Configuration\Administrative Templates\System\Scripts Run logoff scripts visible HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ System\HideLogoffScripts User Configuration\Administrative Templates\System\User Profiles Connect home directory to root of
die Freigabe HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ System\ConnectHomeDirToRoot User Configuration\Administrative Templates\ System\User Profiles Limit profile size HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ System\WarnUserTimeout
404 User Configuration\Administrative Templates\System\User Profiles Exclude directories in roaming profile HKCU\Software\Policies\Microsoft\Windows\System\ExcludeProfileDirs User Configuration\Administrative Templates\Windows Components\Microsoft Management Console Prevent the user from entering author mode HKCU \ Software\Policies\Microsoft\MMC\RestrictAuthorMode User Configuration\Administrative Templates\Windows Components\Microsoft Management Console Restrict users to the explicitly allowed list of snap-ins HKCU\Software\Policies\Microsoft\MMC\RestrictToPermittedSnapins User Configuration\Administrative Templates \Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Active Directory Users and Computers HKCU\Software\Policies\Microsoft\MMC\ {E355E538-1C2E-11D0-8C37-00C04FD8FE93}\Restrict_Run User Configuration\Administrative Templates\Windows Components \Microsoft Management Console\Restricted/Restricted assene snap-ins Active Directory Domains and Trusts HKCU\Softw are\Policies\Microsoft\MMC\{EBC53A38-A23F-11D0-B09B-00C04FD8DCA6}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/ Permitted snap-ins Active Directory Sites and Services HKCU\Software\Policies\Microsoft\MMC\ {D967F824-9968-11D0-B936-00C04FD8D5B0}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted
Snap-Ins ADSI Edit HKCU\Software\Policies\Microsoft\MMC\ {1C5DACFA-16BA-11D2-81D0-0000F87A7AA3}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted Snap-Ins ActiveX Control HKCU \Software\Policies\Microsoft\MMC\ {C96401CF-0E17-11D3-885B-00C04F72C717}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Certificates HKCU\Software\Policies\Microsoft\ MMC\ {53D6AB1D-2488-11D1-A28C-00C04FB94F17}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Component Services HKCU\Software\Policies\Microsoft\MMC\ {C9BC92DF-5B9A -11D1-8F00-00C04FC2C17B}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Computer Management HKCU\Software\Policies\Microsoft\MMC\ {58221C67-EA27-11CF-ADCF-00 AA00A80033}\Restrict_Run User Configuration\Administrative Templates\Windows Device Manager HKCU\Software\Policies\Microsoft\MMC\ {90087284-d6d6-11d0-8353-00a0c90640bf}\Restrict_Run
405 Components\Microsoft Management Console\Restricted/Allowed Snap-ins User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Allowed Snap-ins Disk Management HKCU\Software\Policies\Microsoft\MMC\ {8EAD3A12-B2C1-11d0 -83AA-00A0C92C9D5D}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Disk Defragmenter HKCU\Software\Policies\Microsoft\MMC\ {43668E21-2636-11D1-A1CE-0080C88593A5}\ Restrict_Run User Configuration\Administrative Templates\Windows
Komponenten\Microsoft Management Console\Restricted/Permitted snap-ins Distributed File System HKCU\Software\Policies\Microsoft\MMC\ {677A2D94-28D9-11D1-A95B-008048918FB1}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console \Restricted/Permitted snap-ins Event Viewer HKCU\Software\Policies\Microsoft\MMC\ {975797FC-4E2A-11D0-B702-00C04FD8DBF7}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap- ins FAX Service HKCU\Software\Policies\Microsoft\MMC\ {753EDB4D-2E1B-11D1-9064-00A0C90AB504}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins FrontPage Server Extensions HKCU\ Software\Policies\Microsoft\MMC\ {FF5903A8-78D6-11D1-92F6-006097B01056}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted Snap-Ins Index ing Service HKCU\Software\Policies\Microsoft\MMC\ {95AD72F0-44CE-11D0-AE29-00AA004B9986}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Internet Authentication Service (IAS) HKCU\Software\Policies\Microsoft\MMC\ {8F8F8DC0-5713-11D1-9551-0060B0576642}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Internet Information Services HKCU\Software\Policies \Microsoft\MMC\ {A841B6C2-7577-11D0-BB1F-00A0C922E79C}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management IP Security HKCU\Software\Policies\Microsoft\MMC\
{DEA8AFA0-CC85-11d0-9CE2-0080C7221EBD}\Restrict_Run
406 Konsole\Eingeschränkte/Zugelassene Snap-Ins Benutzerkonfiguration\Administrative Vorlagen\Windows-Komponenten\Microsoft Management Console\Eingeschränkte/Zugelassene Snap-Ins IP Security Policy Management HKCU\Software\Policies\Microsoft\MMC\ {DEA8AFA0-CC85-11d0-9CE2 -0080C7221EBD}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins IP Security Monitor HKCU\Software\Policies\Microsoft\MMC\ {57C596D0-9370-40C0-BA0D-AB491B63255D}\Restrict_Run Benutzerkonfiguration\Administrative Vorlagen\Windows-Komponenten\Microsoft Management Console\Restricted/Permitted snap-ins Link to Web Address HKCU\Software\Policies\Microsoft\MMC\ {C96401D1-0E17-11D3-885B-00C04F72C717}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Local Users and Groups HKCU\Software\Policies\Microsoft\MMC\ {5D6179C8-17EC-11D1-9AA9-00C04FD8FE93}\Restrict_Run User Configuratio n\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Performance Logs and Alerts HKCU\Software\Policies\Microsoft\MMC\ {7478EF61-8C46-11d1-8D99-00A0C913CAD4}\Restrict_Run User Configuration\Administrative Templates \Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins QoS Admission Control HKCU\Software\Policies\Microsoft\MMC\ {FD57D297-4FD9-11D1-854E-00C04FC31FD3}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Verwaltungskonsole\Eingeschränkt/Zugelassen
Snap-Ins Remote Desktops HKCU\Software\Policies\Microsoft\MMC\ {3D5D035E-7721-4B83-A645-6C07A3D403B7}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted Snap-Ins Removable Storage Management HKCU\Software\Policies\Microsoft\MMC\ {3CB6973D-3E6F-11D0-95DB-00A024D77700}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Routing and Remote Access HKCU\Software\ Richtlinien\Microsoft\MMC\ {1AA7F839-C7F5-11D0-A376-00C04FC9DA04}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Security Configuration and Analysis HKCU\Software\Policies\Microsoft\ MMC\ {011BE22D-E453-11D1-945A-00C04FB984F9}\Restrict_Run
407 User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins Security Templates HKCU\Software\Policies\Microsoft\MMC\ {5ADF5BF6-E452-11D1-945A-00C04FB984F9}\Restrict_Run User Configuration\Administrative Templates \Windows-Komponenten\Microsoft Management Console\Restricted/Permitted Snap-Ins Services HKCU\Software\Policies\Microsoft\MMC\ {58221C66-EA27-11CF-ADCF-00AA00A80033}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console \Restricted/Permitted snap-ins Shared Folders HKCU\Software\Policies\Microsoft\MMC\ {58221C65-EA27-11CF-ADCF-00AA00A80033}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap- ins System Information HKCU\Software\Policies\Microsoft\MMC\ {45ac8c63-23e2-11d1-a696-00c04fd58bc3}\Restrict_Run
