Override Group Policy When Debugging Applications

Posted on by
Reply

Every now and then when I’m debugging an application in a production environment, I need to override various configurations such as proxies and browser security settings etc. so I can figure out what the heck is going on!

These settings are generally locked down via Group Policy. So this blog aims to document a few registry tweaks that will enable us to override Group Policy when debugging applications. Remember that these changes will only persist temporarily until Group Policy refreshes at the next interval, but they should provide us with a window of opportunity to debug our application!

Viewing the Registry of the Current User

Before we discuss any registry tweaks, it’s important (in the case of current user registry) to make sure you are viewing the correct registry data!

Typically, most organisations will disable regedit by default for standard users (“Registry editing has been disabled by your administrator”). And to run regedit you will no doubt have to run regedit under the context of another elevated user account.

What this means is that when you view the HKCU hive in the registry, it will be the current user registry of the elevated user account running regedit and not the logged in user account!

To circumvent this, we we need to find the security identifier (SID) of the current logged in user. To do this we search through the subkeys in the following location to find the correct profile:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Read the ProfileImagePath value under each subkey, and when we see the username of the logged in user, the SID for the user account is the name of the registry subkey itself and will typically start with ‘S-1-5-21’:

Now that we know the SID for the logged in user, we have 2 options. The first option is to enable regedit for standard users. This way you can then launch regedit as the logged in user (as opposed to running it as an elevated account), and the HKCU registry you see under HKCU will be for the current user.

Set this registry value, then close regedit and re-launch regedit as the logged in user.

HKEY_USERS\{SID}\Software\Microsoft\Windows\CurrentVersion\Policies\System 
DisableRegistryTools
REG_DWORD 0

Option 2 is just to continue navigating HKEY_USERS to make changes to the current user registry from an elevated account.

Override Group Policy When Debugging Applications

You should consider that the following tweaks might ultimately be in different hives for your organisation (HKLM/HKCU) depending upon whether they have been set as a Computer configuration or a User configuration via Group Policy. I also stumbled upon this resource which can be quite useful to find registry locations too.

Below we will list registry settings that can be used when we want to override Group Policy when debugging applications:

Restricted Apps (delete string values as required)

Sometimes when you launch an application (such as powershell.exe), nothing appears to happen. No error. But it doesn’t launch! Chances are the executable is listed here:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Enable the Command Prompt

Ever seen the message ‘The command prompt has been disabled by your administrator’ message? You can enable the command prompt by changing DisableCMD to 0:

HKCU\Software\Policies\Microsoft\Windows\System
DisableCMD
REG_DWORD 0

Restricted Control Panel applets (delete string values as required)

Similar to the above, sometimes you want to launch a control panel applet such as AppWiz.cpl, so we can view installed programs etc. If it doesn’t launch, chances are it is listed in here:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl

Enable TLS 1.0, 1.1 and 1.2 in browser

Sometimes we may be debugging an application that uses TLS 1.0. Of course, this should really be disabled nowadays. To temporarily debug it we can enable TLS 1.0 like so:

SSL/TLS Version Decimal Hexidecimal
SSL 2.0 8 0x8
SSL 3.0 32 0x20
TLS 1.0 128 0x80
TLS 1.1 512 0x200
TLS 1.2 2048 0x800

The below will enable TLS 1.0, TLS 2.0 and TLS 3.0.

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
SecureProtocols REG_DWORD
2688

Enable ‘Automatic Configuration’ settings under ‘LAN Settings’ in Internet Explorer

You may wish to manually override the current proxy automatic configuration (PAC) file in local area network (LAN) settings. If it is greyed out/disabled, this setting will enable it:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel
Autoconfig REG_DWORD
0

Configure PAC File

We can also override the proxy PAC file directly in the registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
AutoConfigURL REG_SZ 
"https://yourproxy.pac"

And if we want to specify a proxy server directly, we can delete the value above and add:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer REG_SZ "alkaneproxy.local:8080"
ProxyEnable REG_DWORD 1
ProxyOverride REG_SZ <leave blank>