Back to 11/96 Analysis: Dialog Box
Up to Table of Contents
Ahead to 11/96 How To: Applications

11/96 How To: Optimizing Windows

Unrestricted Access -- System Policy Editor is Windows 95's security lock. Here's how to pick it.

By John Woram

Click Here to see a 23.5 KB bitmap image of artwork which goes with this article, entitled:
Restriction Roadmap

Click Here to see a 23.0 KB bitmap image of artwork which goes with this article, entitled:
Policy Police

A recent visitor to WINDOWS Magazine's CompuServe forum (GO:WINMAG) revealed he was the victim of an overzealous system administrator: himself. Eager to prevent his children from changing his PC's configuration, he used the System Policy Editor to set up a few restrictions. Before long, he realized he'd imposed too many restrictions. When he tried to deactivate a few of them, he couldn't!

It turns out he had disabled the Start menu's Run box and the Registry Editor itself. As a result, he couldn't get to the Policy Editor to reenable the Run box, nor could he run REGEDIT to fix things. The kids thought this was hysterical. He didn't.

Fortunately, there are ways around the problem, which by no small coincidence are described later in the column. But first, a bit of background on the System Policy Editor. You can find it on the Windows 95 CD-ROM, in the x:\Admin\Apptools\ Poledit folder, where x is the CD-ROM drive letter, and that's a good place to leave it. Rather than copying the System Policy Editor to your hard disk-where someone could access and use it for questionable purposes-keep a System Policy Editor shortcut on your virtual Desktop, and lock the Win95 CD in a drawer under your real desktop.

When System Policy Editor is running, the Policies tab on the Local User Properties sheet displays a list of available Network, Shell and System restrictions. To keep things simple, I'll describe a single-user configuration, in which no opening password is required, and all checked restrictions will be imposed on the computer regardless of who uses it. Then I'll use various illegal (or at least, immoral) means to lift these restrictions, just to show how easy it is to do so. With a bit more effort, restrictions can be imposed on selected users, and with slightly more effort, removed by anyone who doesn't like restrictions. (See Karen Kenworthy's Power Windows column in the July issue for more details on setting up multi-user configurations.)

As each box in one of the restriction groups is checked, the System Policy Editor makes an entry in a subkey under the following Registry key:


The subkeys under the Policies key may be one or more of the following: Explorer (and possibly Explorer\RestrictRun), Network, System or WinOldApp. If the appropriate subkey doesn't already exist, the System Policy Editor will create it, and then write the desired restriction(s) into its Contents pane. Here are a few examples:

NoFind0x00000001 (1)
NoRun0x00000001 (1)
RestrictRun0x00000001 (1)

In the first three examples, the Data column shows a 4-byte double-word (or, dword), in which a single bit is set to 1, thus imposing the restriction whose identity can be guessed by the entry in the Name column. NoRun means just what it says but not always: You can still run any program that already has a shortcut icon on the Desktop, or you can open Explorer and find whatever application you want to run. So, although NoRun may encourage the casual user to go play elsewhere, it won't prevent anyone else from running whatever they want.

That sets the stage for RestrictRun. This entry is written if the Policy Editor's "Only run allowed Windows applications" restriction is checked. When this restriction is activated, a Show button appears at the bottom of the Local User Properties sheet. Click on that button, then enter the name of every application that you wish to run. Applications not on this list won't work. Having done that, the list will be written into the Registry's Explorer\RestrictRun subkey's Contents pane, as shown by the two numbered entries above.

Unless access to the Registry Editor itself has been restricted, any knowledgeable user can simply use Registry Editor to lift whatever restrictions get in his or her way. To compensate, System Policy Editor includes a Disable Registry editing tools check box, which adds a Disable Registry Tools entry to the Registry, thus turning off this tool and preventing anyone from messing with your configuration.

Except for one major catch.

Picking Win95's lock

In last month's column, I wrote an INF file to "install" a nonexistent device and simultaneously remove a list of recently used documents from the Registry. You can use the same general technique to remove restrictions. For example, here's a little INF file that will clean out restrictions in a snap:

HKCU,Software\Microsoft\ Windows\CurrentVersion\Policies\System.
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoRun.

