Posts tagged ‘Group Policy Preferences’

How to use Group Policy to allow the users to choose any screensaver except (None)

During Kevin Sullivan’s Group Policy session at TechEd 2010 in the USA this year he mentioned an example of being able to configure Group Policy to allow users to select whatever screensaver they want except the one called “(None)” (see image below). While this method does not prevent users from selecting (None) from the screensaver options list, it will set it back to a screensaver of your choice when the user selects the (None) option.

image

The logic to implement this policy is to test whether the SCRNSAVE.EXE registry value exists and, if it doesn’t, to create it with the screensaver that you want to enable.

Note: You can also use this tutorial as a guide for applying other Group Policy Preferences settings based on whether a registry key exists or not. A good example of where you might want to do this is to test whether a specific application registry key exists before you apply an application-specific registry setting. This helps you keep a cleaner configured SOE by not unnecessarily applying configuration settings.

How to use Group Policy to allow the users to choose any screensaver except (None)

 

Step 1. Edit a Group Policy Object (GPO) that is targeted to the user accounts you want to apply this policy to.

Step 2. Navigate to User Configuration > Preferences > Windows Settings > Registry then from the menu click on Action > New > Registry Item

image

Step 3. Select “Update” from the Action then type “Control Panel\Desktop” in the Key Path: text field then type “SCRNSAVE.EXE”  in the Value Name text field and “C:\Windows\System32\scrnsave.scr” in the Value data: text field.

image

Step 4. Click on the Common tab and then tick “Item-level targeting” and then click the “Targeting…” button.

image

Now we will target the screen saver to apply only when the “HKCU\Control Panel\Desktop\SCRNSAVE.EXE” registry value does NOT exist, as this means the screen saver has been configured to “(None)”.

Step 5. Click on “New Item” then the “Registry Match” option.

image

Step 6. Select the “Value exists” Match type, then type “Control Panel\Desktop” in the key path field and “SCRNSAVE.EXE” in the value name field.

image

Step 7. Click back on the targeting setting in the top pane and press “F8” which changes the option to “does not exist” then click OK and OK.

image

This policy will now apply the blank screen saver on the next Group Policy refresh to all targeted users whenever they select the “(None)” option.

image

Below is a table that shows the screensaver set to “(None)” (Before column) and then, after a policy refresh, the screensaver configured as “Blank” (After column). The user has then selected the “Photos” screensaver (Custom column) and the policy is refreshed again; however, this time there is no change, as the screensaver is configured with a value so it is not set back to “Blank”.

Before After Custom
image image image
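
To check on a test workstation what the targeting item will decide before the next policy refresh, the PowerShell below evaluates the same "value exists / does not exist" condition locally. It is an added example, not part of the original post; Test-RegistryMatch and the ExampleVendor key are hypothetical names, and the function also covers the "key exists" case mentioned in the note above.

```powershell
# Added example, not from the original post. Test-RegistryMatch is a hypothetical helper.
function Test-RegistryMatch {
    param(
        [Parameter(Mandatory = $true)] [string] $Key,   # PowerShell registry path
        [string] $ValueName,                            # omit to test "Key exists"
        [switch] $Not                                   # same inversion as pressing F8
    )
    $exists = Test-Path -LiteralPath $Key
    if ($exists -and $ValueName) {
        # -contains compares case-insensitively, as the registry does for value names.
        $exists = @((Get-Item -LiteralPath $Key).GetValueNames()) -contains $ValueName
    }
    if ($Not) { return (-not $exists) }
    return $exists
}

$desktop = 'HKCU:\Control Panel\Desktop'
if (Test-RegistryMatch -Key $desktop -ValueName 'SCRNSAVE.EXE' -Not) {
    # Targeting matches: the user picked (None), so the Update item will fire.
    'SCRNSAVE.EXE is missing; next refresh sets C:\Windows\System32\scrnsave.scr'
}
else {
    $current = (Get-ItemProperty -LiteralPath $desktop).'SCRNSAVE.EXE'
    "SCRNSAVE.EXE = $current; targeting does not match and the user's choice is kept"
}

# The application case from the note above, with a made-up key name:
Test-RegistryMatch -Key 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
```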

How to mitigate Windows Help Security Issue KB2219475 with Group Policy

A Google engineer recently irresponsibly disclosed to the public, after warning Microsoft only 5 days earlier, a vulnerability that allows a malicious third party to take advantage of a security issue with the Help and Support Center in Windows XP/2003. As a result this has left many users (and organisations) open to attack using this exploit. Thankfully Microsoft has responded quickly and published a security advisory (http://www.microsoft.com/technet/security/advisory/2219475.mspx) about this issue with workaround instructions while it works on a security fix.

Update: This security vulnerability is now being actively used by hackers.

For your benefit I have written instructions below showing you how you can mitigate this security issue using Group Policy Preferences. As this workaround involves deleting a registry key (and sub-keys), I have also put in instructions on how to back up and restore this key after you have deployed the fix for this issue in your organisation.

How to backup the affected registry

In these steps you will create a backup file of the registry key, for later use to restore the functionality of the Help and Support Center after you deploy the related hotfix. Normally you can back up the registry using the Registry Wizard in Group Policy Preferences; however, this is a Windows XP specific key and you cannot import an HKEY_CLASSES_ROOT key remotely via Group Policy Management Console, so we need to export (a.k.a. back up) the registry key via the traditional Regedit method.

Step 1. Go to a Windows XP computer that you want to use for a template to backup the registry.

Step 2. Run Regedit and navigate to the HKEY_CLASSES_ROOT\HCP key then click on File and then Export

image

Step 4. Save the registry key as a file (example HCP_Backup.reg)

image

Note: Keep this file safe as you will need it to restore the HCP key once you have deployed the hotfix.

How to delete the HCP registry key

These instructions will show you how to delete the HKEY_CLASSES_ROOT\HCP key, which is the suggested workaround for this security issue.

Step 1. Create a new Group Policy Object that is targeted to the computer objects you want to apply this workaround to.

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry and then from the menu click on Action > New > Registry Item

image

Step 3. Select Delete from the Action drop-down menu, then HKEY_CLASSES_ROOT from the Hive: menu, and type HCP in the Key Path: field.

image

Step 4 (Optional): Then click on the Common Tab and tick Apply once and do not reapply.

image

Note: Doing this will allow you to restore the functionality for selected users if required by simply running the previously

The HCP functionality will now be broken when you click on any HCP:// link. While this is not an often used feature of Windows XP, I have seen some organisations that use a link to jump straight to the “Offer Remote Assistance” feature.

How to restore the HCP registry key

Once Microsoft releases a security hotfix for this issue you may want to restore the registry key we deleted above. Unfortunately (as I mentioned before) we are not able to easily import the registry key using the “Registry Wizard” option of Group Policy Preferences, as you can only import HKEY_CLASSES_ROOT keys locally on a PC. Therefore we will need to use a startup script (OH NO!!!) to import the original HCP keys.

Step 1. Edit the same GPO that you previously used to delete the HCP key.

Step 2. Navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) and double click on Startup in the right hand pane.

image

Step 3. Click on Show files…

image

Step 4. Paste a copy of the HCP_Backup.reg file we created in the backup steps then close the folder.

image

Step 5. Back on the Startup Properties window click on the Add… button.

Step 6. Type regedit.exe in the Script Name: field and /s HCP_Backup.reg in the Script Parameters: field then click OK

image

This will now import the backup registry key the next time the computer reboots.

image

Step 7 (CLEAN UP). Finally, navigate to Computer Configuration > Preferences > Windows Settings > Registry in the Group Policy Management Editor and either disable or delete the HCP Delete key preference item previously created.
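
Computer startup scripts run as Local System and regedit.exe /s imports silently, so it is worth confirming that HCP_Backup.reg contains nothing except keys under HKEY_CLASSES_ROOT\HCP before pasting it into the GPO. The PowerShell below is an added example, not part of the original post; Test-HcpBackupFile is a hypothetical helper name and the sample file it writes is constructed for the demonstration.

```powershell
# Added example, not from the original post. Test-HcpBackupFile is a hypothetical helper.
function Test-HcpBackupFile {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [string] $AllowedRoot = 'HKEY_CLASSES_ROOT\HCP'
    )
    $lines    = @(Get-Content -LiteralPath $Path)   # regedit exports UTF-16 with a BOM
    $problems = @()
    $keyCount = 0
    $headers  = @('Windows Registry Editor Version 5.00', 'REGEDIT4')
    if ($lines.Count -eq 0 -or $headers -notcontains $lines[0].Trim()) {
        $problems += 'line 1: missing or unexpected .reg header'
    }
    for ($i = 1; $i -lt $lines.Count; $i++) {
        $line = $lines[$i]
        if ($line -match '^\[(-?)(.+)\]\s*$') {      # key header; a "-" prefix deletes the key
            $keyCount++
            $key = $Matches[2]
            if ($Matches[1] -eq '-') { $problems += "line $($i + 1): deletes key $key" }
            $inRoot = ($key -ieq $AllowedRoot) -or
                $key.StartsWith(($AllowedRoot + '\'), [StringComparison]::OrdinalIgnoreCase)
            if (-not $inRoot) { $problems += "line $($i + 1): key outside ${AllowedRoot}: $key" }
        }
        elseif ($line -match '^(@|".*")=-\s*$') {     # "name"=- deletes a value
            $problems += "line $($i + 1): deletes a value"
        }
    }
    if ($keyCount -eq 0) { $problems += 'no registry keys found' }
    New-Object PSObject -Property @{
        Safe = ($problems.Count -eq 0); KeyCount = $keyCount; Problems = $problems
    }
}

# Constructed sample file: one expected key and one key that does not belong in this backup.
$sample = Join-Path $env:TEMP 'HCP_Backup_sample.reg'
@'
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\HCP]
@="constructed sample value"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleConstructed]
"Name"="value"
'@ | Set-Content -LiteralPath $sample -Encoding Unicode

Test-HcpBackupFile -Path $sample | Format-List Safe, KeyCount, Problems
```

Run it against the real export with -Path pointing at HCP_Backup.reg; only a result with Safe set to True should go into the startup scripts folder.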

Hope it helps…