zero day internet explorer mitigation

I have added the code at the bottom of the link below to Group Policy, to run as a startup script for all my computers.

The script should unregister vgx.dll and mitigate the zero-day exploit. It appears to work fine when I run it on my own computer, but I am unable to tell whether it successfully unregistered the DLL when deployed via Group Policy.

How can I tell if the DLL was successfully unregistered when the group policy applied and the batch file ran?


btan (Exec Consultant) commented:
The bat file surfaces a success or failure message, but please refer to the article below, as for 64-bit machines the bat file may not be sufficient:

32-bit systems only require the first command. But since 64-bit systems have both a 32-bit and 64-bit version of the vulnerable file, both commands must be used with them:

regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"
regsvr32 -u "%CommonProgramFiles(x86)%\Microsoft Shared\VGX\vgx.dll"

These commands unregister (-u) the VML renderer, making it inaccessible to the exploit attempt.  Your IE browser will no longer be able to render vector markup language content, but it’s been unused on the web for many years.

You can perform a “before and after” test to confirm that VML rendering has been disabled with this simple VML rendering of an office layout: The proper response is a BLANK PAGE. If you receive a notice that “A VML capable browser is required…” you must add the domain to IE’s “Compatibility View” for the test to function properly. This is done under the settings menu.

Verifying via GPO may not be 100% reliable or straightforward to ascertain. regsvr32 has error codes, but it is best to assign someone to verify that it is done: trust but verify...
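The two regsvr32 commands above, as a startup script that also records what regsvr32 returned on each machine. This is an added example, not code from the original post or from the linked article. It assumes what a GPO computer startup script normally gets: it runs at boot as SYSTEM from the 64-bit host on x64 Windows, so %CommonProgramFiles% and %CommonProgramFiles(x86)% resolve to the two different directories. The share \\FILESERVER\vgx-logs$ is hypothetical; because the script runs as SYSTEM, the machine accounts ("Domain Computers") need write access to it, and a mapped drive letter will not exist at that point, so a UNC path is used.

```powershell
# Added example, not code from the original post or the linked article.
# GPO computer startup script: unregister vgx.dll on 32- and 64-bit Windows
# and record regsvr32's exit code so the result can be collected centrally.
# Assumptions: runs as SYSTEM from the 64-bit host on x64 (as GPO startup
# scripts do); \\FILESERVER\vgx-logs$ is a hypothetical share to which
# "Domain Computers" can write.

$LocalLog = Join-Path $env:ProgramData 'vgx-mitigation.log'
$LogShare = '\\FILESERVER\vgx-logs$'                 # hypothetical

# regsvr32 exit codes: 0 = success, 1 = invalid argument, 2 = OleInitialize
# failed, 3 = LoadLibrary failed (typically the file is absent),
# 4 = GetProcAddress failed, 5 = DllRegisterServer/DllUnregisterServer failed.
$ExitMeaning = @{
    0 = 'OK: unregistered'
    1 = 'invalid argument'
    2 = 'OleInitialize failed'
    3 = 'LoadLibrary failed'
    4 = 'GetProcAddress failed'
    5 = 'DllUnregisterServer returned an error'
}

# On 32-bit Windows only the first path exists; on 64-bit both do, and both
# copies must be unregistered (32-bit IE loads the (x86) one).
$Candidates = @(Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll')
if (${env:CommonProgramFiles(x86)}) {
    $Candidates += Join-Path ${env:CommonProgramFiles(x86)} 'Microsoft Shared\VGX\vgx.dll'
}

$Lines = foreach ($dll in $Candidates) {
    $stamp = Get-Date -Format 's'
    if (-not (Test-Path -LiteralPath $dll)) {
        "$stamp $env:COMPUTERNAME SKIP file not present: $dll"
        continue
    }
    # /s suppresses the result dialog, which would otherwise block a
    # non-interactive startup script indefinitely; /u unregisters.
    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList '/s', '/u', "`"$dll`"" `
                       -Wait -PassThru -WindowStyle Hidden
    $meaning = $ExitMeaning[[int]$p.ExitCode]
    if (-not $meaning) { $meaning = 'unknown exit code' }
    "$stamp $env:COMPUTERNAME EXIT=$($p.ExitCode) ($meaning): $dll"
}

# Always keep a local copy, then try the central share; one file per machine
# so a directory listing of the share shows which computers have reported.
Add-Content -LiteralPath $LocalLog -Value $Lines
try {
    Add-Content -LiteralPath (Join-Path $LogShare "$env:COMPUTERNAME.log") -Value $Lines -ErrorAction Stop
} catch {
    Add-Content -LiteralPath $LocalLog -Value "$(Get-Date -Format 's') could not write to $LogShare : $($_.Exception.Message)"
}
```

A machine whose log file on the share never appears either did not process the policy or could not reach the share; a file containing EXIT=3 means the DLL was not where the script expected it. Rolling the workaround back is the same regsvr32 call without /u.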
Merete commented:
I can't say; trust!
Did you also use this?
Symantec has also provided a batch file that you can download to automate the command line, and you can get it here: Zero-Day Internet Explorer Vulnerability Let Loose in the Wild

Justin, there is also a Flash virus getting around, as I have had to fix 4 systems here last week
with a message that your Flash may need updating.
Have you seen any popups like this? If you have, it is a virus.
Once the message appears you can't open the web page fully until you close it.
In any browser, by the way.
Use this guide to remove it. Do a scan of your system using the ESET online scanner.
Remove "WARNING! Your Flash Player may be out of date" virus
I also had to replace our router before finally getting rid of it.
We all have Windows 7 here and use Chrome.
Thought you might appreciate that information.
Regards, Merete
BillDL commented:
Probably the easiest way to verify whether VGX.DLL has been unregistered is to ascertain what the unregister command actually removes from the registry, and check for the removed registry value(s) or key(s) after unregistering VGX.DLL.

- Export the registry to a "vgx_before.reg" file, then run the regsvr32 -u command.
- Export the registry to a "vgx_after.reg" file.
- Compare the two to ascertain the differences, using a program that compares the two files side by side with colour-coded differences.

There is a freeware program named "ExamDiff Visual File Comparison Tool" by PrestoSoft which works OK, but I use a better retail tool named "Beyond Compare" by Scooter Software for this type of thing. There is a "Pro" retail version of ExamDiff that is probably more powerful than the free version or the trial version of the Pro, but I have only ever used the free one.
The free version of ExamDiff was last updated on October 1, 2011, as version 1.9.
There are no doubt other programs that do the same thing.

The comparison should find a couple of registry keys that will have been removed after Unregistering the DLL, and you could use the REG QUERY command to test for the existence of one or more keys or values after deploying your mitigation.

On Windows XP SP3 with IE8 and all current updates I have:
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version 8.00.6001.23580 (longhorn_ie8_ldr.140222-1715)
The following registry keys are removed when I run the regsvr32 -u command:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version Vector]

Here are the contents of these keys prior to unregistering VGX.DLL from my system, in case you wanted to test for a particular value rather than a key, but be aware that different versions of VGX.DLL may create additional or differently named keys on different operating systems:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}]
@="PeerDraw Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Component Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Implemented Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version Vector]

I hope this helps.
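The REG QUERY idea from the answer above, written out as a PowerShell check that can be run on one machine or pushed to many over WinRM. This is an added example, not code from the original post. It tests for the "PeerDraw Class" CLSID listed above in both the native view and the Wow6432Node view (where the 32-bit registration lives on 64-bit Windows; on 32-bit Windows that path simply does not exist and reads as absent), and for the VML value under the Version Vector key rather than the key itself, since on newer IE builds that key can hold other values. It needs PowerShell 3.0 or later for the [ordered] and [pscustomobject] syntax; the computer names PC01 and PC02 in the usage line are placeholders.

```powershell
# Added example, not code from the original post. Reports whether the
# VML/VGX COM registration listed by BillDL is gone from this machine.
# Requires PowerShell 3.0+. The CLSID is the "PeerDraw Class" one from
# the post; the Wow6432Node paths are the 32-bit view on x64 Windows.

function Test-VgxUnregistered {
    [CmdletBinding()]
    param()

    $clsid = '{10072CEC-8CC1-11D1-986E-00A0C955B42E}'
    $clsidKeys = [ordered]@{
        'CLSID (native)'  = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        'CLSID (Wow6432)' = "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid"
    }
    # vgx.dll also writes the VML entry under Version Vector. The key may hold
    # other values on newer IE builds, so test the VML value, not the key.
    $vvKeys = [ordered]@{
        'Version Vector VML (native)'  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Version Vector'
        'Version Vector VML (Wow6432)' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Version Vector'
    }

    $results = @(foreach ($name in $clsidKeys.Keys) {
        [pscustomobject]@{
            Check        = $name
            Path         = $clsidKeys[$name]
            StillPresent = (Test-Path -LiteralPath $clsidKeys[$name])
        }
    })
    $results += @(foreach ($name in $vvKeys.Keys) {
        $present = $false
        if (Test-Path -LiteralPath $vvKeys[$name]) {
            $item = Get-ItemProperty -LiteralPath $vvKeys[$name] -ErrorAction SilentlyContinue
            $present = ($null -ne $item) -and ($null -ne $item.PSObject.Properties['VML'])
        }
        [pscustomobject]@{ Check = $name; Path = $vvKeys[$name]; StillPresent = $present }
    })

    # Unregistering does not delete the file, so also report whether it is
    # still on disk (expected: yes; this is a workaround, not a removal).
    $dllOnDisk = @(
        Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
        if (${env:CommonProgramFiles(x86)}) {
            Join-Path ${env:CommonProgramFiles(x86)} 'Microsoft Shared\VGX\vgx.dll'
        }
    ) | Where-Object { Test-Path -LiteralPath $_ }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Unregistered = -not ($results.StillPresent -contains $true)
        Remaining    = @($results | Where-Object { $_.StillPresent } | ForEach-Object { $_.Path })
        DllOnDisk    = @($dllOnDisk)
    }
}

# Local check:
Test-VgxUnregistered | Format-List

# Fleet check over WinRM (placeholder names; assumes PS remoting is enabled on
# the targets). Lists only machines where something is still registered:
# Invoke-Command -ComputerName PC01, PC02 -ScriptBlock ${function:Test-VgxUnregistered} |
#     Where-Object { -not $_.Unregistered } | Format-Table ComputerName, Remaining
```

Because the same object comes back from every machine, a fleet-wide report is just the objects exported with Export-Csv; the Remaining column tells you which view (native or 32-bit) was missed, which is exactly the 32-bit-on-64-bit gap the first answer warns about.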
btan (Exec Consultant) commented:
It is also best to test on both 32-bit and 64-bit machines, because if this vgx workaround is applied, software (if any) that redistributes vgx.dll may potentially fail to install or even run. Hence, if that is the case, based on the error experienced or on application errors in the event log, this workaround will likely need to (or must) be reverted to the previous configuration for vgx.dll.
Thank you Justin