ForensiT Homepage
Forum Home Forum Home > ForensiT Support > Desktop Management
  Active Topics Active Topics
  FAQ FAQ  Forum Search   Calendar   Register Register  Login Login

defprof HKCU edits

 Post Reply Post Reply
Author
Message
  Topic Search Topic Search  Topic Options Topic Options
snmdla View Drop Down
Newbie
Newbie
Avatar

Joined: 11 Sep 2017
Location: Germany
Online Status: Offline
Posts: 5
  Quote snmdla Quote  Post ReplyReply Direct Link To This Post Topic: defprof HKCU edits
    Posted: 22 Oct 2018 at 4:34am
To my knowledge the only sparse details on the internals of defprof are found here.

Regarding the registry, we read
Additionally, DefProf loads the registry for the specified profile and cleans it up so that any user specific settings (that we know about) are removed.
I was curious about this "known" places, and experimetally found that

defprof will delete the following keys

[HKEY_USERS\modeluser\Identities]
[HKEY_USERS\modeluser\Software\Microsoft\Active Setup]
[HKEY_USERS\modeluser\Software\Microsoft\IAM]
[HKEY_USERS\modeluser\Software\Microsoft\Windows Mail]
[HKEY_USERS\modeluser\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
[HKEY_USERS\modeluser\Software\Wow6432Node\Microsoft\Active Setup]

defprof will delete all entries under

[HKEY_USERS\modeluser\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"!Do not use this registry key"="Use the SHGetFolderPath or SHGetKnownFolderPath function instead"

defprof will create the following entry

[HKEY_USERS\modeluser\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"mctadmin"="C:\\Windows\\System32\\mctadmin.exe"

defprof switch on FirstLogon

[HKEY_USERS\modeluser\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"FirstLogon"=dword:00000001

So do not expect defprof to edit paths like

HKEY_USERS\modeluser\Software\Microsoft\Fusion
DownloadCacheLocation

or

HKEY_USERS\modeluser\Software\Microsoft\Windows\CurrentVersion\Themes
CurrentTheme

Does anybody know if the good old copy dialogue in Windows has done such edits?
Would the supported sysprep CopyProfile Unattend.xml method do such edits?

Kind regards, Tom

Back to Top
 Post Reply Post Reply

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.016 seconds.