This article explains how unprivileged users can bypass user group policies by copying registry hives using OFFREG.dll on Windows systems. It discusses potential countermeasures to prevent unauthorized modifications and highlights the security implications of registry hive ownership. #OFFREGdll #RegistryHiveBypass
Key points
- Unprivileged users can copy registry hives to bypass group policies using OFFREG.dll.
- Policies stored in the registry are protected by access controls limited to SYSTEM and administrators.
- Copiable registry hives include "ntuser.dat" and "ntuser.man", which can be manipulated offline.
- Microsoft states that writing to the HKCU hive does not violate a security boundary, since the user owns the hive.
- Countermeasures involve denying users permission to modify NTFS DACLs of user profile directories and files.
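The countermeasure above can be checked rather than assumed. The following PowerShell audit is an added example, not code from the original article: run as an administrator, it walks the local profile directories (assumed to be under C:\Users) and reports every principal other than SYSTEM and Administrators that holds a right allowing it to rewrite the NTFS DACL of the profile root or of the copiable hive files. Each hit is a profile where the countermeasure is not in place.

```powershell
# Added example (not from the article): find profiles whose DACL can still be
# edited by a non-administrative principal. Assumes profiles live under C:\Users.
$ProfileRoot = 'C:\Users'
$HiveNames   = 'ntuser.dat', 'ntuser.man'
$Trusted     = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

# WRITE_DAC (ChangePermissions), WRITE_OWNER (TakeOwnership) and GENERIC_ALL,
# which maps to both. Generic rights show up as raw bits, so compare as int.
$Mask = [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
        [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
        0x10000000

function Get-DaclEditors {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $Mask) -eq 0) { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            # The owner holds WRITE_DAC implicitly, whatever the ACEs say,
            # so it is reported alongside each finding.
            Owner     = $acl.Owner
        }
    }
}

$findings = foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
    $paths = @($dir.FullName) + ($HiveNames | ForEach-Object { Join-Path $dir.FullName $_ })
    foreach ($p in $paths) {
        # Hive files are hidden but Test-Path still sees them; a missing ntuser.man is normal.
        if (Test-Path -LiteralPath $p) { Get-DaclEditors -Path $p }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No non-administrative principal can edit the DACL of any profile directory or hive file.' }
```

On a default installation every profile is reported, because the profile owner has Full Control; the Owner column shows who could reset the DACL even after the explicit ACEs are tightened.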