When you integrate registry hacks you face a problem: how to integrate per-user (HKCU) registry hacks and global (HKLM) registry hacks. The popular way to integrate registry hacks is through cmdlines.txt or GuiRunOnce.
This way works fine, but it has a number of weaknesses. For one, anyone at the computer while the registry hacks run could restart the computer, causing the registry hacks not to be processed. For another, the registry hacks might not be synced with the repaired registry. So if someone repairs their registry, the registry hacks might be gone. It also doesn't look professional, in my opinion, to run all the registry hacks through a batch file. What I am after is a truly integrated way to integrate per-user and global registry tweaks.
A while back I started on a win2k CD, and I decided to try a new method of deploying registry hacks. The method worked, but I gave up on it for reasons I'll mention later. I thought I would share my method in case anyone is interested.
To deploy my per-user registry hacks, I decided to use hivedef.inf. To deploy the global registry hacks, I decided to use a security template. The reason I was interested in security templates is that you can use secpol.msc to make one. So I could use secpol.msc to make several different templates: a template for win2k, a template for XP, and a template for Server 2003. It sounded good to me.
To read about my win2k hivedef.inf, go here.
First, look at this article. It describes how to make secpol.msc see new changes.
Below is my Sceregvl.inf for win2k (it might work for other OSes):
; © Microsoft Corporation 1997-2000
;
; Security Configuration Template for Security Configuration Editor
;
; Template Name: SCERegVl.INF
; Template Version: 05.00.DR.0000
;
; Revision History
; 0000 - Original
[version]
signature="$CHICAGO$"
DriverVer=06/19/2003,5.00.2195.6717
[Register Registry Values]
;
; First field: Full Path to Registry Value
; Second field: value type
; ; REG_SZ ( 1 )
; ; REG_EXPAND_SZ ( 2 ) \\ with environment variables to expand
; ; REG_BINARY ( 3 )
; ; REG_DWORD ( 4 )
; ; REG_MULTI_SZ ( 7 )
; third field: Display Name (localizable string),
; fourth field: Display type 0 - boolean, 1 - number, 2 - string, 3 - choices
;start new
MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot,4,%AutoRestart%,0
MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\DEVMGR_SHOW_DETAILS,1,%DevDetails%,3,0|%Dev0%,1|%Dev1%
MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\DEVMGR_SHOW_NONPRESENT_DEVICES,1,%DevNonPresent%,3,0|%Dev0%,1|%Dev1%
MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DoReport,4,%ErrorReport%,0
MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ShowUI,4,%ShowError%,0
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoSharedDocuments,4,%Shareddocs%,0
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Tour\RunCount,4,%Tour%,0
MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventAutoRun,4,%Preautorun%,0
MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventRun,4,%Prerun%,0
; Outlook Express hides Messenger when this DWORD is 2; in a choice list the number before "|" is the value that gets stored, so it must be 2 here
MACHINE\SOFTWARE\Microsoft\Outlook Express\Hide Messenger,4,%HideMessenger%,3,2|%Mess0%
MACHINE\SOFTWARE\Microsoft\Outlook Express\BlockExeAttachment,4,%BlockExe%,0
MACHINE\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer\DisableAutoUpdate,4,%WMPUpdates%,0
MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections,4,%RDP%,0
MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp,4,%RA%,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoChooseProgramsPage,4,%NoChoose%,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NoSMConfigurePrograms,4,%NoStart%,0
;end new
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects,4,%AuditBaseObjects%,0
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail,4,%CrashOnAuditFail%,0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing,3,%FullPrivilegeAuditing%,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel,4,%LmCompatibilityLevel%,3,0|%LMCLevel0%,1|%LMCLevel1%,2|%LMCLevel2%,3|%LMCLevel3%,4|%LMCLevel4%,5|%LMCLevel5%
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous,4,%RestrictAnonymous%,3,0|%RA0%,1|%RA1%,2|%RA2%
MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl,4,%SubmitControl%,0
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers,4,%AddPrintDrivers%,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown,4,%ClearPageFileAtShutdown%, 0
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode,4,%ProtectionMode%,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature,4,%EnableSMBSignServer%,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature,4,%RequireSMBSignServer%,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff,4,%EnableForcedLogoff%,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect,4,%AutoDisconnect%,1,%Unit-Minutes%
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature,4,%EnableSMBSignRDR%,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature,4,%RequireSMBSignRDR%,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword,4,%EnablePlainTextPassword%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange,4,%DisablePWChange%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel,4,%SignSecureChannel%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel,4,%SealSecureChannel%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal,4,%SignOrSeal%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey,4,%StrongKey%,0
MACHINE\Software\Microsoft\Driver Signing\Policy,3,%DriverSigning%,3,0|%DriverSigning0%,1|%DriverSigning1%,2|%DriverSigning2%
MACHINE\Software\Microsoft\Non-Driver Signing\Policy,3,%NDriverSigning%,3,0|%DriverSigning0%,1|%DriverSigning1%,2|%DriverSigning2%
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD,4,%DisableCAD%,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName,4,%DontDisplayLastUserName%,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption,1,%LegalNoticeCaption%,2
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText,1,%LegalNoticeText%,2
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon,4,%ShutdownWithoutLogon%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel,4,%RCAdmin%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand,4,%RCSet%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms,1,%AllocateCDRoms%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD,1,%AllocateDASD%,3,0|%AllocateDASD0%,1|%AllocateDASD1%,2|%AllocateDASD2%
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies,1,%AllocateFloppies%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount,1,%CachedLogonsCount%,1,%Unit-Logons%
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning,4,%PasswordExpiryWarning%,1,%Unit-Days%
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption,1,%ScRemove%,3,0|%ScRemove0%,1|%ScRemove1%,2|%ScRemove2%
; delete these values from current system - Rdr in case NT4 w SCE
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CmdConsSecurityLevel
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\AddPrintDrivers
MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\EnableSecuritySignature
MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\RequireSecuritySignature
MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\EnablePlainTextPassword
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnableSecuritySignature
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\RequireSecuritySignature
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnablePlainTextPassword
MACHINE\Software\Microsoft\Windows\CurrentVersion\NetCache\EncryptEntireCache
[Strings]
;start new
AutoRestart = "New - Automatically restart when a bugcheck happens"
DevDetails = "New - Show device manager details"
DevNonPresent = "New - Show device manager non present devices"
; DEVMGR_SHOW_DETAILS and DEVMGR_SHOW_NONPRESENT_DEVICES are enabled by the value 1 and disabled by 0, so the labels must map that way
Dev0 = "False"
Dev1 = "True"
ErrorReport = "New - Use error reporting"
ShowError = "New - Use error notification"
Shareddocs = "New - Do not show Shared Documents folder in My Computer"
Tour = "New - Show Tour after setup"
Preautorun = "New - Messenger - Do not automatically start Messenger"
Prerun = "New - Messenger - Do not allow Messenger to run"
HideMessenger = "New - Messenger - Remove Windows Messenger from Outlook Express"
Mess0 = "2"
BlockExe = "New - OE - Block Executable Attachments in Outlook Express"
WMPUpdates = "New - WMP - Disable Auto Upgrade with Windows Media Player"
RDP = "New - Disable remote desktop"
RA = "New - Enable remote assistance"
NoChoose = "New - Hide Set Program Access and Defaults in Add/Remove Programs"
NoStart = "New - Hide Set Program Access and Defaults in Start menu"
;end new
SubmitControl = Allow server operators to schedule tasks (domain controllers only)
ShutdownWithoutLogon = Allow system to be shut down without having to log on
AllocateDASD = Allowed to eject removable NTFS media
AllocateDASD0 = Administrators
AllocateDASD1 = Administrators and Power Users
AllocateDASD2 = Administrators and Interactive Users
AuditBaseObjects = Audit the access of global system objects
FullPrivilegeAuditing = Audit use of Backup and Restore privilege
EnableForcedLogoff = Automatically log off users when logon time expires (local)
AutoDisconnect = Amount of idle time required before disconnecting session
ClearPageFileAtShutdown = Clear virtual memory pagefile when system shuts down
RequireSMBSignRdr = Digitally sign client communication (always)
EnableSMBSignRdr = Digitally sign client communication (when possible)
RequireSMBSignServer = Digitally sign server communication (always)
EnableSMBSignServer = Digitally sign server communication (when possible)
DisableCAD = Disable CTRL+ALT+DEL requirement for logon
RestrictAnonymous = Additional restrictions for anonymous connections
RA0 = None. Rely on default permissions
RA1 = Do not allow enumeration of SAM accounts and shares
RA2 = No access without explicit anonymous permissions
DontDisplayLastUserName = Do not display last user name in logon screen
LmCompatibilityLevel = LAN Manager Authentication Level
LMCLevel0 = Send LM & NTLM responses
LMCLevel1 = Send LM & NTLM - use NTLMv2 session security if negotiated
LMCLevel2 = Send NTLM response only
LMCLevel3 = Send NTLMv2 response only
LMCLevel4 = Send NTLMv2 response only\refuse LM
LMCLevel5 = Send NTLMv2 response only\refuse LM & NTLM
LegalNoticeText = Message text for users attempting to log on
LegalNoticeCaption = Message title for users attempting to log on
CachedLogonsCount = Number of previous logons to cache (in case domain controller is not available)
AddPrintDrivers = Prevent users from installing printer drivers
DisablePWChange = Prevent system maintenance of computer account password
PasswordExpiryWarning = Prompt user to change password before expiration
RCAdmin = Recovery Console: Allow automatic administrative logon
RCSet = Recovery Console: Allow floppy copy and access to all drives and all folders
AllocateCDRoms = Restrict CD-ROM access to locally logged-on user only
AllocateFloppies = Restrict floppy access to locally logged-on user only
ProtectionMode = Strengthen default permissions of global system objects (e.g. Symbolic Links)
SignOrSeal = Secure channel: Digitally encrypt or sign secure channel data (always)
SealSecureChannel = Secure channel: Digitally encrypt secure channel data (when possible)
SignSecureChannel = Secure channel: Digitally sign secure channel data (when possible)
StrongKey = Secure channel: Require strong (Windows 2000 or later) session key
CrashOnAuditFail = Shut down system immediately if unable to log security audits
EnablePlainTextPassword = Send unencrypted password to connect to third-party SMB servers
ScRemove = Smart card removal behavior
ScRemove0 = No Action
ScRemove1 = Lock Workstation
ScRemove2 = Force Logoff
DriverSigning = Unsigned driver installation behavior
NDriverSigning = Unsigned non-driver installation behavior
DriverSigning0 = Silently succeed
DriverSigning1 = Warn but allow installation
DriverSigning2 = Do not allow installation
Unit-Logons = logons
Unit-Days = days
Unit-Minutes = minutes
Just put that file into your inf folder. Or delete SCERegVl.IN_ from your local source and copy SCERegVl.INF in its place. Now when you install win2k, secpol.msc will show my new settings.
Once you use secpol.msc with my SCERegVl.INF to make a new security template, the next step is to integrate this template with your local source. Through trial and error, I found a way to slipstream it.
Here are the security templates win2k and higher use:
Defltwk.inf: Windows 2000 Professional
Defltsv.inf: Windows 2000 Server/Advanced Server non-domain controller
Defltdc.inf: Windows 2000 Server/Advanced Server domain controller
Dwup.inf: Windows 2000 Professional upgrades
Dsup.inf: Windows 2000 Server upgrades
So if you're going to install win2k Pro, edit defltwk.inf and add your custom changes to it. Then delete defltwk.in_ and put yours in the local source.
For example, after using secpol.msc I saved a template. I copied what was in the template and pasted the values under [Registry Values]. I added these:
MACHINE\Software\Microsoft\Driver Signing\Policy=3,0
MACHINE\SOFTWARE\Microsoft\Outlook Express\BlockExeAttachment=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,1
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Tour\RunCount=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NoSMConfigurePrograms=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoChooseProgramsPage=4,1
MACHINE\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer\DisableAutoUpdate=4,1
MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\DEVMGR_SHOW_DETAILS=1,"0"
MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\DEVMGR_SHOW_NONPRESENT_DEVICES=1,"0"
MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot=4,1
Now when I install win2k, it'll use these custom values. The only limitation of security templates is that they only use HKLM and not HKCU values, which is why I modified hivedef.inf.
So you're probably wondering why I gave up on using security templates. I gave up because of these problems:
1 - Security templates are cumulative. That means a value in another security template might overwrite a value in my security template. One example I found was DisableCAD. No matter what I put in my security template, DisableCAD was always enabled, not disabled. I really didn't feel like looking through security templates to find where DisableCAD was being enabled.
2 - Every time a service pack is released, you'll have to manually edit the defltwk.inf file. This takes up time.
3 - Since most of the work is done by hand, there's a good chance of error.
So for these reasons I gave up on this method, but someone might find it useful. I'm sorry if my directions are less than clear, but security templates are very hard to use.
A security template is good for other things too. You can use a security template to disable services, and you can use it to set permissions on registry keys. I saw someone make a batch file that disabled services; a security template would be easier.
-gosh
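As an added example (not part of gosh's post and not any Microsoft tool), here is a Python checker for the two hand-edited files the post describes. The Sceregvl.inf fragment and the two templates embedded in it are constructed samples, and the file names custom.inf and later.inf are made up. It flags [Register Registry Values] lines whose %string% token has no [Strings] entry, whose type or display type is invalid, or whose choice list is not in value|label form, and it replays a list of templates in apply order to show which one ends up owning each value, which is the cumulative-override problem the post ran into with DisableCAD. Values that a template sets but Sceregvl.inf never registers are listed as well, since secpol.msc cannot display them.

```python
"""Added example, not from gosh's post: a checker for the two INF files the post
hand-edits.  It parses a cut-down Sceregvl.inf and two security templates (constructed
samples, not real Windows files) and reports (1) registration lines with unresolved
%tokens%, bad types or malformed value|label choices and (2) which template wins each
[Registry Values] entry when templates are applied in order (the DisableCAD problem)."""
import re

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# Constructed samples.  %RDP% is deliberately left out of [Strings] to show a miss.
SAMPLE_SCEREGVL = r"""
[Register Registry Values]
MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot,4,%AutoRestart%,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD,4,%DisableCAD%,0
MACHINE\SOFTWARE\Microsoft\Outlook Express\Hide Messenger,4,%HideMessenger%,3,0|%Mess0%,2|%Mess2%
MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections,4,%RDP%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD
[Strings]
AUtoRestart = "New - Automatically restart when a bugcheck happens"
DisableCAD = Disable CTRL+ALT+DEL requirement for logon
HideMessenger = "New - Messenger - Remove Windows Messenger from Outlook Express"
Mess0 = "Show Messenger"
Mess2 = "Hide Messenger"
"""
TEMPLATE_CUSTOM = r"""
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot=4,1
MACHINE\SOFTWARE\Microsoft\Outlook Express\BlockExeAttachment=4,1
"""
TEMPLATE_LATER = r"""
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
"""

def parse_inf(text):
    """Lower-cased section name -> its non-blank lines; ';' comment lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def parse_strings(lines):
    """[Strings] entries; keys lower-cased because %token% lookup ignores case."""
    pairs = (line.partition("=") for line in lines)
    return {k.strip().lower(): v.strip().strip('"') for k, _, v in pairs}

def expand(field, strings):
    """Replace every %token%; a token with no [Strings] entry raises KeyError."""
    return re.sub(r"%([^%]+)%", lambda m: strings[m.group(1).lower()], field)

def check_sceregvl(text):
    """Return ({lower path: (reg type, label, {choice value: label}) or None}, [problems]).
    A bare path with no type is a delete-this-value entry and is stored as None."""
    sec = parse_inf(text)
    strings = parse_strings(sec.get("strings", []))
    registered, problems = {}, []
    for line in sec.get("register registry values", []):
        fields = line.split(",")
        path = fields[0].strip()
        if len(fields) == 1:
            registered[path.lower()] = None
            continue
        try:
            rtype, dtype = int(fields[1]), int(fields[3])
            if rtype not in REG_TYPES or dtype not in (0, 1, 2, 3):
                raise ValueError(f"bad type {rtype}/{dtype}")
            choices = {}
            if dtype == 3:                       # each choice is "storedvalue|%label%"
                for c in fields[4:]:
                    val, label = c.split("|")    # ValueError if not exactly value|label
                    choices[val.strip()] = expand(label, strings)
            registered[path.lower()] = (REG_TYPES[rtype], expand(fields[2], strings), choices)
        except (KeyError, ValueError, IndexError) as e:
            problems.append(f"{path}: {e!r}")
    return registered, problems

def apply_templates(templates):
    """templates: [(name, inf text)] in apply order.  Later templates overwrite earlier
    ones, so the returned {path: (type, data, winner)} shows which file owns each value."""
    state = {}
    for name, text in templates:
        for line in parse_inf(text).get("registry values", []):
            path, _, rest = line.partition("=")
            rtype, _, data = rest.partition(",")
            state[path.strip().lower()] = (REG_TYPES[int(rtype)], data.strip().strip('"'), name)
    return state

def unregistered_values(registered, state):
    """Paths a template sets that Sceregvl.inf does not register for display."""
    return {p for p in state if registered.get(p) is None}

if __name__ == "__main__":
    reg, problems = check_sceregvl(SAMPLE_SCEREGVL)
    state = apply_templates([("custom.inf", TEMPLATE_CUSTOM), ("later.inf", TEMPLATE_LATER)])
    print(problems, state, unregistered_values(reg, state), sep="\n")
```

Feed it the real Sceregvl.inf and then defltwk.inf followed by whatever templates secedit applies after it, in that order, and the winner recorded for each path tells you which file is setting a stubborn value like DisableCAD without reading every template by hand.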


