
Group Policy Blog, by the "GPOGUY"-- Darren Mar-Elia

www.gpoguy.com www.sdmsoftware.com
Registry.pol

Today I’m going to talk about the registry.pol file. What is that, you ask? Well, that’s the file that Group Policy uses to store registry-based policy settings. Those include any policy that you set using Administrative Templates policy as well as other policy areas like Software Restriction and Disk Quota. This file is somewhat interesting because its format, while documented on MSDN, is generally not exposed in any of the existing GP tools. The file is not really a text file: it starts with an 8-byte header (the signature "PReg" followed by a 32-bit version number, currently 1), and after that holds one record for each registry value that has been set within that GPO. Each record is bracket ([]) delimited, and within the record the fields are separated by semicolons; the key, the value name and the delimiters themselves are stored as UTF-16 (Unicode) characters, while the type and size fields are raw little-endian 32-bit integers. The registry.pol file is stored in the SYSVOL portion (Group Policy Template or GPT) of AD-based GPOs, under the Machine folder for settings defined on the computer configuration side (applied to HKEY_LOCAL_MACHINE) and under the User folder for the user configuration side (applied to HKEY_CURRENT_USER). Because the client applies whatever records it finds in the file, write access to a GPO's folder in SYSVOL amounts to the ability to set registry values on every computer and user the GPO applies to, which is worth keeping in mind when delegating GPO edit rights. Here is a hex dump of a single registry policy setting (the dump starts at offset 8, just after the header):

00000008:5b 00 53 00 6f 00 66 00 74 00 77 00 61 00 72 00    [.S.o.f.t.w.a.r.
00000018:65 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00    e.\.M.i.c.r.o.s.
00000028:6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00    o.f.t.\.W.i.n.d.
00000038:6f 00 77 00 73 00 20 00 4e 00 54 00 5c 00 43 00    o.w.s. .N.T.\.C.
00000048:75 00 72 00 72 00 65 00 6e 00 74 00 56 00 65 00    u.r.r.e.n.t.V.e.
00000058:72 00 73 00 69 00 6f 00 6e 00 5c 00 44 00 69 00    r.s.i.o.n.\.D.i.
00000068:61 00 67 00 6e 00 6f 00 73 00 74 00 69 00 63 00    a.g.n.o.s.t.i.c.
00000078:73 00 00 00 3b 00 52 00 75 00 6e 00 44 00 69 00    s...;.R.u.n.D.i.
00000088:61 00 67 00 6e 00 6f 00 73 00 74 00 69 00 63 00    a.g.n.o.s.t.i.c.
00000098:4c 00 6f 00 67 00 67 00 69 00 6e 00 67 00 47 00    L.o.g.g.i.n.g.G.
000000a8:6c 00 6f 00 62 00 61 00 6c 00 00 00 3b 00 04 00    l.o.b.a.l...;...
000000b8:00 00 3b 00 04 00 00 00 3b 00 00 00 00 00 5d       ..;.....;.....]

As the documentation shows, each record lists the registry key, followed by the value name, followed by the value type (e.g. REG_SZ, REG_DWORD, etc.), followed by the size in bytes of the data associated with the value, and finally the data itself. Decoded, the record above reads [Software\Microsoft\Windows NT\CurrentVersion\Diagnostics;RunDiagnosticLoggingGlobal;4;4;00000000], that is, a REG_DWORD (type 4) with four bytes of data, set to 0. Note in the dump that the type (04 00 00 00) and size (04 00 00 00) fields are little-endian binary integers, not Unicode text like the key and value name around them. Interestingly, the documentation for the value type field says the supported types include all those found in the winnt.h header file, which covers every known registry value type, including obscure ones like REG_QWORD (used by Software Restriction policy settings). Also interesting is that REG_BINARY is of course included in that list. That’s interesting because the ADM template format does not support creating registry policy templates that set REG_BINARY values, only string values (REG_SZ, or REG_EXPAND_SZ via the EXPANDABLETEXT keyword) and REG_DWORD. That led me to wonder whether that limitation was specific to the Administrative Template ADM syntax or applied to the registry.pol file and registry policy processing itself. To answer the question, I manually edited a registry.pol file and created a new record for a made-up REG_BINARY value. I copied that new registry.pol file into a local GPO directory and then refreshed policy. Sure enough, my REG_BINARY value showed up as expected in the registry! So it appears that the inability to support REG_BINARY values is strictly an artifact of ADM syntax.
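To make the record layout concrete, here is a small reader/writer for the format described above, covering both the parsing of the dumped record and the manual REG_BINARY edit from the experiment. This is an added example, not the post's Polviewer code or anything from Microsoft; it assumes the layout from the MSDN registry policy file documentation the post refers to (the "PReg" signature and version 1 header, UTF-16LE delimiters and strings, 32-bit little-endian type and size fields). The sample bytes are the single record from the hex dump above with the 8-byte header prepended and the second byte of the closing "]" (cut off at the end of the dump) restored; the key and value name used for the appended REG_BINARY record are hypothetical.

```python
"""Minimal registry.pol reader/writer (added example, not the author's tool)."""
import struct

# Registry value types from winnt.h; the post notes any winnt.h type is accepted.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ, REG_QWORD = 1, 2, 3, 4, 7, 11
TYPE_NAMES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD",
              7: "REG_MULTI_SZ", 11: "REG_QWORD"}
HEADER = b"PReg" + struct.pack("<I", 1)   # signature 0x67655250 followed by version 1


def _u16(ch: str) -> bytes:
    """One delimiter character as it appears in the file: UTF-16LE, two bytes."""
    return ch.encode("utf-16-le")


def _read_wstr(buf: bytes, pos: int):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, offset after the NUL)."""
    end = pos
    while True:
        if end + 2 > len(buf):
            raise ValueError(f"unterminated string at offset {pos}")
        if buf[end:end + 2] == b"\x00\x00":
            return buf[pos:end].decode("utf-16-le"), end + 2
        end += 2


def _expect(buf: bytes, pos: int, ch: str) -> int:
    """Consume one UTF-16LE delimiter ('[', ';' or ']') or fail with the offset."""
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}, got {buf[pos:pos + 2]!r}")
    return pos + 2


def parse_pol(buf: bytes):
    """Return a list of (key, value_name, type, data) tuples from registry.pol bytes."""
    if buf[:8] != HEADER:
        raise ValueError("bad registry.pol header (expected 'PReg', version 1)")
    pos, records = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        vtype, = struct.unpack_from("<I", buf, pos)   # binary DWORD, not text
        pos = _expect(buf, pos + 4, ";")
        size, = struct.unpack_from("<I", buf, pos)    # byte count of the data field
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError(f"truncated data for {key}\\{value}")
        pos = _expect(buf, pos + size, "]")
        records.append((key, value, vtype, data))
    return records


def build_pol(records) -> bytes:
    """Serialize (key, value_name, type, data) tuples back into registry.pol bytes."""
    out = bytearray(HEADER)
    for key, value, vtype, data in records:
        out += _u16("[") + key.encode("utf-16-le") + b"\x00\x00"
        out += _u16(";") + value.encode("utf-16-le") + b"\x00\x00"
        out += _u16(";") + struct.pack("<I", vtype)
        out += _u16(";") + struct.pack("<I", len(data))
        out += _u16(";") + data + _u16("]")
    return bytes(out)


def decode_data(vtype: int, data: bytes):
    """Render the data field roughly the way regedit would show it."""
    if vtype == REG_DWORD:
        return struct.unpack("<I", data)[0]
    if vtype == REG_QWORD:
        return struct.unpack("<Q", data)[0]
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\x00")
    if vtype == REG_MULTI_SZ:
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data.hex()   # REG_BINARY and anything else: raw hex


# Constructed sample: the record from the post's hex dump, header prepended and the
# final 00 of the closing ']' (missing from the end of the dump) restored.
SAMPLE_POL = HEADER + bytes.fromhex(
    "5b 00 53 00 6f 00 66 00 74 00 77 00 61 00 72 00 "
    "65 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 "
    "6f 00 66 00 74 00 5c 00 57 00 69 00 6e 00 64 00 "
    "6f 00 77 00 73 00 20 00 4e 00 54 00 5c 00 43 00 "
    "75 00 72 00 72 00 65 00 6e 00 74 00 56 00 65 00 "
    "72 00 73 00 69 00 6f 00 6e 00 5c 00 44 00 69 00 "
    "61 00 67 00 6e 00 6f 00 73 00 74 00 69 00 63 00 "
    "73 00 00 00 3b 00 52 00 75 00 6e 00 44 00 69 00 "
    "61 00 67 00 6e 00 6f 00 73 00 74 00 69 00 63 00 "
    "4c 00 6f 00 67 00 67 00 69 00 6e 00 67 00 47 00 "
    "6c 00 6f 00 62 00 61 00 6c 00 00 00 3b 00 04 00 "
    "00 00 3b 00 04 00 00 00 3b 00 00 00 00 00 5d 00"
)


def add_binary_value(buf: bytes, key: str, value: str, data: bytes) -> bytes:
    """Repeat the post's experiment in code: append a REG_BINARY record to a file."""
    return build_pol(parse_pol(buf) + [(key, value, REG_BINARY, data)])


if __name__ == "__main__":
    # Hypothetical key and value name, used only to show a REG_BINARY record round-tripping.
    edited = add_binary_value(SAMPLE_POL, r"Software\Policies\Example", "BinaryBlob", b"\xde\xad\xbe\xef")
    for key, value, vtype, data in parse_pol(edited):
        print(f"{key}\\{value}  {TYPE_NAMES.get(vtype, vtype)}  {decode_data(vtype, data)}")
```

Pointing parse_pol at a real Machine\registry.pol from SYSVOL lists every registry value the GPO sets, regardless of whether an ADM template exists for it, which is exactly the gap the post describes in the existing GP tools; the strict delimiter checks in _expect mean a hand-edited file that is off by one byte fails loudly here rather than silently applying a mangled record.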
To exercise my newfound knowledge of the registry.pol file, I wrote a little .NET GUI application called Polviewer.exe, which can be downloaded from my web site at www.gpoguy.com/tools.htm, that reads the contents of any valid registry.pol file and displays them in a list view. Right now, that’s all the tool does, but I may take the next step and see if I can write something that allows direct manipulation of the registry.pol file without totally screwing it up!

Posted: Wednesday, December 21, 2005 2:04 PM by dmarelia

Comments

carlos said:

Excellent post, very interesting. Is that .NET 1.1 or .NET 2.0?

Carlos
# December 23, 2005 12:42 AM

dmarelia said:

Carlos-
Thanks. That app was written in 1.1. I'm just starting to play with 2.0. Very nice!
# December 26, 2005 9:27 AM