I can't shed much light on the specifics, but on my 64 bit Win7 machines, this 
worked as expected.  With a default of restricted, users (admins included) were 
not able to run anything that had not been whitelisted.

Matthew Topper

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Klaus Hartnegg
Sent: Wednesday, March 4, 2015 11:31 AM
To: [email protected]
Subject: [NTSysADM] Software Restriction Policy in Win7-64 broken?

Software Restriction Policy (SRP) in Win7-64 behaves different than in
Win7-32 or WinXP-32 (I'm using SRP in whitelisting mode, default level is 
restricted).

SRP allows to choose whether it should affect everybody, or everybody except 
admins. In 32bit this does have the expected effect. But in 64bit administrator 
always are allowed to run executables everywhere, regardless of SRP settings. 
Is SRP broken in 64bit Windows?

Also there is an option whether SRP should affect all except DLLs, or really 
all software. In Win7-64 with DLLs specifically excluded from SRP, every user 
gets on the first login the error message that MSOE.DLL cannot be loaded. Why? 
SRP is told to not not restrict DLLs, and that DLL is in a directory that is 
specifically allowed.

I did find a solution to the second problem: remove these registry keys:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed 
Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed 
Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}

But the first issue makes me wonder whether SRP can be trusted any more, or 
maybe we must switch to AppLocker?

Klaus



Reply via email to