defprof HKCU edits

snmdla
Joined: 11 Sep 2017
Location: Germany
    Posted: 22 Oct 2018 at 4:34am
To my knowledge the only sparse details on the internals of defprof are found here.

Regarding the registry, we read:
"Additionally, DefProf loads the registry for the specified profile and cleans it up so that any user specific settings (that we know about) are removed."
I was curious about these "known" places, and experimentally found that

defprof will delete the following keys

[HKEY_USERS\modeluser\Identities]
[HKEY_USERS\modeluser\Software\Microsoft\Active Setup]
[HKEY_USERS\modeluser\Software\Microsoft\IAM]
[HKEY_USERS\modeluser\Software\Microsoft\Windows Mail]
[HKEY_USERS\modeluser\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
[HKEY_USERS\modeluser\Software\Wow6432Node\Microsoft\Active Setup]

defprof will delete all entries under

[HKEY_USERS\modeluser\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"!Do not use this registry key"="Use the SHGetFolderPath or SHGetKnownFolderPath function instead"

defprof will create the following entry

[HKEY_USERS\modeluser\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"mctadmin"="C:\\Windows\\System32\\mctadmin.exe"

defprof will switch on FirstLogon

[HKEY_USERS\modeluser\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"FirstLogon"=dword:00000001

So do not expect defprof to edit paths like

HKEY_USERS\modeluser\Software\Microsoft\Fusion
DownloadCacheLocation

or

HKEY_USERS\modeluser\Software\Microsoft\Windows\CurrentVersion\Themes
CurrentTheme

Does anybody know if the good old copy dialogue in Windows has done such edits?
Would the supported sysprep CopyProfile Unattend.xml method do such edits?

Kind regards, Tom
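
One way to check a profile hive against the list in the post above, as an added example that is not part of the original post or ForensiT's code: it parses the text of a .reg export of the hive mounted as HKEY_USERS\modeluser and reports what differs from the state the post describes. All constant and function names are hypothetical, the sample export is constructed, and it assumes the value shown under Shell Folders is the one that remains.

```python
import re

ROOT = "HKEY_USERS\\modeluser\\"  # hive mount point as written in the post
# Keys the post reports as deleted.
DELETED = [r"Identities", r"Software\Microsoft\Active Setup", r"Software\Microsoft\IAM",
           r"Software\Microsoft\Windows Mail", r"Software\Wow6432Node\Microsoft\Active Setup",
           r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"]
SHELL_FOLDERS = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
KEEP = "!Do not use this registry key"  # assumption: the only value that remains
EXPECTED = {  # raw .reg data the post reports as created or switched on
    (r"Software\Microsoft\Windows\CurrentVersion\RunOnce", "mctadmin"):
        r'"C:\\Windows\\System32\\mctadmin.exe"',
    (r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "FirstLogon"):
        "dword:00000001",
}

def parse_reg(text):
    """Parse .reg export text into {lowercased key path: {value name: raw data}}."""
    keys, current = {}, None
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex(...) continuation lines
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            current[m.group(1)] = m.group(2)
    return keys

def audit(reg_text, root=ROOT):
    """List (kind, detail) deviations from the post-defprof state described in the post."""
    rel = {k[len(root):]: v for k, v in parse_reg(reg_text).items() if k.startswith(root.lower())}
    findings = []
    for gone in map(str.lower, DELETED):  # a listed key or any of its subkeys survived
        findings += [("key still present", k) for k in rel
                     if k == gone or k.startswith(gone + "\\")]
    findings += [("Shell Folders value left", n)
                 for n in rel.get(SHELL_FOLDERS.lower(), {}) if n != KEEP]
    for (key, name), want in EXPECTED.items():
        got = {n.lower(): d for n, d in rel.get(key.lower(), {}).items()}.get(name.lower())
        if got is None or got.lower() != want.lower():
            findings.append(("value differs", f"{key}\\{name} = {got}"))
    return findings

# Constructed sample export: RunMRU was left behind and FirstLogon is not set.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_USERS\modeluser\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="a"
[HKEY_USERS\modeluser\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"mctadmin"="C:\\Windows\\System32\\mctadmin.exe"
'''
print(*audit(SAMPLE), sep="\n")
```

Registry Editor Version 5.00 exports are UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text to `audit`.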
