How to configure Software Restriction Policy in Windows 2008 Group Policy to allow Windows 7 to load MSOE.DLL?

  • Question

  • Problem:

    There is a Windows 2008 R2 Active Directory Domain. I have configured a software restriction group policy which is applied at computer OU with the following settings:

    Security Level : Disallowed (Software will not run, regardless of the access rights of the user.)

    Additional Rules have also been configured as follows for unrestricted applications:

    1. %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    2. %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\*.exe
    3. %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\System32\*.exe
    4. %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%
    5. %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

    Now, after a Windows 7 Professional computer starts and a user enters the login credentials, the error comes up as Windows is coming up: the Personalized Settings box opens, "Setting personalized settings for Microsoft Windows Mail", and once logged in the user gets the following error message before getting the desktop:

    "windows mail could not start because MSOE.DLL could not be loaded"

    If I click OK on this message, then the desktop will load without any problem. The other interesting thing is that when this user logs off and then logs in to the same computer again, this error message doesn't show and the desktop loads without any issue. So it appears that this message only comes up when a new user logs in to the Windows 7 workstation for the first time.

    PS: If I disable the software restriction group policy, then this error doesn't come up.

    As MSOE.DLL file is under the path "C:\Windows\winsxs" on Windows 7, so I have tried by adding the following Additional Rules for unrestricted applications in the group policy but it didn't resolve the issue:

    1. %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\winsxs
    2. %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\winsxs\*.dll
    3. %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\winsxs\amd64_microsoft-windows-mail-core-dll_31bf3856ad364e35_6.1.7600.16385_none_b473b32d3efb2953\*.dll
    4. %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\winsxs\amd64_microsoft-windows-mail-core-dll_31bf3856ad364e35_6.1.7600.16543_none_b49cf6153edc812f\*.dll
    5. %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%\winsxs\amd64_microsoft-windows-mail-core-dll_31bf3856ad364e35_6.1.7600.20659_none_b521c4b057fcd4f4\*.dll

    Can anyone please help with what rule I should configure in group policy to resolve this issue?


    Liaqat
    Monday, December 6, 2010 7:40 PM

All replies

  • Hi,

    Please create a rule for the path "C:\Windows\winsxs" directly. It should look like:

    C:\Windows\winsxs Path Unrestricted

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, December 7, 2010 7:48 AM
  • Hi Mervyn,

    I have tried the rule with the path "C:\Windows\winsxs" as advised, but it didn't resolve the issue.

    Any other advice, please?

    Thanks,


    Liaqat
    Tuesday, December 7, 2010 5:47 PM
  • Hi,

    In order to find out the failure point, let’s use Process Monitor to trace the process:

    Process Monitor
    http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx   

    Download it into an allowed folder and run it. Click the File menu, check Capture Events, and try to reproduce this error; when the error occurs, uncheck Capture Events again. Export the events to Logfile.PML and upload the file to Windows Live SkyDrive (http://www.skydrive.live.com/). If you would like other community members to analyze the report, you can paste the link here; if not, you can send the link to tfwst@microsoft.com (with this thread title or link in the email. Please don't share documents with this address).

    Thanks.


    • Proposed as answer by D F Thursday, July 12, 2012 2:46 PM
    • Unproposed as answer by D F Thursday, July 12, 2012 2:46 PM
    Wednesday, December 8, 2010 5:43 AM
  • 1. Is SRP configured to process "All software files", including DLLs?

    2. Check the Application event log to see exactly what path/file is blocked.


    MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor
    • Marked as answer by Liaqat Bashir Thursday, December 9, 2010 4:36 PM
    Wednesday, December 8, 2010 8:12 AM
  • 1. SRP is configured as:

    Apply software restriction policies to the following: "All software files except libraries (such as DLLs)"

    2. I have checked the Application event log and found warning event ID 865 with the following three log entries:

    i) Access to C:\Program Files\Windows Mail\WinMail.exe has been restricted by your Administrator by the default software restriction policy.

    ii) Access to \\domain.local\SysVol\domain.local\Policies\{3A32A456-4F48-4F1B-9E59-67B4E3933646}\User\Scripts\Logon\GPOupdate.bat has been restricted by your Administrator by the default software restriction policy level.

    iii) Access to \\domain.local\SysVol\domain.local\Policies\{3A32A456-4F48-4F1B-9E59-67B4E3933646}\User\Scripts\Logon\StaffLogon.bat has been restricted by your Administrator by the default software restriction policy level.

    Resolution:

    Created the following two path rules under the software restriction policy with the "Unrestricted" security level:

    1. C:\Program Files\Windows Mail\WinMail.exe
    2. \\domain.local\SysVol\domain.local\Policies\{3A32A456-4F48-4F1B-9E59-67B4E3933646}\User\Scripts\Logon\

    Thanks to everyone, especially WindowsNT.LV, for the resolution of this issue.


    Liaqat
    • Marked as answer by Liaqat Bashir Thursday, December 9, 2010 4:36 PM
    Thursday, December 9, 2010 4:35 PM
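
The event-log check that located the blocked files can be scripted. The following is an added example, not part of any post in this thread: it pulls the blocked path out of event ID 865 messages and shows the folder a path rule would have to cover. The function name `Get-SrpBlockedPath`, the sample messages and the `{GPO-GUID}` placeholder are constructed for illustration.

```powershell
# Added example, not from the thread. Event ID 865 and the message wording
# come from the log entries quoted above; the sample messages are constructed.
function Get-SrpBlockedPath {
    param([Parameter(ValueFromPipeline = $true)][string]$Message)
    process {
        if ($Message -match 'Access to (?<path>.+?) has been restricted') {
            $path = $Matches['path']
            # Network scripts (SYSVOL) and local binaries need separate rules.
            $location = 'Local'
            if ($path.StartsWith('\\')) { $location = 'UNC' }
            [pscustomobject]@{
                Path     = $path
                Location = $location
                # A path rule on the containing folder covers every file in it,
                # as the Logon script folder rule in the resolution does.
                Folder   = [System.IO.Path]::GetDirectoryName($path) + '\'
            }
        }
    }
}

# Constructed sample messages in the format shown in the thread.
$sample = @(
    'Access to C:\Program Files\Windows Mail\WinMail.exe has been restricted by your Administrator by the default software restriction policy level.',
    'Access to \\domain.local\SysVol\domain.local\Policies\{GPO-GUID}\User\Scripts\Logon\StaffLogon.bat has been restricted by your Administrator by the default software restriction policy level.'
)
$sample | Get-SrpBlockedPath | Format-List

# On an affected workstation, feed it the real events instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865 } |
#     ForEach-Object { $_.Message } | Get-SrpBlockedPath |
#     Sort-Object Path -Unique
```
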
  • Should note:

    • C:\Program Files\Windows Mail\WinMail.exe - in SRP works!
    • %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%Windows Mail\WinMail.exe - DOES NOT WORK!

    But it should. Why not?! Because WinMail is a "dual-face" program: it launches the 32-bit WinMail from C:\Program Files (x86)\Windows Mail\WinMail.exe, and after that the 64-bit one from C:\Program Files\Windows Mail\WinMail.exe is launched. But!

    SRP is subject to the Windows registry redirection feature, so on a 64-bit system a 32-bit program doesn't get

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% pointing to "C:\Program Files"; instead it points (under a 32-bit program) to "C:\Program Files (x86)".

    So THE CORRECT way to get it to work is to have BOTH Unrestricted SRP Path rules (of course, I mean a 64-bit system):

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir%

    Duh!





    • Edited by D F Friday, August 17, 2012 9:34 PM
    • Proposed as answer by Robert Rostek Thursday, October 11, 2012 1:24 PM
    Thursday, July 12, 2012 2:50 PM
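
The registry redirection described in the post above can be checked on a given machine by reading the same values through both registry views. This is an added example, not code from the thread: the function name `Get-ProgramDirsByView` is hypothetical, and it assumes PowerShell 3.0 or later (.NET 4), which provides `RegistryKey.OpenBaseKey`.

```powershell
# Added example, not from the thread. Reads the values that SRP registry path
# rules reference, once per registry view, so the per-bitness difference
# described above is visible. On a 32-bit OS both views return the same data.
$subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
$names  = 'ProgramFilesDir', 'ProgramFilesDir (x86)', 'ProgramW6432Dir'

function Get-ProgramDirsByView {
    foreach ($view in 'Registry64', 'Registry32') {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine,
            [Microsoft.Win32.RegistryView]$view)
        try {
            $key = $base.OpenSubKey($subKey)
            foreach ($n in $names) {
                [pscustomobject]@{
                    View  = $view              # which process bitness sees this
                    Value = $n
                    Data  = $key.GetValue($n)  # $null if the value is absent
                }
            }
            $key.Dispose()
        }
        finally {
            $base.Dispose()
        }
    }
}

$rows = Get-ProgramDirsByView
$rows | Format-Table -AutoSize

# Every distinct directory that appears in either view is a location that
# 32-bit or 64-bit processes treat as "Program Files"; the Unrestricted
# path rules have to cover all of them.
$rows | Where-Object { $_.Data } |
    Select-Object -ExpandProperty Data -Unique
```
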
  • So THE CORRECT way to get it to work is to have BOTH Unrestricted SRP Path rules (of course, I mean a 64-bit system):

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir%

    Duh!

    Thanks a million, that just saved my issues too. A way better solution than to work around with hardcoded paths!


    Thursday, October 11, 2012 1:25 PM