Benutzerkonfiguration\Administrative Vorlagen\Windows-Komponenten\Microsoft Management Console\Restricted/Permitted snap-ins Telephony HKCU\Software\Policies\Microsoft\MMC\ {E26D02A0-4C1F-11D1-9AA1-00C04FC3357A}\Restrict_Run User Configuration\Administrative Templates\Windows Komponenten\Microsoft Management Console\Restricted/Permitted snap-ins Terminal Services Configuration HKCU\Software\Policies\Microsoft\MMC\ {B91B6008-32D2-11D2-9888-00A0C925F917}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console \Restricted/Permitted snap-ins WMI Control HKCU\Software\Policies\Microsoft\MMC\ {5C659257-E236-11D2-8899-00104B2AFB46}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap- ins\Extension snap-ins AppleTalk Routing HKCU\Software\Policies\Microsoft\MMC\ {1AA7F83C-C7F5-11D0-A376-00C04FC9DA04}\Restrict_Run User Configuration\Administrative Templates\Windows Component s\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Certification Authority HKCU\Software\Policies\Microsoft\MMC\ {3F276EB4-70EE-11D1-8A0F-00C04FB93753}\Restrict_Run User Configuration\Administrative Templates\Windows Components \Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Connection Sharing (NAT) HKCU\Software\Policies\Microsoft\MMC\ {C2FE450B-D6C2-11D0-A37B-00C04FC9DA04}\Restrict_Run User Configuration\Administrative DCOM Configuration HKCU\Software\Policies\Microsoft\MMC\ {9EC88934-C774-11d1-87F4-00C04FC2C17B}\Restrict_Run
408 Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Extension User
Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Device Manager HKCU\Software\Policies\Microsoft\MMC\ {74246bfc-4c96-11d0-abef-0020af6b0b7a}\Restrict_Run User Configuration \Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins DHCP Relay Management HKCU\Software\Policies\Microsoft\MMC\ {C2FE4502-D6C2-11D0-A37B-00C04FC9DA04}\Restrict_Run User Configuration \Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Event Viewer HKCU\Software\Policies\Microsoft\MMC\ {394C052E-B830-11D0-9A86-00C04FD8DBF7}\Restrict_Run User Configuration\ Administrative Vorlagen\Windows-Komponenten\Microsoft Management Console\Eingeschränkte/Zugelassene Snap-Ins\Erweiterungs-Snap-Ins Erweiterte Ansicht (Webansicht) HKCU\Software\Policies\Microsoft\MMC\ {B708457E-DB61-4C55-A92F-0D4B5E9B1224}\Restrict_Run Benutzer C onfiguration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins IAS Logging HKCU\Software\Policies\Microsoft\MMC\ {2E19B602-48EB-11d2-83CA-00104BCA42CF}\Restrict_Run User Configuration \Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins IGMP Routing HKCU\Software\Policies\Microsoft\MMC\ {C2FE4508-D6C2-11D0-A37B-00C04FC9DA04}\Restrict_Run User Configuration\ Administrative Vorlagen\Windows-Komponenten\Microsoft Management Console\Eingeschränkte/Zugelassene Snap-Ins\Extension Snap-Ins IP Routing HKCU\Software\Policies\Microsoft\MMC\ {C2FE4500-D6C2-11D0-A37B-00C04FC9DA04}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins IPX RIP Routing HKCU\Software\Policies\Microsoft\MMC\ {90810502-38F1-11D1-9345-00C04FC9DA04}\Restrict_Run
User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Allowed Snap-ins\Extension Snap-ins IPX Routing HKCU\Software\Policies\Microsoft\MMC\{90810500-38F1-11D1-9345-00C04FC9DA04}\ Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft IPX SAP Routing HKCU\Software\Policies\Microsoft\MMC\{90810504-38F1-11D1-9345-00C04FC9DA04}\Restrict_Run
409 Management Console\Restricted/Allowed Snap-ins\Extension Snap-ins User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Allowed Snap-ins\Extension Snap-ins Logical and Mapped Drives HKCU\Software\Policies \Microsoft \MMC\ {6E8E0081-19CD-11D1-AD91-00AA00B8E05A}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins OSPF Routing HKCU\Software\Policies\ Microsoft\ MMC\ {C2FE4506-D6C2-11D0-A37B-00C04FC9DA04}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Public Key Policies HKCU\Software\Policies\ Microsoft\MMC\{34AB8E82-C27E-11D1-A6C0-00C04FB94F17}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins RAS Dialin User Node HKCU\Software\Policies\Microsoft\MMC\{B52C1E50-1DD2-11D1-BC4300C04FC31FD3}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins Remote Access HKCU\Software\Policies\Microsoft \MMC\{5880CD5C-8EC0-11d1-9570-0060B0576642}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted
snap-ins\Extension snap-ins Removable Storage HKCU\Software\Policies\Microsoft\MMC\ {243E20B0-48ED-11D2-97DA-00A024D77700}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap -ins\Extension snap-ins RIP Routing HKCU\Software\Policies\Microsoft\MMC\ {C2FE4504-D6C2-11D0-A37B-00C04FC9DA04}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap- ins\Extension snap-ins Routing HKCU\Software\Policies\Microsoft\MMC\ {DAB1A262-4FD7-11D1-842C-00C04FB6C218}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\ Erweiterungs-Snap-Ins Freigegebene Ordner Ext HKCU\Software\Policies\Microsoft\MMC\ {58221C69-EA27-11CF-ADCF-00AA00A80033}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted Send Console Message e HKCU\Software\Policies\Microsoft\MMC\ {B1AFF7D0-0C49-11D1-BB12-00C04FC9A3A3}\Restrict_Run
410-Snap-ins\Extension Snap-ins User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Allowed Snap-ins\Extension Snap-ins Service Dependencies HKCU\Software\Policies\Microsoft\MMC\{BD95BA60- 2E26- AAD1-AD99-00AA00B8E05A}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins SMTP Protocol HKCU\Software\Policies\Microsoft\MMC\ {03f1f940-a0f2 -11d0 -bb77-00aa00a1eab7}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins SNMP HKCU\Software\Policies\Microsoft\MMC\ {7AF60DD3-4979-11D1 -8A6C -00C04FC33566}\Restrict_Run User Configuration\Administrative Templates\Windows
Komponenten\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins System Properties HKCU\Software\Policies\Microsoft\MMC\ {0F3621F1-23C6-11D1-AD97-00AA00B88E5A}\Restrict_Run User Configuration\Administrative Templates\Windows Components \Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy Group Policy snap-in HKCU\Software\Policies\Microsoft\MMC\ {8FC0B734-A0E1-11D1-A7D3-0000F87571E3}\Restrict_Run User Configuration\Administrative Templates\Windows Components \Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy Group Policy tab for Active Directory Tools HKCU\Software\Policies\Microsoft\MMC\ {D70A2BEA-A63E-11D1-A7D4-0000F87571E3}\Restrict_Run User Configuration\Administrative Templates\ Windows-Komponenten\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy Resultant Set of Policy snap-in HKCU\Software\Policies\Microsoft\MMC\ {6DC3804B-7212-458D-ADB0-9A07E2AE1FA2}\Restrict_Run User Configuration\Administrati ve Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions Administrative Templates (Computers) HKCU\Software\Policies\Microsoft\MMC\ {0F6B957D-509E-11D1-A7CC- 0000F87571E3}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions Administrative Templates (Users) HKCU\Software\Policies\Microsoft\MMC\ {0F6B957E -509E-11D1-A7CC-0000F87571E3}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted Folder Redirection HKCU\Software\Policies\Microsoft\MMC\ {88E729D6-BDC1-11D1-BD2A-00C04FB9603F} \Restrict_Run
411
Snap-ins\Group Policy\Group Policy Snap-in Extensions User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Allowed Snap-ins\Group Policy\Group Policy Snap-in Extensions Internet Explorer Servicing HKCU\Software\ Policies \Microsoft\MMC\{FC715823-C5FB-11D1-9EEF-00A0C90347FF}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions Remote Installation Services HKCU\Software\Policies\Microsoft\MMC\{3060E8CE-7020-11D2-842D-00C04FA372D4}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap - in extension scripts (Logon/Logoff) HKCU\Software\Policies\Microsoft\MMC\{40B66650-4972-11D1-A7CA-0000F87571E3}\Restrict_Run User Configuration\Administrative Templates\Windo ws Components\Microsoft Management Console\R Restricted/Allowed Snap-ins\Group Policy\Group Policy Snap-in Extension Scripts (Startup/Shutdown) HKCU\Software\Policies\Microsoft\MMC\{40B6664F-4972-11D1-A7CA-0000F87571E3} \Restrict_Run User Configuration\Administrative Templates \Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions Security Settings HKCU\Software\Policies\Microsoft\MMC\ {803E14A0-B4FB-11D0 -A0D0-00A0C90F574B}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions Software Installation (Computers) HKCU\Software\Policies\Microsoft\MMC \{942A8E4F-A261-11D1-A760-00C04FB9603F}\Restrict_Run User Configuration\Administrative Templates\Windows
