Software Restriction Policy not allowing Program Files directory on 64-bit machines

    Question

  • I've created a new software restriction policy. My default security level is set to "Disallowed", and I have the standard built-in allowed locations:

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

    and I added another exemption for the C:\Program Files (x86) directory:

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%

    However, on my 64-bit machines, there are still programs being blocked in C:\Program Files:

    C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe

    C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe

    These same programs are not being blocked on my 32-bit machines, but the same policy is being applied to both and the programs are installed in the same locations on both.

    I checked the registry on one of the 64-bit machines, and the default registry key exemption specified above:

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

    does exist on the 64-bit machine and it is set to C:\Program Files, exactly like the 32-bit machines. So why are programs still being blocked here?


    Shaun

    Friday, February 13, 2015 3:28 PM

All replies

  • Hi Shaun,

    >>on my 64-bit machines, there are still programs being blocked in C:\Program Files:

    Before going further, are all the applications under the path unable to run, or just some of them? Also, when you run the applications mentioned above, does it indicate that they are blocked by Group Policy? Here, we can run the command gpresult /h gpreport.html with administrative privileges to collect a Group Policy result report and check whether this is caused by some other GPOs.

    Best regards,

    Frank Shen




    Monday, February 16, 2015 8:27 AM
    Moderator
  • I don't know if it's all the applications; I ended up adding an exception for "C:\Program Files" and that seems to have resolved the issue. Yes, there is an Application Error 865 every time a program is blocked, which is how I first learned that programs in that directory were being blocked.

    Shaun


    Monday, February 16, 2015 6:21 PM
  • Still having issues with white-listed programs not running. This program is continually being blocked:

    C:\Users\<username>\AppData\Local\Google\Update\GoogleUpdate.exe

    When I run the Group Policy Wizard to see the paths that are white-listed on the machine, it reports the following locations with a security level of "unrestricted":

    C:\Users\%USERNAME%\AppData\Local\Google\Update\GoogleUpdate.exe

    %LOCALAPPDATA%\Google\Update\GoogleUpdate.exe

    Why is this program being blocked?


    Shaun

    Thursday, February 19, 2015 3:38 PM