Category Archives: Registry Hacking

Working with and navigating the windows registry.

How to block Ultrasurf at the workstation level in Windows

Some time ago, I discovered students were using a program called Ultrasurf to get around our internet filter. The app is portable and so can run off a USB key or from a cloud drive. (As of this writing, the latest file name is u1403.exe. You can recognize it running by a yellow-gold lock icon on the screen, usually in the lower right corner.)

Apparently it was designed for citizens of China to get around “The Great Firewall of China.” The app sets itself up as a proxy. Ultrasurf then changes Internet Explorer to use this new proxy to surf. Behind the scenes, the app works by connecting to an IP address overseas chosen from a wide range of options. From what I saw, it connects using HTTPS, and the port can be varied by users. Blocking it is a daunting task.

Blocking the app itself via Group Policy is tough as well: the checksum is a moving target. Ultrasurf often has a new version out, and old versions can be found everywhere.

You might think that blocking proxy access in IE via GPO would help. It really doesn’t. All that GPO does is block entering the settings via Internet Options; it does nothing to stop a program from changing the actual proxy value in the registry.

What I discovered is that to block Ultrasurf, you need to prevent the users from being able to edit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings.

This is where IE stores its proxy information. As long as the user has write access, Ultrasurf can work.

Introducing UltraFin!

I have created a script that works at the user level. I deploy it via a policy that runs as the user for anyone who is a member of our student user group. I called it UltraFin as a play on UltraSurf: a surfer’s day is ruined if they see a fin in the water 🙂

What the script does is use a tool called regini.exe to set the part of the registry I mentioned above to read-only. This essentially locks them out from making any changes to their proxy settings. To undo the permission change, an admin would have to mount their profile hive (ntuser.dat) and correct the permissions.

Once this is done, launching Ultrasurf says it is connected but will go nowhere. Ultrasurf normally launches IE once it connects but this won’t happen anymore.
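The same lock can be applied without regini.exe. The PowerShell below is an added example, not the UltraFin.vbs script from this post: it replaces the ACL on the Internet Settings key so the logged-on user keeps read access only, while SYSTEM and Administrators keep full control, then checks that a write to the key is now refused. The function names are my own; it has to run in the user’s own session (for example as a user logon script) because it edits HKCU.

```powershell
# Added example (not the author's UltraFin.vbs): make the IE proxy key read-only for
# the logged-on user using PowerShell's registry ACL support instead of regini.exe.
# Runs in the user's session, since it edits HKCU. Function names are assumptions.
$proxySubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Set-ProxyKeyReadOnly {
    param([string]$SubKey = $proxySubKey)
    $path = "HKCU:\$SubKey"

    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User          # the user's SID
    $system = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')     # NT AUTHORITY\SYSTEM
    $admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544') # BUILTIN\Administrators

    $acl = Get-Acl -Path $path

    # Break inheritance from the parent keys and discard the inherited entries, so the
    # only rules left are the ones added below (what a regini ACL number does for you).
    $acl.SetAccessRuleProtection($true, $false)
    $existing = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in @($existing)) { [void]$acl.RemoveAccessRule($rule) }

    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    $full    = [System.Security.AccessControl.RegistryRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    # ReadKey lets IE and other programs still read the proxy settings; without
    # SetValue/CreateSubKey/Delete, nothing running as this user can change them.
    $rules = @(
        (New-Object System.Security.AccessControl.RegistryAccessRule($me,     $readKey, $inherit, $none, $allow)),
        (New-Object System.Security.AccessControl.RegistryAccessRule($system, $full,    $inherit, $none, $allow)),
        (New-Object System.Security.AccessControl.RegistryAccessRule($admins, $full,    $inherit, $none, $allow))
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }

    Set-Acl -Path $path -AclObject $acl
}

function Test-ProxyKeyReadOnly {
    # Returns $true when the key can no longer be opened for writing as the current
    # user. Opening for write (without writing anything) is a non-destructive probe.
    param([string]$SubKey = $proxySubKey)
    try {
        $k = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey, $true)
        $k.Close()
        return $false
    } catch {
        # OpenSubKey throws System.Security.SecurityException when write access is denied
        return $true
    }
}

Set-ProxyKeyReadOnly
"Proxy key locked for $env:USERNAME : $(Test-ProxyKeyReadOnly)"
```

One caveat worth knowing when you use either this or regini: the owner of a registry key can always rewrite its DACL, so if the user is listed as the owner of this key (the Owner tab under Permissions in regedit), they could undo the lock with regedit. Pairing the lock with the “Prevent access to registry editing tools” user policy closes that gap; Ultrasurf itself, running as the user, still has no supported way to change the proxy once the key is read-only.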

I keep both my script and regini.exe in the NETLOGON folder of our DCs.

You get regini.exe as part of the Windows Server 2003 Resource Kit Tools.

Here is my script; please note that you will need to rename it from ultrafin.txt to ultrafin.vbs.

In the GPO I create, here is where I place it:

User Configuration->Policies->Windows Settings->Scripts->Logon

Name:%LOGONSERVER%\NetLogon\UltraFin.vbs

I use the LOGONSERVER variable to reduce network traffic and to prevent a workstation from hanging at logon if a particular server is down.

One important note: I still keep a policy in place for this group that prevents them from changing their proxy settings in IE. The main reason is so the users in question can’t manually set a different browser to use the Ultrasurf proxy address. Ultrasurf thrives on IE, but there is the potential to work around it.

To ensure this, I have also imported policy templates for the other popular browsers, such as Chrome and Firefox, and enabled the settings that force these browsers to use the IE proxy settings.

I hope this helps someone as I haven’t found many good ways so far on how to block Ultrasurf.

Advanced registry editing – working with offline user profiles

(This post requires local administrator privileges, and the NTUSER.DAT must not be in use.)

Knowing how to work with registry files can save you a lot of time and hassle. I’m not talking about .reg files, though those will come into play later. What I want to show you is how to edit the NTUSER.DAT file found in every user profile.

The proper term for this is a hive file. NTUSER.DAT is not the only kind you can work with, but the others will be covered in another post. In the case of a user profile, NTUSER.DAT contains everything you would find if you opened regedit as that user and navigated to HKEY_CURRENT_USER.

How it is done

Run Regedit.exe and click on HKEY_LOCAL_MACHINE (or HKEY_USERS). Once you have done this, click the File menu and Load Hive will now be available. Click on it and browse to the profile you want to work with. (Under XP, profiles will be in C:\Documents and Settings; under Windows 7 they will be under C:\Users.) When you enter the user profile, you may not see NTUSER.DAT listed; this depends on your view settings. We can fix that, but it’s not necessary: simply typing ntuser.dat in the file name box and pressing Open will load the file. At this point, you will be prompted for the name under which you want this file displayed in the registry. I usually just call it test to make it stand out.

I have also used this to force Default User settings at the workstation level for an image. (All new profiles are based on Default User unless a profile is stored in NETLOGON, which is another post.)

In the case of Default User, I will call the loaded hive Default so I can export registry files (.reg) and know the settings will match when I apply them to a future system (once I have mounted that system’s Default User ntuser.dat under the Default name).

I will review what I have used this for. I look forward to seeing what ideas others may have.

  • Applying fixes to a user account

 I have been in situations where I needed to apply a known fix to a user account and they weren’t available to log in. Yes, a password change would have been a simpler way, but there are times when it only further frustrates the person. In one particular case, WordPerfect wasn’t working. I could have rebuilt the user profile, since there was a delay until they were available. This would have meant chasing down missing settings, though.

I instead used my offline registry approach. I loaded NTUSER.DAT by running regedit under my tech account. At that point I browsed to the known location in their settings (i.e. HKLM\Test\Software\Wordperfect\File Locations) and removed the offending settings to force WordPerfect to re-create them. The source of the problem in this case was that the creator of the workstation image tested all the apps as local admin. In the case of WordPerfect, it kept the admin profile as the path for files. The admin profile was copied over the default (XP), and every person who logged in got the admin-based settings. Anyone who tried to use WordPerfect got errors since they didn’t have access to the admin profile.

  • Adding custom settings

 I’d like to expand on what I said above about applying custom settings. Sticking with the WordPerfect example, I have also exported known-good settings from a profile to use to fix a broken profile. The trick here is to open your .reg file in Notepad and prepare it for import. (If you can run it as the person, no changes are needed, as the .reg will already be set up as HKEY_CURRENT_USER.) If you need to mount a profile, you will need to search the .reg file and replace HKEY_CURRENT_USER with HKEY_LOCAL_MACHINE\Temp. Do a Replace All and Save. This assumes you mount the profile in question as Temp; it can be anything else. You can then either double-click the .reg or import it via the File menu in regedit.
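The whole procedure from the two sections above (load the hive, retarget the exported .reg at the mounted name, import, unload) can be scripted so it is repeatable and so the hive never gets left loaded by accident. The PowerShell below is an added example, not a script from this post; the function name, the profile and .reg paths, and the mount name Temp are assumptions. It needs an elevated prompt and a profile that is not in use, exactly as the post says.

```powershell
# Added example, not code from the post: load a user's NTUSER.DAT under HKLM\<MountName>,
# rewrite a .reg file exported as HKEY_CURRENT_USER so it targets the mounted hive,
# import it, and unload. Run elevated; the profile must not be in use.
# Function name, paths and the mount name 'Temp' are assumptions.
function Import-RegIntoOfflineProfile {
    param(
        [Parameter(Mandatory)] [string]$ProfilePath,   # e.g. C:\Users\jdoe (assumed path)
        [Parameter(Mandatory)] [string]$RegFile,       # .reg exported from a working profile
        [string]$MountName = 'Temp'                    # hive shows up as HKLM\Temp
    )
    $hive = Join-Path $ProfilePath 'NTUSER.DAT'
    if (-not (Test-Path $hive)) { throw "No NTUSER.DAT under $ProfilePath" }

    # reg load fails (non-zero exit code) when the hive is already loaded,
    # which is what happens if that user is still logged on.
    & reg.exe load "HKLM\$MountName" $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load $hive; is the profile in use?" }

    $tmp = $null
    try {
        # Get-Content honours the UTF-16 BOM regedit writes on exported files
        $content = Get-Content -Path $RegFile -Raw

        # The same edit the post does in Notepad with Replace All: point every
        # HKEY_CURRENT_USER key at the loaded hive. String.Replace is a plain
        # text replace, so no regex escaping is needed.
        $rewritten = $content.Replace('HKEY_CURRENT_USER', "HKEY_LOCAL_MACHINE\$MountName")

        # Keep the UTF-16 LE encoding so reg import accepts the file
        $tmp = Join-Path $env:TEMP ("offline-" + [guid]::NewGuid().ToString() + ".reg")
        Set-Content -Path $tmp -Value $rewritten -Encoding Unicode

        & reg.exe import $tmp | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg import failed for $tmp" }
    }
    finally {
        if ($tmp -and (Test-Path $tmp)) { Remove-Item -Path $tmp -Force }

        # Any open handle into the hive (an open regedit window, a cached key object)
        # makes the unload fail, and the hive would then stay loaded until reboot.
        [GC]::Collect()
        [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$MountName" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Hive still loaded as HKLM\$MountName; close handles and run: reg unload HKLM\$MountName"
        }
    }
}

# Usage (assumed paths):
# Import-RegIntoOfflineProfile -ProfilePath 'C:\Users\jdoe' -RegFile 'C:\fixes\wordperfect-good.reg'
```

The script deliberately uses reg.exe rather than the HKLM: provider for the load and unload: the PowerShell provider keeps key handles open behind the scenes, and an open handle is the usual reason reg unload reports that the hive is in use.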

  • Correcting permissions

A little-known fact about the registry is that you can set different security levels on keys. Users have full control of their own settings. It is not likely they will make changes. It is still good to know that if someone sets part of their registry to read-only, we can load their profile and correct the problem. This is an important point to know for a future post 🙂

Remove network printer queue by batch script

For some reason, Group Policy Preferences isn’t removing some old printer queues from user machines for me. (I converted over to using simple queue names, compared to the previous method where the queue name contained the printer model. It makes them shorter for staff and really eases management. Now when a printer is replaced, I change the driver. That’s it. No queue name to change. No policy to update.)

I searched around and didn’t find much on how to force remove a queue so I made my own.

This method is for removing queues stored in the user profile. You can find the ones you have listed under HKEY_CURRENT_USER\Printers\Connections.

Click on the queue key in this location and export it to be able to copy the long name quickly, e.g. HKEY_CURRENT_USER\Printers\Connections\,,SERVERNAME,Basement_Copier

Please note that HKEY_CURRENT_USER is abbreviated to HKCU in the script.

The script will look for the queue name and remove it from the registry. To make it disappear from Devices and Printers, the spooler needs to restart. I test the exit code of the reg delete to make sure we don’t restart the spooler for nothing.

@Echo off

REM Remove the queue from the user's profile; /f suppresses the confirmation prompt.
REM Output and error text are silenced; only the exit code matters below.
reg delete "HKCU\Printers\Connections\,,SERVERNAME,QUEUENAME" /f >Nul 2>&1

REM If the entry was NOT found (reg delete exits with 1), skip the spooler restart
IF ERRORLEVEL 1 GOTO EOF

REM Restart the spooler so the device disappears from Devices and Printers
net stop spooler && net start spooler

:EOF
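Where several stale queues point at the same server, it is handy to remove them by pattern rather than one batch file per queue. The PowerShell below is an added example, not the batch file from this post, and it generalizes it: it walks HKCU\Printers\Connections, removes every key matching ,,SERVER,QUEUE (with * allowed in the queue name), and restarts the spooler only if something was actually removed, the same check the batch file makes with ERRORLEVEL. The function name and the server and queue names are assumptions.

```powershell
# Added example, not the post's batch file: remove per-user printer connections from
# HKCU\Printers\Connections by server (and optionally queue) and restart the spooler
# only when a key was actually removed. Function name and sample names are assumptions.
function Remove-UserPrinterConnection {
    param(
        [Parameter(Mandatory)] [string]$Server,   # print server name, e.g. SERVERNAME
        [string]$Queue = '*'                      # one queue name, or * for every queue on that server
    )
    $base = 'HKCU:\Printers\Connections'
    if (-not (Test-Path $base)) { return @() }

    # Connection keys are named ,,SERVER,QUEUE, the same form the post exports from regedit.
    # -like is case-insensitive, which matches how Windows treats server and queue names.
    $pattern = ",,$Server,$Queue"
    $removed = @()
    foreach ($key in Get-ChildItem -Path $base) {
        if ($key.PSChildName -like $pattern) {
            Remove-Item -Path $key.PSPath -Recurse -Force
            $removed += $key.PSChildName
        }
    }
    return $removed
}

# Constructed sample call: one named queue on one server
$gone = @(Remove-UserPrinterConnection -Server 'SERVERNAME' -Queue 'Basement_Copier')

if ($gone.Count -gt 0) {
    # Same logic as the batch file's ERRORLEVEL check: only bounce the spooler when a
    # queue was removed. Restarting a service needs an elevated session on a default install.
    Restart-Service -Name Spooler
    "Removed: $($gone -join ', ')"
} else {
    "No matching queue; spooler left alone"
}
```

Running it with -Queue '*' clears every connection to a server that has been decommissioned, which is the case Group Policy Preferences tends to leave behind.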

Sync Center is my Khann!!! Fixing gray x’s

I have a love/hate relationship with Sync Center.

I have found a need to use it with laptop clients where folder redirection is in place. MS Word for some reason really wants to talk to My Docs, and if it can’t get there (when the laptop is taken home), it throws up a normal.dot error.
The workaround I found was to use Sync Center to fool Word into seeing My Docs.
Now, having tried to move away from Sync Center (and turning it off via policy), some clients have gotten stuck where their home drive now has gray X’s on it.
The quick fix for that is the following:
A value needs to be created in the registry at the location below:
A value needs to be created in the registry at the location below:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache


Create a new DWORD value called FormatDatabase and set it to 1.

Reboot the system and all will be well.

For anyone who may want to view Sync Center files (and you should use the Sync Center app), you can go to C:\Windows\CSC.

Note: you will have to take ownership, and this can take a long, long time.