Komponenten\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions Software Installation (Users) HKCU\Software\Policies\Microsoft\MMC\ {BACF5C8A-A3C7-11D1-A760-00C04FB9603F}\Restrict_Run Benutzerkonfiguration\Administrative Vorlagen\Windows-Komponenten\Microsoft Management Console\Eingeschränkte/Zugelassene Snap-Ins\Gruppenrichtlinie\Resultant Set of Policy Snap-In Extensions Administrative Vorlagen (Computer) HKCU\Software\Policies\Microsoft\MMC\ {B6F9C8AE-EF3A -41C8-A911-37370C331DD4}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted Administrative Templates (Users) HKCU\Software\Policies\Microsoft\MMC\ {B6F9C8AF-EF3A-41C8-A911-37370C331DD4 }\Restrict_Run
412 Snap-ins\Group Policy\Result Set of Policy Snap-ins User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Allowed Snap-ins\Group Policy\Result Set of Policy Snap-ins Folder Redirection HKCU \ Software\Policies\Microsoft\MMC\ {c40d66a0-e90c-46c6-aa3b-473e38c72bf2}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap - in extensions Internet Explorer Maintenance HKCU\Software\Policies\Microsoft\MMC\ {d524927d-6c08-46bf-86af-391534d779d3}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy \Resultant Set of Policy Snap-In Extensions Scripts (Logon/Logoff) HKCU\Software\Policies\Microsoft\MMC\{40B66661-4972-11d1-A7CA-0000F87571E3}\Restrict_Run
Benutzerkonfiguration\Administrative Vorlagen\Windows-Komponenten\Microsoft Management Console\Eingeschränkte/Zugelassene Snap-Ins\Gruppenrichtlinie\Resultant Set of Policy Snap-In Extensions Scripts (Startup/Shutdown) HKCU\Software\Policies\Microsoft\MMC\ {40B66660- 4972-11d1-A7CA-0000F87571E3}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions Security Settings HKCU\Software\Policies\Microsoft \MMC\ {fe883157-cebd-4570-b7a2-e4fe06abe626}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Resultant Set of Policy snap-in extensions Software Installation ( Computer) HKCU\Software\Policies\Microsoft\MMC\ {7E45546F-6D52-4D10-B702-9C2E67232E62}\Restrict_Run User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap -ins\Group Policy\Resultant Set of Policy Snap-In Extensions Software Installation (Users) HKCU\Software\Policies\Microsoft\MMC\ {1BC972D6-555C-4FF7-BE2C-C584021A0A6A}\Restrict_Run User Configuration\Administrative Templates\Windows Components \Task Scheduler Hide Property Pages HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Property Pages User Configuration\Administrative Templates\Windows Prevent Task Run or End HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0\ Ausführung
413 Components\Task Scheduler User Configuration\Administrative Templates\Windows Components\Task Scheduler Prohibit Drag-and-Drop HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0\DragAndDrop User Configuration\Administrative
Templates\Windows Components\Task Scheduler Prohibit New Task Creation HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Task Creation User Configuration\Administrative Templates\Windows Components\Task Scheduler Prohibit Task Deletion HKCU\Software\Policies\Microsoft\ Windows\Task Scheduler5.0\Task Deletion User Configuration\Administrative Templates\Windows Components\Task Scheduler Remove Advanced Menu HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Disable Advanced User Configuration\Administrative Templates\Windows Components\Task Scheduler Browse verbieten HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Allow Browse User Configuration\Administrative Templates\Windows Components\Terminal Services Start a program on connection HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ fInheritInitialProgram User Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions Zeitlimit für getrennte Sitzungen festlegen HKCU\SOFTWARE \Policies\Microsoft\Windows NT\Terminal Services\ MaxDisconnectionTime User Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions Zeitlimit für aktive Sitzungen festlegen HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ MaxConnectionTime User Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions Zeitlimit für Sitzungen im Leerlauf festlegen HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ MaxIdleTime REQUIRED User Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions Wiederverbindung nur vom ursprünglichen Client zulassen HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fReconnectSame User Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions
Terminate session when timeouts are reached HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fResetBroken User Configuration\Administrative Templates\Windows Components\Terminal Services remote control settings HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Shadow User Configuration\Administrative Templates\Windows Components\Windows Explorer Turn on Classic Shell HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell User Configuration\Administrative Templates\Windows Components\Windows Explorer Removes the Folder Options menu item from the " Tools" HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions User Configuration\Administrative Templates\Windows Components\Windows Explorer Remove File menu from Windows Explorer HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoFileMenu User Configuration\Administrative Templates\Windows Components\Windows Explorer Remove Map Ne twork Drive and Disconnect Network Drive HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetConnectDisconnect
Remove Search button from Windows Explorer HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoShellSearchButton User Configuration\Administrative Templates\Windows Components\Windows Explorer Windows Explorer default context menu remove HKCU\Software\Microsoft\Windows\CurrentVersion\ Policies\Explorer\NoViewContextMenu User Configuration\Administrative Templates\Windows Components\Windows Explorer Hides the Manage item in the Windows Explorer context menu HKCU\Software\Microsoft\Windows\CurrentVersion\ Policies\Explorer \ NoManageMyComputerVerb
User Configuration\Administrative Templates\Windows Components\Windows Explorer Allow per user only or approved shell extensions HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\EnforceShellExtensionSecurity User Configuration\Administrative Templates\Windows Components\Windows Explorer shell shortcuts do not track while roaming HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\LinkResolveIgnoreLinkInfo User Configuration\Administrative Templates\Windows Components\Windows Explorer Hide these specified drives in My Computer HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoDrives User Configuration\Administrative Templates\Windows Components\Windows Explorer Prevent access to drives from My Computer HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive User Configuration\Administrative Templates\Windows Components\Windows Explorer Hardware tab Remove HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoHardwareTab User Configuration\Administrative Templates\Windows Components\Windows Explorer Remove DFS tab HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDFSTab User Configuration\Administrative Templates\Windows Components\Windows Explorer Remove Security tab HKCU\Software\ Microsoft\Windows\CurrentVersion\ Policies\Explorer\NoSecurityTab User Configuration\Administrative Templates\Windows Components\Windows Explorer Remove UI to change menu animation setting HKCU\Software\Microsoft\Windows \CurrentVersion\ Policies\Explorer\NoChangeAnimation User Configuration\Administrative Templates\ Windows Components\Windows Explorer To change the keyboard navigation display setting, remove the user interface
