How to block logon scripts?



Lurka
07-09-2005, 11:23 PM
A lot of issues have been discussed about creating and executing logon
scripts, but little about deliberately blocking their execution.

Provided I have administrative privileges on my computer, I'd like to
know how to prevent the execution of both scripts launched from the
netlogon share and scripts launched from the registry key

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts]

even if this means altering system files.

Thank you,
/_urka

andy smart
07-09-2005, 11:23 PM
Lurka wrote:
> A lot of issues have been discussed about creating and executing logon
> scripts, but little about deliberately blocking their execution.
>
> Provided I have administrative privileges on my computer, I'd like to
> know how to prevent the execution of both scripts launched from the
> netlogon share and scripts launched from the registry key
>
> [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts]
>
> even if this means altering system files.
>
> Thank you,
> /_urka
>
I assume, as there are logon scripts, you are on a network. I also
assume there is a logon script because the sysadmin put it there. Do you
want to stop it running because there is a problem with what it does?

Might I suggest you discuss it with them before you try to block it?

Pegasus (MVP)
07-09-2005, 11:23 PM
"Lurka" <loneluke@hotmail.com> wrote in message
news:1115903784.099600.133790@f14g2000cwb.googlegroups.com...
> A lot of issues have been discussed about creating and executing logon
> scripts, but little about deliberately blocking their execution.
>
> Provided I have administrative privileges on my computer, I'd like to
> know how to prevent the execution of both scripts launched from the
> netlogon share and scripts launched from the registry key
>
> [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts]
>
> even if this means altering system files.
>
> Thank you,
> /_urka
>

If you have administrative privileges then you simply modify
your profile by either removing the current script file name or
by inserting a name that meets your requirements. You could
also modify the script itself by inserting this line at the start:

if /i "%Username%"=="_urka" goto :eof

Kerry Brown
07-09-2005, 11:23 PM
"Lurka" <loneluke@hotmail.com> wrote in message
news:1115903784.099600.133790@f14g2000cwb.googlegroups.com...
>A lot of issues have been discussed about creating and executing logon
> scripts, but little about deliberately blocking their execution.
>
> Provided I have administrative privileges on my computer, I'd like to
> know how to prevent the execution of both scripts launched from the
> netlogon share and scripts launched from the registry key
>
> [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts]
>
> even if this means altering system files.
>
> Thank you,
> /_urka
>

You'll have to talk to someone with domain permissions to edit the relevant
group policies for the domain. There is a reason why this is. It's called
security. If anyone could change logon scripts, malicious software/users
would have a field day. At the domain level you could create a group policy
that cancels the script with the deny read and apply permissions for
everyone except the users/computers that you don't want to execute the
script. See the following link for details on filtering the scope of group
policies.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/filter.mspx

If you are not in a domain then you should be able to go into computer
management and remove the script from the user properties.

Kerry

RJ
07-09-2005, 11:23 PM
If you are logging into a Win2000 or Win2003 domain, then no, you can't block it.
Especially if the login script is being distributed via Group Policy.
An admin would have to modify the user properties for a user (from a Domain
Controller) to prevent a logon script from running, or if using group policies,
modify the group policy membership - also from a DC.

You can only prevent Local logon scripts from running. Type start, run
gpedit.msc. Look under Computer and User Configurations, Windows settings.
You will then be able to add/remove any Local scripts running.
(Local being a script located on your PC)



"Lurka" <loneluke@hotmail.com> wrote in message
news:1115903784.099600.133790@f14g2000cwb.googlegroups.com...
> A lot of issues have been discussed about creating and executing logon
> scripts, but little about deliberately blocking their execution.
>
> Provided I have administrative privileges on my computer, I'd like to
> know how to prevent the execution of both scripts launched from the
> netlogon share and scripts launched from the registry key
>
> [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts]
>
> even if this means altering system files.
>
> Thank you,
> /_urka
>
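
An inventory of the local scripts that gpedit.msc manages, as an added example that is not part of the original thread. It assumes the local policy stores them in scripts.ini files under %SystemRoot%\System32\GroupPolicy (paths and the `<n>CmdLine` / `<n>Parameters` layout are assumptions, not stated by any poster); the sample content is constructed.

```python
import os
import re
from collections import defaultdict

# Assumed locations of the local Group Policy script lists (not from the thread).
SCRIPTS_INI_PATHS = [
    r"C:\Windows\System32\GroupPolicy\User\Scripts\scripts.ini",     # Logon/Logoff
    r"C:\Windows\System32\GroupPolicy\Machine\Scripts\scripts.ini",  # Startup/Shutdown
]
_ENTRY = re.compile(r"^(\d+)(CmdLine|Parameters)=(.*)$", re.IGNORECASE)

def decode_ini(raw: bytes) -> str:
    """Decode UTF-16 when a BOM is present, otherwise treat as UTF-8/ANSI."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def parse_scripts_ini(raw: bytes) -> dict:
    """Return {section: [(index, cmdline, parameters), ...]} sorted by index."""
    sections = defaultdict(dict)
    current = None
    for line in decode_ini(raw).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].capitalize()   # normalise [LOGON] / [logon]
            continue
        m = _ENTRY.match(line)
        if current and m:
            entry = sections[current].setdefault(int(m.group(1)), {})
            entry[m.group(2).lower()] = m.group(3)
    return {
        sec: [(i, e.get("cmdline", ""), e.get("parameters", ""))
              for i, e in sorted(entries.items())]
        for sec, entries in sections.items()
    }

# Constructed sample content, encoded the way the file is assumed to be stored.
SAMPLE = ("[Logon]\r\n0CmdLine=mapdrives.bat\r\n0Parameters=\r\n"
          "1CmdLine=C:\\Scripts\\inventory.vbs\r\n1Parameters=/quiet\r\n"
          "[Logoff]\r\n0CmdLine=cleanup.cmd\r\n0Parameters=\r\n").encode("utf-16")

if __name__ == "__main__":
    for path in SCRIPTS_INI_PATHS:
        if os.path.exists(path):            # absent when no local script is set
            with open(path, "rb") as fh:
                for section, items in parse_scripts_ini(fh.read()).items():
                    for idx, cmd, params in items:
                        print(f"{path} [{section}] #{idx}: {cmd} {params}".rstrip())
```

The listing covers only scripts defined in the local policy; scripts delivered by a domain are outside what it reads.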

NoneOfBusiness
07-09-2005, 11:30 PM
On 12 May 2005 06:16:24 -0700, "Lurka" <loneluke@hotmail.com> wrote:

>A lot of issues have been discussed about creating and executing logon
>scripts, but little about deliberately blocking their execution.
>
>Provided I have administrative privileges on my computer, I'd like to
>know how to prevent the execution of both scripts launched from the
>netlogon share and scripts launched from the registry key
>
>[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts]
>
>even if this means altering system files.
>
>Thank you,
>/_urka


There is a program called scriptsentry that will do it (domain login
or not), if the logon script is a vbs file. If it is a .bat or .cmd
then I don't know.

