Updated LGPO utility sources

The updated sources corresponding to the updated versions of the Apply_LGPO_Delta and ImportRegPol utilities are attached to this post.


Comments (11)
  1. RetiredRecon says:


    How long before we start seeing Windows 7 FDCC Blog related materials?

    From what I have read it appears Microsoft and the Air Force are working on Windows 7 FDCC settings. There is also some indications that DISA has a Windows 7 STIG document but I have yet to see anything formal in public forums yet.

    The Army indicated DISA has a checklist, but I couldn’t find it anywhere yet.

    Any indication when we will see the Windows 7 FDCC settings start rolling out? I would be interested in getting my hands on any LGPO utilities as early as possible.



    [Aaron Margosis]  Hopefully soon.  I can’t really publish anything here until after NIST or the DoD release their drafts for public review.  Chances are very good that the settings will be similar to what’s in the Vista settings, so if you want to do some
    Win7/FDCC testing, apply the Vista settings to a Win7 computer.  One way you can do that is download the latest NIST GPOs, find the registry.pol files in them that apply to Vista or "Both" and apply them with ImportRegPol, and find the security templates (GptTmpl.inf)
    that apply to Vista or "Both" and apply them either with Secedit.exe or Apply_LGPO_Delta (the latter is easier).

  2. Carl Nakamura says:

    Hi Aaron,

    I'm not a developer but I appreciate the functionality of Apply_LGPO_Delta.exe a lot. Would it be possible add functionality to delete a registry branch including all values? if using the action DELETEALLVALUES

    * you need to recursively specify all sub-branches that contains values in the input file.


    I would like to be able to delete HKEY_CURRENT_USERSoftwarePoliciesMicrosoftOffice14.0 by just specifying this string and not have to specify all sub branches eg HKEY_CURRENT_USERSoftwareMicrosoftOffice14.0Access

    HKEY_CURRENT_USERSoftwareMicrosoftOffice14.0Common etc.



  3. jacksoa says:

    How would I apply the policies to win7 using ImportRegPol.exe, or do I use the Set_FDCC_LGPO.exe and Apply _LGPO_Delta.exe as well? is there sample code?

    [Aaron Margosis]  See the PowerShell script on this post:


    Set_FDCC_LGPO is for XP and Vista only.  It will not be updated for Win7.

  4. Mark says:

    I would like to use the provided source as part of my product.  Is this allowed by the license?  It is unclear to me since the license states:






    Copyright (C) 2008.  Microsoft Corporation.  All rights reserved.


    [Aaron Margosis] You can use the source code the way you would any MSDN sample code.

  5. Loren says:

    Would it be possible to add support for REG_MULTI_SZ by adding something like this to the if-else construct in RegFilesProcessor? I'm not a developer and have no idea how to compile or test it, so hoping someone can tell me whether this is worth pursuing before I try to figure it out…

    if ( 0 == wcsncmp(L"MULTISZ:", sAction.c_str(), 8) )
    bSetValue = true;
    sValueData = sAction.substr(8);
    dwRegType = REG_MULTI_SZ;
    cbData = (DWORD)(sValueData.length() + 1) * sizeof(wchar_t);
    pData = (const BYTE *)sValueData.c_str();

    [Aaron Margosis] The problem is coming up with a way to specify the multi-sz input data in a text file. Multi-sz data is a series of null-terminated strings.  One could use a different separator character, but what if you wanted to use that character as part of a string?  I didn't spend a lot of time thinking about it because for the purposes of the tool (mostly FDCC/USGCB policies) there was little need for Multi-Sz — or Binary for that matter.

  6. Loren says:

    Well, I believe the USGCB policies are based on the DISA STIGs, and those do specify a policy for the Optional Subsystems registry key, which is Multi-Sz. I didn't dig any further into how the reg value is parsed and processed…any lessons we could crib from other methods? I believe both secedit and reg can process multi-sz values…

    [Aaron Margosis]  If you ever export a multi-sz or expand-sz from Regedit and look at the resulting .reg file, it's all hex data.  Here are examples of both:


    The former is REG_EXPAND_SZ ("hex(2)") and the latter is REG_MULTI_SZ ("hex(7)").  I'm trying to stick with readable text representations.

    Also, Optional Subsystems is specified in a security template (e.g., GptTmpl.inf) and the MMC Security Templates snap-in serves as a fine editor for those files.  If it were more important to represent an expand or multi-sz in an administrative template (registry.pol), that would raise the priority to solve this issue.

  7. Loren says:

    Ok, I looked over the code a bit more, and it appears there is no parsing of the value data. It's set to pdata and passed directly to RegSetValueEx. In which case, the formatting of the value falls to the user, yes? I'd certainly be fine with that. The format to use would just need to be specified in the readme, I'd think. From the examples I can find, the format would be something like 'value1value2'. Might need a second '' at the end, depending on how the data is read in and how c_str() works.

    [Aaron Margosis]  When you see '' in C/C++ related text, it refers to the ASCII NUL character, not to the sequence of a backslash character and a digit zero.  If I treat that two-character sequence as a representation of the NUL character, then I'd also need a way to allow the literal sequence to be represented also.  It gets complicated.

    What's the scenario you're working with where multi-sz representations are important?

  8. Loren says:

    I get it, we're basically talking about how to support special characters and how to escape them. I know that's not a particularly straight-forward problem.

    I only have the one requirement at the moment. I'm building a framework to automate the application of DISA STIGs to Windows systems (since the tools they provide are waaaaaaay behind), and the W2k8-r2 STIG specifies a requirement for the Optional Subsystems value. At first, I was making the registry edits directly, then I switched to apply_lgpo_delta.exe with the .inf method to configure all the settings, but both those methods get overridden by the security policies in the administrative template. So I changed everything over to the syntax to update the security policy with apply_lgpo_delta.exe. That works for every setting except this one, of course.

    [Aaron Margosis] Nothing in the administrative templates (the registry.pol file(s)) should be overriding the settings for Optional Subsystems.  I see no .admx-based settings that write anything to that part of the registry.  This in a security template file should be all you need:

    [Registry Values]
    MACHINESystemCurrentControlSetControlSession ManagerSubSystemsoptional=7,

  9. Loren says:

    Yes, that's more or less what I've resorted to. It's just annoying to have to configure some settings in one way and other settings in another way. Makes the whole thing more fragile and harder to understand, troubleshoot, and maintain.

    [Aaron Margosis]  Well, it's been that way since the advent of Group Policies and Administrative Templates.  Security templates have been around a lot longer.  (And advanced auditing uses yet another entirely different interface!)

  10. Loren says:

    Yep, I am applying the advanced auditing policies in my toolset as well. I am really thankful for the work you've all been doing on the security baselines, and especially the LocalScript method to apply them. It's really made it easier to figure out how
    all the pieces work, write new baselines to cover custom security policies (like the DISA STIGs), and incorporate the application of the baselines into a larger configuration management framework. Cheers!

  11. Charles Tsai says:

    I used your source to add policy-based QoS rule and it works. But I found one problem with it.
    If I did not run gpedit.msc to create any rule before, the QoS policy rule that I add using the LGPO API cannot be activated. If I run gpedit.msc to create any rule or edit the rule added by LGPO API, it works without any problem. Can you tell me what it is
    enabled by gpedit.msc in this case? I tried to find any API or approach and it seemed not work at all. Is LGPO API is only used to edit the rules created by gpedit.msc?

Comments are closed.

Skip to main content