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoChangeKeyboardNavigationIndicators User Configuration\Administrative Templates\Windows Components\Windows Explorer No Computers Near Me in My Network Places HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoComputersNearMe User Configuration\Administrative Templates\Windows Components\Windows Explorer No Entire Network in My Network Places HKCU\Software\Microsoft\Windows\CurrentVersion\ Policies\Network\NoEntireNetwork User Configuration\Administrative Templates\Windows Components\Windows Explorer Maximale Anzahl zuletzt verwendeter Dokumente HKCU\ Software\Microsoft\Windows\CurrentVersion\ Policies\Network\MaxRecentDocs User Configuration\Administrative Templates\Windows Components\Windows Explorer Keine alternativen Anmeldeinformationen anfordern HKCU\Software\Microsoft\Windows\CurrentVersion\ Policies\Network\NoRunasInstallPrompt User Configuration\Administrative Templates\ Windows-Komponenten\Windows Explorer-Anforderungsberechtigung tials für Netzwerkinstallationen HKCU\Software\Microsoft\Windows\CurrentVersion\ Policies\Network\PromptRunasInstallNetPath User Configuration\Administrative Remove CD Burning features HKCU\Software\Microsoft\Windows\CurrentVersion\ Policies\Network\NoCDBurning
415 Templates\Windows Components\Windows Explorer User Configuration\Administrative Templates\Windows Components\Windows Explorer Do not move deleted files to the Recycle Bin HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoRecycleFiles User Configuration\Administrative Templates\Windows Components \Windows Explorer show confirmation dialog when deleting files HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network\ConfirmFileDelete User Configuration\Administrative
Templates\Windows Components\Windows Explorer Maximum Recycle Bin Size HKCU\Software\Microsoft\Windows\CurrentVersion\ Policies\Network\RecycleBinSize User Configuration\Administrative Templates\Windows Components\Windows Explorer Remove Shared Documents from My Computer HKCU\Software\Microsoft\ Windows\CurrentVersion\ Policies\Network\NoSharedDocuments User Configuration\Administrative Templates\Windows Components\Windows Explorer Disable thumbnail caching HKCU\Software\Microsoft\Windows\CurrentVersion\ Policies\Network\NoThumbnailCache User Configuration\Administrative Templates\Windows Components\ Windows Explorer \Common File Open Dialogs Shown in Area Bar HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar\Place4 User Configuration\Administrative Templates\Windows Components\Windows Explorer\Common Open File Dialog Hide the general dialog boxes from bar HKC U\Software\Microsoft\Windows\CurrentVersion\Policies\ comdlg32\Placesbar\NoPla cesBar User Configuration\Administrative Templates\Windows Components\Windows Explorer\Common Open File Dialog Hide the common dialog back button HKCU\Software\Microsoft\Windows\CurrentVersion\ Policies\comdlg32\Placesbar\NoBackButton User Configuration\Administrative Templates\Windows Components\Windows Explorer\Common Open File Dialog Hide drop-down list of recent files HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ comdlg32\Placesbar\NoFileMru User Configuration\ Administrative Templates\Windows Components\Windows Installer Always install with elevated privileges HKCU\Software\ Policies\Microsoft\Windows\Installer\AlwaysInstallElevated User Configuration\Administrative Templates\Windows Components\Windows Installer Search Order HKCU\Software\Policies\Microsoft\Windows\Installer\ SearchOrder
User Configuration\Administrative Templates\Windows Components\Prohibit Windows Installer Rollback HKCU\Software\Policies\Microsoft\Windows\Installer\DisableRollback User Configuration\Administrative Templates\Windows Components\Windows Installer Disable removable media source for all installations HKCU\Software\Policies\ Microsoft\ Windows\Installer\DisableMedia User Configuration\Administrative Templates\Windows Components\Windows Messenger Do not allow Windows Messenger to run HKCU\Software\Policies\Microsoft\Messenger\Client\PreventRun User Configuration\Administrative Templates\Windows Components\Windows Do not automatically run Windows Messenger start HKCU\Software\Policies\Microsoft\Messenger\Client\PreventAutoRun
416 Messenger User Configuration\Administrative Templates\Windows Components\Windows Update Access Remove to use all Windows Update features HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess
Wmplayer.adm Tabelle 19-6: Richtlinien in Wmplayer.adm Speicherort Name Key User Configuration\Administrative Templates\Windows Components\Windows Media Player\User Interface Set and Lock Skin HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\DefaultSkin User Configuration\Administrative Templates\Windows Components\Windows Media Player\User Interface Do Not Show Anchor HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\DoNotShowAnchor User Configuration\Administrative Templates\Windows Components\Windows Media Player\Playback Prevent
Codec-Download HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\PreventCodecDownload User Configuration\Administrative Templates\Windows Components\Windows Media Player\Networking Hide Network Tab HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\HideNetworkTab User Configuration\Administrative Templates\Windows Components\ Windows Media Player\Networking Streaming Media Protocols HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\HTTP User Configuration\Administrative Templates\Windows Components\Windows Media Player\Networking Configure HTTP Proxy HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\ HTTP\BypassProxyLocalAddress User Configuration\Administrative Templates\Windows Components\Windows Media Player\Networking Configure MMS Proxy HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\MMS\BypassProxyLocalAddress User Configuration\Administrative Templates\Windows Components\Windows Media Player\Networking Configure Netzwerkpufferung HKCU\Sof tware\Richtlinien\Microsoft\WindowsMediaPlayer\NetworkBuffering
417 Chapter 1: Learning the Basics Figure 1-1: The registry is a hierarchical database that contains most Windows settings. Figure 1-2: The registry allows local and remote administration. Figure 1-3: When playing around with bits, a binary 1 is the same as yes, or a binary 0 is the same as no or wrong. In other words, they are Boolean values. Figure 1-4: If you're familiar with Windows Explorer, and I bet you are, you'll easily understand the structure of the registry, which is similar to that of the file system. Figure 1-5: When one key is linked to another, as in this example, the same subkeys
