Win_region affected by Windows Registry Hardening #287

Closed
adam-kosseck opened this issue Aug 26, 2021 · 3 comments · Fixed by #288

Comments

@adam-kosseck

SUMMARY

Windows Registry editing can be blocked by changing specific settings in the Registry. When these settings are enabled win_region fails to make changes to a target system.

ISSUE TYPE

  • Feature Idea

COMPONENT NAME

win_region

ADDITIONAL INFORMATION

There are two Windows registry settings related to hardening the registry; they can be found under:
"User Configuration\Policies\Administrative Templates\System\". These settings are:
"Prevent access to registry editing tools" and "Disable regedit from running silently".

Feedback from jborean93:
It looks like this will cause a failure when using reg.exe or regedit.exe. In the case of win_region it's doing a reg load and reg unload when copying the settings to a new profile:

    reg load $defaultHiveKey 'C:\Users\Default\NTUSER.DAT'

These can be fixed up to use the Win32 API that is in place for win_regedit which doesn't rely on reg.exe at all.

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: at <ScriptBlock>, <No file>: line 348
fatal: [HOSTNAME]: FAILED! => {"changed": false, "msg": "Unhandled exception while executing module: ERROR: Registry editing has been disabled by your administrator."}
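
A read-only preflight check for the policy described in the report above, added here as an example and not part of the issue or of win_region: it lists each loaded user hive and whether the policy is set there. It assumes the policy is stored as the `DisableRegistryTools` DWORD under `Software\Microsoft\Windows\CurrentVersion\Policies\System` (standard Administrative Template storage, not stated in the issue); `Get-RegistryToolsPolicy` is a hypothetical name.

```powershell
# Added example (not from the issue). Read-only: nothing is written to the registry.
# Assumption: the "Prevent access to registry editing tools" policy is stored as the
# DWORD DisableRegistryTools in the user's hive under the sub key below.
$policySubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName    = 'DisableRegistryTools'

function Get-RegistryToolsPolicy {
    [CmdletBinding()]
    param()

    # The policy is per user, so inspect every loaded user hive.
    # Skip .DEFAULT, service accounts and the *_Classes companion hives.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

    foreach ($hive in $hives) {
        $sid  = $hive.PSChildName
        $path = "Registry::HKEY_USERS\$sid\$policySubKey"

        # A missing key or a missing value both mean "not configured".
        $raw = $null
        if (Test-Path -LiteralPath $path) {
            $item = Get-ItemProperty -LiteralPath $path -Name $valueName -ErrorAction SilentlyContinue
            if ($item) { $raw = $item.$valueName }
        }

        # Resolve the SID to an account name; fall back to the SID for orphaned profiles.
        try {
            $account = [System.Security.Principal.SecurityIdentifier]::new($sid).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid
        }

        [pscustomobject]@{
            Account   = $account
            Sid       = $sid
            RawValue  = $raw                               # $null when not configured
            PolicySet = ($null -ne $raw) -and ($raw -ne 0) # non-zero: policy in effect
        }
    }
}

Get-RegistryToolsPolicy | Format-Table -AutoSize
```

Only hives that are currently loaded appear under `HKEY_USERS`, so run this as, or while logged on as, the account the automation connects with; reading other users' hives requires an elevated session.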

@jborean93
Collaborator

The PR #288 should solve this issue for you. If you get a chance to test it out that would be great.

@adam-kosseck
Author

> The PR #288 should solve this issue for you. If you get a chance to test it out that would be great.

Hi Jordan, I have tested this PR in our environment.
I no longer get the error message about registry editing being disabled, and I can confirm that the settings do change successfully.

Thanks for this fix!

@jborean93
Collaborator

Thanks for confirming, it will be part of the next release.
