I've some .reg and .bat I'd like to execute every time I logon/logoff.
Especially the regs, which are "removed" after a Windows update.
What's the best way to do that? If it doesn't show any shell window, that's even better.
Assign User Logon Scripts
Assign User Logoff Scripts
You can use Windows PowerShell scripts, or author scripts in any other language supported by the client computer. Windows Script Host (WSH) supported languages are also used, including VBScript and JScript.
I'm on Pro, so I can use that eventually.
For reg files, which is the best? A reg loaded by batch, or can I hook the .reg file directly?
Script method or task scheduler way?
REG IMPORT FileName.reg
From a security perspective, PowerShell should be disabled on your system; it is not recommended to use PowerShell unless you absolutely must use it because there are no other options.
There are security best practices for PowerShell one should consider.
Ok, I'll try a plain task schedule for now and see how it goes.
How do I load/install a reg from a bat, in case the direct hook fails?
I used to know, but I forgot the command structure: batch files should be precise or they won't work XD
This should be ok(?)
(filename.bat)
Code:
REG IMPORT FileName.reg
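An added example, not part of any post in this thread: a batch file that imports every .reg file in one folder and logs the result of each import, so a failed import at logon is visible afterwards. The folder and log paths (REG_DIR, LOG) are assumed placeholders.

```batch
@echo off
rem Added example, not from the thread.
rem REG_DIR and LOG are assumed placeholder paths; change them to your own layout.
setlocal EnableExtensions
set "REG_DIR=%USERPROFILE%\LogonRegs"
set "LOG=%LOCALAPPDATA%\logon-reg-import.log"
set "FAILED=0"

rem Nothing to do if the folder holds no .reg files.
if not exist "%REG_DIR%\*.reg" exit /b 0

rem Note: %DATE% and %TIME% inside the block are expanded once, when the
rem block is parsed, so every entry of one run carries the same timestamp.
for %%F in ("%REG_DIR%\*.reg") do (
    rem reg import sets ERRORLEVEL to 0 on success and 1 on failure.
    rem HKCU entries import as a normal user; HKLM entries need elevation.
    reg import "%%~fF" >nul 2>&1
    if errorlevel 1 (
        >>"%LOG%" echo %DATE% %TIME% FAILED   %%~nxF
        set "FAILED=1"
    ) else (
        >>"%LOG%" echo %DATE% %TIME% imported %%~nxF
    )
)

rem Exit code 1 if any import failed, so a scheduled task shows the failure.
exit /b %FAILED%
```

If this is run elevated, keep the script and the .reg folder in a location only administrators can write to, since anything placed there is imported at every logon.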
The vast majority of home users do not use nor need PowerShell. The widely accepted best practice for them is to disable the PowerShell shell.
Many of our Enterprise clients also disable PowerShell. It's a part of the reduction of attack surface strategy. If an interpreter is not needed, then it should be disabled. This is established industry practice.
As you broke this subject down, things are completely different. You cannot generalize, as you did, in the previous post.
I agree, home users, most of them, don't use PowerShell and if they don't they should disable it.
Enterprise (not small business) clients have a completely different approach on security. The security standard is to block access to anything a user or department does not need, contain the user space as much as possible. Permissions are distributed on the same machine to different users (even if the user space is virtualized). Administrators almost never disable PowerShell for themselves because 99% (if not 100%) of them actively use it; they disallow access to PowerShell and many other resources for a regular user. This is the established industry standard for the enterprise zone. I never heard of an enterprise client which completely disables PowerShell across all the users.
There are exceptions (the extreme end), government and military entities. I'm not getting into details. They use a completely different security approach. What I can say is that in many cases you don't get access to a PC, and the support goes through hell just to get some basic info. Access to logs? That's a joke in many cases, they edit everything, you get 99% of useless junk in 100% of the support cases.
In our case, @Hadden needed a reliable method to run scripts when logging in and out, to add/modify registry keys. Access to the registry by malware is extremely used, I might say even more used than PowerShell. I can't bet on this though, this is a personal opinion. If he wants to allow access to the registry (which can be easily disabled from group policy settings), I don't know if blocking PowerShell helps him much.
Also, the scheduled task must be properly configured, and usually it is not correctly configured by regular users. Microsoft created a place exactly (targeted) for Hadden's needs. Why not use it? If PowerShell is the problem, he can use any other language. All he had to do is write the script, just copy it to the specified location in the article and add a path, without using 2 files in the process. The one thing I do not know is if this works when the machine is not joined to a domain, since I only use this in Active Directory environments.
I've been doing this long enough to know that all @Hadden wants out of this thread is to get his batch and registry files to run as he wishes. He asked simple, to the point questions and I answered them, gave him a few tidbits to consider, and pointed him to a resource.
I respect that you are entitled to your own opinions with your own perspectives -- and will leave it at that. One thing that I am not going to do is engage in a running debate. It's pointless relative to the OP's purpose for this thread.
Thanks, I'll take into account everything said here.
For example, I - really - hate UAC so I keep it off, but I think 2-3 times before hooking/installing something on my PC, and I mess only with registry keys/DLLs/paths I know are (quite) safe to fiddle with, and in the worst scenario I can always roll back damage with a backup/PE USB key (I doubt I'll need it... but it's better to have it xD)