Disabling System Features via Registry/Group Policy

  • Description: Windows offers extensive configuration options through the Registry and the Local Group Policy Editor (gpedit.msc - available on Pro/Enterprise editions). Bypassers can leverage these legitimate configuration tools to disable or modify system features, potentially hindering the ScreenSharer's access to tools or artifacts.

  • Mechanism: Involves editing specific Registry keys/values or configuring Group Policy settings. Common targets include:

    • Disabling Program Compatibility Assistant (PCA): Setting DisablePCA registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat or HKCU\Software\Policies\Microsoft\Windows\AppCompat.

    • Preventing Command Prompt Access: Enabling the policy "Prevent access to the command prompt" (User Configuration > Administrative Templates > System) or setting the corresponding registry key HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD to 1 or 2.

    • Hiding Drives in Explorer: Setting the NoDrives value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer using a bitmask to hide specific drive letters from File Explorer (though they remain accessible via direct path).

    • Disabling Run Dialog: Setting the NoRun value under the same Explorer Policies key disables the Win+R Run dialog.

    • Disabling Registry Editor Access: Enabling the policy "Prevent access to registry editing tools" blocks regedit.exe.

  • Why Cheaters Use It: To directly obstruct the ScreenSharer by disabling tools (cmd.exe, regedit.exe, Run dialog) commonly used during checks, hide potential evidence locations (hiding drives), or prevent specific logging mechanisms (disabling PCA).

  • Detection:

    • Check Specific Registry Keys: Manually navigate to the relevant policy keys mentioned above in regedit or Registry Explorer and check the values.

    • Check Group Policy: Run gpresult /h gpreport.html in CMD to generate an HTML report of applied Group Policies (both local and domain-level). Examine the report for restrictive policies.

    • Execution Logs: Look for recent execution of regedit.exe or reg.exe in Prefetch/BAM, which might indicate recent manual changes to these settings.

    • Observe Behavior: Directly encountering disabled features (e.g., CMD not opening, Run dialog blocked) during the screenshare is immediate evidence that such policies are active.
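The registry checks above can be scripted. The following PowerShell audit is an added example, not part of the original guide: it reads each policy value this section names and reports any that is set to a restrictive value. It assumes the standard policy locations given above, plus DisableRegistryTools, the value that the "Prevent access to registry editing tools" policy writes under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System (not named on the page).

```powershell
# Added audit script (not from the original guide). Run in PowerShell during
# the check; an elevated session is needed only for the HKLM entry.
$PolicyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'; Name = 'DisablePCA'
       Note = 'Program Compatibility Assistant disabled (machine)' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\AppCompat'; Name = 'DisablePCA'
       Note = 'Program Compatibility Assistant disabled (user)' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD'
       Note = 'Command Prompt blocked (1 = cmd and batch files, 2 = cmd only)' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDrives'
       Note = 'Drive letters hidden in File Explorer (bitmask)' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun'
       Note = 'Win+R Run dialog disabled' },
    # Assumed value name: this is what the gpedit policy writes, not stated on the page.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'
       Note = 'Registry editing tools (regedit.exe) blocked' }
)

function Get-HiddenDriveLetters([int]$Mask) {
    # NoDrives is a bitmask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
    0..25 | Where-Object { $Mask -band (1 -shl $_) } | ForEach-Object { '{0}:' -f [char](65 + $_) }
}

function Get-RestrictivePolicies {
    foreach ($c in $PolicyChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }      # key or value absent: policy not configured
        $value = $item.($c.Name)
        if ($value -eq 0) { continue }         # explicitly 0: not restricted
        $detail = if ($c.Name -eq 'NoDrives') {
            'hides ' + ((Get-HiddenDriveLetters $value) -join ' ')
        } else { "value = $value" }
        [pscustomobject]@{ Key = "$($c.Path)\$($c.Name)"; Finding = $c.Note; Detail = $detail }
    }
}

$findings = @(Get-RestrictivePolicies)
if ($findings.Count -eq 0) { 'No restrictive policy values found.' }
else { $findings | Format-Table -AutoSize }
```

A drive hidden through NoDrives still opens from a direct path, so a hit here tells you where to look next rather than that anything is inaccessible.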
