GPCul8r – Group Policy Bypassing Tool



The information has been provided by Eric Rachner.
The original article can be found at: http://www.rachner.us/blog/?p=15
To keep updated with the tool visit the project’s homepage at: http://www.rachner.us/files/GPCul8r/GPCul8r-0.1-src.zip


The following tool is a quick little program for bypassing certain group policy restrictions under Windows. It’s not technically novel or interesting, but it’s handy to have if you need to operate within a domain-joined desktop environment that’s subject to group policy controls.

Installing GPCul8r:
1. Copy GPCul8r.dll and detoured.dll to a permanent location.

2. Use withdll.exe to launch regedit.exe with GPCul8r.dll & detoured.dll mapped into its process space as follows:

c:\> withdll /p:<full pathname of detoured.dll> /d:<full pathname of gpcul8r.dll> regedit.exe

3. Edit HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs, adding both GPCul8r.dll and detoured.dll to the list of DLLs.

That should do it.

Note that if you don’t have admin rights, you won’t be able to perform this last step — sorry. You’ll still be able to launch individual programs using GPCul8r as described in step #2, but if you want GPCul8r to be loaded automatically by all applications, you’re on your own.

(Also, technically speaking, detoured.dll is only necessary in order to be compliant with the Microsoft Detours licensing terms. GPCul8r will work just fine without it.)

The AppInit_DLLs key specifies a list of DLLs to be loaded by all processes — from this point forward, both of these DLLs will be loaded in every desktop application process that gets created.

If GPCul8r doesn’t seem to be working, use Process Explorer or any standard debugger to check whether GPCul8r.dll is mapped into the process space you’re trying to liberate. If you don’t see it in the list of loaded DLLs, that’s why it’s not working. 🙂

Also — since GPCul8r intentionally lies to callers about the existence of certain registry keys (see below), this means that GPCul8r will interfere with normal editing of these registry keys. In other words, don’t be surprised when Regedit.exe has problems editing the keys named below.
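From the administrator's side, the AppInit_DLLs registration and the loaded-DLL check described above can both be audited with a short script. This is an added example, not part of the original article or of GPCul8r; the LoadAppInit_DLLs and RequireSignedAppInit_DLLs values and the Wow6432Node view are not mentioned on the page, and the script assumes an elevated PowerShell session so that other users' processes can be inspected.

```powershell
# Added audit example (not GPCul8r code). Read-only: it reports and changes nothing.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view (assumes a 64-bit host)
)

function Get-AppInitEntry {
    param([string[]]$KeyPath)
    foreach ($key in $KeyPath) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        # AppInit_DLLs is one string holding a space- or comma-delimited DLL list.
        $dlls = @("$($p.AppInit_DLLs)" -split '[,\s]+' | Where-Object { $_ })
        [pscustomobject]@{
            Key           = $key
            LoadEnabled   = $p.LoadAppInit_DLLs
            RequireSigned = $p.RequireSignedAppInit_DLLs
            Dlls          = $dlls
        }
    }
}

function Find-LoadedModule {
    param([string[]]$DllName)
    foreach ($proc in Get-Process) {
        # Protected or exited processes refuse module enumeration; skip them.
        try { $mods = $proc.Modules } catch { continue }
        foreach ($m in $mods) {
            if ($DllName -contains $m.ModuleName) {   # -contains ignores case
                [pscustomobject]@{
                    ProcessId = $proc.Id
                    Process   = $proc.ProcessName
                    Module    = $m.FileName
                }
            }
        }
    }
}

$entries = @(Get-AppInitEntry -KeyPath $keys)
$entries | Where-Object { $_.Dlls.Count -gt 0 } | Format-List

# Search for every registered DLL plus the two file names from the article, so a
# per-process launch through withdll.exe shows up even when the registry list is empty.
$registered = @($entries | ForEach-Object { $_.Dlls } |
    ForEach-Object { [IO.Path]::GetFileName($_) })
$names = @('GPCul8r.dll', 'detoured.dll') + $registered | Select-Object -Unique
Find-LoadedModule -DllName $names | Format-Table -AutoSize
```

Any non-empty Dlls list deserves review on its own, and a module hit with no matching registry entry points to the per-process launch from step 2.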

How it works
In order to do its thing, GPCul8r.dll needs to be loaded into the process space of whatever program needs to bypass group policy. Once loaded, GPCul8r works by detouring calls to the ZwQueryValueKey function to see if the program is querying one of the keys related to a group policy setting we want to bypass. If so, GPCul8r returns STATUS_OBJECT_NOT_FOUND, thereby tricking the caller into thinking the key doesn’t exist.

GPCul8r, being a quick & dirty little tool, is not configurable. The targeted key names are hard-coded in the source. They are:

– TransparentEnabled (controls software restriction policy settings)
– ProxySettingsPerUser (controls access to the IE proxy settings dialog)
– DisableRegistryTools (duh)
– DisableTaskMgr (duh)

For more on the technique that GPCul8r uses, see Mark Russinovich’s original article on the subject: http://blogs.technet.com/markrussinovich/archive/2005/12/12/circumventing-group-policy-as-a-limited-user.aspx
