Some years ago, Mark Russinovich wrote an article describing how to bypass group policy. The article was accompanied by a tool named GPDisable, but it disappeared after Microsoft's acquisition of Sysinternals.
Eric Rachner created a useful tool called GPCul8r. Once loaded, it works by detouring calls to the ZwQueryValueKey function and checking whether the program is querying one of the registry keys that back the group policy setting being bypassed.
To install it:
1. Copy GPCul8r.dll and detoured.dll to a permanent location.
2. Use withdll.exe to launch regedit.exe with GPCul8r.dll and detoured.dll mapped into its process space, as follows:
   c:\> withdll /p: /d: regedit.exe
3. Edit HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs, adding both GPCul8r.dll and detoured.dll to the list of DLLs.
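From the defender's side, the registry change in step 3 is exactly the kind of thing an endpoint audit should surface: any DLL listed under AppInit_DLLs gets loaded into every process that links user32.dll. The following PowerShell script is an added example, not part of the original post and not code from the GPCul8r tool. It reads the AppInit_DLLs and LoadAppInit_DLLs values from the key named above (and, as an assumption about 64-bit hosts, from the WOW6432Node counterpart) and reports every DLL entry it finds so an administrator can review it against a known-good baseline.

```powershell
# Added example (not from the original post): audit the AppInit_DLLs
# injection mechanism described in step 3 above.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # 32-bit registry view on 64-bit hosts (assumed; absent on 32-bit Windows)
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitDllFindings {
    param([string[]]$KeyPaths = $AppInitKeys)

    $findings = @()
    foreach ($key in $KeyPaths) {
        if (-not (Test-Path -Path $key)) { continue }

        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $dllList = [string]$props.AppInit_DLLs
        $loadFlag = $props.LoadAppInit_DLLs   # 1 = entries are actually loaded (Vista and later)

        if ([string]::IsNullOrWhiteSpace($dllList)) { continue }

        # The value is a single string; entries are separated by spaces or commas.
        foreach ($dll in ($dllList -split '[ ,]+' | Where-Object { $_ })) {
            $findings += [pscustomobject]@{
                Key         = $key
                Dll         = $dll
                # A bare file name resolves through the loader's search path,
                # so a false result here does not prove the entry is inert.
                FoundOnDisk = Test-Path -Path $dll
                LoadFlag    = $loadFlag
            }
        }
    }
    return $findings
}

$results = Get-AppInitDllFindings
if (-not $results -or $results.Count -eq 0) {
    Write-Output 'No AppInit_DLLs entries found.'
} else {
    Write-Warning "$($results.Count) AppInit_DLLs entry/entries present; review against your baseline."
    $results | Format-Table -AutoSize
}
```

Run it from an elevated prompt so both hive views are readable. Two caveats: on Windows Vista and later the entries only load when LoadAppInit_DLLs is set to 1, and on Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled entirely, so the flag column matters as much as the list itself. For ongoing monitoring rather than a one-off audit, registry value-set events on this key (for example via Windows registry auditing or Sysmon) give the same signal at the moment the change happens.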
A similar program has been published on CodeProject.
1 comment:
hi! I have been trying to bypass it but nothing seems to work out on the .dll mappings and on the edit of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs. Can you explain it so that a person without the knowledge can understand, please!!!!!?????