Values appear in both places. Figure 1-6: Three of the registry's root keys are links to subkeys in HKU and HKLM. Figure 1-7: Each subkey in HKU contains an account's settings. Chapter 2: Using the Registry Editor Figure 2-1: Regedit is much easier to use if you maximize its window to see the full names of the subkeys and the dates of each value in their entirety. Figure 2-2: Use fewer characters and partial matches to get more matches. Use more or request full matches to get fewer hits. Figure 2-3: Bookmark your most used keys for quick return to them. Figure 2-4: The format of Regedit's printer output is the same as the format used when exporting portions of the registry to a text file. Figure 2-5: Be sure to select the file format you want to use, no matter what extension you enter in the File Name field. Figure 2-6: Enter a name that describes what the Hive file contains. Chapter 3: Saving the registry Figure 3-1: Saving values in the registry is like a built-in version tracking feature. Figure 3-2: The main backup desktop settings is a hive with a backup HKCU\Control Panel\Desktop\ that I loaded into the registry. Figure 3-3: TechSmith SnagIt is the best screen recording tool and works well with Windows XP. Figure 3-4: Before proceeding, make sure you save your documents and close any running ones. System Restore restarts your computer. Figure 3-5: System Restore backs up all Hive files so they can be restored if necessary. Managing System Restore Figure 3-6: Normal backup tapes contain all of the server's files; incremental backups contain only files that have changed since the last normal or incremental backup. Figure 3-7: The Backup or Restore Wizard is the default user interface for the backup utility. If you prefer to use the classic interface, click Advanced Mode on the first page. Figure 3-8: Restoring system state data to an alternative location is the best choice when you want to restore a limited number of files or settings. Chapter 4: Hacking the registry Figure 4-1 You can find interesting object classes by searching for ShellFolder subkeys that contain the value Attribute. Also search for LocalizedString. Figure 4-3: You can reorganize the contents of Windows by editing the registry. Figure 4-4: The default value of a file extension key indicates the associated program class. The Shell subkey of the Program class contains commands that you see on the menu. Figure 4-5: When I hover over the registration book folder, I see manuscripts for my latest registration book. Figure 4-6: Windows XP shows the programs that you use frequently. Chapter 5: Mapping Tweak UI Figure 5-1: Many of these settings are located in the Performance Options dialog box. My Computer, click Properties, and in the Performance section of the Advanced tab Properties dialog box, click Settings. Figure 5-2: Use Tweak UI to find suitable values before attempting to set mouse sensitivity values manually. Figure 5-3: Make network document folders easily accessible by adding them to the bar. Figure 5-4: You don't need to download any search add-ins for Internet Explorer
Using your favorite search engines is as simple as that. Chapter 6: Using Registry-Based Policies Figure 6-1: The Advanced and Standard View tabs are new for Windows XP. Click the Advanced tab to view help for the selected policy setting. Figure 6-2: Registry-based policies begin with administrative templates that define available settings and where they are stored in the registry. Figure 6-3: Each policy has three states, Enabled, Disabled or Not configured. Policies collect additional information. Figure 6-4: Administrative Templates, as in this example, define the interface for collecting settings that Notepad stores in the Registry.pol file. Figure 6-5: Use the PART keyword to collect additional data that further refine Figure 6-6: Note the warning that the setting will tattoo the registry. Figure 6-7: The Help and Support Center RSoP report contains the same information as Gpresult.exe, but is more readable and printable. Figure 6-8: The RSoP snap-in is the best tool for determining the policy source when multiple GPOs are applied to a computer. Chapter 7: Managing Registry Security Figure 7-1: This dialog is almost identical to the File System Security dialog. Figure 7-2: Special permissions give you finer control over a user's or group's permissions Use a key, but assigning special permissions is generally not required. Figure 7-3: Monitor keys sparingly as it can severely impact performance. Figure 7-4: You create templates with security templates and analyze and apply templates with security configuration and analysis. Figure 7-5: This dialog allows you to view and edit settings. Chapter 8: Finding Registry Settings Figure 8-1: RegView is an advanced registry editor. Figure 8-3 Word is effective at comparing large .reg files, but much slower than Figure 8-4 Registry monitoring helps you find registry settings. Figure 8-5: Regmon's window quickly fills up with uninteresting information. This regmon window seconds after launch. Chapter 9: Scripting Registry Changes Figure 9-1: The byte parameter specifies which byte of a number you want to mask to. Figure 9-2: The only two file types that create REG files are registry files and Win9x/NT4 registry files (*.reg). Figure 9-3: You create a .wsh file that contains a script file's settings by right-clicking the script, clicking Properties, and then clicking the Script tab. Chapter 10: Deploying User Profiles Figure 10-1 The ProfileList subkeys contain a wealth of information about the profiles that Windows XP has created, including their file system paths. Figure 10-2: Windows XP loads Ntuser.dat in HKU\ SID and then links HKCU Figure 10-3: The user profile folders you see in this figure are the Windows XP default folder installation. Figure 10-4: It is sufficient to enter a path in the "Profile Path" field to enable roaming profiles. Figure 10-5 These policies give you control over how Windows XP uses profiles. Figure 10-6: Copy template user profile using this dialog box; Do not copy Windows Explorer as this will copy artifacts that you do not want in the profile. Chapter 11: Map Windows Installer
Figure 11-1: Windows Installer Clean Up is a user-friendly interface for Msizap. Chapter 12: Deploying with Answer Files Figure 12-1: In addition to creating this folder structure, you must set OEMPreinstall= on your Windows XP answer file. Figure 12-2: The Windows XP Setup Manager has been greatly improved over the Windows 2000 version. Most of the changes are in the user interface, but local admin password encryption is a new feature. Chapter 13: Cloning Disks with Sysprep Figure 13-1: Using disk imaging, you deploy the contents of a sample computer to the hard disks of many other computers. It is an effective way to deploy many desktops. Figure 13-2: Earlier versions of Sysprep had no user interface, hence this look and new. Chapter 14: Microsoft Office XP User Settings Figure 14-1: The Profile Wizard allows you to exclude settings for some Office XP 420 The Migrate User Settings check includes an OPS file in your MST file. Figure 14-4: The Custom Installation Wizard's Change Office User Settings page is located in the System Policy Editor with Office XP policy templates (.adm files) loaded. Figure 14-5 You can also add programs to your installation by customizing the Office Setup.ini file. Chapter 15: Work around IT problems Figure 15-1: Prevent Windows XP from creating shortcuts to Outlook Express by hiding StubPath. Figure 15-2 Removing the StubPath value from the {2C7339CF-2B09-4501-B3F3-F3508C9228ED} subkey prevents Windows XP from configuring the new user interface. Figure 15-3: Browse the %SYSTEMROOT%\Inf folder for any files with the .inf extension that contain the name of the component you want to remove. Figure 15-4: Without a shortcut to the Transfer Files and Settings Wizard in the Start menu, the wizard will normally not attempt to run. Those who do will see an error message. Figure 15-5: Scheduled tasks are a useful way to run programs on remote computers with elevated privileges, especially in one-off scenarios. Figure 15-6: Strong security combined with code signing protects your business viruses. Appendix A: File Associations Figure A-1: The default values of file extension keys associate these keys with program classes. Figure A-2: This figure shows the relationship of the verbs of a program class to the context menu. Figure A-3: Adding additional verbs to a program class by creating new subkeys Appendix B: Customization settings Figure B-1: Associating sounds with events using the Sounds and Audio Devices dialog box. Figure B-2 Each subkey in Console is the title of a customized console window. This key is typically only visible after launching a command prompt from the Run dialog box. Figure B-3: After configuring the settings in this dialog, consider exporting to a .reg file so you can use the same settings on other computers. Figure B-4: TechSmith SnagIt stores its settings in HKCU\Software\TechSmith\SnagIt\ Figure B-5: Customizing the key SearchURL is the ultimate search shortcut
