Thursday, February 20, 2003

Policies for the Windows startup management

mad hack

This article describes the System Policies that control application startup in Windows 98/ME/2000/XP.

It covers four system policies governing the startup lists that Windows processes while the system starts up and a user logs on. Each list's values hold the names of documents or applications to launch, and the lists live in the following keys:

  1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  2. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  4. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

A few notes on these lists. The lists in the HKEY_LOCAL_MACHINE hive, as the name implies, apply to the whole system; the HKEY_CURRENT_USER lists are processed only for the user currently logged on. The HKEY_LOCAL_MACHINE lists are processed before the HKEY_CURRENT_USER lists. As the key name says, a document or application registered under "RunOnce" is launched exactly once, whether or not that launch succeeds: the value is deleted from "RunOnce" before the application it names is started.

To avoid repetition, here are the features common to all four policies. All of them apply to Windows 98, ME, 2000 and XP. Their state is stored in a numeric value of type DWORD; on Windows 98/ME a binary value is accepted as well. All the policies are Boolean. For a DWORD value, "1" enables the policy and "0" disables it; for a binary value the corresponding states are "01 00 00 00" and "00 00 00 00". By default none of the policies is enabled, and a missing value in the registry is equivalent to the disabled state. All the values must be stored in the "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" key.

The value holding a policy's state can live in either the HKEY_LOCAL_MACHINE or the HKEY_CURRENT_USER hive. A value in HKEY_LOCAL_MACHINE affects the whole system, whereas a value in HKEY_CURRENT_USER affects only the current user. If the same policy is present in both hives, the value in HKEY_LOCAL_MACHINE takes priority over the one in HKEY_CURRENT_USER.

Disable the LOCAL MACHINE Run list

The state of this policy is stored in the "DisableLocalMachineRun" value. When the policy is enabled, the system ignores the contents of the "Run" list in HKEY_LOCAL_MACHINE.

Disable the LOCAL MACHINE Run Once list

The "DisableLocalMachineRunOnce" value holds the state of this policy. When it is enabled, the system ignores the contents of "RunOnce" in HKEY_LOCAL_MACHINE.

Disable the CURRENT USER Run list

The "DisableCurrentUserRun" value holds the state of this undocumented policy. It prevents the system from processing the contents of the "Run" list in the HKEY_CURRENT_USER hive of the registry.

Disable the CURRENT USER Run Once list

Microsoft does not document this system policy either. Its state is stored in the "DisableCurrentUserRunOnce" value. When the policy is enabled, the system ignores the contents of "RunOnce" in HKEY_CURRENT_USER.
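The following PowerShell script is an added example; it is not part of the original article and not code from Activity and Authentication Analyzer. It reads the four policy values from both hives, applies the precedence rule described above (an HKEY_LOCAL_MACHINE value wins, an absent value means disabled), accepts both the DWORD and the 98/ME binary encoding, and then lists what the governed Run and RunOnce keys currently hold, which is what an incident responder looking for persistence actually wants to see. It assumes an NT-family Windows with PowerShell available; the key and value names are exactly those given in the article, and the function names are the example's own.

```powershell
# Added example, not from the original article: audit the four startup
# policies in both hives, apply HKLM-over-HKCU precedence, and list the
# entries the governed Run/RunOnce keys hold. Assumes an NT-family Windows
# with PowerShell; key and value names are those given in the article.

$policyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$runKey    = 'Software\Microsoft\Windows\CurrentVersion'
$policies  = 'DisableLocalMachineRun', 'DisableLocalMachineRunOnce',
             'DisableCurrentUserRun',  'DisableCurrentUserRunOnce'

# Returns $true (enabled), $false (disabled) or $null (value absent).
# Accepts REG_DWORD (1/0) and the REG_BINARY form used on 98/ME
# (01 00 00 00 / 00 00 00 00); anything non-zero counts as enabled.
function Get-PolicyState {
    param([string]$Hive, [string]$Name)
    $item = Get-ItemProperty -Path "${Hive}:\$policyKey" -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $v = $item.$Name
    if ($v -is [byte[]]) { return (@($v -ne 0).Count -gt 0) }
    return ([int]$v -ne 0)
}

foreach ($name in $policies) {
    $lm = Get-PolicyState -Hive 'HKLM' -Name $name
    $cu = Get-PolicyState -Hive 'HKCU' -Name $name
    # Precedence from the article: an HKLM value wins over an HKCU value,
    # and no value at all means the policy is disabled.
    $effective = if ($null -ne $lm) { $lm } elseif ($null -ne $cu) { $cu } else { $false }
    '{0,-27} HKLM={1,-6} HKCU={2,-6} effective={3}' -f $name, $lm, $cu, $effective
}

# What the lists themselves will launch. HKLM lists run before HKCU lists,
# and a RunOnce value is removed before the program it names is started.
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($list in 'Run', 'RunOnce') {
        $props = Get-ItemProperty -Path "${hive}:\$runKey\$list" -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { '{0}\{1}  {2} = {3}' -f $hive, $list, $_.Name, $_.Value }
    }
}

# Enabling a policy system-wide (needs administrative rights). The policy
# key may not exist until a policy is first set, so create it on demand.
function Enable-StartupPolicy {
    param([string]$Name)
    $path = "HKLM:\$policyKey"
    if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
}
# Example: Enable-StartupPolicy -Name 'DisableLocalMachineRunOnce'
```

Reading the policies needs no special rights; Enable-StartupPolicy writes to HKEY_LOCAL_MACHINE and must be run from an elevated prompt. Note that enabling a policy does not empty the corresponding Run or RunOnce key, so the second loop still shows the entries even when they will be ignored at the next logon.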

The implementation in Activity and Authentication Analyzer

To view or change the state of the above policies in Activity and Authentication Analyzer, follow this path in the left navigation pane:

Computer Administration, then Control Panel, then Windows StartUp, and find in the right-hand list the items corresponding to these policies, named:

  • Disable the CURRENT USER Run list
  • Disable the CURRENT USER Run Once list
  • Disable the LOCAL MACHINE Run list
  • Disable the LOCAL MACHINE Run Once list

Thursday, February 6, 2003

Disable Save Password in Dial-Up Connections

mad hack
This article describes the System Policy that controls password caching for Dial-Up Connections in Windows NT4/2000/XP.

By default, a Dial-Up connection saves the entered password after a successful connection if the "Save password" option in the Dial-Up dialog box is selected. Once saved, the password need not be entered again; it is filled into the corresponding edit box automatically. Users with poor memory, or who simply do not want to strain it, find this caching a definite convenience. But a cached password can be a serious gap in the security of the system and of the network as a whole, and for that reason an administrator may wish to disable caching of Dial-Up passwords.

The policy is represented by the DWORD value "DisableSavePassword", which must be stored in the "SYSTEM\CurrentControlSet\Services\RasMan\Parameters" key of the HKEY_LOCAL_MACHINE hive. When enabled, it disables saving of Dial-Up passwords. The value "1" enables the policy; "0" or a missing value leaves it disabled. Once the policy is enabled, the "Save password" option is hidden and any previously cached passwords are lost.

One last note: the policy applies to Windows NT 4, 2000 and XP.

To view or change the state of the above policy, "Disable Save Password in Dial-Up Connections", in Activity and Authentication Analyzer, follow this path in the left navigation pane:

Computer Administration, then Control Panel, then Passwords, and find in the right-hand list the item corresponding to this policy, named:

  • Disable Save Password in Dial-Up Networking

Friday, January 10, 2003

System Policies for the Windows network passwords caching management

mad hack

This article is dedicated to the System Policies that control network password caching in Windows 95/98/ME.

The problem of password caching, that is, of storing passwords on the local drive and the security threat this creates, appeared in Windows for Workgroups 3.11 and persists in 32-bit Windows. The "*.PWL" files that Windows for Workgroups 3.11 used to store encrypted local copies of the passwords for the network and its resources were carried over into the 32-bit Windows versions 95/98/ME.

Microsoft's implementation of the encryption protecting these passwords was broken several times. A discussion of that is outside the scope of this article, which is devoted to Windows administration; plenty of articles and utilities that defeat this weak cryptographic protection have been published.

These files are created in the folder where Windows was installed, which is also the boot folder; on Windows 9.x/ME this is most likely "C:\Windows". If that folder was renamed, its location can be found together with all the other environment variables by typing "set" at the DOS command prompt: the "windir" variable reveals the path. Passwords are cached to files named USERNAME.PWL, where "USERNAME" is the user name given at logon or when accessing the resource.

In addition, the list of files holding cached password copies is kept in the "System.ini" initialisation file, also stored in the Windows boot directory. A "[Password Lists]" section is created there with lines such as "USERNAME=C:\WINDOWS\USERNAME.PWL", i.e. "User name=full path of the file with the cached passwords". When a user logs on, Windows checks this list of references to the password files. The first eight characters of the user name form the file name; if a file with that name already exists, it is overwritten.
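As an added example (not part of the original article), the PowerShell below parses the "[Password Lists]" section described above and reports, for every entry, whether the referenced *.PWL file exists and whether its name follows the eight-character rule, which is a quick way to spot stale or tampered entries when reviewing a 9.x/ME installation. PowerShell does not run on Windows 9.x/ME itself, so the script assumes you are working on a System.ini and Windows directory copied from such a machine or on a mounted image; the System.ini fragment embedded in it is constructed for illustration and the function name is the example's own.

```powershell
# Added example, not from the original article: parse the [Password Lists]
# section of System.ini and check each referenced *.PWL file. Intended for
# a System.ini and Windows directory copied from a 9x/ME installation (or a
# mounted image); the sample lines below are constructed for illustration.

function Get-PasswordListEntries {
    param([string[]]$IniLines)
    $entries = @()
    $inSection = $false
    foreach ($line in $IniLines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }      # blank or comment
        if ($t -match '^\[(.+)\]$') {                           # section header
            $inSection = ($Matches[1] -eq 'Password Lists')
            continue
        }
        if ($inSection -and $t -match '^([^=]+?)\s*=\s*(.+)$') {
            $user = $Matches[1]; $file = $Matches[2]
            # The file name is the first eight characters of the user name
            # plus .PWL; anything else in the list deserves a closer look.
            $expected = $user.Substring(0, [Math]::Min(8, $user.Length)) + '.PWL'
            $entries += [pscustomobject]@{
                User    = $user
                PwlFile = $file
                NameOk  = ([IO.Path]::GetFileName($file) -eq $expected)
                Exists  = (Test-Path -LiteralPath $file)
            }
        }
    }
    return $entries
}

# Constructed System.ini fragment; the third entry is deliberately odd.
$sampleIni = @'
[boot]
shell=Explorer.exe

[Password Lists]
ALICE=C:\WINDOWS\ALICE.PWL
BOBSMITH=C:\WINDOWS\BOBSMITH.PWL
CHARLIE=C:\WINDOWS\SYSTEM\KEEP.PWL

[386Enh]
device=*vmm32
'@ -split "`r?`n"

Get-PasswordListEntries -IniLines $sampleIni | Format-Table -AutoSize

# On a live machine the same data comes from the real file, in the boot
# directory that the "windir" environment variable names:
# Get-PasswordListEntries -IniLines (Get-Content (Join-Path $env:windir 'System.ini'))
# Get-ChildItem -Path $env:windir -Filter '*.PWL'
```

On the constructed input the first two entries pass the name check and the third fails it (CHARLIE should map to CHARLIE.PWL, not KEEP.PWL); the Exists column depends on whether the files are actually present where the script is run. A *.PWL file present on disk but missing from the list, which the final Get-ChildItem call would reveal, is equally worth a look.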

Microsoft partially addressed the weak encryption with Service Pack 1 for Windows 95 and the updated Windows 95 OSR1 (OEM Service Release 1), which increased the key length from 32 bits to 128.

Windows 9.x and ME can be classed as protection level D under the "Orange Book". On them it is enough to press Esc or click Cancel to bypass the password dialog box, provided the machine is not part of a domain and a mandatory logon check is not required. In Windows 9.x/ME the password is needed to access network resources and is not essential to booting the operating system itself. In other words, they can be classed as systems allowing "open and unrestricted access". The protection of client machines running Windows 9.x/ME cannot even be compared with that of servers. Attackers work from the same "reasonable assumption": attack the clients first, and gain access to the protected resources from there.

As a partial solution to this problem, Microsoft offers the following system policies.

Disable Password Caching

This system policy disables network password caching. When it is enabled, passwords are not cached and the user must enter the password each time a password-protected resource is accessed. By default the policy is disabled.

Its state is a Boolean stored in the "DisablePwdCaching" value of the "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network" registry key. Although MSDN recommends the DWORD type for this value, the policy also works on Windows 95/98/ME with a "DisablePwdCaching" value of binary type. A DWORD value takes "1" and "0"; a binary value takes "01 00 00 00" and "00 00 00 00". The first of each pair stands for the enabled state. A missing value leaves the policy disabled.

This key is in the HKEY_LOCAL_MACHINE hive, so the policy covers the whole system (Local Machine), not just the current user. When it is enabled, the "Change Windows Password" button in the "Passwords" applet of "Control Panel" is disabled, showing that passwords cannot be changed, and the second dialog box for confirming a new password no longer appears.

If persistent connections to password-protected resources exist, then once the policy is enabled the Quick Logon feature of the Microsoft network client can no longer be used effectively: Quick Logon does not verify at logon that all network connections are available but restores them on demand, and without a cached password each such restore requires the password to be entered again.

"Disable Password Caching" does not erase the file list in "System.ini", and the "*.PWL" files also remain; they must be deleted manually if needed.

The enabled policy also affects caching of passwords entered in Internet Explorer forms when AutoComplete is on: the cached passwords are "lost" after a reboot, regardless of the state of the "Prompt me to save passwords" and "User names and passwords on forms" check boxes that control password caching in the browser. These boxes are under "Personal information" on the "Content" page of the browser's "Internet Options (Properties)".

Disable Domain Password Caching

When enabled, this system policy disables caching of the passwords used to access a domain or domain network resources.

It is represented by the numeric "NoDomainPwdCaching" value in the "Network\Logon" key of the HKEY_LOCAL_MACHINE hive. The policy covers the whole system. The value "1" enables it; "0" or a missing value leaves it disabled. By default the value is not present in the registry.

The implementation in Activity and Authentication Analyzer

To view or change the state of the above policy, "Disable Password Caching", in Activity and Authentication Analyzer, follow this path in the left navigation pane:

Computer Administration, then Control Panel, then Passwords, and find in the right-hand list the item corresponding to this policy, named:

  • Disable Password Caching
