I've followed the instructions at "http://www.mechbgon.com/srp/" to set up an SRP in Windows 7 Professional SP1, and I'm confused.
First, I'm not a **complete** newbie. I am currently using an earlier version of these instructions successfully in Windows XP (before that in Win2K for years, I think). But things seem different in Win7:
You can probably skip over this first paragraph, which is here just for completeness. At least it shows that the new SRP is doing something:
1) After following the instructions, restarting (is this necessary for the change to take effect?), and logging onto the same Administrator account in which I did the setup, I immediately got a couple of messages (an Application Error that TpKnrres.exe wouldn't start correctly, and a RunDLL error that BtMmHook.dll -- some ThinkPad software -- was blocked by SRP). OK, fine (except that I'm an Administrator). I went back into the Group Policy editor and changed Enforcement to allow DLLs. A new restart and login revealed no immediate errors. So far so good.
2) Still in the Administrator account, I copied notepad.exe from C:\Windows\System32 to the desktop. First puzzle -- When I tried to run this copy from the Administrator account by double-clicking, it did nothing at all. Even "Run as Administrator" did nothing after I acknowledged the UAC warning. Note that the original Notepad.exe still runs, and I haven't even tried running as a Standard User yet, nor have I gotten any "blocked by SRP" message!
3) Second Puzzle -- I went back into the GP editor and switched off the SRP by changing the Security Levels from "Disallowed" to "Unrestricted," restarted again, and tried both tests in (2) over with identical results. So was Win7 **already** preventing execution outside prescribed directories by **any** user?
4) Finally, an uncertainty about removing the new SRP entirely: After the fact it occurred to me to see if there are any other SRPs set up, but I realized that I don't know how. Can you have only one at a time? When I run GP editor again, go to Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies, and right click, the options no longer include "Create New Policies" (I think it said before), but only "Delete Software Restriction Policies." Is it safe to click this? Do I delete only the one policy that I just installed?
Any guidance on what's going wrong and how to fix it would be greatly appreciated! -- jclarkw