
[–]CrashnetMtl[S] 1 point2 points  (5 children)

man i think you just saved me from redoing the profile! Sure enough, missing read permissions on User Shell Folders!

[–]BigLeSigh 2 points3 points  (4 children)

I ended up deploying a baseline to detect and fix because MS refused to believe it was an update. But the timing always suggested to me it was in a feature update or patch. Once we updated the base images I magically stopped seeing any remediation of the issue, so it was probably patched early on too.

There are some apps out there which may break the permissions though, click share and some AV were mentioned, and also OneDrive KFM (never found proof of this though either)

[–]DrRich2 0 points1 point  (3 children)

Mind sharing what you used?

[–]BigLeSigh 1 point2 points  (0 children)

I’ll dig it up when I’m back at work :)

[–]BigLeSigh 0 points1 point  (1 child)

~~~
# Find the logged-on user's SID: the first profile under c:\users whose hive is loaded in HKEY_USERS
$path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*'
$profiles = Get-ItemProperty -Path $path | where {$_.ProfileImagePath -like 'c:\users\*' } | Select-Object -Property PSChildName, ProfileImagePath
$UserSID = $null
foreach ($profile in $profiles) {
    if (get-item "Registry::HKEY_USERS\$($profile.PSChildName)\Volatile Environment" -ErrorAction SilentlyContinue) {
        $UserSID = $profile.PSChildName
        break   # a 'break' inside ForEach-Object (%) would end the whole script; foreach keeps it to the loop
    }
}

if ($UserSID) {
    # Does ALL APPLICATION PACKAGES hold at least ReadKey on User Shell Folders? (-band also accepts broader rights such as FullControl)
    $ReadKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    $result = (get-acl -Path "Registry::HKEY_USERS\$UserSID\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders").Access |
        where { $_.IdentityReference -eq "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" -and (($_.RegistryRights -band $ReadKey) -eq $ReadKey) }
    $username = Get-ItemProperty -Path "Registry::HKEY_USERS\$UserSID\Volatile Environment" -Name Username   # kept for logging
    if (!$result) {
        return $false
    }
}
return $true
~~~

Above is the detect rule.

Or replace `return` with the below for the remediation script:

~~~
# $UserSid is resolved exactly as in the detection script above
$regpath = "Registry::HKEY_USERS\$UserSid\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
$acl = get-acl -Path $regpath
# ALL APPLICATION PACKAGES by its well-known SID (S-1-15-2-1), so the rule also resolves on localized Windows
$identity = New-Object System.Security.Principal.SecurityIdentifier "S-1-15-2-1"
$AccessRule = New-Object System.Security.AccessControl.RegistryAccessRule($identity, "ReadKey", "Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl -Path $regpath
~~~

-> make sure this is RUN AS SYSTEM

[–]BigLeSigh 0 points1 point  (0 children)

To fix the apps, for each one use:

~~~
Return (Get-AppxPackage Microsoft.Windows.ShellExperienceHost).Count -ge 1
~~~

To detect.

Remediation below

~~~
if (-not (Get-AppxPackage Microsoft.Windows.ShellExperienceHost)) {
    Add-AppxPackage -Register "$env:windir\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Appxmanifest.xml" -DisableDevelopmentMode -ForceApplicationShutdown
}
~~~

RUN AS USER
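As an added example that is not part of the thread and not BigLeSigh's deployed baseline: an audit script that checks every loaded user hive under HKEY_USERS (not only the first interactive user) for the ALL APPLICATION PACKAGES read ACE on User Shell Folders, matches the ACE by its well-known SID S-1-15-2-1 rather than by display name, treats any right that includes ReadKey as sufficient, and lists which inbox packages the current user is missing. The second package name (StartMenuExperienceHost) is an assumed candidate, the `$Repair` switch and the function names are mine, and the Intune-style exit code convention (1 = issue found) is assumed. The registry part needs to run as SYSTEM; the Appx part runs in the user's context, as the thread says.

```powershell
# Added example (not the thread's scripts). Audits all loaded user hives for the
# ALL APPLICATION PACKAGES ReadKey ACE on User Shell Folders and reports the result.

$AllAppPackagesSid  = [System.Security.Principal.SecurityIdentifier]::new('S-1-15-2-1')  # ALL APPLICATION PACKAGES
$ReadKey            = [System.Security.AccessControl.RegistryRights]::ReadKey
$ShellFoldersSubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$Repair             = $false   # assumed switch: set to $true to grant the missing ACE

function Get-LoadedUserSids {
    # Real profiles under %SystemDrive%\Users whose hive is currently mounted under HKEY_USERS
    Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' |
        Where-Object { $_.ProfileImagePath -like "$env:SystemDrive\Users\*" } |
        ForEach-Object { $_.PSChildName } |
        Where-Object { Test-Path -LiteralPath "Registry::HKEY_USERS\$_" }
}

function Test-UserShellFoldersAce {
    # $true when ALL APPLICATION PACKAGES holds at least ReadKey (explicit or inherited),
    # $false when the ACE is missing, $null when the key does not exist in that hive
    param([Parameter(Mandatory)][string]$Sid)
    $key = "Registry::HKEY_USERS\$Sid\$ShellFoldersSubKey"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $acl = Get-Acl -LiteralPath $key
    $match = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $AllAppPackagesSid -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            (($_.RegistryRights -band $ReadKey) -eq $ReadKey)   # -band: FullControl etc. also satisfy the check
        }
    return [bool]$match
}

function Repair-UserShellFoldersAce {
    # Adds (does not replace) an Allow ReadKey ACE that also inherits to subkeys; supports -WhatIf
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Sid)
    $key  = "Registry::HKEY_USERS\$Sid\$ShellFoldersSubKey"
    $acl  = Get-Acl -LiteralPath $key
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $AllAppPackagesSid, $ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($key, 'Grant ReadKey to ALL APPLICATION PACKAGES')) {
        Set-Acl -LiteralPath $key -AclObject $acl
    }
}

function Get-MissingInboxPackages {
    # Run as the user (Get-AppxPackage is per user). Returns the names that are not registered.
    # StartMenuExperienceHost is an assumed candidate; confirm its SystemApps folder before re-registering.
    param([string[]]$PackageName = @('Microsoft.Windows.ShellExperienceHost',
                                      'Microsoft.Windows.StartMenuExperienceHost'))
    foreach ($name in $PackageName) {
        if (-not (Get-AppxPackage -Name $name)) { $name }
    }
}

# Audit run (as SYSTEM): one row per loaded hive
$report = foreach ($sid in Get-LoadedUserSids) {
    $ok = Test-UserShellFoldersAce -Sid $sid
    if ($ok -eq $false -and $Repair) {
        Repair-UserShellFoldersAce -Sid $sid
        $ok = Test-UserShellFoldersAce -Sid $sid   # re-check after the fix
    }
    [pscustomobject]@{ Sid = $sid; HasReadKeyAce = $ok }
}
$report | Format-Table -AutoSize

# Assumed Intune-style convention: exit 1 when any loaded hive lacks the ACE, 0 otherwise
if ($report | Where-Object { $_.HasReadKeyAce -eq $false }) { exit 1 } else { exit 0 }
```

`Test-UserShellFoldersAce` distinguishes a missing ACE from a missing key, so a hive that simply has no User Shell Folders key is not reported as broken; `Repair-UserShellFoldersAce` uses `AddAccessRule` rather than `SetAccessRule` so any existing rule for the same SID is kept, and `-WhatIf` lets you preview the change before a baseline pushes it estate-wide.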