TobiasK, Posted September 20

Hi Community,

I tried to use the custom rules "exclude_uwv_reg" and "exclude_uwv_file" in one of the many "snapvol.cfg" folders, to delete some values from the User Writable Volume at logoff.

The Registry Values within the snapvol.cfg:

In the documentation it is written that after user logoff, the content of that folder is deleted. For "exclude_uwv_file" it works fine. But for uwv_reg I don't manage to get "machine based" Registry Values to be deleted from User Writable Volumes.

Do you know anything to help out on this matter or know how to delete them on logoff?

Hans Straat, Posted September 23

I once wrote a PowerShell scriptlet with user credentials that has local admin on the VDI machines. Used Sapien PowerShell Studio to convert it to an executable and then let it run at logoff. Only way I know of to delete HKLM entries. Hope this helps. I can create an executable for you if you like. Sapien PowerShell is non reverse engineerable.

Edited September 23 by Hans Straat

Senior technical specialist at Leiden University Medical Center (lumc)

TobiasK (Author), Posted September 24

Hi Hans, thanks for your reply. Seems like a valid solution to me. I just cannot use user credentials. I used the idea and put a PowerShell script into my UIA_PLUS_PROFILE folder, and the AV Agent ran the script before detach of the writable volume. The Reg files got deleted nicely, but after relog the values from normal Appstacks stayed deleted as well somehow. Did not have success yet.

On 9/23/2024 at 10:04 AM, Hans Straat said:
> I once wrote a PowerShell scriptlet with user credentials that has local admin on the VDI machines. Used Sapien PowerShell Studio to convert it to an executable and then let it run at logoff. Only way I know of to delete HKLM entries. Hope this helps. I can create an executable for you if you like. Sapien PowerShell is non reverse engineerable.

Hans Straat, Posted September 24

If you disable your writable and load the normal appstacks, is the HKLM present or still missing?

TobiasK (Author), Posted Monday at 06:42 AM

On 9/24/2024 at 3:40 PM, Hans Straat said:
> If you disable your writable and load the normal appstacks, is the HKLM present or still missing?

Then the Registry Value is not present any more.

Hans Straat, Posted Monday at 08:24 AM

When you remove the HKLM with scripting it should also be removed from the writable disk. If I remove HKLM with scripting at logoff then it's also removed from the writable. You might test it with your test account, not removing it with the script but with elevated rights by hand, and then log off. Log on again and see if the HKLM is back or not?