can't create the key for DisallowRun

    Question

  • Hello.

    I am trying to use the DisallowRun method for restricting web browsers on certain computers. I can create the disallow run *value* in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, and I can create a subkey (New Key #1) in the same key to create the values for the various browsers to restrict, but I am unable to name that subkey *DisallowRun* as the documentation that I've seen says it needs to be named. When I try to do it in the registry editor, I get an error saying the key cannot be renamed (although I can rename it to other names), and when I try to do it in Notepad, I get an error saying "Cannot import \\sharepath\file.reg: Error accessing the registry".

    If I change the key name, however, the import is successful (for example [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun2]
     "1"="iexplore.exe").

    Any ideas why I am prevented from creating the specific key name that Microsoft says the key needs to be? Is there some other policy setting that allows/disables the ability to make this key in the first place?

    Wednesday, February 25, 2015 3:00 PM

Answers

  • > must be affecting the ability to create this specific sub key on the
    > workstation. Anyone know what settings would affect this specific key?
     
    Policies don't control specific keys - the culprit MUST be a piece of
    software. Grab a copy of Sysinternals' Process Monitor and check which
    process interferes with your key :)
     

    Martin

    • Marked as answer by lavinrc Thursday, February 26, 2015 1:49 PM
    Thursday, February 26, 2015 9:10 AM
  • Ok, that was it. Process Monitor showed me that McAfee was firing at the same time as the ACCESS DENIED entry for the attempted registry change. Disabling McAfee allowed the change to go through and then IE would not open.

    Thanks for the advice Martin!!

    Thursday, February 26, 2015 1:51 PM

All replies

  • > that subkey *DisallowRun* as the documentation that I've seen says it
    > needs to be named. When I try to do it in the registry editor, I get an
    > error saying the key cannot be renamed (although I can rename it to
     
    I verified (on 2012R2), and I had no problem doing so. I can create
    DisallowRun, can create values, can rename and delete, all without issues.
     
    Do you have special security software on your computers?
     

    Martin

    Wednesday, February 25, 2015 4:08 PM
  • Nope. Just GPOs and McAfee Enterprise on a Windows 7 Enterprise workstation.

    Wednesday, February 25, 2015 8:33 PM
  • A follow-up: I logged into one of the servers (2008R2) and was able to create the correct sub key, so it leads me back to thinking that some other policy must be affecting the ability to create this specific sub key on the workstation. Anyone know what settings would affect this specific key?
    Wednesday, February 25, 2015 9:49 PM
  • > Ok, that was it. Process Monitor showed me that McAfee was firing at the same time as the ACCESS DENIED entry for the attempted registry change. Disabling McAfee allowed the change to go through and then IE would not open.

    Hi lavinrc,

    Also thanks for sharing your solution in the forum. This will help others who face the same scenario resolve the issue quickly. Your time and efforts are highly appreciated.

    Best regards,

    Justin Gu


    Monday, March 02, 2015 6:25 AM
    Moderator
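
The registry layout described in the question, written as a PowerShell script that surfaces the access-denied failure and reads the values back after writing. This is an added example, not part of the original thread; the function name `Set-DisallowRunList` is hypothetical, the blocklist is a constructed sample, and the `DisallowRun` switch is assumed to be a DWORD set to 1.

```powershell
# Added example: per-user DisallowRun policy with explicit failure reporting.
# Set-DisallowRunList is a hypothetical helper name, not a built-in cmdlet.
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey     = "$explorerKey\DisallowRun"

function Set-DisallowRunList {
    param([Parameter(Mandatory)][string[]]$Executables)
    try {
        # Create the parent key if it is missing; -ErrorAction Stop makes failures catchable.
        if (-not (Test-Path $explorerKey)) {
            New-Item -Path $explorerKey -Force -ErrorAction Stop | Out-Null
        }
        # The DisallowRun *value* switches the restriction on (assumed DWORD 1).
        New-ItemProperty -Path $explorerKey -Name 'DisallowRun' -Value 1 -PropertyType DWord -Force -ErrorAction Stop | Out-Null

        # The DisallowRun *subkey* holds the list; rebuild it so stale entries do not linger.
        if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force -ErrorAction Stop }
        New-Item -Path $listKey -ErrorAction Stop | Out-Null
        for ($n = 1; $n -le $Executables.Count; $n++) {
            # Entries are string values named "1", "2", ... as in the question's .reg file.
            New-ItemProperty -Path $listKey -Name "$n" -Value $Executables[$n - 1] -PropertyType String -Force -ErrorAction Stop | Out-Null
        }
    }
    catch {
        # In the thread this failure came from endpoint security software, not a policy.
        Write-Warning "Registry write failed under $explorerKey : $($_.Exception.Message)"
        Write-Warning 'Filter Process Monitor on this path and look for ACCESS DENIED to see what fires at that moment.'
        return $false
    }

    # Read the list back so a silently reverted write is also detected.
    $key = Get-Item -Path $listKey
    for ($n = 1; $n -le $Executables.Count; $n++) {
        if ($key.GetValue("$n") -ne $Executables[$n - 1]) { return $false }
    }
    return $true
}

# Constructed sample list; the thread itself only names iexplore.exe.
if (Set-DisallowRunList -Executables @('iexplore.exe')) {
    'DisallowRun list written and verified.'
}
```

Run it in the affected user's session, since the key lives under HKEY_CURRENT_USER. The restriction applies to programs started through Windows Explorer.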