defprof & file assoc's in HKCU/Software/Classes

snmdla (Newbie; joined 11 Sep 2017; Germany) | Posted: 11 Sep 2017 at 8:40am
I was surprised that defprof appears to delete file associations in HKCU/Software/Classes, i.e. custom user file associations like those that come from going through an "open with" dialogue.

This appears to be by design, as we can read in http://forensit.blogspot.de/2010/09/changing-default-profile-on-windows-7.html:

"... Additionally, DefProf loads the registry for the specified profile and cleans it up so that any user specific settings (that we know about) are removed."

This brings me to ask why: isn't the default profile meant to be customized for users with company defaults by a model user before the execution of defprofile?

If this design is unchangeable, it would be interesting to know where else defprof deletes user-specific settings in addition to HKCU/Software/Classes.

Kind regards, Tom

snmdla | Posted: 13 Sep 2017 at 10:07am
Another example that comes to my mind is the choice of the default browser.

If set in the model profile, this setting is lost in the process of running defprof.

Support (Moderator Group; joined 09 Nov 2006; United Kingdom) | Posted: 14 Sep 2017 at 7:40am
File associations on Windows 10 are encrypted to an individual user account; this is to prevent malware hijacking types of files.

This applies to the default browser, which, after all, is just the application that opens HTML (etc.) files.

Because file associations are encrypted per user, any new user signing in (and getting a new default profile based on another user's profile) will just get their file associations reset. This is because the new user account cannot decrypt the file associations saved for the original user in the registry.
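
The per-user association choices discussed in this thread can be listed from the model user's session before running defprof, to see which settings a new user will not inherit. This is an added example, not part of the original posts and not ForensiT code; the function name `Get-UserChoice` is hypothetical, and the two registry paths and the `ProgId`/`Hash` value names are assumptions about the Windows 10 layout.

```powershell
# Added example: list per-user file and URL association choices.
# Assumption: Windows 10 stores each choice in a UserChoice subkey that
# holds a ProgId value and a Hash value bound to the user account.
function Get-UserChoice {
    param(
        # Registry root to inspect; defaults to the signed-in user's hive.
        [string]$Root = 'HKCU:'
    )
    $parents = @(
        "$Root\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts",
        "$Root\Software\Microsoft\Windows\Shell\Associations\UrlAssociations"
    )
    foreach ($parent in $parents) {
        # Skip a parent key that does not exist in this hive.
        if (-not (Test-Path -LiteralPath $parent)) { continue }
        foreach ($item in Get-ChildItem -LiteralPath $parent) {
            $choice = Join-Path $item.PSPath 'UserChoice'
            # Extensions or protocols without an explicit user choice are skipped.
            if (-not (Test-Path -LiteralPath $choice)) { continue }
            $values = Get-ItemProperty -LiteralPath $choice
            [pscustomobject]@{
                Association = $item.PSChildName   # e.g. .pdf or http
                ProgId      = $values.ProgId      # handler the user picked
                HasHash     = [bool]$values.Hash  # per-user protection value present
            }
        }
    }
}

# Read-only report for the current user.
Get-UserChoice | Sort-Object Association | Format-Table -AutoSize
```

Every row in the report is a choice made by the model user that a newly created account would have reset, which covers both the "open with" selections and the default browser mentioned above.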

snmdla | Posted: 27 Sep 2017 at 5:20am
Thanks, that makes the decision clear.

Are there other similar places in the registry where defprof does similar deletions in HKCU?

Thanks, Thomas