Internet. Figure B-6: Strong security combined with code signing protects your business viruses. Appendix C: Computer-specific settings Figure C-1: Normally you cannot see the contents of the SAM key, but this figure shows that you can if you give the Administrators group permission to read. 421 option. 422 Chapter 1: Learning the Basics Table 1-1: Known SIDs Table 1-2: Hexadecimal Digits Table 1-3: Root Keys Table 1-4: Value Types Table 1-5: Hive Filename Extensions Table 1-6 : Hive Files Chapter 2 : Using Registry Editor Table 2-1: Keyboard Shortcuts Table 2-2: Binary and String Symbols Table 2-3: Data Formats of REG Files Chapter 3: Backing Up the Registry Table 3-1: Merging REG Files Table 3-2: Securing the Registry with Table 3-3: Recovery Console Environment Chapter 4: Hacking the Registry Table 4-1: Special Folders Table 4-2: Special Object Classes Table 4-3: Namespace Subkeys Table 4-4 : Start Menu Settings Table 4-5 : Internet Explorer Menu Extensions Table 4-6: Values in Search URLs Table 4-7: History Lists Table 4-8: Values in Winlogon Chapter 5: Mapping Tweak UI Table 5-1: Values in General Table 5-2: Values in Focus Table 5-3: Values in Mouse Table le 5-4: Values in Hover Table 5-5: Values in Wheel Table 5-6: Values in X-Mouse Table 5-7: Values in Explorer Table 5-8: Value s in Shortcut Table 5-9: Values in colors Table 5-10: Values in thumbnails Table 5-11: Subkeys for command keys Table 5-12: Values in general dialog boxes Table 5-13: Folders for the place bar Table 5-14: Values in the taskbar Table 5-15: Values in grouping Table 5-16: Values in the XP start menu Table 5-19: Values in My Computer
Table 5-20: Values in special folders Table 5-21: Values in autoplay drive types Table 5-22: Values in autoplay handlers Table 5-23: Values in Control Panel Table 5-24: Values in templates Table 5-25: Values in Internet Explorer Table 5-26: Values in Search Table 5-27: Values in Command Prompt Table 5-27: Values in Auto Logon Chapter 6: Using Registry-Based Policies Table 6-1: Policies versus Settings Table 6 -2 : Group Policy vs. System Chapter 7: Managing Registry Security Table 7-1: Default Permissions in Registry Chapter 8: Locating Registry Settings Table 8-1: Regmon Request Types and Chapter 9: Scripting Registry Changes Table 9-1: Comparison of script methods Table 9-2: Value formats in REG files Table 9-3: Special characters in REG files Table 9-4: Formatting of keys and values Chapter 10: Deploy of user profiles Table 10-1: Location of user profiles Table 10-2: User profile folders Table 10-3: Roaming and redirection folders Table 10-4: History lists to remove Chapter 11: Mapping Windows Installer Table 11-1: Secure Windows Installer Settings Chapter 12: Deploying with Answer Files Table 12-1: Setup Manager Pages Chapter 13: Cloning Disks with Sysprep Table 13-1: Sysprep Registry Settings Table 15-1: Components in Installed Components Table 15-2: Configuring the Automatic Login Appendix A: File Associations Table A-1: Bits in EditFlags Table A-2: Special Classes in HKCR\CLSID Appendix B: Settings per User Table B-1: Bits in UserPreferencesMask Table B-2: Values for DefaultColor Table B- 3: Internet Explorer Menu Extensions Table B-4: Values in SearchURLs Table B-5: History Lists in Search Companion Table B-6: Start Menu Settings Table B-7: Special Folders Appendix C: Co Computer-Specific Settings Table C-1: Values for DefaultColor Table C-2: Values in AutoplayHandlers Table C-3: Special Folders Appendix D: Group Policies Table 19-1: Policies in Conf.adm
Table 19-2: Policies in Inetcorp.adm Table 19-3: Policies in Inetres.adm Table 19-4: Policies in Inetset.adm Table 19-5: Policies in System.adm Table 19-6: Policies in Wmplayer.adm Chapter 2: Using the Registry Editor Listing 2-1: Sample Printer Output Listing 2-2: Sample Version 5 REG Listing 2-3: Sample Version 4 REG Chapter 4: Hacking the Registry Listing 4-1: Redirect.inf Listing 4-2: Tweakui.inf Listing 4-3: Cmdhere.inf Listing 4-4: Fromhere.inf Listing 4-5: Resort.inf Listing 4-6: Magnify.htm Listing 4-7: Search.inf Chapter 6: Using the registry -based policy Listing 6-1: example.adm Listing 6-2: example.adm Listing 6-3: example.adm Listing 6-4: example.adm Listing 6-5: example.adm Listing 6-6: example. adm Listing 6-7: example.adm Listing 6-8: example.adm Listing 6-9: example.adm Listing 6-10: example.adm Listing 6-11: example.adm Listing 6-12: example.adm Listing Listing 6-13: example.adm Listing 6-14: example.adm Listing 6-15: example.adm Listing 6-16: example.adm Listing 6-17: Tweakui.adm Chapter 9: Scripting Registry Modifications Listing 9-1 : Example.inf Listing 9-2: Setup information file. Listing 9-3: Example.inf Listing 9-4: Strings.inf Listing 9-5: Example.reg Listing 9-6: Login.bat Listing 9-7: Example.js Chapter 11: Map Windows Installer Listing 11-1 : Inventory.vbs Listing 11-2: Software.vbs Listing 12-1: Unattend.txt Listing 12-2: Unattend.txt Chapter 13: Cloning Disks with Sysprep Listing 13-1: Sysprep.inf Chapter 14: Microsoft Office XP -User settings
Listing 14-1: OPW10adm.ini Chapter 15: Work around IT problems Listing 15-1: Outlook.inf Listing 15-2: Unattend.txt Listing 15-3: Sysoc.inf Listing 15-4: Tattoos.inf Listing 15- 5: Install.inf Appendix B: Customizations Listing B-1: Magnify.htm Chapter 1: Learn the basics Brief history of registry data in binary values Chapter 2: Using the registry editor Regedit got better Shareware search tools Stupid clipboard tricks Choosing between REG- and Hive Command Line Alternative Chapter 3: Registry Backup Managing Settings to Avoid Problems Msizap.exe Saves the Day on Backup with Symantec Ghost Administrator's Pak Chapter 4: Hacking the Registry File Associations in the Registry Customize Folders with Desktop . Chapter 5: Mapping Tweak UI Finding Tweak UI Settings Chapter 6: Using Registry-Based Policy Tattoos in the Registry Windows XP Group Policy Enhancements Simulating Folder Redirections Chapter 8: Finding Registry Settings All-in-One Solutions Chapter 9: Scripting Registry Changes Why Write scripts when INF files Chapter 10: Deploying User Profiles Benefits of User Profiles Improvements to User Profiles Best Practices for Roaming Users Alternatives to Default User Profiles Updating Source Lists Chapter 12: Deploying with Answer Files Customizing Default Settings Jerry's Answer File Editor Chapter 13: Cloning Disks with Sysprep Third-Party Disk Imaging Suites Chapter 14: Microsoft Office XP User Settings Precedence When to Use What Appendix A: File Associations
Special program classes
FAQs
How do I fix start problems in Windows XP? ›
- Verify the Computer Finishes Initial Power-Up (POST)
- Unplug All External Devices.
