ByPass Group Policy

Some years ago, Mark Russinovich wrote an article describing how to bypass group policy, the article was accompanied by a tool named GPDisable but is disappeared after Microsoft's acquisition of Sysinternals.

Eric Rachner created a useful tool called GPCul8r, once loaded, it works by detouring calls to the ZwQueryValueKey function to see if the program is querying one of the keys related to a group policy setting we want to bypass.

To install it:

1. Copy GPCul8r.dll and detoured.dll to a permanent location.

2. Use withdll.exe to launch regedit.exe with GPCul8r.dll & detoured.dll mapped into its process space as follows:c:\> withdll /p: /d: regedit.exe

3. Edit HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs, adding both GPCul8r.dll and detoured.dll to the list of DLL's.

A similar program has been published into CodeProject.
Share on Google Plus

About Vittorio Pavesi

    Blogger Comment
    Facebook Comment

1 commenti:

nicky said...

hi! i have been trying to by pass but nothing seems to work out on the .dll mappings and on the Edit HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs/ can you explain it so that a person without it knowlegde can understand please!!!!!?????