Set_FDCC_LGPO: Updated for 2008 Q3

[2009-04-15:  Attachment removed.  Bookmark this page for the latest versions of these utilities.] 

Set_FDCC_LGPO is a utility that we originally released in December that applies the Group Policy Objects provided by NIST on their web site to the Local Group Policy on the Windows XP or Windows Vista computer you run the tool on.

NIST recently released FDCC Major Version 1.0 (Q3 2008), and so this utility has also been updated to incorporate the new GPOs.  The updated utility is provided as an attachment to this blog post.

This update also incorporates improved logging of its SecEdit.exe results.  The updated source code and project files for this release have also been posted.  (For the time being, it’s still a Visual Studio 2005 project.)

See the earlier post for documentation.

Comments (11)

  1. Apologies for the delay in my response.  

    First, the error code 0x80070020 translates to "The process cannot access the file because it is being used by another process."  I’ll ensure that the next version of Set_FDCC_LGPO produces the proper human-readable text and not just an error code when a
    failure occurs in that spot.

    The more important question is why should that error ever occur?  My immediate suspicion is that anti-virus is involved.  Committing the policy changes results in the repeated opening and closing of the policy files (System32GroupPolicyMachineRegistry.pol
    and System32GroupPolicyUserRegistry.pol).  I have seen many cases over the years where a file that is modified, closed and then re-opened will fail on the re-open because an anti-virus program is busy checking the previous changes for virus signatures.
     In this case, the fact that the policy files are opened and closed many times is not something under the control of Set_FDCC_LGPO — it’s making just one function call (if you downloaded the source, it’s the gpo.Save() call in RegPolProcessor.cpp).

    My suggestion would be to ensure that when this tool is running, either disable anti-virus or configure it not to look at files in the local GroupPolicy folder.

    Is anyone seeing this error on systems where no anti-virus is installed?

    — Aaron

  2. Anonymous says:

    I have this same issue. Clean XP SP2 build with no additional applications or drivers. Sometimes I get the errors, sometimes I don’t. Running Set_FDCC_LGPO in safe mode works every time.

  3. Anonymous says:

    [Mandy Tidwell] No.Unfortunately we don’t have any current tools with that functionality.  However, that is an area we are pursuing and will post updates to this blog as they become available. 


    Are there any global files that we can revert an XP instance to its defaults, in effect, removing all the applied FDCC controls?  We are looking at this as a troubleshooting idea.

    Using secedit.exe /configure will not revert any controls to "not configured".  Also, using the sececit.exe /configure using the default secsetup.inf does some of the job but not all.

  4. Anonymous says:

    There is absolutely nothing on said tested systems but drivers.  No anti-virus software, or ANY software for that matter.  Any other ideas on what could be using GroupPolicy when nothing is installed after a FRESH XP SP2 install other than drivers for unknown devices?

  5. Are these systems domain-joined, or are they still workgroup?

    The next step would be to run Process Monitor (from to see where the sharing violations are and what is causing them.  I have yet to repro this on any system I’ve tested on.

    — Aaron

  6. Anonymous says:

    Set_FDCC_LGPO – source code and Visual Studio project files, updated for Q3 2008 (FDCC Major Version 1.0)

  7. Anonymous says:


    So for you running it in Safe Mode works everytime?

  8. Anonymous says:

    Just wondering if this issue has been resolved

  9. Anonymous says:

    I have not heard anything back or resolved the issue.  This problem is being reflected upon several makes and models of laptops/workstations.

  10. Anonymous says:

    Running Set_FDCC_LGPO reports 0 errors in Safe Mode for my case as well.  

    I ran Process Monitor while running Set_FDCC_LGPO.  What kind of items listed under Results am I to look for errors?  Other than SUCCESS and NO NAME FOUND there are 941 registry modifications associated with the process, resulting in:




    All of the BUFFER OVERFLOW items are associated with the path HKLMSystemCurrentControlSetServicesWinSock2ParametersProtocol_Catalog9Catalog_Entries

    All of the NO MORE ENTRIES and CANNOT DELETE items are associated with Group Policy Objects.

    Let me know what other information you need from me, I can elaborate wherever needed on the results I have come across.  Thanks again!

  11. Anonymous says:

    I am having some issues with Set_FDCC_LGPO.  Some machines will report no errors, and others will.

    I am currently working with a Panasonic CF-30, with a clean Windows XP SP2 build and nothing else but drivers for listed unknown devices.  Upon running Set_FDCC_LGPO, the error text file generated states:

    Computer policy save failed; error code 0x80070020.

    I have seen that users can resolve this issue by running the exe again.  Sometimes this resolves the issue (no errors reported) while other times it may give the same error, or "User policy save failed; error code 0x80070020".  I have seen no pattern in this issue.  Here is the example I ran through while typing this comment (each time, deleting the previous error text file):

    1st execution: Computer user policy failed; error code 0x80070020

    2nd execution: No errors reported

    (for fun)3rd execution: Computer user policy failed; error code 0x80070020

    Computer user policy failed; error code 0x80070020

    (yes, it printed twice).

    4th execution:User policy save failed; error code 0x80070020

    User policy save failed; error code 0x80070020

    Sometimes it gives me a combination of the two errors.  I tried several more times to try to get 0 errors reported, but gave up after several tries.

    Sorry for the large comment, I’m going to copy this over in an email as well as the I am pressed to resolve the issue.  Any ideas?  Thanks.