System administration
ju5tas, 2014-12-12 18:10:12

The program launch restriction policy does not work in some cases. Is it possible to fix this?

On a computer with Windows 7 Pro 64-bit, I set the following security policy settings:

Software Restriction Policies
  Apply Software Restriction Policy: to all program files except libraries (such as DLLs)
  Apply Software Restriction Policy to: All users
  When applying Software Restriction Policies: Ignore certificate rules
Software Restriction Policies/Security Levels
  Security level by default: Disabled
Software Restriction Policies/Additional Rules
  Path Rules
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    Security Level: Unrestricted
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
    Security Level: Unrestricted
    C:\Program Files (x86)
    Security Level: Unrestricted

The value of %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% is C:\Program Files
I rebooted the computer; the policy was applied and, at first glance, works fine.
But I noticed:
  1. Avast antivirus won't start on boot.
  2. If you open Chrome, download an archive and try to open it from Chrome's downloads, this message appears: "This program has been blocked by group policy. For more information, contact your system administrator."

The log says: "Access to C:\Program Files\7-Zip\7zFM.exe has been restricted by the administrator using the default program restriction policy level."
The launch of the antivirus is registered in: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Can I make the antivirus run, and the archiver from Chrome too? Excel files open perfectly from Chrome in the same way, but archives do not.
UPD: Launched separately, both the antivirus and the archiver start.
If the antivirus is set to autoload through a shortcut in the Autoload folder, then it also starts, but not through the registry in Wow6432Node. Although it starts on a 32-bit machine with the same policies, the autoload of the antivirus is not registered there in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run and in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

2 answer(s)
ju5tas, 2014-12-13
@ju5tas

Found a solution.
If the parent application (in our case, Chrome) is 32-bit, then all applications launched from it are checked as if they were 32-bit.
To solve this, add the following to the allowed paths:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir%
You can read more here.
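
Added example, not part of ju5tas's answer or the original thread: a PowerShell check that resolves the registry path rules from the question and from the fix in both the 64-bit and the 32-bit (WOW64) registry view, then reports whether the blocked 7zFM.exe path is covered. The prefix match is a simplified stand-in for SRP path matching, and the function names are hypothetical.

```powershell
# Added diagnostic, not code from the thread. Needs PowerShell 3.0+ (.NET 4) for
# RegistryView; on stock Windows 7 (PowerShell 2.0) compare "reg query" output
# with /reg:64 and /reg:32 instead.
$cv       = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
$original = @(
    @{ Key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'; Value = 'SystemRoot' },
    @{ Key = $cv; Value = 'ProgramFilesDir' }
)
# Registry path rules added by the fix in the answer above.
$fix = @(
    @{ Key = $cv; Value = 'ProgramFilesDir (x86)' },
    @{ Key = $cv; Value = 'ProgramW6432Dir' }
)
$literal = 'C:\Program Files (x86)'            # fixed path rule from the question
$target  = 'C:\Program Files\7-Zip\7zFM.exe'   # blocked path from the log message

function Resolve-RegistryPathRule {
    param([hashtable]$Rule, [Microsoft.Win32.RegistryView]$View)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $hklm.OpenSubKey($Rule.Key)
        if ($null -eq $key) { return $null }   # key missing in this view
        try { return $key.GetValue($Rule.Value) } finally { $key.Close() }
    } finally { $hklm.Close() }
}

# Simplified stand-in for SRP path matching: case-insensitive directory prefix.
function Test-PathCovered {
    param([string]$Path, [string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not $root) { continue }           # rule did not resolve
        $prefix = $root.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$views = @([Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32)
foreach ($view in $views) {
    foreach ($name in 'original', 'with fix') {
        $rules = if ($name -eq 'original') { $original } else { $original + $fix }
        $roots = @($rules | ForEach-Object { Resolve-RegistryPathRule $_ $view }) + $literal
        [pscustomobject]@{
            View = $view; RuleSet = $name
            Roots = ($roots | Where-Object { $_ } | Sort-Object -Unique) -join '; '
            TargetCovered = Test-PathCovered $target $roots
        }
    }
}
```

On a default 64-bit Windows install, the 32-bit view returns C:\Program Files (x86) for ProgramFilesDir, so the Registry32 row for the original rule set is the one to compare against the log message.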

Alexander Kovpashko, 2014-12-13
@sainttechnik

Regarding the antivirus: run it manually using the path specified in the autorun entry and look at the log. Think about what's wrong, or post the log output here.
Regarding the browser: is the archive self-extracting, by any chance? Does C:\Program Files\7-Zip\7zFM.exe run when started manually?