- Check for Specific Error Messages.
- Run a Computer Diagnostic.
- Boot the Computer into Safe Mode.
- Boot Last Known Good Configuration.
- Check for Recent Changes.
- Use Startup Repair to Restore Critical Windows Files.
Generally, yes, you may use software without a license.
How to install win XP from CD? ›Start your computer. Insert the Windows XP CD in your computer's CD-ROM or DVD-ROM drive. On the Welcome to Microsoft Windows XP page, click Install Windows XP. On the Welcome to Windows Setup page, click Upgrade (Recommended) in the Installation Type box (if it is not already selected), and then click Next.
Can you download Windows XP for free? ›Want a free copy of Windows XP? It's possible using a virtual machine. Windows XP is old, and Microsoft no longer provides official support for the venerable operating system. But despite the lack of support, Windows XP is still running on millions of computers worldwide.
How do I format my hard drive Windows XP without CD? ›- Step 1: Launch the Disk Management tool. At first, just click on the Start button from the taskbar and select the “Run” prompt. ...
- Step 2: Select the disk to format. ...
- Step 3: Complete the formatting operation.
Insert the Windows XP installation CD into the computer's CD drive, and then restart the computer. Perform a Repair installation of Windows XP. After the Repair installation process is complete, start Internet Explorer 6, and then make sure that it works. Install the latest service pack for Windows XP.
Why was Windows XP bad? ›The biggest problem with Windows XP was that it was Microsoft's first operating system to feature Product Activation, the licensing system that tied product keys to hardware fingerprints. Gone were the days of buying one copy of the software and installing it on multiple machines.
What was the biggest problem of Windows XP? ›Windows XP has been criticized for its vulnerabilities due to buffer overflows and its susceptibility to malware such as viruses, trojan horses, and worms.
Is Windows XP still OK? ›If you continue to use Windows XP now that support has ended, your computer will still work but it might become more vulnerable to security risks and viruses.
Is it legal to use Windows without license? ›Installing Windows without a license is not illegal. However, activating the operating system through other means without an officially purchased product key is illegal. If you plan to use Windows 10 at home but don't want to pay, it may be better to use the system without activation.
Is a Windows license free? ›
You can get Windows 10 Home (opens in new tab) or Windows 11 Home for $139 (opens in new tab). And you can get Windows 10 Pro (opens in new tab) or Windows 11 Pro for $199 (opens in new tab). You can get these either as downloads or on USB drives.
Will my XP reinstallation CD work with another computer? ›Activation (Copy Protection) Windows XP marks the first time Microsoft has ever copy-protected Windows, meaning you can't install Windows XP on more than one PC from the same CD.
Can I install Windows XP through USB? ›Step 6 - Boot from USB stick, install Windows XP
The system will recognize the USB drive and load the WinSetupFromUSB menu system. From the menu, select Windows XP/2003/2003 Setup: The Windows XP install has two phases: Text mode install (for disk preparation, copying installation files etc)
Format your computer's hard drive.
Select Format the partition using the NTFS file system and press ↵ Enter . Doing so will set up the hard drive for a Windows installation.
XP Home: $81-199 A full retail edition of Windows XP Home Edition typically costs $199, regardless of whether you buy from a mail-order reseller like Newegg or direct from Microsoft.
What is the price of Windows XP license? ›WINDOWS XP GENUINE LICENSE at Rs 12500 | Windows 10 in Bengaluru | ID: 22012817533.
Why is Windows XP not free? ›Windows XP included components like Media Center that Microsoft was required to pay a 3rd party for distribution. If they gave away XP for free they would still have to pay the other companies for the components they included.
How do you bypass you need to format the disk before you can use it? ›- Solution 1 – connect the disk to a different computer.
- Solution 2 – restart the computer and scan the device with antivirus.
- Solution 3 – change the drive letter.
- Solution 4 – disk repair utility.
- Solution 5 – reinstall the device driver.
- Method 1. Try Different USB Port or PC.
- Method 2: Scan the Drive with Antivirus Tool.
- Method 3. Using Scan and Repair.
- Method 4. Update/Reinstall Device Driver.
- Method 5. Change Drive Letter.
- Method 6. Using CHKDSK Command.
- Method 7: Recover Data and Format Disk.
- Click the Windows “Start” button, and then click “All Programs.”
- Click the “Accessories” option, and then mouse over the “System Tools” option to view the System Tools submenu.
- Click the “Scheduled Tasks” option. ...
- Click the “Chkdsk” option in the list of tasks.
What can I replace Windows XP with? ›
Although Microsoft doesn't offer a direct upgrade path, it's still possible to upgrade your PC running Windows XP or Windows Vista to Windows 10.
Can I go back to Windows XP? ›Long answer, No, you shouldn't. You could install Windows XP on your machine with the Original Installation Disks that came with your Computer (If it is that old), however, I would strongly recommend not doing so.
Why did Windows XP last so long? ›XP has stuck around so long because it was an extremely popular version of Windows -- certainly compared to its successor, Vista. And Windows 7 is similarly popular, which means it may also be with us for quite some time.
How many people still use XP? ›However, over eight years from the end of life date (September 2022), the majority of PCs in some countries (such as Armenia) still appeared to be running on Windows XP. As of September 2022, globally, just 0.39% of Windows PCs and 0.1% of all devices across all platforms continued to run Windows XP.
Why do people love Windows XP? ›Windows XP was released on October 25, 2001, and is considered one of the most loved versions of Windows due to its ease of use, fast performance, and stability.
What is higher than Windows XP? ›Over time, Microsoft released additional operating systems, such as Vista and Windows 7. While Windows 7 and XP share common user-interface features, they differ in key areas. Windows 7's taskbar, for instance, enables you to pin favorites apps there for easy access.
How old is Windows XP now? ›Windows XP launched on October 25, 2001, during a golden age at Microsoft when the company was achieving its highest revenues yet, dominated the PC market, and had taken a strong lead over Netscape in the browser wars (after the latter led the race through the 1990s).
What was the lifespan of Windows XP? ›What is end of support? After 12 years, support for Windows XP will end on April 8, 2014. There will be no more security updates or Microsoft provided technical support for the Windows XP operating system.
Why does the government still use Windows XP? ›But some agencies need Windows XP to run mission-critical applications that are incompatible with newer operating systems. Others, fearing they might miss the cutoff date for security support, want products that will function on existing systems.
Can you still use Windows XP in 2023? ›Will my XP computer still work? Yes, your computer should continue to work normally after the end of XP support. However, because XP won't receive regular security updates from Microsoft, your computer will be at a much higher risk for viruses and malware. If at all possible, we recommend upgrading to a newer computer.
Can Windows XP connect to WIFI? ›
Click the wireless network icon. Select the wireless network you want to use (e.g., My Bell Network). Click Connect.
How much RAM does Windows XP use? ›XP requires a minimum of 128MB of RAM, but realistically you should have at least 512MB. Windows 7 32 bit requires a minimum of 1GB of RAM.
Are cheap Windows legal? ›Also of note, the only time a discount Windows license is actually illegal is when it was purchased using stolen payment information or generated using crack software, both extremely rare cases. It's up to you whether you care about violating the Terms of Service.
