5 Replies Latest reply on Mar 26, 2020 9:08 AM by DEMdev

    Using DEM to manage HKLM keys at logon

    davebaker87 Novice

      I know UEM can only HKCU hive but I had hoped that the following would work:

       

      1. Created a PS script that changes and deletes a couple of HKLM\Software\Classes keys and converted it to .EXE using PS2EXE.

      2. Put the .exe in a fileshare and set Privilege Elevation (path based) to elevate the .exe

      3. I also used privilege elevation to elevate C:\windows\regedit.exe

      4. Created a shortcut in the Startup folder pointing to the .exe so it runs at logon.

       

      Of course it failed, and the error was 'Registry area cannot be written to' or something along those lines.

      Presumably this is UAC on the desktop, or UEM is executing the script, but not even priv elevation doesn't let it write to HKLM.

       

      Has anybody got a way around this? I really need these HKLM keys to be added at startup otherwise we're changing a master image for 500+ people.

       

      Please help or put me out of my misery.

       

      Dave

        • 1. Re: Using DEM to manage HKLM keys at logon
          DEMdev Master
          VMware Employees

          Hi Dave,

           

          PS2EXE should no longer be necessary (that was the workaround before we added argument-based privilege elevation), but the approach you describe should definitely work.

           

          Does it work correctly if you manually launch the command you configured to be elevated? In the logging at logoff, is your configured executable mentioned in the Privilege elevation statistics logging?

          • 2. Re: Using DEM to manage HKLM keys at logon
            davebaker87 Novice

            Hi DEMDev,

             

            If I click the .exe in it's share (from the desktop) it runs, but cmd window errors with below:

            "Error: Requested registry access is now allowed"

             

            The UEM Logs are applying the priv settings, so coupled with the above, it looks to me like UAC or some other GPO is preventing write access to HKLM. However, if I run regedit as administator, I can amend keys, so surely this is the same level of access that Priv Elevation uses? Unless the problem now points at something like the UEM service account (or whatever account/context the Privlege Elevation tool uses to elevate things) doesn't have local-admin rights on the local machine?

             

            2020-03-26 10:05:48.217 [INFO ] Collected path-based privilege elevation settings to apply for elevated applications ('Excel DDE Fix.xml')

            2020-03-26 10:05:48.233 [INFO ] Applied privilege elevation settings

             

            I'm wondering if I need to us something like Appvols to run the script instead (how, I'm not sure...any idaes?)

             

            I know this is faux pas, but Liquidware Profile Unity can do this kind of thing without any problem, it just runs scripts as SYSTEM context and you can configure the life out of everything! Would really help if VMware took a leaf from their book...

             

            Thanks for getting back!

            • 3. Re: Using DEM to manage HKLM keys at logon
              DEMdev Master
              VMware Employees

              Hi Dave,

               

              The fact that elevation kicks in if you launch your .exe from File Explorer is a good sign. Now let's try to figure out why it does not work from the console.

               

              Does something like the following get logged at logoff?

              2020-03-13 19:15:15.795 [INFO ] Privilege elevation statistics:

              2020-03-13 19:15:15.795 [INFO ]    Elevated C:\Windows\System32\reg.exe 1 time (argument-based).

               

              How exactly are you launching the command from your shortcut or in your manual tests? \\server\share\folder\folder\your-command.exe?

              1 person found this helpful
              • 4. Re: Using DEM to manage HKLM keys at logon
                davebaker87 Novice

                So, it transpires that the user account I was testing with had a UEM issue 'Failed to load flexengine.dll' at logon. Not sure on root cause, but after creating a new test account - everything worked as expected.

                 

                Script runs, priv elevation works and voila!

                 

                Thanks a lot for your time and help and pointing out the log entries to be aware of. Good to know that it IS possible to change computer settings!

                 

                Stay safe

                • 5. Re: Using DEM to manage HKLM keys at logon
                  DEMdev Master
                  VMware Employees

                  Hi Dave,

                   

                  Happy to hear that it works; thank you for reporting back!