Apply registry fix for MS ID 972890 to corporate using Group Policy or similar

Last Modified: 2013-12-08
We are trying to find a nice method of deploying the registry fix workaround from Microsoft for the latest 0-day exploit. ID 972890
http://www.microsoft.com/technet/security/advisory/972890.mspx
The Microsoft webpage says the following
"You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy."
I'm pretty familiar with Group Policies, but how do I deploy a .reg file using a group policy?
Also interested in what solutions other people have used to deploy this workaround in a corporate environment.

deroodeSystems Administrator
CERTIFIED EXPERT
Commented:
Network Administrator
CERTIFIED EXPERT
Commented:
How would you undo this when the all clear is sounded?
Good question on the undo.  I'd freak out and have everyone go to the Fix It page Microsoft put out.  Otherwise someone else will come up with a .reg to undo, or if I were smart, I'd export the .reg I have in place now from a known working machine and use that to revert if needed.
Do you happen to know of a legit site that uses the ActiveX control, so you could test that it worked and test that your "undo" worked?

DonNetwork Administrator
CERTIFIED EXPERT

Commented:
From bottom of page under workarounds
http://www.microsoft.com/technet/security/advisory/972890.mspx
"Impact of Workaround: There is no impact as long as the object is not intended to be used in Internet Explorer."

From what I can tell, there shouldn't be any need to undo it.
That's what I read too, but made an undo, just in case.  I guess the best way to test the undo is to see about getting a copy of the source code for the vulnerability and let it go to town on one of my machines.  ;-)  Just kidding of course.
How did you make the undo? Did you just change the setting back to
"Compatibility Flags"=dword:00000000
in your script?

Author

Commented:
Thanks for everyone's suggestions.
I've created a group policy template which will set the keys and values and can delete them again if we need to disable the policy.
dstewartjr, I wasn't sure if the startup script would work as our users do not have admin rights on their own computers.

; KB972890 Workaround (msvidctl) - Prevent Microsoft Video ActiveX Control in Internet Explorer - v1.2
; Created by DataBitz
;
 
CLASS MACHINE
CATEGORY "KB972890 Workaround (msvidctl) - Prevent Microsoft Video ActiveX Control in Internet Explorer"
KEYNAME ""
POLICY "Set Compatibility Flags KB972890"
EXPLAIN "Enabled will set the ActiveX Compatibility registry key to the value of 1024, as per workaround for Microsoft KB972890. Disabled deletes the Compatibility Flag value only, it does not delete the key"
  #if version >= 4
    SUPPORTED "Windows 2000, Windows XP, Windows Server 2003"
  #endif
ACTIONLISTON
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0149EEDF-D08F-4142-8D73-D23903D21E90}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E5-45B6-11D3-B650-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E6-45B6-11D3-B650-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{055CB2D7-2969-45CD-914B-76890722F112}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{15D6504A-5494-499C-886C-973C9E53B9F1}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1BE49F30-0E1B-11D3-9D8E-00C04F72D980}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1C15D484-911D-11D2-B632-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1DF7D126-4050-47F0-A7CF-4C4CA9241333}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2C63E4EB-4CEA-41B8-919C-E947EA19A77C}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{334125C0-77E5-11D3-B653-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B0353C-A4C8-11D2-B634-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B03543-A4C8-11D2-B634-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B03544-A4C8-11D2-B634-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{418008F3-CF67-4668-9628-10DC52BE1D08}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4A5869CF-929D-4040-AE03-FCAFC5B9CD42}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{577FAA18-4518-445E-8F70-1473F8CF4BA4}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{59DC47A8-116C-11D3-9D8E-00C04F72D980}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{823535A0-0318-11D3-9D8E-00C04F72D980}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8A674B4C-1F63-11D3-B64C-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8A674B4D-1F63-11D3-B64C-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9CD64701-BDF3-4D14-8E03-F12983D86664}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9E77AAC4-35E5-42A1-BDC2-8F3FF399847C}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2E3074E-6C3D-11D3-B653-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2E30750-6C3D-11D3-B653-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AD8E510D-217F-409B-8076-29C5E73B98E8}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B0EDF163-910A-11D2-B632-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B64016F3-C9A2-4066-96F0-BD9563314726}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BB530C63-D9DF-4B49-9439-63453962E598}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C531D9FD-9685-4028-8B68-6E1232079F1E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCC-9B79-11D3-B654-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCD-9B79-11D3-B654-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCE-9B79-11D3-B654-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCF-9B79-11D3-B654-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CD0-9B79-11D3-B654-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D02AAC50-027E-11D3-9D8E-00C04F72D980}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F9769A06-7ACA-4E39-9CFB-97BB35F0E77E}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FA7C375B-66A7-4280-879D-FD459C84BB02}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
END ACTIONLISTON
ACTIONLISTOFF
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0149EEDF-D08F-4142-8D73-D23903D21E90}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E5-45B6-11D3-B650-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E6-45B6-11D3-B650-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{055CB2D7-2969-45CD-914B-76890722F112}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{15D6504A-5494-499C-886C-973C9E53B9F1}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1BE49F30-0E1B-11D3-9D8E-00C04F72D980}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1C15D484-911D-11D2-B632-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1DF7D126-4050-47F0-A7CF-4C4CA9241333}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2C63E4EB-4CEA-41B8-919C-E947EA19A77C}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{334125C0-77E5-11D3-B653-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B0353C-A4C8-11D2-B634-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B03543-A4C8-11D2-B634-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B03544-A4C8-11D2-B634-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{418008F3-CF67-4668-9628-10DC52BE1D08}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4A5869CF-929D-4040-AE03-FCAFC5B9CD42}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{577FAA18-4518-445E-8F70-1473F8CF4BA4}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{59DC47A8-116C-11D3-9D8E-00C04F72D980}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{823535A0-0318-11D3-9D8E-00C04F72D980}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8A674B4C-1F63-11D3-B64C-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8A674B4D-1F63-11D3-B64C-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9CD64701-BDF3-4D14-8E03-F12983D86664}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9E77AAC4-35E5-42A1-BDC2-8F3FF399847C}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2E3074E-6C3D-11D3-B653-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2E30750-6C3D-11D3-B653-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AD8E510D-217F-409B-8076-29C5E73B98E8}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B0EDF163-910A-11D2-B632-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B64016F3-C9A2-4066-96F0-BD9563314726}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BB530C63-D9DF-4B49-9439-63453962E598}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C531D9FD-9685-4028-8B68-6E1232079F1E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCC-9B79-11D3-B654-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCD-9B79-11D3-B654-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCE-9B79-11D3-B654-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCF-9B79-11D3-B654-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CD0-9B79-11D3-B654-00C04F79498E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D02AAC50-027E-11D3-9D8E-00C04F72D980}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F9769A06-7ACA-4E39-9CFB-97BB35F0E77E}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FA7C375B-66A7-4280-879D-FD459C84BB02}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
END ACTIONLISTOFF
END POLICY
END CATEGORY


DonNetwork Administrator
CERTIFIED EXPERT

Commented:
Actually, a startup script runs with system privileges (because it runs before user logon), so there would be no issue with applying this. But your ADM should work just as well. ;^D

Author

Commented:
dstewartjr
Thanks will use the ADM this time. But have another quick question about the startup script. What permissions would need to be on the network location to allow it to be read, everyone/authenticated users/system?
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
"B" ????
:-)  I'm glad I at least got a passing grade.  
Another helpful method to push this out is to use a simple script to connect to machines in the enterprise and run the registry modifications remotely. The code snippet below represents a successful attempt at deploying the registry fixes for 972890 throughout the enterprise unattended.

The script uses FOR statements to parse through a text file that lists all the PCs in the enterprise. Each line in the text file has the computer name of a single machine. Microsoft's psexec utility is then used to connect from a network machine with network access to each target machine in the list, logged in with an account that can modify each target machine's registry. After this is done, a text file is dropped on the machine so the registry changes are not made again if the script is run repeatedly. Before running this script in your organization, just be sure to test it in your environment.

The psexec utility used in this script is Microsoft's (formerly Sysinternals') psexec.exe, found at:
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Additionally you will need a .reg file with the changes for 972890. The code snippet earlier in this solution will provide that information for you. Make sure to check the code snippet for the reg file you copy against the keys specified in the security advisory for 972890 found at this URL:
http://www.microsoft.com/technet/security/advisory/972890.mspx

Finally, the value "\\source\" in the code snippet I have provided stands for the UNC pathname to the .reg file and the .txt file specified in the code snippet. This script is not perfect, since it pauses several seconds each time it hits a PC in the specified text file that is offline, but it works and has been tested successfully a few times. Feel free to modify it to correct any deficiencies you may find. Hope this helps. Nice of Microsoft to drop this on us out of band.

:: 12:41 PM 7/7/2009 Script Author
:: This script copies a .reg file and then executes a silent update of the registry for 972890 based on a list of PCs.
:: Step 1: copy the .reg file to every listed PC that does not have it yet.
FOR /F %%P IN (pclist.txt) DO IF NOT EXIST \\%%P\C$\windows\temp\972890.reg xcopy \\source\972890.reg \\%%P\c$\windows\temp
:: Step 2: report each PC where the .reg file is now present.
FOR /F %%P IN (pclist.txt) DO IF EXIST \\%%P\C$\windows\temp\972890.reg Echo "good to go"
:: Step 3: import the .reg file silently through psexec, unless the marker file shows this PC was already done.
FOR /F %%P IN (pclist.txt) DO IF NOT EXIST \\%%P\C$\windows\temp\972890done.txt c:\pstools\psexec \\%%P c:\windows\regedit.exe /s "c:\windows\temp\972890.reg"
:: Step 4: drop the marker file so repeated runs skip this PC.
FOR /F %%P IN (pclist.txt) DO IF NOT EXIST \\%%P\C$\windows\temp\972890done.txt xcopy \\source\972890done.txt \\%%P\C$\windows\temp
:: Cut and Paste activity log with pause statement
pause
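
Added example, not part of any post in this thread: a Python sketch that reads an ADM action list like the author's template above, checks that every CLSID set to 1024 on enable has a matching delete on disable, and renders the apply and undo .reg files the psexec approach needs. The function names (parse_adm, audit, to_reg) are illustrative and the sample input is a constructed two-CLSID excerpt; the CLSID list itself still has to be compared against the advisory.

```python
import re

KEY_PREFIX = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
KILL_BIT = 0x400  # decimal 1024, the value the template sets (the ActiveX kill bit)

# Constructed excerpt in the template's layout; helper names below are illustrative.
SAMPLE_ADM = r'''
ACTIONLISTON
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FA7C375B-66A7-4280-879D-FD459C84BB02}"
  VALUENAME "Compatibility Flags"
  VALUE NUMERIC 1024
END ACTIONLISTON
ACTIONLISTOFF
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FA7C375B-66A7-4280-879D-FD459C84BB02}"
  VALUENAME "Compatibility Flags"
  VALUE DELETE
END ACTIONLISTOFF
'''

def parse_adm(text):
    """Map each action list ('on'/'off') to {CLSID: numeric value or 'DELETE'}."""
    lists, section, clsid = {"on": {}, "off": {}}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        upper = line.upper()
        if upper in ("ACTIONLISTON", "ACTIONLISTOFF"):
            section = "on" if upper.endswith("ON") else "off"
        elif upper.startswith("END ACTIONLIST"):
            section = clsid = None
        elif section and upper.startswith("KEYNAME"):
            match = CLSID_RE.search(line)
            in_scope = KEY_PREFIX.upper() in upper  # ignore keys outside this branch
            clsid = match.group(0).upper() if match and in_scope else None
        elif section and clsid and upper.startswith("VALUE "):
            parts = line.split()  # "VALUE NUMERIC <n>" or "VALUE DELETE"
            lists[section][clsid] = ("DELETE" if parts[1].upper() == "DELETE"
                                     else int(parts[2]))
    return lists

def audit(lists):
    """Return findings; an empty list means apply and undo are consistent."""
    findings = []
    for clsid, value in sorted(lists["on"].items()):
        if value != KILL_BIT:
            findings.append(f"{clsid}: enabled value {value} is not the kill bit 1024")
        if lists["off"].get(clsid) != "DELETE":
            findings.append(f"{clsid}: no matching delete when the policy is disabled")
    for clsid in sorted(set(lists["off"]) - set(lists["on"])):
        findings.append(f"{clsid}: removed on disable but never set on enable")
    return findings

def to_reg(clsids, undo=False):
    """Render a .reg file that sets the flag, or deletes the value when undo=True."""
    setting = '"Compatibility Flags"=' + ("-" if undo else f"dword:{KILL_BIT:08x}")
    out = ["Windows Registry Editor Version 5.00", ""]
    for clsid in sorted(clsids):
        out += [f"[HKEY_LOCAL_MACHINE\\{KEY_PREFIX}\\{clsid}]", setting, ""]
    return "\r\n".join(out)

if __name__ == "__main__":
    parsed = parse_adm(SAMPLE_ADM)
    print(audit(parsed) or "apply and undo lists match")
    print(to_reg(parsed["on"], undo=True))
```

The undo file deletes only the "Compatibility Flags" value and leaves the key in place, which matches what the template's Disabled state is described as doing.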


DonNetwork Administrator
CERTIFIED EXPERT

Commented:
Sure, if you want to do it the hard way. The startup script will do the job just fine. There's even a better way described here
 
http://community.spiceworks.com/topic/71312?page=1#entry-181505 
Yes, based on the same article - I just tried putting this text below in a startup script (using GP editor) on several machines and it worked fine, with no user interaction required.

msiexec /i "\\yourserver\fix it msi\MicrosoftFixit50287.msi" /quiet


The first time it added many of the keys (example {FA7C375B-66A7-4280-879D-FD459C84BB02}) referenced in http://www.microsoft.com/technet/security/advisory/972890.mspx

I even tested it by changing the dword value from 400 back to 000. When I rebooted the machine and it ran the startup script again, I was able to verify that the script updated the registry.
Point taken. Unaware that Microsoft Fix it was .msi based. Makes it very easy then to push fix files out via Software Installation in Group Policy. Little vague trying to find full directory of these .msi Fix it files. Found what I believe is a global listing of these files at:
https://fixit.support.microsoft.com/reporting/?gssnb=1 