Executing virtualized cmd.exe in environment with GPO's applied.

  • Question

  • Hello, I need to run some applications in the bubble using bat files to launch the application. I have restricted the use of shell commands and the registry editor by GPO for the user, and when I try to run the virtualized cmd, the message "The administrator has disabled symbol system." is shown.
    I have introduced a change in the OSD file for the virtual environment:
    <REGISTRY>
    <REGKEY HIVE="HKCU" KEY="Software\Policies\Microsoft\Windows\system">
    <REGVALUE REGTYPE="REG_DWORD" NAME="DisableRegistryTools">0</REGVALUE>
    </REGKEY>
    </REGISTRY>

    but it doesn't work. It continues without running CMD. Is there any way to run cmd.exe from the virtual environment? I need to run it without modifying the GPO, and only for those applications that need it.

    Monday, April 20, 2009 12:55 PM


All replies

  • hello,

    I found the net link. So it's possible to run a CMD from a stream.

    This is the link I found:

    I am not sure, but I think that you need to do some modification because you are in a lockdown environment.

    Monday, April 20, 2009 1:34 PM
  • Hello,

    Most likely it's an issue with the fact that CMDs are locked down...

    How Group Policies are applied you can read here:

    Now, I am not quite sure in which order GPOs, reg-values in the OSD or scripting is executed, but perhaps you could find a way to apply "override" for the group-policy? (meaning that it will be applied after the GPO is read by the bubble...)

    Monday, April 20, 2009 1:39 PM
  • Hello,
    I tested with a pre launch stream protected environment and it does not work either. I think that policies take precedence over the virtual environment. I have also applied for whitelisted executables and a virtualized application will not start if not on the list.
    Any idea? I'm beginning to think that implemented App-V security does not escape policies, even in virtual environment.

    Monday, April 20, 2009 5:54 PM
  • You are correct, App-V does not bypass Group Policy. The above article no longer applies in 4.5; the local RSOP will be picked up by the applications.
    Tuesday, April 21, 2009 2:50 PM
  • Thanks, do you know of any article that explains it?
    Tuesday, April 21, 2009 8:04 PM
  • Here's a new article explaining the GPO behaviour in 4.5:


    btw, it would have been nice to have this sort of thing documented somewhere. It's over half a year after RTM and this is the first time I heard there's this kind of change.

    • Proposed as answer by znack Friday, April 24, 2009 8:21 AM
    • Marked as answer by Aaron.ParkerModerator Saturday, November 17, 2012 3:38 PM
    Friday, April 24, 2009 6:08 AM
  • Hi,

    I think the way to force MSFT to publish such information is (for us) to simply publish wrong information here - At least this worked (accidentally) for the GPO stuff ;-)

    Friday, April 24, 2009 8:15 AM
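
The thread concludes that App-V 4.5 does not bypass Group Policy, so it is useful for a packaging or security team to know which OSD files carry registry entries under policy keys, like the fragment in the question. The following is an added example, not from the thread or from Microsoft: a Python audit that lists such entries. The sample OSD, the elements wrapped around REGISTRY, and the function names are assumptions; REGKEY and REGVALUE with their attributes are taken from the question.

```python
import xml.etree.ElementTree as ET

# Registry branches (relative to the hive) where Group Policy settings are stored.
POLICY_PREFIXES = (
    r"software\policies",
    r"software\microsoft\windows\currentversion\policies",
)

# Constructed sample modeled on the fragment in the question; not a real package.
# The SOFTPKG/IMPLEMENTATION/VIRTUALENV wrapper is an assumption.
SAMPLE_OSD = r"""<SOFTPKG NAME="Example">
  <IMPLEMENTATION>
    <VIRTUALENV>
      <REGISTRY>
        <REGKEY HIVE="HKCU" KEY="Software\Policies\Microsoft\Windows\system">
          <REGVALUE REGTYPE="REG_DWORD" NAME="DisableRegistryTools">0</REGVALUE>
        </REGKEY>
        <REGKEY HIVE="HKCU" KEY="Software\Example\Settings">
          <REGVALUE REGTYPE="REG_SZ" NAME="Mode">batch</REGVALUE>
        </REGKEY>
      </REGISTRY>
    </VIRTUALENV>
  </IMPLEMENTATION>
</SOFTPKG>"""


def is_policy_key(key):
    """True if the key path is at or below a Group Policy registry branch."""
    k = key.strip().strip("\\").lower()
    return any(k == p or k.startswith(p + "\\") for p in POLICY_PREFIXES)


def find_policy_overrides(osd_text):
    """Return (hive, key, name, type, data) for each REGVALUE under a policy key."""
    root = ET.fromstring(osd_text)
    findings = []
    for regkey in root.iter("REGKEY"):
        key = regkey.get("KEY", "")
        if not is_policy_key(key):
            continue
        for val in regkey.findall("REGVALUE"):  # direct children only
            findings.append((regkey.get("HIVE", ""), key, val.get("NAME", ""),
                             val.get("REGTYPE", ""), (val.text or "").strip()))
    return findings


if __name__ == "__main__":
    for finding in find_policy_overrides(SAMPLE_OSD):
        print("policy key written by OSD:", *finding)
```
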