
defprof & file assoc's in HKCU/Software/Classes

snmdla (Newbie; joined 11 Sep 2017; Germany)
Posted: 11 Sep 2017 at 8:40am
I was surprised that defprof appears to delete file associations in HKCU/Software/Classes, i.e. custom user file associations like those that come from going through an "open with" dialogue.

This appears to be by design, as we can read in http://forensit.blogspot.de/2010/09/changing-default-profile-on-windows-7.html:

"... Additionally, DefProf loads the registry for the specified profile and cleans it up so that any user specific settings (that we know about) are removed."

This brings me to ask why: isn't the default profile meant to be customized for users with company defaults by a model user before the execution of defprofile?

If this design is unchangeable, it would be interesting to know where else defprof deletes user specific settings in addition to HKCU/Software/Classes.

Kind regards, Tom

snmdla
Posted: 13 Sep 2017 at 10:07am
Another example that comes to my mind is the choice of the default browser.

If set in the model profile, this setting is lost in the process of running defprof.

Support (Moderator Group; joined 09 Nov 2006; United Kingdom)
Posted: 14 Sep 2017 at 7:40am
File associations on Windows 10 are encrypted to an individual user account; this is to prevent malware hijacking types of files.

This applies to the default browser, which, after all, is just the application that opens html (etc.) files.

Because file associations are encrypted per user, any new user signing-in (and getting a new default profile based on another user's profile) will just get their file associations reset. This is because the new user account cannot decrypt the file associations saved for the original user in the registry.

snmdla
Posted: 27 Sep 2017 at 5:20am
Thanks, that makes the decision clear.

Are there other similar places in the registry where defprof does similar deletions in HKCU?

Thanks, Thomas
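
One way to check what a profile-copy step removed from HKCU, as an added example that is not ForensiT's code and does not reflect DefProf's actual cleanup list: diff a `reg export` of the model user's hive against an export of the resulting default profile hive mounted with `reg load`. The mount name `DefProfCheck`, the `Contoso` key and both sample exports are constructed for illustration.

```python
import re

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text, root):
    # Parse .reg export text into {key_path: {value_name: raw_data}}. `root` is stripped so
    # hives mounted under different names compare; paths are lowercased (registry is case-insensitive).
    keys, current, pending, root = {}, None, "", root.lower()
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith(",\\"):              # hex data continues on the next line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            rel = line[1:-1].lower()
            current = keys.setdefault(rel[len(root):].strip("\\"), {}) if rel.startswith(root) else None
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1).strip('"').lower()] = m.group(2)
    return keys

def removed(model, default):
    """(key, value_name) pairs in `model` but not `default`; None means the whole subtree is gone."""
    out, gone = [], []
    for key in sorted(model):
        if any(key.startswith(g + "\\") for g in gone):
            continue                          # already covered by a missing parent key
        if key not in default:
            gone.append(key)
            out.append((key, None))
        else:
            out += [(key, v) for v in sorted(model[key]) if v not in default[key]]
    return out

# Constructed sample exports; real `reg export` files are UTF-16, so read them with encoding="utf-16".
MODEL = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.log]
@="txtfile"
[HKEY_CURRENT_USER\Software\Classes\.log\OpenWithProgids]
"txtfile"=hex(0):
[HKEY_CURRENT_USER\Software\Contoso]
"Server"="intranet"
"Cache"=hex:01,02,\
  03,04
'''
DEFAULT = r'''Windows Registry Editor Version 5.00
[HKEY_USERS\DefProfCheck\Software\Contoso]
"Server"="intranet"
'''
if __name__ == "__main__":
    print(removed(parse_reg(MODEL, "HKEY_CURRENT_USER"), parse_reg(DEFAULT, r"HKEY_USERS\DefProfCheck")))
```

Run against real exports, the output lists each missing key once at the top of its removed subtree, plus individual values missing from keys that survived.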