exclude_uwv_reg=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Office\ does not delete KeyValues from "HKLM:\SOFTWARE\Microsoft\Office\"


TobiasK

Hi Community,

I tried to use the custom rules "exclude_uwv_reg" and "exclude_uwv_file" in one of the many "snapvol.cfg" folders, to delete some values from the User Writable Volume at logoff.

The registry values within the snapvol.cfg:

[Image: image.png]

In the documentation it is written that after user logoff, the content of that folder is deleted.

For "exclude_uwv_file" it works fine. But for uwv_reg I don't manage to get "machine based" registry values to be deleted from User Writable Volumes.

Do you know anything to help out on this matter or know how to delete them on logoff?


I once wrote a PowerShell scriptlet with user credentials that has local admin on the VDI machines. Used Sapien PowerShell Studio to convert it to an executable and then let it run at logoff. Only way I know of to delete HKLM entries. Hope this helps. I can create an executable for you if you like. Sapien PowerShell is non reverse engineerable.

Edited by Hans Straat

Senior technical specialist at Leiden University Medical Center (LUMC)


Hi Hans,

thanks for your reply. Seems like a valid solution to me. I just cannot use User Credentials.

I used the idea and put a PowerShell script into my UIA_PLUS_PROFILE folder, and the AV Agent ran the script before detach of the writable volume.

The reg files got deleted nicely, but after relog the values from normal Appstacks stayed deleted as well somehow. Did not have success yet.


When you remove the HKLM with scripting it should also be removed from the writable disk. If I remove HKLM with scripting at logoff then it's also removed from the writable. You might test it with your test account, not removing it with the script but with elevated rights by hand, and then log off. Log on again and see if the HKLM is back or not?

Senior technical specialist at Leiden University Medical Center (LUMC)
