On Wed, Jun 28, 2017 at 9:50 AM, Joseph L. Casale <[email protected] > wrote:
> Without digging into docs, I imagine your use of /force was the problem as
> you state the policy was successfully applied at boot. Read up on /force
> and /sync and the ramifications, good info…

No, /force does it. I was wrong, earlier. Have now applied it to 3 test servers using "gpupdate /force", and all seems well.

> *From:* [email protected] [mailto:listsadmin@lists.myitforum.com] *On Behalf Of* Michael Leone
> *Sent:* Wednesday, June 28, 2017 7:40 AM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] Using GPP to fight Petya
>
> On Wed, Jun 28, 2017 at 9:23 AM, Kennedy, Jim <[email protected]> wrote:
>
> I will ground my son who wrote that. It should be ‘replace’. That will
> create it or replace it.
>
> OK, I will change that option ...
>
> Now, why you are not seeing it in gpresult I dunno. You ran the gpresult
> as a local admin?
>
> I did. I rebooted (luckily it's a test server), and the file showed up.
> Even though I had done a "gpupdate /force /target:computer", specifically
> to avoid rebooting ...
>
> There are other test VMs in that same OU, I will check those ...
>
> BTW, lot of other sites recommend creating a file "perfc" (no extension),
> and this page recommends "perfc.dat". Perhaps I should create both, just to
> be sure ...
>
> *From:* [email protected] [mailto:listsadmin@lists.myitforum.com] *On Behalf Of* Michael Leone
> *Sent:* Wednesday, June 28, 2017 9:13 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] Using GPP to fight Petya
>
> So I'm confused. Looking at this page:
>
> https://www.binarydefense.com/petya-ransomware-without-fluff/
>
> Shows using GPP to create a file "c:\windows\perfc.dat". Apparently, if
> this file exists, the malware stops (yes, I know that there will be a
> variant Real Soon Now that avoids this).
>
> So I made this change:
>
> Computer\Preferences\Windows Settings\Files
>
> And followed the web page ("update", copy windowsupdate.log to
> "c:\windows\perfc.dat", make it read-only). Did all this on a testing GPO I
> keep around for this purpose.
>
> Doing Group Policy Modeling Wizard, I see this being applied as a setting
> to my test VM. Yet when I go and look in c:\windows, I don't see the
> file. Nor do I see that setting in "gpresult /r /v".
>
> What have I done wrong?
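
Added example, not part of the original thread: a PowerShell check that the two marker files discussed above ("perfc" and "perfc.dat") actually landed on each server and are read-only, instead of inspecting c:\windows by hand after each gpupdate. The host names are placeholders, and the script assumes the ADMIN$ share (which maps to the Windows directory) is reachable with your credentials.

```powershell
# Added example: audit the GPP-deployed marker files across a set of servers.
# Assumptions: ADMIN$ on each host maps to the Windows directory and is
# reachable; the computer names used at the bottom are placeholders.
function Test-PerfcMarker {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Both names mentioned in the thread: with and without the extension.
        [string[]]$FileName = @('perfc', 'perfc.dat')
    )

    foreach ($computer in $ComputerName) {
        foreach ($name in $FileName) {
            # Single-quoted format string keeps the "$" in ADMIN$ literal.
            $path = '\\{0}\ADMIN$\{1}' -f $computer, $name
            $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue

            $readOnly = $false
            if ($item) {
                # Attributes works for files and directories alike.
                $readOnly = [bool]($item.Attributes -band [System.IO.FileAttributes]::ReadOnly)
            }

            [pscustomobject]@{
                ComputerName = $computer
                File         = $name
                Exists       = [bool]$item
                ReadOnly     = $readOnly
            }
        }
    }
}

# List only the hosts where a marker is missing or still writable.
Test-PerfcMarker -ComputerName 'TESTSRV01', 'TESTSRV02', 'TESTSRV03' |
    Where-Object { -not ($_.Exists -and $_.ReadOnly) } |
    Format-Table -AutoSize
```

A host that is offline or blocks the share is reported the same way as a missing file, so treat an all-False row for one server as "unreachable or not applied" and check it directly.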

