Circumventing Group Policy as a Limited User

Remember when I blogged how "10 registry settings will NOT Harden your WIndows XP box"? If you recall, one of the points I made was that it was very easy to get around things like "RestrictRun" and Software Restriction Policies (SRP) if you can execute any arbitrary code. I went further to say that because no effort goes into checking the validity or path of the executable, it was easy to bypass.

Mark Russinovich has an EXCELLENT post that takes this further. In his technique he uses DLL injection techniques described by Jeff Richter in Programming Applications for Microsoft Windows (Microsoft Press) to load a DLL into all the processes on the system to which the user running it has access. In this way, its possible to bypass the security checks that take place with SRP without even caring about the path. He basically hooks the registry and returns a failure when trying to access the said keys. Brilliant technique. And Mark even wrote a simple application called Gpdisable that shows this in action.

Everyone should take some time to read his entry and see his step by step account of how this works, including screenshots showing how Mark uses his own Regmon and Process Explorer tools to diagnose this.

Great job Mark.