You only need one of these lines in the [Recover] section which, depending on the state of emergency, does the following:

Write the desired line into the [Recover] section and save the file as RECOVER.INF. Next, open the file's Context menu and select the Install option. Almost instantly, the specified restriction is gone.

But, of course, the administrator is one step ahead of you. Knowing your evil ways, the admin has restricted you from running Explorer, which makes Windows 95 itself fairly useless, and also prevents you from "installing" an INF file to lift the restrictions. You're stuck, but not for long. Just create the following little text file:



Make sure the two long text strings enclosed in brackets are each written on a single line, and then save the file as RECOVER.REG. Now, restart your PC in MS-DOS mode (reboot if necessary), log onto the C:\Windows directory and type the following line at the command prompt:


This command imports your RECOVER.REG file into the Registry, where it clears the RestrictRun and DisableRegistryTools restrictions. You can now open Windows 95 and run the Policy Editor or the Registry Editor to clear any other restrictions that are still in place.

I know of at least one more anti-restriction scheme (or technique, depending on your motives). If you've recently purchased a computer with Win95 preinstalled, the real-mode Registry Editor may support the /D switch, which was not part of the original version. Type REGEDIT /? at the command prompt and see if this switch is listed. If it is, then the following command line will delete the entire Policies key structure, thus removing all restrictions:

REGEDIT /D HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

For a more surgical strike, add \System to the end of the line. This will delete just the subkey that contains the DisableRegistryTools restriction. Also, if the Registry Editor itself has not been restricted by the DisableRegistryTools restriction, you can open Windows 95 in Safe mode and run the Registry Editor to clear some or all restrictions.

For a multiuser system with a policy file in place, lift restrictions by editing the USER.DAT file. If access to USER.DAT isn't possible, exit to MS-DOS mode (reboot if necessary). Now, since the path to the user's own USER.DAT file is lengthy (C:\Windows\Profiles\<username>), temporarily clear its attributes and copy it into the C:\ directory, so the command described here will not exceed the 128-character limit. Then type the following line at the command prompt:

REGEDIT /R:C: \USER.DAT /E C:\FIXIT.REGHKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies

Type this as one continuous line. This command tells REGEDIT that (/R) portions of the USER.DAT file in the C:\ directory are to be exported (/E ) into a new file named FIXIT.REG. The specific key to be exported is HKEY_ USERS\...\Policies.

Having done that, you can now open FIXIT.REG in any ASCII text editor to see just what the evil administrator has done to you.

For the restriction(s) you wish to lift, change the expression following the equal sign from dword:00000001 to dword: 00000000. Now, type the following line at the command prompt to import the edited FIXIT.REG back into the USER.DAT file, thus clearing the restriction(s).


Your personal USER. DAT file is now squeaky clean and ready to be copied back into your C:\Windows\Profiles\ username folder, where it will overwrite the restricted version. Because the REGEDIT command above reset all the attributes, you'll need to clear them again before copying the file into your username folder and then resetting the attributes. Now, temporarily rename your CONFIG. POL file as CONFIG.OLD to prevent the restrictions from being reimposed, open Windows 95 and log on with your user name and password. Ignore the "Unable to update configuration" message and you'll be back in business.

To prevent history from repeating itself, change CONFIG.OLD back to its original CONFIG.POL name. Since the file still contains the old restrictions, run System Policy Editor to remove them.

Old hat for hackers

This column offers little to members of the socially challenged hacker/cracker crowd, who presumably know all these tricks and then some. But it's useful for those who occasionally set up too many restrictions and can't find their way back. Fortunately, Win95 usually provides a way out of most restriction problems.

To prevent unauthorized users from lifting some restrictions, remove REGEDIT.EXE from the C:\Windows folder or rename it so that it remains available to you, but isn't easily found by anyone else. You can also burn this issue.

Senior Contributing Editor John Woram is the author of the new The Windows 95 Registry: A Survival Guide (Mis: Press, 1996). Contact John in the "Optimizing Windows" topic of the WINDOWS Magazine areas on America Online and CompuServe. John Woram's e-mail ID is:

Back to 11/96 Analysis: Dialog Box
Up to Table of Contents
Ahead to 11/96 How To: Applications