Subject: "How to Delete a Software Restriction Policy (SRP)?"
therube, Sat May-01-10 01:40 PM

How to Delete a Software Restriction Policy (SRP)?


So I've been aware of SRP for some time now. Never really investigated it. Always thought, big deal, who needs it.

So yesterday ... I decide.

So I did it.

Opened Group Policy Object Editor (gpedit.msc).
Drilled down to Computer Configuration | Windows Settings | Security Settings.
As there was no policy existing, Windows said so, saying that I needed to create a new one.
Action | Create New Policies.
Done. That was easy!

Having never messed with it before, I take a look at the interface, thinking, hmmm, pretty basic. Not a lot of options, not very extensible (for me), & doesn't look like it will fit in with the way I do things.

SRP is a good thing. Everyone extols its virtues. Just don't feel it is good for me.

So I go looking a bit further into its settings (of which there are only a few primary ones). Everyone says, oh, set this this way & that that way & you'll be protected to the most-est.

Then I get to a MS article on it. And it says for DLL Checking ...

Quote:

A program, such as Internet Explorer consists of an executable file, iexplore.exe, and many supporting dynamic link libraries (DLL). By default, software restriction policy rules are not enforced against DLLs. This is the recommended option for most customers for three reasons.

* Disallowing the main executable file prevents the program from running, so there is no need to disallow all of the constituent dynamic link libraries.
* DLL checking results in performance degradation. If a user runs 10 programs during a logon session, the software restriction policy is evaluated 10 times. If DLL checking is turned on, the software restriction policy is evaluated for each DLL load within each program. If each program uses 20 DLLs, this results in 10 executable program checks plus 200 DLL checks, so the software restriction policy is evaluated 210 times.
* If the default security level is set to Disallowed, then not only does the main executable file have to be identified to allow it to run, but all of its constituent DLLs also must be identified, which can be burdensome.

DLL checking is provided as an option for environments that want the highest assurance possible when running programs. While viruses primarily target executables for infection, some target DLLs. To ensure that a program has not been infected by a virus, you can use a set of hash rules that identify the executable and all of its required DLLs.


Everyone extols the virtues of setting full EXE & DLL restrictions, but no one mentions the downside of doing that (the DLL checks too). Now what it might mean in the real world (the DLL checks), I don't know, but it seems silly to me to do that.

And the more I read about it, the more I think, won't mesh well with me, don't need it, don't want it.



And now I do not want it.


Now how do I remove it?
Oh you think, right-click, delete, or something like that? Heh.
Safe Mode? Heh.
Someone mentioned needing to do it from a "server" OS, like Windows 2000 Server? Huh!

From what I can tell, there is no (straightforward, easy) way to remove a Policy (in XP) once it has been set up. (Don't forget how easy it was to set up in the first place. Action | Create New Policies. Done!)

(Is it any wonder things like Limited User accounts & SRP are not used.)


Any idea how to remove this (virus) I added to my machine?


XP Pro SP3.
(SRP is not available on XP Home or the lower end Vista/7 versions.)


Using Software Restriction Policies to Protect Against Unauthorized Software
http://technet.microsoft.com/en-us/library/bb457006.aspx

--------------------------------------
BANK OF AMERICA.COM ONLINE BANKING SUCKS IN THE HUGEST WAY IMAGINABLE

Newegg.com's new image gallery layout sucks in the hugest way imaginable too !
And now they're using JavaScript to "turn" pages to boot ! SUCKS

  

uffbros, Sat May-01-10 02:10 PM
#1. "RE: How to Delete a Software Restriction Policy (SRP)?"
In response to therube (Reply # 0)

Rube...Surely you use Acronis or Macrium..Right? How bout system restore?


Dell Studio 540, Windows 7 Ultimate, Intel Core 2 Quad Processor Q8200 (2.33GHz, 1333MHz FSB), w/ 4MBcache, 4GB DDR2 SDRAM 800MHZ- 4X1GB DIMM, ATI Radeon HD 3650 256MB supporting HDMI

  

therube, Sat May-01-10 02:16 PM
#2. "RE: How to Delete a Software Restriction Policy (SRP)?"
In response to uffbros (Reply # 1)

No & no.

Oy.
Now you mean I have to investigate System Restore to see what that does! (I've actually never used it. Have no faith in it.) In this case, don't think it would work or that answer would be commonly found on the net.

And given that Software Restriction Policy (SRP) & System Restore Point (SRP) ... SRP & SRP, fat chance in, well you know where.

I'll give it a shot ...


  

therube, Sat May-01-10 03:47 PM
#4. "RE: How to Delete a Software Restriction Policy (SRP)?"
In response to uffbros (Reply # 1)
Sat May-01-10 03:50 PM by therube

The results speak for themselves.




Impressed.
System Restore worked (back to April 29) & it did reverse the SRP.

Thanks.
Double thanks, as it actually gave me a reason (for the first time in how many years now) to actually use System Restore.

(Would have been nice had System Restore been able to give some indication as to what happened between the 29th & today, but maybe ignorance is bliss.)


Attachment #1, (png file)

  

therube, Sat May-01-10 03:49 PM
#5. "RE: How to Delete a Software Restriction Policy (SRP)?"
In response to therube (Reply # 4)

Quote:
don't think it would work or that answer would be commonly found on the net

Perhaps more of the net needs to come to PCQandA!


  

CompPete, Sat May-01-10 04:13 PM
#6. "RE: How to Delete a Software Restriction Policy (SRP)?"
In response to therube (Reply # 5)

I really like your rambling posts on random topics like this. Thanks for sharing your thoughts.

  

Grogan, Sun May-02-10 06:43 PM
#8. "RE: How to Delete a Software Restriction Policy (SRP)?"
In response to therube (Reply # 4)

... but what problems has the System Restore caused that you don't know about yet? I would not use that to solve problems. I would only use it if someone's computer won't boot, I can't solve it by normal means and then I'll probably be doing a clean install afterward if anything at all doesn't feel right. It can make it easier to back up someone's files if the system will at least boot up.

System Restore is NOT a disk image. It does NOT restore your computer back to a previous state. It only reverses changes that it has tracked, sort of like incremental deltas. Changes that occur through legitimate means, like software installs get tracked. Changes that occur through illegitimate means like malware doing low level things, or old software installers, or anything done in Safe Mode will not be tracked. Sometimes legitimate changes don't get completely tracked and restored and it can leave your system in an inconsistent state with incorrect file versions. Many restore points also FAIL and say "no changes were made to your computer" yet they HAVE. I've seen it with my own eyes. I completely distrust it.

It also restores the registry, which in your case was what solved the problem. You could have found and deleted the policies using the registry editor, or you could have just restored a copy of the registry using the system restore data. (e.g. on UBCD4Win there's a utility that does that)

You got lucky this time... there weren't many changes to your system and your problem was just registry related.

Grogan

  

therube, Tue May-04-10 02:08 AM
#9. "RE: How to Delete a Software Restriction Policy (SRP)?"
In response to Grogan (Reply # 8)

> what problems has the System Restore caused that you don't know about yet?

Hopefully none.

I keep a very small, very clean C: (E: actually). Pretty much nothing there but the Windows install itself. I only have System Restore monitoring E:. All other drives are excluded. (Virtually) all programs are installed elsewhere.

> System Restore is NOT a disk image ...

Known. I know all of its limitations ...

> You could have found and deleted the policies using the registry editor

Sure if I'd have known where to look & what to delete.

> your problem was just registry related

My problem is that MS provides easy access to a "feature", that anyone exploring windows might be tempted to enable - to see what it does, but then leaves no apparent way to reverse the procedure. It's not like there even is an enable/disable switch. Once you've added it, it is on to some degree whether you then want it or not.


  

Grogan, Tue May-04-10 03:38 AM
#10. "RE: How to Delete a Software Restriction Policy (SRP)?"
In response to therube (Reply # 9)

Heheh... System Restore is something that irritates me, because when it causes screwiness, it's an all but impossible situation to troubleshoot. It's something I usually find out about later. "Oh, we tried a restore a few weeks ago... does that matter?" Abandon all hope of sanity. So when I see someone like you (yes, you, a shining star of a savvy computer user) hitting that panic button, I just can't help but prattle on about brimstone and fire. It's tough love, bro

Those kinds of policies will be in subkeys under the following:

For user policies:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows

For machine (system or whatever they call it these days) policies:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows

If you can't get in some of the subkeys, you may have to grant yourself (or the administrators group) permissions or even take ownership if it's really snide. Usually though, Administrators have access to those keys.

This is not the usual place you'd look for those lame-o policies that disable registry editing and various shell dialogs and stuff (e.g. hkcu and hklm \software\microsoft\windows\currentversion\policies)

(Note: On 64 bit systems (Vista and 7) you generally also should look for things under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node which duplicates HKLM\Software for 32 bit programs.)

But your point is spot on. Microsoft gives you an interface for setting complex policies that could cause you no end of misery, without a clear path to undoing it. This surprises you about our high and mighty overlords? There probably is a way (neither obvious nor intuitive) to do it through the GUI, something like setting new policies that explicitly allow the same things you restricted.

I haven't played with that, precisely because of crap like that. I hate it. Those kinds of dialogs give me the creeps. Remember "policy editor"? It was like that.

I've got a Windows 7 virtual machine (In VirtualBox) that's expendable (I wasn't even planning on activating it... just use it and throw it away) so let me see if I can break it like you did. If I find a legitimate way to remove those policies (other than with the registry editor where it has no choice but to work) I'll let you know.

Grogan

  

Grogan, Tue May-04-10 06:03 AM
#11. "RE: How to Delete a Software Restriction Policy (SRP)?"
In response to Grogan (Reply # 10)
Tue May-04-10 08:58 AM by Grogan

In my gpedit.msc, if I click on Software Restriction policies, from the Action menu I have "Delete Software Restriction Policies" (and similarly in the right click menu on Software Restriction Policies). Maybe yours doesn't in Windows XP. You'd have to be on the Software Restriction Policies "folder" itself to see it though in the group policy editor.

I created a policy, changed Enforcement to "All Software Files" (to include dlls). For my quick test I left the default policy Unrestricted.

I went to Additional Rules and created a path rule to disallow wordpad. Both instances (program files and program files (x86)), and sure enough, I couldn't open wordpad and got the "disabled by group policy" error dialog. Waah. (That's a stupid, stupid program that looks like Word 2007 now, by the way.)

That added the policies to:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0

I don't want the policies anymore, so I used "Delete Software Restriction Policies" and now it shows the coveted "No Software Restriction Policies Defined" screen.

While you could simply delete:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer

There's also a policy file

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

That's where all Software Restriction Policies data is. When you create a policy, it creates that Safer key and populates it with the defaults and creates a file (if it doesn't already exist from other machine policies if they have been set)

Of course it's not as simple as this when it's a group policy applied from a domain controller server but that's not what we have done. (We of course can only create local security policies)

----------------------------

So you panicked. You ran System Restore for this

Grogan

  

Grogan, Tue May-04-10 08:02 AM
#12. "RE: How to Delete a Software Restriction Policy (SRP)?"
In response to Grogan (Reply # 11)

I'm in the process of blasting on a quick Windows XP Professional VM (I have a Home Edition one, but not Pro) so I can play with this. It's kind of bugging me now and I need to understand how to deal with it, in case someone screws this up and I have to fix it.

Grogan

  

Grogan, Tue May-04-10 08:50 AM
#13. "RE: How to Delete a Software Restriction Policy (SRP)?"
In response to Grogan (Reply # 12)
Tue May-04-10 09:01 AM by Grogan

So no, there's definitely no "Delete software restriction policies" in the group policy editor in Windows XP like there is in Windows 7.

What you would have to do is just go back and change things to the way they were when you first created the default policy. Set the Security Level default back to "unrestricted" and those defaults do nothing.

Or delete:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer

and there is one more thing

While that will defang anything you have done with software restriction policies (on a local computer), your Software Restriction Policies will still show up in gpedit until you delete:

C:\WINDOWS\system32\GroupPolicy\Machine\Registry.pol

Be warned that that file is for all the group policies that may have been created, not just software restriction policies. So deleting that would take you back to Windows defaults.

P.S. I mean to summarize: Deleting the Safer registry subkey and the Registry.pol file resets that stuff and it will say "No Software Restriction Policies Defined". If you add new policies, it gets created again.

Grogan
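
The warning in reply #13 that Registry.pol holds every local machine policy, not only SRP, can be checked before the file is deleted. The following is an added example, not part of the thread: a parser for the documented `[key;value;type;size;data]` PReg layout that separates entries under the `Safer` key from everything else. The sample bytes, the helper names and the `Software\Policies\Example` key are constructed for illustration.

```python
import struct

# Key from the thread, relative to HKLM (Machine\Registry.pol omits the hive).
SAFER_KEY = r"software\policies\microsoft\windows\safer"
REG_DWORD = 4
U16 = "utf-16-le"

def parse_registry_pol(blob):
    """Parse PReg bytes into a list of (key, value_name, reg_type, data)."""
    if blob[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("not a version 1 Registry.pol")
    pos, entries = 8, []

    def take(n):
        nonlocal pos
        chunk = blob[pos:pos + n]
        if len(chunk) != n:
            raise ValueError(f"truncated at offset {pos}")
        pos += n
        return chunk

    def expect(ch):
        if take(2) != ch.encode(U16):
            raise ValueError(f"expected {ch!r} before offset {pos}")

    def read_str():
        units = []
        while (unit := take(2)) != b"\x00\x00":
            units.append(unit)
        return b"".join(units).decode(U16)

    while pos < len(blob):
        expect("[")
        key = read_str()
        expect(";")
        name = read_str()
        expect(";")
        reg_type, = struct.unpack("<I", take(4))
        expect(";")
        size, = struct.unpack("<I", take(4))
        expect(";")
        data = take(size)  # length-prefixed: sliced by size, never scanned for "]"
        expect("]")
        entries.append((key, name, reg_type, data))
    return entries

def split_by_srp(entries):
    """Return (srp, other): entries under the Safer key, and everything else."""
    def is_srp(key):
        return (key.lower() + "\\").startswith(SAFER_KEY + "\\")
    return ([e for e in entries if is_srp(e[0])],
            [e for e in entries if not is_srp(e[0])])

def build_entry(key, name, reg_type, data):
    """Encode one [key;value;type;size;data] record for the sample below."""
    head = ("[" + key + "\0;" + name + "\0;").encode(U16)
    return head + struct.pack("<I2sI2s", reg_type, b";\0", len(data), b";\0") + data + b"]\0"

CODE_IDS = r"Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
# Constructed sample: two SRP values, one hypothetical policy whose data spells "];".
SAMPLE = b"PReg" + struct.pack("<I", 1) + b"".join([
    build_entry(CODE_IDS, "DefaultLevel", REG_DWORD, struct.pack("<I", 0x40000)),
    build_entry(CODE_IDS, "TransparentEnabled", REG_DWORD, struct.pack("<I", 2)),
    build_entry(r"Software\Policies\Example", "Marker", REG_DWORD, b"]\x00;\x00"),
])

if __name__ == "__main__":
    srp, other = split_by_srp(parse_registry_pol(SAMPLE))
    print(len(srp), "SRP entries;", len(other), "other entries share the file")
```

To audit a real machine, read the Registry.pol path given in the thread in binary mode, pass the bytes to `parse_registry_pol`, and review the second list from `split_by_srp` before deleting the file.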

  

therube, Sat May-01-10 02:51 PM
#3. "RE: How to Delete a Software Restriction Policy (SRP)?"
In response to therube (Reply # 0)
Sat May-01-10 02:53 PM by therube

Oh, & I had download this:

Group Policy Management Console with Service Pack 1

The Microsoft Group Policy Management Console (GPMC) with Service Pack 1 (SP1) unifies management of Group Policy across the enterprise. The GPMC consists of a MMC snap-in and a set of programmable interfaces for managing Group Policy.

http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en


Tried to install it sandboxed, but wouldn't. (Said I needed .NET, which I'm pretty sure ? that I have. <Maybe one day there would be an easy way to determine if XXX is installed & which versions.>) From what I've read, don't think it will accomplish anything anyhow?

(Yep. I've got .NET 2 through 3.5.)


  

Razor, Sat May-01-10 06:49 PM
#7. "RE: How to Delete a Software Restriction Policy (SRP)?"
In response to therube (Reply # 3)

Yes, a system restore allowed us to use iTunes on our family computer when we weren't able to because we deleted a bunch of stuff (and somehow deleted a driver or something, XP is waaaaay too touchy about drivers). On my latest build, about 2 or 3 months ago, I set a restore point as soon as all my drivers were installed and all my hardware was working, that way if I ever completely screw my OS I can go back to the beginning, it's practically a clean install!

==================
Win7 x64 Ultimate

  
