Mark Minasi's Reader Forum
 serious bug with GPO win7/2008r2!

T O P I C    R E V I E W
Pesos Posted - 04/14/2010 : 02:27:44 AM
Ugh just took me a long time troubleshooting this one... We are migrating our citrix environment from win2003 to win2008r2 so I am redoing my user UI lockdown GPO. Went through all the usual stuff and when I tested it, I noticed that users were not able to unzip zip files (using the built-in windows explorer unzip).

So I undid the policy elements one by one and finally realized that the culprit is the "remove run menu from the start menu" option. Ugh, that is kind of an important one. I am hoping that I can mitigate it for now using GPO preferences to keep it removed and AppLocker to prevent anything I don't want to be launched.

If anyone gets a moment to duplicate this in their environment it would be much appreciated!

Thanks,
Wes
30   L A T E S T    R E P L I E S    (Newest First)
Pesos Posted - 06/22/2012 : 2:54:02 PM
Unfortunately it was never resolved - that GPO definitely seems to break unzipping. We removed that part from our lockdown GPO and instead remove the run command from the start menu using GPO preferences. That plus applocker is tight enough for us.
XDGrim Posted - 02/09/2012 : 12:50:21 AM
Hi guys, this still appears to be an issue with Folder Redirection.

I'm having the same problem with 2008 R2 SP1.

Can you shed any light?
Pesos Posted - 04/19/2010 : 5:42:38 PM
hmm, the "app" is windows explorer... so I guess I could try it by applying the custom GP to an admin account on the server?

the default GP has nothing altered at all other than password policy...
JSCLMEDAVE Posted - 04/19/2010 : 5:40:51 PM
I mean line by line in the default GP..? Try using an elevated level to run the app. Just out of curiosity...
Pesos Posted - 04/19/2010 : 5:27:01 PM
Hi Tim, there are no other GPs applied except the one I specifically created separate to test with, applying only this one change (confirmed in GPMC)... And no command prompt involved, elevated or otherwise...
JSCLMEDAVE Posted - 04/19/2010 : 5:21:10 PM
Just a WAG and not having a R2 server to test on myself I have to ask, are you running it with an elevated cmd prompt? I'm at a loss, especially without a test R2 box...

Did you check ALL the GPs being applied line by line? You may be surprised what someone may have set for you.
Pesos Posted - 04/19/2010 : 3:04:53 PM
Oh, no TS... hmm I wonder if that has something to do with it... Don't suppose you could install RDSH?
wkasdo Posted - 04/19/2010 : 2:39:44 PM
Well, I have no TS, no office, no acrobat, no nothing. Just a clean server. The truth is somewhere in between, I suppose.
Pesos Posted - 04/19/2010 : 1:45:04 PM
Yep, thanks for trying! Very strange that you can't reproduce, especially since I can on a fresh new server.
wkasdo Posted - 04/19/2010 : 1:42:43 PM
Could be anything, really. Sorry, my remote debugging skills stop here, especially because I'm not reproducing! You're not in a position to log a case yourself, I suppose?
Pesos Posted - 04/19/2010 : 12:27:14 PM
the only thing I can see in procmon that seems to be related is this:

Date & Time: 4/19/2010 9:26:38 AM
Event Class: Registry
Operation: RegEnumKey
Result: NO MORE ENTRIES
Path: HKCR\Drive\SHELLEX\FolderExtensions
TID: 2096
Duration: 0.0000023
Index: 1
Length: 288
JSCLMEDAVE Posted - 04/19/2010 : 12:06:25 PM
Shouldn't you actually run this from another server to avoid the Heisenberg effect? To avoid changing the monitored system by the very act of monitoring it..?
Pesos Posted - 04/19/2010 : 12:03:13 PM
about to try that now!
wkasdo Posted - 04/19/2010 : 12:02:20 PM
Does procmon run on this newly installed server?
Pesos Posted - 04/19/2010 : 11:49:27 AM
Finally made time to build up a new 2008 R2 terminal server - nothing installed but Acrobat, Office 2010, and Communicator 2007 R2. Can unzip just fine. Apply nothing but the "remove run" GPO setting, and get the same error. So doesn't look like Citrix is the culprit... Let me know what you find out Claus. For now I can get by without this setting, other lockdown options should prevent run from being accessible.
Pesos Posted - 04/18/2010 : 5:48:46 PM
Cool thanks!
Xenophane Posted - 04/18/2010 : 1:59:18 PM
Wes, I have a citrix consultant coming in tomorrow, and I know that he has had some trouble with GPO's, but on R2 only... I spoke with him last week, and he has a case open with MS, I am not sure it is 100% the same problem as yours, but MS acknowledged that it was a bug in Windows.

I will see if I can get some more information tomorrow and post it.
Pesos Posted - 04/17/2010 : 3:29:37 PM
Well everything works swimmingly without that GPO set :-)

Will try to make time to test without citrix.
wkasdo Posted - 04/17/2010 : 3:25:52 PM
In support of Michael's view: it is known that procmon can be a victim of a misbehaving app with corrupt internal data structures. Looks to be something seriously wrong here. One thing to try is to disable all the citrix stuff, reboot, and then see what happens.
NMDANGE Posted - 04/16/2010 : 09:15:31 AM
Well I've never seen procmon crash! Can you try on a machine that does not have any Citrix software installed? ctxsbxhook64.dll appears to be part of the Citrix software. I'd compare a straight Remote Desktop Session Host with no 3rd party software with the same GPOs with one with Citrix on it.

Pesos Posted - 04/15/2010 : 7:50:09 PM
Faulting application name: Procmon64.exe, version: 2.9.0.0, time stamp: 0x4bc3b84e
Faulting module name: ctxsbxhook64.dll_unloaded, version: 0.0.0.0, time stamp: 0x4b980155
Exception code: 0xc0000005
Fault offset: 0x000007fefd122f60
Faulting process id: 0x23d8
Faulting application start time: 0x01cadcf5c3805a5a
Faulting application path: C:\Users\zuser_alac\Desktop\Procmon64.exe
Faulting module path: ctxsbxhook64.dll
Report Id: 0a335e20-48e9-11df-972f-00155d20281b
Pesos Posted - 04/15/2010 : 10:27:38 AM
OK, will try to set that up later today - so strange because I don't feel like I'm doing anything out of the ordinary!
wkasdo Posted - 04/15/2010 : 03:20:52 AM
Wes, I'm not reproducing this. My next step would be to run procmon and see what exactly is getting denied.
Pesos Posted - 04/14/2010 : 5:08:33 PM
just tested it without folder redirection, and getting the same error as above!
Pesos Posted - 04/14/2010 : 4:42:15 PM
I get the same result whether I try to unzip on the desktop (which lists the path using the UNC), or in the mapped O drive.
Pesos Posted - 04/14/2010 : 4:41:12 PM
Pesos Posted - 04/14/2010 : 4:39:55 PM
Do you have folder redirection applied? The only other things I have applied are Folder Redirection and a policy to enable our UNC path as part of the Intranet zone. I even tried it without the latter one, and manually added our UNC path to the intranet zone within IE, and I get the same result...
wkasdo Posted - 04/14/2010 : 3:36:06 PM
Sorry Wes, I misunderstood you.

I created a new domain user, and a new 2008 R2 server without any policies except the default domain policy. I enabled just the policy to remove Run from the Start menu for this test user. Before and after, I could create .zip files and open them using the Explorer zip capabilities.

So you are looking at something more complicated, I'm afraid. Does RSoP give any clues?
Pesos Posted - 04/14/2010 : 12:22:22 PM
I found it hard to believe too - which is why it took me so long to troubleshoot - that was one of the last options I tried disabling!!! I was shocked when it turned out to be it. If you look in my second post, I copied in the extra information contained in the GPO explanation - which appears that this GPO setting does block the TEMP folder (which is my guess as to what is creating the problem). What I'm wondering is why this wasn't an issue with 2003... Is it a change in how the GPO itself applies to 2008r2, or is it a change in how 2008r2 handles unzipping functions via explorer?
wkasdo Posted - 04/14/2010 : 03:38:13 AM
UNC paths are required for folder redirection.

> I noticed that users were not able to unzip zip files (using the built-in windows explorer unzip).

Perhaps a TEMP folder is blocked by your policy?

> finally realized that the culprit is the "remove run menu from the start menu" option

Hard to believe.... If I have a moment today I'll try and reproduce this. Did you have a look with procmon?
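
A repro check for the behaviour this thread tries to duplicate, as an added example that is not part of any post: it reports the `NoRun` registry value that backs the "Remove Run menu from Start Menu" setting, then creates and extracts a zip through the Explorer shell zip handler. The Desktop working location, the file names and the timeout are assumptions, and the sample file is constructed. Run it as the test user before and after applying the setting.

```powershell
# Added example: checks the NoRun policy and exercises Explorer's built-in zip handling.
param([string]$WorkRoot = [Environment]::GetFolderPath('Desktop'))   # assumed test location

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$noRun = (Get-ItemProperty -Path $policyKey -Name NoRun -ErrorAction SilentlyContinue).NoRun
$noRunText = if ($null -eq $noRun) { 'not set' } else { $noRun }

$shell = New-Object -ComObject Shell.Application

# CopyHere is asynchronous for zip folders, so poll until the item shows up or we time out.
function Wait-ShellItems([string]$Path, [int]$Expected, [int]$TimeoutSec = 30) {
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        Start-Sleep -Milliseconds 500
        $ns = $shell.NameSpace($Path)
        $count = if ($ns) { $ns.Items().Count } else { 0 }
    } while ($count -lt $Expected -and (Get-Date) -lt $deadline)
    return ($count -ge $Expected)
}

# Constructed sample data in a scratch folder.
$work   = [string](Join-Path $WorkRoot ('ziptest_' + [guid]::NewGuid().ToString('N')))
$out    = [string](Join-Path $work 'extracted')
$sample = [string](Join-Path $work 'sample.txt')
$zip    = [string](Join-Path $work 'test.zip')
New-Item -ItemType Directory -Path $out -Force | Out-Null
Set-Content -Path $sample -Value 'constructed sample file for the unzip test'

# An empty zip is just the 22-byte end-of-central-directory record.
[byte[]]$emptyZip = @(0x50, 0x4B, 0x05, 0x06) + (@(0) * 18)
[System.IO.File]::WriteAllBytes($zip, $emptyZip)

# Step 1: add the file to the zip through the shell (what "Send to > Compressed folder" uses).
$zipNs = $shell.NameSpace($zip)
if ($zipNs) { $zipNs.CopyHere($sample) }
$created = Wait-ShellItems -Path $zip -Expected 1

# Step 2: extract through the shell (what "Extract All" uses); 0x14 = no progress UI + yes to all.
$extracted = $false
if ($created) {
    $shell.NameSpace($out).CopyHere($shell.NameSpace($zip).Items(), 0x14)
    $extracted = Wait-ShellItems -Path $out -Expected 1
}

New-Object PSObject -Property @{
    User = $env:USERNAME; NoRun = $noRunText; WorkFolder = $work
    ZipCreated = $created; ZipExtracted = $extracted
}
```

A `False` in `ZipCreated` or `ZipExtracted` with `NoRun` set to 1, and `True` with it unset on the same server, matches what the original poster describes; an error dialog from Explorer may also appear during the failing step.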