How many times can a Windows license be used? ›You can use it as many times as you want to. However there is an important point: Do you have a retail license or an OEM license? If it's a retail license you can move it from computer to computer as many times as you want to, as long as you don't have it installed on two computers at once.
What happens if you use unlicensed Windows? ›The disadvantages of not activating Windows 10 include having limited access to some basic features and not being able to customize your display. Users of unactivated Windows 10 aren't eligible for crucial security updates, bug fixes, or patches. You also won't get to personalize your lock screen.
How long do Windows license last? ›What do I need to do? Answer: Windows 10 retail and OEM licenses (those that come preloaded on name brand machines) don't ever expire.
Is Windows 10 or 11 better? ›Windows 11 is snappier than Windows 10, but the differences are small in real-world use. The various optimizations in Windows 11 help it to run faster on weaker laptops, but you're not giving up a ton of performance with Windows 10.
Is Windows 11 still free? ›Can I upgrade for free? Upgrades to Windows 11 from Windows 10 will be free. Due to the size of the download, however, ISP fees may apply for downloads that occur over metered connections.
Will reinstalling Windows XP delete everything? ›Reinstalling Windows XP can repair the OS, but if work-related files are stored to the system partition, all of the data will be erased during the installation process. To reload Windows XP without losing files, you can perform an in-place upgrade, also known as a repair installation.
Can you reinstall Windows without CD or USB? ›- Go to "Start" > "Settings" > "Update & Security" > "Recovery".
- Under "Reset this PC option", tap "Get Started".
- Choose "Remove everything" and then choose to "Remove files and clean the drive".
- Finally, click "Reset" to begin reinstalling Windows 10.
Can I copy Windows XP from one computer to another? ›
You can make the transfer over a network connection, a direct cable connection, or via floppy disks, Zip disks, CD-Rs, or some other kind of disk. The Windows XP CD-ROM includes a version of the wizard that you can run directly from the CD on another Windows computer, even one that's not running Windows XP.
Can I load an operating system on a USB? ›Loading and running Windows 10 or Windows 11 from a USB drive is a handy option when you're using a computer saddled with an older operating system. If you're using a PC outfitted with an older version of Windows but want a more up-to-date operating system, you can run Windows 10 or 11 directly from a USB drive.
How do I unlock a USB port on Windows XP? ›- Click "Start" and select "Run."
- Type "devmgmt. ...
- Expand the computer name and expand the "Universal Serial Bus controllers."
- Right-click the USB host controller that has an "X" beside the icon and select "Enable."
You can use installation media (a USB flash drive or DVD) to install a new copy of Windows, perform a clean installation, or reinstall Windows. To create installation media, go to the software download website, where you'll find step-by-step instructions.
How do I factory reset Windows XP without CD or password? ›- Turn on the computer.
- Press and hold the F8 key.
- At the Advanced Boot Options screen, choose Safe Mode with Command Prompt.
- Press Enter.
- Log in as Administrator.
- When Command Prompt appears, type this command: rstrui.exe.
- Press Enter.
Another way to install Windows on a new SSD without a USB is to use a Windows ISO file. By using ISO, you do not need a bootable USB drive or Media Creation Tool to install Windows 11 on a computer running Windows 10. You can mount the ISO file in File Explorer and run the upgrade setup.
How do I create a recovery USB for Windows XP? ›- These instructions won't work on Windows XP! ...
- Step 1: Plug in your USB drive. ...
- Step 1: Copy the ISO image to the USB. ...
- Step 1: Go to BCD Deployment. ...
- Step 2: Select your partition from the drop-down menu. ...
- Step 3: Install BCD to USB. ...
- Step 4: Allow EasyBCD to load USB bootloader.
To install Microsoft Windows XP Professional Edition, complete the following steps: Turn on the computer and insert the Windows XP Professional Setup CD into the CD or DVD drive. When you are prompted with the message Press any key to boot from cd, press any key. Setup copies the files from the setup CD.
How do I boot directly from a CD? ›(Most computers with an optical drive already have it as the first boot item, but you should check first.) Insert the bootable DVD or CD containing the bootable image file into the optical drive. Restart your computer. You can do that from within Windows or a hard reset using the power button.
How to install Windows XP from scratch? ›- Create a backup, boot from the Windows XP CD, press Enter, accept the terms, opt to install a fresh copy, and delete the current partition.
- Create a new partition, select size and file system; after formatting, setup will copy the install files to the new partition, and XP will start installing.
How do I install operating system on new computer from CD? ›
To install Windows using a CD, you'll need to insert the setup CD into the CD drive, boot up your computer, then press a key to start the setup process when prompted. From there, continue following the on-screen prompts to finish installation.
What to do after installing Windows XP? ›- Make sure I have Windows SP2 installed before configuring my internet connection. ...
- Install drivers for network card/motherboard. ...
- Setup internet connection. ...
- Uninstall useless programs that come with Windows XP. ...
- Install Antivirus. ...
- Install Everyday Software. ...
- Configure your Browser.
ini is a Microsoft initialization file found on the Microsoft Windows NT, Microsoft Windows 2000, and Microsoft Windows XP operating systems. This file is always on the root directory of the primary hard drive.
How can I boot my computer without CD or USB? ›There are a few programs out there that can help you do this by creating a “virtual drive” from which you can mount an “ISO image”. An ISO image is an archive file that contains the same information found on an optical disc, such as a Windows installation CD. One free program you could use is Virtual CloneDrive.
Can I boot from a USB CD drive? ›While the computer isn't powered on yet, press and hold the [Esc] key of the keyboard, and then press the [Power button] (Do not release [Esc] key until the BIOS configuration display.). Select USB flash drive/CD-ROM that you want to use, then press Enter key to boot the system from USB flash drive/CD-ROM.
What is USB CD boot option? ›The Boot Menu is the Windows' menu that lets you select the device you want to boot from: HDD, USB, CD-ROM etc. If the Boot Menu isn't available, you can force your computer to boot from an external and removable media (such as a USB flash drive, CD or DVD) by configuring your BIOS/UEFI settings.
Can Windows XP still be activated? ›Support for Windows XP already ended, and most likely activation and other updates are no longer available, and we advise you consider using supported version of Windows instead. Take a look at Windows XP support has ended (microsoft.com). Was this reply helpful?
Can Windows XP still be used? ›Will my XP computer still work? Yes, your computer should continue to work normally after the end of XP support. However, because XP won't receive regular security updates from Microsoft, your computer will be at a much higher risk for viruses and malware. If at all possible, we recommend upgrading to a newer computer.
What is in BIOS? ›BIOS (basic input/output system) is the program a computer's microprocessor uses to start the computer system after it is powered on. It also manages data flow between the computer's operating system (OS) and attached devices, such as the hard disk, video adapter, keyboard, mouse and printer.
What are the two types of OS installation? ›- Guided Install: Install an operating system and device drivers in an unattended mode.
- Manual Install: Install an operating system and device drivers manually.
How to enter BIOS? ›
- ASRock: F2 or DEL.
- ASUS: F2 for all PCs, F2 or DEL for Motherboards.
- Acer: F2 or DEL.
- Dell: F2 or F12.
- ECS: DEL.
- Gigabyte / Aorus: F2 or DEL.
- HP: F10.
- Lenovo (Consumer Laptops): F2 or Fn + F2.