Modifying HKCU using REG commands in .BAT file
Hi All,
I was trying to do a simple REG push using this command:
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 3600 /f
This changes the screensaver timeout to 60 min. I was frustrated because even though it ran successfully, the registry entry was not updating. I had a moment of clarity where I realized that if I'm running a registry change as the system user then it's editing the system user's registry. I changed the setting to RUN AS CURRENT USER and now it fails. I'm assuming this is a requirement for an escalated prompt to run the REG command. At this point, I have brain lock. Anyone with a simple solution to this issue?
Thanks,
Jeff
Comments
-
Sorry, looking at my explanation let me know I didn't explain really well. I did create a script in Atera as a batch file and had the command shown above as the only line in the batch file. It failed. My troubleshooting found that when I try to run the batch file manually, it fails unless I have an elevated command prompt, which makes sense. I guess my question should be, "Is there a function in Atera that would allow me to make this HKCU change?" It doesn't have to be the script function, but that is what I'm most familiar with in Atera. I think in order to do this, it's going to require an elevated command prompt as the current user or a way under the system user to push data into the HKCU hive when in the SYSTEM account.
Thanks,
Jeff
0 -
User-level HKCU changes are always a problem, even in other RMM solutions.
I need to do the same so will let you know what I find
1 -
I'll let you know if I work anything out as well.
Thanks,
Jeff
0 -
I think your issue is the location. Try running this as a powershell script saved in atera.
REG ADD "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 3600 /f
0 -
Hello everyone,
This is a more complicated subject.
Since Atera runs under the SYSTEM account, it does not have access to the HKCU regedit key, since that section of the registry editor is tied to the currently logged-on user. You can also see this directly from Atera if we open the Regedit Editor within the Console. You can see that the key is not present. The only option would be to create a script and run the script as a Current user; this is selected during the script creation process.
Running a script like this should allow you to make changes to the HKCU section within Regedit, however, you might also encounter permission issues, to fix this you would need to specify within the script under which account the script must run, in order to have elevated access.
In this case, I think @tanderson is right. The path you are using might be the problem; from my tests, the path provided by tanderson worked without any issues.
With the script provided, I got access denied.
1 -
@dragos.t & @tanderson ,
I should be doing some work with that customer again this week and I'll poke at it again. That site may have UAC turned to Always notify and it may be a mitigating factor. We also block unsigned PowerShell scripts, so the best I could do is run "Powershell -command" from a batch file. I'm unsure what the difference is in the paths. The path I posted is a path I've used for years with a manual "workstation configuration" batch file. I have tested it and it moves the screensaver timeout immediately. Any idea what the difference is between:
"HKEY_CURRENT_USER\Control Panel\Desktop"
-and-
"HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop"
Does one have a higher precedence than the other or is one just a pointer to the other?
I'll let you know how it works out.
Thanks,
Jeff
0 -
The difference between the two registry paths you mentioned lies in their purpose and precedence.
1. "HKEY_CURRENT_USER\Control Panel\Desktop"
- Purpose: This registry key holds user-specific settings for the desktop environment, including settings for things like the screensaver, wallpaper, and other desktop-related configurations.
- Precedence: These settings are applied directly to the current user and can be changed by the user or by scripts that modify this registry key. However, they can be overridden by Group Policy settings if they exist.
2. "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop"
- Purpose: This key is typically where Group Policy settings are applied. When a Group Policy is enforced, it writes settings to this path. These settings take precedence over the user-specific settings found in the first path.
- Precedence: If a value is set under this key, it generally overrides the equivalent setting under "HKEY_CURRENT_USER\Control Panel\Desktop". This is because the Group Policy is designed to enforce configurations that users shouldn't be able to change.
Summary of Precedence:
- Group Policy settings (HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop) have higher precedence.
- User-specific settings (HKEY_CURRENT_USER\Control Panel\Desktop) are applied when no Group Policy is enforcing a different configuration.
If you're finding that changes to the screensaver timeout in the "Control Panel\Desktop" key are not taking effect, it's likely because a Group Policy setting is overriding them in the "Policies\Microsoft\Windows\Control Panel\Desktop" key.
In environments where UAC is set to "Always Notify" and unsigned PowerShell scripts are blocked, running PowerShell commands through a batch file might be a way to bypass these restrictions, but it would still be subject to Group Policy enforcement if those policies are in place.
3 -
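As an added example (not code from any poster in this thread), the following PowerShell snippet turns the precedence explanation above into a check you can run in the user's context: it reads ScreenSaveTimeOut from both keys and reports which one is actually in effect. It also prints the account it runs under, since the earlier part of the thread shows that HKCU resolves to SYSTEM's own hive when an RMM agent runs it. The two key paths and the value name are the ones from the thread; the helper function name Get-RegValueOrNull is my own. It does not look at machine-wide (HKLM) policy keys.

```powershell
# Added example: determine which registry key governs the screen saver
# timeout for the user this script runs as.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($identity -eq 'NT AUTHORITY\SYSTEM') {
    Write-Warning "Running as $identity, so HKCU here is SYSTEM's own hive, not the logged-on user's."
}

$policyKey = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop'
$userKey   = 'HKCU:\Control Panel\Desktop'
$valueName = 'ScreenSaveTimeOut'

# Hypothetical helper: return the value, or $null if the key or value is absent.
function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

$policyValue = Get-RegValueOrNull -Path $policyKey -Name $valueName
$userValue   = Get-RegValueOrNull -Path $userKey   -Name $valueName

"Context: $identity"
if ($null -ne $policyValue) {
    # The policy key wins; REG ADD against 'Control Panel\Desktop' will appear to succeed but change nothing.
    "Effective timeout: $policyValue s (enforced by '$policyKey'; edits to '$userKey' will not take effect)"
} elseif ($null -ne $userValue) {
    "Effective timeout: $userValue s (user preference in '$userKey'; no policy override present)"
} else {
    "ScreenSaveTimeOut is not set in either key; the Windows default applies"
}
```

Run it as the logged-on user (for example via Atera's "run as current user" option) to see that user's effective value; run it as SYSTEM and the warning line explains why the answer is not the one you expected.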
@tanderson , you are awesome. I dug around and couldn't find a decent breakdown. I suspected that was the case because I got these paths from LGPO.EXE tool documentation and normally hit desks with a thumb drive when I'm touching them because all of my customers are smaller and it's easy to do when I'm onsite doing other things. If you look at my post:
you'll see I was trying to figure out a way to run LGPO, but when that became too convoluted, I decided to just push the registry setting. I suspect that because I've already used LGPO to push a policy to each computer that this lower precedence setting won't take effect, but this is good information for future implementations and I'll be there today, so I'll give it a shot.
With this new caveat that I've already pushed a local group policy to these machines, anyone have an idea on how to make this change to individual computers via Atera? Honestly, it's only 3 workstations that I want to affect, but I'm trying to automate easy stuff like, "Hey, my screen saver locks too fast." I might go with @mbudke's solution and try to write the file out using ECHO or such for the LGPO, but I'm wondering if I'll run into the same problem with permissions with the local user or writing to the wrong user's hive with the system user. I guess if it was easy, they wouldn't pay us geeks to do it. 😂
Thanks!
0 -
Just an update for anyone trying similar operations. I don't see a way around doing an in-person visit to modify the timeout I set using the LGPO.exe program, but I'm installing 5 new systems and am working on a modified build script that I use for new computers which still uses LGPO.exe to push many key security settings, but leaves the timeout unconfigured in the LGPO. Instead, I'm trying a hybrid approach with primary settings using LGPO.exe and Timeout using the registry setting that Atera can modify.
It looks something like this:
Using LGPO.exe I push:
; ----------------------------------------------------------------------
; PARSING Computer POLICY
; Source file: c:\windows\system32\grouppolicy\user\registry.pol

User
Software\Microsoft\Windows\CurrentVersion\Policies\System
NoDispScrSavPage
DWORD:1

User
Software\Policies\Microsoft\Windows\Control Panel\Desktop
ScreenSaveActive
SZ:1

;-----------------------------------------------
; SCREENSAVERISSECURE requires password leaving screen saver
;-----------------------------------------------
User
Software\Policies\Microsoft\Windows\Control Panel\Desktop
ScreenSaverIsSecure
SZ:1

;-----------------------------------------------
; TimeOut REMed out, using registry push instead
;-----------------------------------------------
;User
;Software\Policies\Microsoft\Windows\Control Panel\Desktop
;ScreenSaveTimeOut
;SZ:1800

User
Software\Policies\Microsoft\Windows\Control Panel\Desktop
SCRNSAVE.EXE
SZ:C:\windows\system32\ssText3d.scr

;-----------------------------------------------
;ACSettingIndex controls monitor power off
;-----------------------------------------------
Computer
Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab
ACSettingIndex
DWORD:0

Computer
Software\Policies\Microsoft\Windows\PowerShell
EnableScripts
DWORD:1

Computer
Software\Policies\Microsoft\Windows\PowerShell
ExecutionPolicy
SZ:AllSigned

;-----------------------------------------------
; EnumerateLocalUsers displays user on login screen
;-----------------------------------------------
Computer
Software\Policies\Microsoft\Windows\System
EnumerateLocalUsers
DWORD:1

; PARSING COMPLETED.
; ----------------------------------------------------------------------

That is followed in the script by a series of registry pushes like this:
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticecaption /t REG_SZ /d "WARNING" /f
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "This computer is property of <company name> and is for authorized use only. Activities may be monitored and unauthorized access may result in criminal or civil prosecution. By signing into this device, you attest that you are an authorized user." /f
REG ADD "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 1800 /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Screensavers\ssText3d" /v DisplayString /t REG_SZ /d "<Company Name>" /f

Initially this seems to do the trick under lab testing, but the real trick will be when I put the new computer in production using this updated script to apply uniform modifications for new computer builds.
Thanks again for all the help. Hopefully this will help someone else.
Jeff
0
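An added example, not from the thread, from Atera or from Jeff's build script, that takes the route the thread never quite reached: keep the script running as SYSTEM (the RMM default) but stop writing to HKCU, which at that point is SYSTEM's own hive, and instead write to each loaded user hive under HKEY_USERS. It also reads the Policies key for that same user first and warns when a policy value is already there (as it would be after an LGPO push), because that value will override the preference being set. The value 1800 and the key paths are taken from the script above; the SID filtering, the warning logic and the account-name lookup are my own assumptions.

```powershell
# Added example: set the per-user screen saver timeout from a script running as SYSTEM,
# by targeting the logged-on users' hives under HKEY_USERS rather than HKCU.

$timeoutSeconds    = 1800                          # value used in the build script above
$relativeKey       = 'Control Panel\Desktop'
$policyRelativeKey = 'SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop'

# Loaded hives for real (domain or local) accounts look like S-1-5-21-...;
# skip the matching *_Classes hives and the well-known service SIDs.
$userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }

if (-not $userHives) {
    Write-Warning 'No interactive user hive is loaded (nobody logged on); nothing to do.'
    return
}

foreach ($hive in $userHives) {
    $sid       = $hive.PSChildName
    $targetKey = "Registry::HKEY_USERS\$sid\$relativeKey"
    $policyKey = "Registry::HKEY_USERS\$sid\$policyRelativeKey"

    # Resolve the SID to an account name for the log line only; fall back to the SID.
    try {
        $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $sid
    }

    # A value in the Policies key takes precedence over the preference written below.
    $policyValue = (Get-ItemProperty -Path $policyKey -Name ScreenSaveTimeOut -ErrorAction SilentlyContinue).ScreenSaveTimeOut
    if ($null -ne $policyValue) {
        Write-Warning "${account}: policy key already sets ScreenSaveTimeOut=$policyValue; the preference set below will be overridden."
    }

    if (-not (Test-Path -Path $targetKey)) {
        New-Item -Path $targetKey -Force | Out-Null
    }
    # REG_SZ, matching the REG ADD /t REG_SZ used in the thread.
    Set-ItemProperty -Path $targetKey -Name ScreenSaveTimeOut -Value "$timeoutSeconds" -Type String
    Write-Output "${account}: set ScreenSaveTimeOut=$timeoutSeconds under HKU\$sid\$relativeKey"
}
```

Because this only touches hives that are currently loaded, it changes the setting for users who are logged on when the script runs; a user who has never signed in, or is signed out, keeps their NTUSER.DAT unloaded and is not affected. Running it as SYSTEM also sidesteps the UAC prompt that made the "run as current user" attempt fail earlier in the thread, since nothing here elevates an interactive session.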