Question Can I allow apps to run in mmc via CMD?

DieKartoffel

Honorable
Mar 31, 2017
13
0
10,510
Hello everybody,

I'm not even sure if what I'm going to ask is possible, but I'm hoping it is and that one of you has experience with it.

Basically, I have many remote computers with the same image on them, and they all use mmc to manage the separate users. For each user, I have "Run only specified Windows applications" enabled, but I need an efficient way of adding new programs to the lists. I was hoping to use CMD to do this because I need something that I can run with PsExec to do it remotely.

I did manage to use this command to do it on a test computer:
Code:
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun" /v "Test.exe" /t REG_SZ /d "Test.exe" /f

(RestrictRun is where I have it saved.) However, I ran into some problems. For one, I can't distinguish which ID belongs to which user without first manually adding a program to the list and seeing which one changed. Also, I believe the IDs change after every restart, so even once I figure out which IDs belong to which user, I can't use them on remote computers. Is there any way that I can maybe enter the user somewhere to get the ID and somehow plug it into the command from there?

Is anybody able to help with this? Is it even possible, or is there an alternative that I can try? If anybody could provide help, I'd really appreciate it. Thank you!
 

Eximo

Titan
Ambassador
Group policy is certainly one of the correct ways. Not sure why you would do this on each system/person rather than have it defined for your whole domain. Then domain controllers will make every system behave. Or are you talking about making specific profiles for each user?

What I would do is go around defining roles and creating AD groups, and then assigning group policy permissions to role groups, rather than individuals. That way if you do have to make special exceptions, it would be on a much smaller scale.

You might also check to see if your anti-virus or anti-malware tool has exe level white lists and/or blacklists, though I am not sure about individual users.


Using the above method, I can see writing a script to fetch the right information based on registry searches using MMC from a single point, but that seems a bit backwards to me. You would then somehow need a list of every person/machine and what software they should have. Which I suppose you would need to create role groups as well.

And then your super special people can just have local admin rights for running whatever.
 

DieKartoffel

Honorable
Mar 31, 2017
13
0
10,510
I'm afraid that I have to use CMD for it in this case. I did manage to make a script that queries the registry, adds the correct keys to an index, and then adds my string to the keys, and it does show up in MMC, but I can't seem to get it to apply the changes. Do you have any ideas? Normally when you add a program to the "Run only specified Windows applications" setting, you have to click an apply button for it to take effect; however, since I added the string directly to the registry, I can't click it. The application will show up in the allowed list, but it will be removed as soon as I exit MMC. Is there some way for me to apply it via CMD?
 

Eximo

Titan
Ambassador
If you write it so that it uses the GUI, you might be able to script the action to press the right key combo to hit Apply. Alt-A or something. That might mean switching to powershell.

But it must store someone hitting the apply button or it discards it as in your case. So there must be something else you need to track down in the registry or as an additional command line option.

Assuming I am thinking correctly. You are running your script which edits the registry, then checking in MMC and seeing the result, but it gets deleted when you close MMC?
 

DieKartoffel

Honorable
Mar 31, 2017
13
0
10,510
That's right. I actually queried the registry to search for the random ID in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun," but I figured that was too much of a pain, so I ended up querying the RestrictRun key directly since that's unique to this application. There are actually two locations in the registry that it stores the allowed programs in, but they do disappear once MMC is closed.
So yeah, I'm not really sure what to do. It's as you said; I can open MMC and see the registry keys, I can then add the program to the list, and I can see the change in MMC, but without being able to hit apply, the changes are discarded once I close MMC. I'm not sure what the apply button actually modifies, but I've tested it manually, and it will only save my changes if I apply them.
 

DieKartoffel

Honorable
Mar 31, 2017
13
0
10,510
Maybe run process monitor when you do it and see what it actually does.
I've never actually used that before, but I just saved a log file of what happens when I click the "Apply" button. Is there any chance you could tell me what I'm looking for? Sorry if that sounds dumb, and I appreciate all of the help you're giving me! I tried adding a Test.exe file, and that's when I clicked apply.
Code:
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:13:02.4865801 PM","mmc.exe","8360","Thread Exit","","SUCCESS","Thread ID: 4900, User Time: 0.0000000, Kernel Time: 0.0000000"
"2:13:02.4865809 PM","mmc.exe","8360","Thread Exit","","SUCCESS","Thread ID: 5232, User Time: 0.0000000, Kernel Time: 0.0000000"
"2:13:02.4865859 PM","mmc.exe","8360","Thread Exit","","SUCCESS","Thread ID: 6920, User Time: 0.0000000, Kernel Time: 0.0156250"
"2:13:05.1913879 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.1914215 PM","mmc.exe","8360","RegOpenKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS","Desired Access: Write"
"2:13:05.1914663 PM","mmc.exe","8360","RegDeleteValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\**del.RestrictRun","NAME NOT FOUND",""
"2:13:05.1915414 PM","mmc.exe","8360","RegCloseKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS",""
"2:13:05.1915667 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.1915944 PM","mmc.exe","8360","RegOpenKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS","Desired Access: Write"
"2:13:05.1916191 PM","mmc.exe","8360","RegDeleteValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","SUCCESS",""
"2:13:05.1918037 PM","mmc.exe","8360","RegCloseKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS",""
"2:13:05.1918396 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.1918752 PM","mmc.exe","8360","RegCreateKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS","Desired Access: Maximum Allowed, Granted Access: All Access, Disposition: REG_OPENED_EXISTING_KEY"
"2:13:05.1919289 PM","mmc.exe","8360","RegSetValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"2:13:05.1920086 PM","mmc.exe","8360","RegCloseKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS",""
"2:13:05.1920416 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.1920755 PM","mmc.exe","8360","RegOpenKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","SUCCESS","Desired Access: Delete"
"2:13:05.1921135 PM","mmc.exe","8360","RegDeleteKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","SUCCESS",""
"2:13:05.1921764 PM","mmc.exe","8360","RegCloseKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","SUCCESS",""
"2:13:05.1921995 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.1922208 PM","mmc.exe","8360","RegCreateKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","SUCCESS","Desired Access: Write, Disposition: REG_CREATED_NEW_KEY"
"2:13:05.1922949 PM","mmc.exe","8360","RegSetValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\firefox.exe","SUCCESS","Type: REG_SZ, Length: 24, Data: firefox.exe"
"2:13:05.1923550 PM","mmc.exe","8360","RegSetValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\Test.exe","SUCCESS","Type: REG_SZ, Length: 18, Data: Test.exe"
"2:13:05.1924192 PM","mmc.exe","8360","RegCloseKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","SUCCESS",""
"2:13:05.1926686 PM","mmc.exe","8360","CreateFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\User\comment.cmtx","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, OpenResult: Overwritten"
"2:13:05.1928676 PM","mmc.exe","8360","WriteFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\User\comment.cmtx","SUCCESS","Offset: 0, Length: 3, Priority: Normal"
"2:13:05.1930494 PM","mmc.exe","8360","WriteFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\User\comment.cmtx","SUCCESS","Offset: 3, Length: 548, Priority: Normal"
"2:13:05.1930876 PM","mmc.exe","8360","WriteFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\User\comment.cmtx","SUCCESS","Offset: 551, Length: 0"
"2:13:05.1931143 PM","mmc.exe","8360","CloseFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\User\comment.cmtx","SUCCESS",""
"2:13:05.1933447 PM","mmc.exe","8360","CreateFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\User\Registry.pol","SUCCESS","Desired Access: Generic Read/Write, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Overwritten"
"2:13:05.1935846 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User","SUCCESS","Query: Cached, SubKeys: 1, Values: 0"
"2:13:05.1936408 PM","mmc.exe","8360","RegEnumValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User","NO MORE ENTRIES","Index: 0, Length: 220"
"2:13:05.1936892 PM","mmc.exe","8360","RegEnumKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User","SUCCESS","Index: 0, Name: Software"
"2:13:05.1937496 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.1937811 PM","mmc.exe","8360","RegOpenKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software","SUCCESS","Desired Access: Read"
"2:13:05.1938145 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software","SUCCESS","Query: Cached, SubKeys: 1, Values: 0"
"2:13:05.1938429 PM","mmc.exe","8360","RegEnumValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software","NO MORE ENTRIES","Index: 0, Length: 220"
"2:13:05.1938670 PM","mmc.exe","8360","RegEnumKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software","SUCCESS","Index: 0, Name: Microsoft"
"2:13:05.1938916 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.1939188 PM","mmc.exe","8360","RegOpenKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft","SUCCESS","Desired Access: Read"
"2:13:05.1939565 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft","SUCCESS","Query: Cached, SubKeys: 1, Values: 0"
"2:13:05.1939878 PM","mmc.exe","8360","RegEnumValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft","NO MORE ENTRIES","Index: 0, Length: 220"
"2:13:05.1940199 PM","mmc.exe","8360","RegEnumKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft","SUCCESS","Index: 0, Name: Windows"
"2:13:05.1940537 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.1940871 PM","mmc.exe","8360","RegOpenKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows","SUCCESS","Desired Access: Read"
"2:13:05.1941211 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows","SUCCESS","Query: Cached, SubKeys: 1, Values: 0"
"2:13:05.1941411 PM","mmc.exe","8360","RegEnumValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows","NO MORE ENTRIES","Index: 0, Length: 220"
"2:13:05.1941659 PM","mmc.exe","8360","RegEnumKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows","SUCCESS","Index: 0, Name: CurrentVersion"
"2:13:05.1941850 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.1942052 PM","mmc.exe","8360","RegOpenKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion","SUCCESS","Desired Access: Read"
"2:13:05.1942281 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion","SUCCESS","Query: Cached, SubKeys: 1, Values: 0"
"2:13:05.1942470 PM","mmc.exe","8360","RegEnumValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion","NO MORE ENTRIES","Index: 0, Length: 220"
"2:13:05.1942653 PM","mmc.exe","8360","RegEnumKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion","SUCCESS","Index: 0, Name: Policies"
"2:13:05.1942841 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.1943029 PM","mmc.exe","8360","RegOpenKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies","SUCCESS","Desired Access: Read"
"2:13:05.1943249 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies","SUCCESS","Query: Cached, SubKeys: 1, Values: 0"
"2:13:05.1943437 PM","mmc.exe","8360","RegEnumValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies","NO MORE ENTRIES","Index: 0, Length: 220"
"2:13:05.1943620 PM","mmc.exe","8360","RegEnumKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies","SUCCESS","Index: 0, Name: Explorer"
"2:13:05.1943811 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.1943997 PM","mmc.exe","8360","RegOpenKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS","Desired Access: Read"
"2:13:05.1944235 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS","Query: Cached, SubKeys: 1, Values: 2"
"2:13:05.1944519 PM","mmc.exe","8360","RegEnumValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS","Index: 0, Name: NoRun, Type: REG_DWORD, Length: 4, Data: 1"
"2:13:05.1944823 PM","mmc.exe","8360","RegEnumValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS","Index: 1, Name: RestrictRun, Type: REG_DWORD, Length: 4, Data: 1"
"2:13:05.1945088 PM","mmc.exe","8360","RegEnumValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NO MORE ENTRIES","Index: 2, Length: 220"
"2:13:05.1945278 PM","mmc.exe","8360","RegEnumKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS","Index: 0, Name: RestrictRun"
"2:13:05.1945471 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.1945683 PM","mmc.exe","8360","RegOpenKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","SUCCESS","Desired Access: Read"
"2:13:05.1945904 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","SUCCESS","Query: Cached, SubKeys: 0, Values: 2"
"2:13:05.1946099 PM","mmc.exe","8360","RegEnumValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","SUCCESS","Index: 0, Name: firefox.exe, Type: REG_SZ, Length: 24, Data: firefox.exe"
"2:13:05.1946299 PM","mmc.exe","8360","RegEnumValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","SUCCESS","Index: 1, Name: Test.exe, Type: REG_SZ, Length: 18, Data: Test.exe"
"2:13:05.1946485 PM","mmc.exe","8360","RegEnumValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","NO MORE ENTRIES","Index: 2, Length: 220"
"2:13:05.1946799 PM","mmc.exe","8360","RegEnumKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","NO MORE ENTRIES","Index: 0, Length: 288"
"2:13:05.1947052 PM","mmc.exe","8360","RegCloseKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","SUCCESS",""
"2:13:05.1947235 PM","mmc.exe","8360","RegEnumKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NO MORE ENTRIES","Index: 1, Length: 288"
"2:13:05.1947436 PM","mmc.exe","8360","RegCloseKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS",""
"2:13:05.1947605 PM","mmc.exe","8360","RegEnumKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies","NO MORE ENTRIES","Index: 1, Length: 288"
"2:13:05.1947795 PM","mmc.exe","8360","RegCloseKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies","SUCCESS",""
"2:13:05.1947966 PM","mmc.exe","8360","RegEnumKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion","NO MORE ENTRIES","Index: 1, Length: 288"
"2:13:05.1948151 PM","mmc.exe","8360","RegCloseKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion","SUCCESS",""
"2:13:05.1948312 PM","mmc.exe","8360","RegEnumKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows","NO MORE ENTRIES","Index: 1, Length: 288"
"2:13:05.1948494 PM","mmc.exe","8360","RegCloseKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows","SUCCESS",""
"2:13:05.1948653 PM","mmc.exe","8360","RegEnumKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft","NO MORE ENTRIES","Index: 1, Length: 288"
"2:13:05.1948834 PM","mmc.exe","8360","RegCloseKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft","SUCCESS",""
"2:13:05.1948994 PM","mmc.exe","8360","RegEnumKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software","NO MORE ENTRIES","Index: 1, Length: 288"
"2:13:05.1949175 PM","mmc.exe","8360","RegCloseKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software","SUCCESS",""
"2:13:05.1949335 PM","mmc.exe","8360","RegEnumKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User","NO MORE ENTRIES","Index: 1, Length: 288"
"2:13:05.1949598 PM","mmc.exe","8360","WriteFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\User\Registry.pol","SUCCESS","Offset: 0, Length: 744, Priority: Normal"
"2:13:05.1950874 PM","mmc.exe","8360","CloseFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\User\Registry.pol","SUCCESS",""
"2:13:05.1952137 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User","SUCCESS","Query: Cached, SubKeys: 1, Values: 0"
"2:13:05.1953896 PM","mmc.exe","8360","CreateFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.1954736 PM","mmc.exe","8360","QueryEAFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS",""
"2:13:05.1960513 PM","mmc.exe","8360","LockFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","Exclusive: False, Offset: 0, Length: 4,294,967,295, Fail Immediately: False"
"2:13:05.1960794 PM","mmc.exe","8360","QueryStandardInformationFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","AllocationSize: 160, EndOfFile: 156, NumberOfLinks: 1, DeletePending: False, Directory: False"
"2:13:05.1961217 PM","mmc.exe","8360","ReadFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","Offset: 0, Length: 156, Priority: Normal"
"2:13:05.1961862 PM","mmc.exe","8360","UnlockFileSingle","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","Offset: 0, Length: 4,294,967,295"
"2:13:05.1962100 PM","mmc.exe","8360","CloseFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS",""
"2:13:05.1964058 PM","mmc.exe","8360","CreateFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.1964825 PM","mmc.exe","8360","QueryEAFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS",""
"2:13:05.1971612 PM","mmc.exe","8360","LockFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","Exclusive: False, Offset: 0, Length: 4,294,967,295, Fail Immediately: False"
"2:13:05.1971890 PM","mmc.exe","8360","QueryStandardInformationFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","AllocationSize: 160, EndOfFile: 156, NumberOfLinks: 1, DeletePending: False, Directory: False"
"2:13:05.1972278 PM","mmc.exe","8360","ReadFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","Offset: 0, Length: 156, Priority: Normal"
"2:13:05.1972758 PM","mmc.exe","8360","UnlockFileSingle","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","Offset: 0, Length: 4,294,967,295"
"2:13:05.1972983 PM","mmc.exe","8360","CloseFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS",""
"2:13:05.1974628 PM","mmc.exe","8360","CreateFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","Desired Access: Generic Read/Write, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: 0, OpenResult: Opened"
"2:13:05.1975408 PM","mmc.exe","8360","QueryEAFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS",""
"2:13:05.1982069 PM","mmc.exe","8360","LockFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","Exclusive: True, Offset: 0, Length: 4,294,967,295, Fail Immediately: False"
"2:13:05.1982338 PM","mmc.exe","8360","QueryStandardInformationFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","AllocationSize: 160, EndOfFile: 156, NumberOfLinks: 1, DeletePending: False, Directory: False"
"2:13:05.1982709 PM","mmc.exe","8360","ReadFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","Offset: 0, Length: 156, Priority: Normal"
"2:13:05.1983295 PM","mmc.exe","8360","WriteFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","Offset: 148, Length: 9, Priority: Normal"
"2:13:05.1983943 PM","mmc.exe","8360","SetEndOfFileInformationFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","EndOfFile: 157"
"2:13:05.1984482 PM","mmc.exe","8360","UnlockFileSingle","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","Offset: 0, Length: 4,294,967,295"
"2:13:05.1984687 PM","mmc.exe","8360","CloseFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS",""
"2:13:05.1986127 PM","mmc.exe","8360","QueryNameInformationFile","C:\Windows\System32\mmc.exe","SUCCESS","Name: \Windows\System32\mmc.exe"
"2:13:05.1986488 PM","mmc.exe","8360","RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.1986756 PM","mmc.exe","8360","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics","NAME NOT FOUND","Desired Access: Read"
"2:13:05.1987083 PM","mmc.exe","8360","RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.1987286 PM","mmc.exe","8360","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon","SUCCESS","Desired Access: Read"
"2:13:05.1987542 PM","mmc.exe","8360","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel","NAME NOT FOUND","Length: 16"
"2:13:05.1987811 PM","mmc.exe","8360","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SUCCESS",""
"2:13:05.1988005 PM","mmc.exe","8360","RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.1988194 PM","mmc.exe","8360","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\System","SUCCESS","Desired Access: Read"
"2:13:05.1988459 PM","mmc.exe","8360","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel","NAME NOT FOUND","Length: 16"
"2:13:05.1988666 PM","mmc.exe","8360","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\System","SUCCESS",""
"2:13:05.2055619 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.2056030 PM","mmc.exe","8360","RegOpenKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS","Desired Access: Read"
"2:13:05.2056418 PM","mmc.exe","8360","RegQueryValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"2:13:05.2056749 PM","mmc.exe","8360","RegCloseKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS",""
"2:13:05.2061161 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.2061647 PM","mmc.exe","8360","RegOpenKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS","Desired Access: Read"
"2:13:05.2062313 PM","mmc.exe","8360","RegQueryValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"2:13:05.2062891 PM","mmc.exe","8360","RegCloseKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS",""
"2:13:05.2065708 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.2066173 PM","mmc.exe","8360","RegOpenKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS","Desired Access: Read"
"2:13:05.2066701 PM","mmc.exe","8360","RegQueryValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"2:13:05.2067172 PM","mmc.exe","8360","RegCloseKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS",""
"2:13:05.2069526 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.2069881 PM","mmc.exe","8360","RegOpenKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS","Desired Access: Read"
"2:13:05.2070211 PM","mmc.exe","8360","RegQueryValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"2:13:05.2070498 PM","mmc.exe","8360","RegCloseKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS",""
"2:13:05.2073255 PM","mmc.exe","8360","RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.2073639 PM","mmc.exe","8360","RegOpenKey","HKLM\SOFTWARE\Microsoft\Ole","SUCCESS","Desired Access: Read"
"2:13:05.2074037 PM","mmc.exe","8360","RegQueryValue","HKLM\SOFTWARE\Microsoft\Ole\EnableATLEnumClassLock","NAME NOT FOUND","Length: 16"
"2:13:05.2074389 PM","mmc.exe","8360","RegCloseKey","HKLM\SOFTWARE\Microsoft\Ole","SUCCESS",""
"2:13:05.2074881 PM","mmc.exe","8360","RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.2075190 PM","mmc.exe","8360","RegOpenKey","HKLM\SOFTWARE\Microsoft\Ole","SUCCESS","Desired Access: Read"
"2:13:05.2075511 PM","mmc.exe","8360","RegQueryValue","HKLM\SOFTWARE\Microsoft\Ole\EnableATLEnumClassLock","NAME NOT FOUND","Length: 16"
"2:13:05.2075828 PM","mmc.exe","8360","RegCloseKey","HKLM\SOFTWARE\Microsoft\Ole","SUCCESS",""
"2:13:05.2076322 PM","mmc.exe","8360","RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.2076611 PM","mmc.exe","8360","RegOpenKey","HKLM\SOFTWARE\Microsoft\Ole","SUCCESS","Desired Access: Read"
"2:13:05.2076999 PM","mmc.exe","8360","RegQueryValue","HKLM\SOFTWARE\Microsoft\Ole\EnableATLEnumClassLock","NAME NOT FOUND","Length: 16"
"2:13:05.2077256 PM","mmc.exe","8360","RegCloseKey","HKLM\SOFTWARE\Microsoft\Ole","SUCCESS",""
"2:13:05.2081578 PM","mmc.exe","8360","RegQueryKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.2081940 PM","mmc.exe","8360","RegOpenKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS","Desired Access: Read"
"2:13:05.2082311 PM","mmc.exe","8360","RegQueryValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"2:13:05.2082633 PM","mmc.exe","8360","RegCloseKey","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","SUCCESS",""
"2:13:05.2097540 PM","mmc.exe","8360","RegQueryKey","HKCU","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.2098036 PM","mmc.exe","8360","RegOpenKey","HKCU\SOFTWARE\Classes\PROTOCOLS\Handler\C","REPARSE","Desired Access: Query Value"
"2:13:05.2098480 PM","mmc.exe","8360","RegOpenKey","HKCU\Software\Classes\PROTOCOLS\Handler\C","NAME NOT FOUND","Desired Access: Query Value"
"2:13:05.2098878 PM","mmc.exe","8360","RegQueryKey","HKLM","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"2:13:05.2099196 PM","mmc.exe","8360","RegOpenKey","HKCR\PROTOCOLS\Handler\C","NAME NOT FOUND","Desired Access: Query Value"
"2:13:05.2102357 PM","mmc.exe","8360","CreateFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2103067 PM","mmc.exe","8360","QueryBasicInformationFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS","CreationTime: 9/1/2022 10:29:32 AM, LastAccessTime: 1/27/2023 2:12:56 PM, LastWriteTime: 9/1/2022 10:29:32 AM, ChangeTime: 1/25/2023 12:23:18 PM, FileAttributes: A"
"2:13:05.2103405 PM","mmc.exe","8360","CloseFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS",""
"2:13:05.2105647 PM","mmc.exe","8360","CreateFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS","Desired Access: Read Attributes, Read Control, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Disallow Exclusive, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2106300 PM","mmc.exe","8360","QuerySecurityFile","C:\Windows\System32\mmcndmgr.dll","BUFFER OVERFLOW","Information: Label"
"2:13:05.2106635 PM","mmc.exe","8360","QuerySecurityFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS","Information: Label"
"2:13:05.2107205 PM","mmc.exe","8360","CloseFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS",""
"2:13:05.2109902 PM","mmc.exe","8360","CreateFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2110483 PM","mmc.exe","8360","QueryBasicInformationFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS","CreationTime: 9/1/2022 10:29:32 AM, LastAccessTime: 1/27/2023 2:12:56 PM, LastWriteTime: 9/1/2022 10:29:32 AM, ChangeTime: 1/25/2023 12:23:18 PM, FileAttributes: A"
"2:13:05.2110787 PM","mmc.exe","8360","CloseFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS",""
"2:13:05.2113674 PM","mmc.exe","8360","CreateFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2114337 PM","mmc.exe","8360","QueryBasicInformationFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS","CreationTime: 9/1/2022 10:29:32 AM, LastAccessTime: 1/27/2023 2:12:56 PM, LastWriteTime: 9/1/2022 10:29:32 AM, ChangeTime: 1/25/2023 12:23:18 PM, FileAttributes: A"
"2:13:05.2114625 PM","mmc.exe","8360","CloseFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS",""
"2:13:05.2117333 PM","mmc.exe","8360","CreateFile","C:\Windows\System32\mmcndmgr.dll:Zone.Identifier","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
"2:13:05.2119352 PM","mmc.exe","8360","CreateFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2119730 PM","mmc.exe","8360","QueryBasicInformationFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS","CreationTime: 9/1/2022 10:29:32 AM, LastAccessTime: 1/27/2023 2:12:56 PM, LastWriteTime: 9/1/2022 10:29:32 AM, ChangeTime: 1/25/2023 12:23:18 PM, FileAttributes: A"
"2:13:05.2119925 PM","mmc.exe","8360","CloseFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS",""
"2:13:05.2121876 PM","mmc.exe","8360","CreateFile","C:\Windows\System32","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2122300 PM","mmc.exe","8360","QueryBasicInformationFile","C:\Windows\System32","SUCCESS","CreationTime: 12/7/2019 2:03:44 AM, LastAccessTime: 1/27/2023 2:13:05 PM, LastWriteTime: 1/27/2023 1:41:07 PM, ChangeTime: 1/27/2023 1:41:07 PM, FileAttributes: D"
"2:13:05.2122589 PM","mmc.exe","8360","CloseFile","C:\Windows\System32","SUCCESS",""
"2:13:05.2124913 PM","mmc.exe","8360","CreateFile","C:\Windows","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2125346 PM","mmc.exe","8360","QueryBasicInformationFile","C:\Windows","SUCCESS","CreationTime: 12/7/2019 2:03:44 AM, LastAccessTime: 1/27/2023 2:13:05 PM, LastWriteTime: 1/27/2023 1:51:31 PM, ChangeTime: 1/27/2023 1:51:31 PM, FileAttributes: D"
"2:13:05.2125649 PM","mmc.exe","8360","CloseFile","C:\Windows","SUCCESS",""
"2:13:05.2128394 PM","mmc.exe","8360","CreateFile","C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2128842 PM","mmc.exe","8360","QueryBasicInformationFile","C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools","SUCCESS","CreationTime: 5/8/2022 3:01:40 PM, LastAccessTime: 1/27/2023 2:12:07 PM, LastWriteTime: 9/1/2022 11:05:06 AM, ChangeTime: 1/27/2023 1:53:37 PM, FileAttributes: RD"
"2:13:05.2129141 PM","mmc.exe","8360","CloseFile","C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools","SUCCESS",""
"2:13:05.2130747 PM","mmc.exe","8360","CreateFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2131409 PM","mmc.exe","8360","CloseFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS",""
"2:13:05.2132889 PM","mmc.exe","8360","CreateFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2133453 PM","mmc.exe","8360","CloseFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS",""
"2:13:05.2134904 PM","mmc.exe","8360","CreateFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2135878 PM","mmc.exe","8360","DeviceIoControl","C:\Windows\System32\mmcndmgr.dll","INVALID PARAMETER","Control: IOCTL_MOUNTDEV_QUERY_DEVICE_NAME"
"2:13:05.2136318 PM","mmc.exe","8360","CloseFile","C:\Windows\System32\mmcndmgr.dll","SUCCESS",""
"2:13:05.2138001 PM","mmc.exe","8360","CreateFile","C:\Windows\System32\mmcndmgr.dll","NAME INVALID","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a"
"2:13:05.2139212 PM","mmc.exe","8360","CreateFile","C:\Windows\System32","IS DIRECTORY","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a"
"2:13:05.2140315 PM","mmc.exe","8360","CreateFile","C:\Windows\System32","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2140782 PM","mmc.exe","8360","FileSystemControl","C:\Windows\System32","NOT REPARSE POINT","Control: FSCTL_GET_REPARSE_POINT"
"2:13:05.2141117 PM","mmc.exe","8360","CloseFile","C:\Windows\System32","SUCCESS",""
"2:13:05.2142384 PM","mmc.exe","8360","CreateFile","C:\Windows\System32","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2142780 PM","mmc.exe","8360","CloseFile","C:\Windows\System32","SUCCESS",""
"2:13:05.2143927 PM","mmc.exe","8360","CreateFile","C:\Windows\System32","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2144383 PM","mmc.exe","8360","DeviceIoControl","C:\Windows\System32","INVALID PARAMETER","Control: IOCTL_MOUNTDEV_QUERY_DEVICE_NAME"
"2:13:05.2144580 PM","mmc.exe","8360","CloseFile","C:\Windows\System32","SUCCESS",""
"2:13:05.2145453 PM","mmc.exe","8360","CreateFile","C:\Windows\System32","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2145725 PM","mmc.exe","8360","FileSystemControl","C:\Windows\System32","NOT REPARSE POINT","Control: FSCTL_GET_REPARSE_POINT"
"2:13:05.2145948 PM","mmc.exe","8360","CloseFile","C:\Windows\System32","SUCCESS",""
"2:13:05.2146889 PM","mmc.exe","8360","CreateFile","C:\Windows","IS DIRECTORY","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a"
"2:13:05.2147614 PM","mmc.exe","8360","CreateFile","C:\Windows","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2147890 PM","mmc.exe","8360","FileSystemControl","C:\Windows","NOT REPARSE POINT","Control: FSCTL_GET_REPARSE_POINT"
"2:13:05.2148099 PM","mmc.exe","8360","CloseFile","C:\Windows","SUCCESS",""
"2:13:05.2148915 PM","mmc.exe","8360","CreateFile","C:\Windows","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2149165 PM","mmc.exe","8360","CloseFile","C:\Windows","SUCCESS",""
"2:13:05.2149951 PM","mmc.exe","8360","CreateFile","C:\Windows","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2150354 PM","mmc.exe","8360","DeviceIoControl","C:\Windows","INVALID PARAMETER","Control: IOCTL_MOUNTDEV_QUERY_DEVICE_NAME"
"2:13:05.2150540 PM","mmc.exe","8360","CloseFile","C:\Windows","SUCCESS",""
"2:13:05.2151370 PM","mmc.exe","8360","CreateFile","C:\Windows","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"2:13:05.2151631 PM","mmc.exe","8360","FileSystemControl","C:\Windows","NOT REPARSE POINT","Control: FSCTL_GET_REPARSE_POINT"
"2:13:05.2151833 PM","mmc.exe","8360","CloseFile","C:\Windows","SUCCESS",""
"2:13:12.2948031 PM","mmc.exe","8360","Thread Exit","","SUCCESS","Thread ID: 6404, User Time: 0.0000000, Kernel Time: 0.0000000"
 

Eximo

Process Monitor is a feature of Windows (you can download it if you have to). It simply shows every process task in extreme detail. Basically the IT professional version of Task Manager.

You probably want to spread out your actions so they are easier to filter out, though.

I would have to sit and look at this a while to find it I think. Filter out the benign steps from the actual impactful ones.

Another thing you can do is do it manually, then do it automatically using your script. Compare the log files with something like ExamDiff.
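Eximo's advice to filter the benign steps from the impactful ones, written out as a script (an added example, not code from Eximo, the thread or Microsoft): it reads a Process Monitor CSV export and keeps only the operations that write to the file system or registry, so a capture of several hundred opens, queries and closes shrinks to the handful of lines that changed state. The sample lines are taken from the capture above plus one constructed RegSetValue line; the operation list is my own choice of what counts as a write, not a ProcMon setting.

```python
"""Triage a Process Monitor CSV export down to the operations that
actually change something (added example, not from the thread).

ProcMon's File > Save (CSV) output has the seven columns shown in the
capture above; everything else here is my own.
"""
import csv
import io

# Operations that modify the file system or registry. Opens, queries,
# locks and closes are the noise to drop when asking "what did mmc.exe change?".
MUTATING_OPS = {
    "WriteFile", "SetEndOfFileInformationFile", "SetDispositionInformationFile",
    "SetRenameInformationFile", "SetBasicInformationFile",
    "RegSetValue", "RegCreateKey", "RegDeleteKey", "RegDeleteValue",
}
COLUMNS = ("time", "process", "pid", "operation", "path", "result", "detail")


def parse_procmon_csv(text):
    """Parse ProcMon CSV text into a list of dicts keyed by COLUMNS."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) != len(COLUMNS) or fields[3] == "Operation":
            continue  # header line, or something ProcMon did not write
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def impactful(rows, process=None, success_only=True):
    """Keep only state-changing operations, optionally for one process name."""
    return [r for r in rows
            if r["operation"] in MUTATING_OPS
            and (process is None or r["process"].lower() == process.lower())
            and (not success_only or r["result"] == "SUCCESS")]


def touched_paths(rows):
    """Distinct paths in first-seen order; diff two captures on this list."""
    seen = []
    for r in rows:
        if r["path"] not in seen:
            seen.append(r["path"])
    return seen


# Sample: header plus four lines lifted from the capture in this thread, and
# one constructed RegSetValue line (ProcMon shows the value name as the last
# path component). The gpt.ini write is the policy version counter moving.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:13:05.1982709 PM","mmc.exe","8360","ReadFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","Offset: 0, Length: 156, Priority: Normal"
"2:13:05.1983295 PM","mmc.exe","8360","WriteFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","Offset: 148, Length: 9, Priority: Normal"
"2:13:05.1983943 PM","mmc.exe","8360","SetEndOfFileInformationFile","C:\Windows\System32\GroupPolicyUsers\S-1-5-21-3121347047-1358119635-3483094383-1003\gpt.ini","SUCCESS","EndOfFile: 157"
"2:13:05.2056418 PM","mmc.exe","8360","RegQueryValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"2:13:05.2100000 PM","mmc.exe","8360","RegSetValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{EB312372-4710-4E7F-9777-A5ED466567D4}User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\1","SUCCESS","Type: REG_SZ, Length: 18, Data: Test.exe"
'''

if __name__ == "__main__":
    rows = impactful(parse_procmon_csv(SAMPLE_CSV), process="mmc.exe")
    for r in rows:
        print(r["time"], r["operation"], r["path"], "|", r["detail"])
    print("paths touched:", *touched_paths(rows), sep="\n  ")
```

Run it against a full export (load the file contents into `parse_procmon_csv`) and compare `touched_paths` from a manual change and from the scripted one; the two lists should match if the script reproduces what the console did. The same cut can be made inside ProcMon itself with the Category filter set to Write before exporting.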
 

DieKartoffel

I tried for quite a while to do it manually. I'm not exactly sure what to filter out though. I thought filtering by RegSetValue might help, but it didn't. To me, it looks like it's deleting the RestrictRun key, recreating it, and then adding all of the old allowed apps back plus the new one. I'm not sure what the point of that is though.
If I can't figure it out, how would I go about creating a PowerShell script for it? Would that work any better? I'm not sure if I can use that, but I could always try.
 

DieKartoffel

If it's not too much trouble, could you give me an idea of what I should be filtering? Because as far as I can tell, it all looks important, but I'm sure that's not the case.

@Eximo Actually, I know it has to do with the Registry.pol file now. After I click apply, it's modifying that, but I still don't know what to do with that. Is there a way that I can force an update on it? gpupdate /force doesn't seem to work. It's probably different on other computers, but on mine, it's located in "C:\Windows\System32\GroupPolicyUsers\X-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX\User"

One last edit: I found a solution that works for me.
 
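The Registry.pol file DieKartoffel tracked down is what the local policy editor actually writes; the per-user registry view under Group Policy Objects\{GUID}User is only the editor's staging copy. The following reader (an added example, mine, not code from the thread or from Microsoft) parses the file and lists the "Run only specified Windows applications" allow list it carries, which is the check to run on a remote machine after pushing a change. The file path named in the docstring is an assumption; the record layout `[key;value;type;size;data]` with UTF-16LE strings is the documented PReg format. The constructed sample includes a `**DelVals.` entry, the control record that tells the client to clear the key and then re-add every listed item, which is why the capture looked like the key was being deleted and recreated with all the old entries plus the new one.

```python
r"""Read a Local Group Policy Registry.pol ("PReg") file and list the
"Run only specified Windows applications" allow list it carries.

Added example, not code from the thread. Per-user local policy is assumed
to live at C:\Windows\System32\GroupPolicyUsers\<SID>\User\Registry.pol;
the record layout [key;value;type;size;data] with UTF-16LE strings is the
documented PReg format.
"""
import struct
import sys

PREG_MAGIC = b"PReg"
PREG_VERSION = 1
REG_SZ = 1
REG_DWORD = 4
EXPLORER_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
RESTRICTRUN_KEY = EXPLORER_KEY + r"\RestrictRun"


def _u16(s):
    """UTF-16LE without terminator, used for the [ ; ] delimiters."""
    return s.encode("utf-16-le")


def _u16z(s):
    """UTF-16LE plus the two-byte null terminator PReg strings carry."""
    return s.encode("utf-16-le") + b"\x00\x00"


def build_preg(entries):
    """Serialise [(key, value_name, reg_type, data_bytes), ...] as PReg."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, value, rtype, data in entries:
        out += _u16("[") + _u16z(key) + _u16(";") + _u16z(value) + _u16(";")
        out += struct.pack("<I", rtype) + _u16(";")
        out += struct.pack("<I", len(data)) + _u16(";") + data + _u16("]")
    return bytes(out)


def _read_u16z(blob, pos):
    """Read a null-terminated UTF-16LE string starting at pos."""
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        if end + 2 > len(blob):
            raise ValueError("unterminated string at offset %d" % pos)
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2


def _expect(blob, pos, ch):
    """Consume one UTF-16LE delimiter character or fail loudly."""
    if blob[pos:pos + 2] != _u16(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def parse_preg(blob):
    """Return [(key, value_name, reg_type, data_bytes), ...] from PReg bytes."""
    if blob[:4] != PREG_MAGIC:
        raise ValueError("not a Registry.pol (PReg) file")
    if struct.unpack_from("<I", blob, 4)[0] != PREG_VERSION:
        raise ValueError("unsupported PReg version")
    entries, pos = [], 8
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_u16z(blob, pos)
        pos = _expect(blob, pos, ";")
        value, pos = _read_u16z(blob, pos)
        pos = _expect(blob, pos, ";")
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data at offset %d" % pos)
        pos = _expect(blob, pos + size, "]")
        entries.append((key, value, rtype, data))
    return entries


def restrict_run_allowlist(entries):
    """(enabled, [exe names]) for the RestrictRun policy in the file.

    Value names under the RestrictRun key are arbitrary (the editor numbers
    them 1, 2, 3 ...); Explorer matches on the data. Names starting with
    '**' are PReg control records such as '**DelVals.' (clear the key first).
    """
    enabled, allowed = False, []
    for key, value, rtype, data in entries:
        if key.lower() == EXPLORER_KEY.lower() and value.lower() == "restrictrun":
            enabled = rtype == REG_DWORD and struct.unpack("<I", data)[0] == 1
        elif (key.lower() == RESTRICTRUN_KEY.lower() and rtype == REG_SZ
              and not value.startswith("**")):
            allowed.append(data.decode("utf-16-le").rstrip("\x00"))
    return enabled, allowed


# Constructed sample mirroring what the editor writes for a two-item list.
SAMPLE_ENTRIES = [
    (EXPLORER_KEY, "RestrictRun", REG_DWORD, struct.pack("<I", 1)),
    (RESTRICTRUN_KEY, "**DelVals.", REG_SZ, _u16z(" ")),
    (RESTRICTRUN_KEY, "1", REG_SZ, _u16z("notepad.exe")),
    (RESTRICTRUN_KEY, "2", REG_SZ, _u16z("Test.exe")),
]
SAMPLE_POL = build_preg(SAMPLE_ENTRIES)

if __name__ == "__main__":
    # Pass a real Registry.pol path to audit it; with no argument the sample is read.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_POL
    enabled, allowed = restrict_run_allowlist(parse_preg(blob))
    print("RestrictRun enabled:", enabled)
    for exe in allowed:
        print("  allowed:", exe)
```

Used as an audit step, this lets you confirm from a remote shell that each machine's per-user policy file holds exactly the allow list you intended, rather than inferring it from which GPO GUID changed in the registry. The parser refuses anything that is not a well-formed PReg record, so a corrupted or hand-edited file shows up as an error instead of a silently shorter list.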