[File] [PATCH] Support Windows AD GPO Registry Policy files (Registry.pol)

Christos Zoulas christos at zoulas.com
Sat Jun 24 16:24:10 UTC 2023


Applied, thanks!

christos

> On Jun 24, 2023, at 12:13 AM, Yuuta Liang <yuuta at yuuta.moe> wrote:
> 
> Hello,
> 
> The attached patch adds basic support for Registry.pol files (Windows Active Directory Group Policy Registry Policy). Thanks!
> 
> Registry.pol files store GPO-configured registry values, and they are located in the AD sysvol, such as \\<Domain FQDN>\\sysvol\\<Domain FQDN>\\policies\<GUID>\Machine\Registry.pol.
> 
> 
> Docs on the file format: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/registry-policy-file-format.
> 
> Best regards,
> 
> Yuuta Liang
> 
> 
> ---
>  magic/Magdir/windows        |   6 ++++++
>  tests/registry-pol.result   |   1 +
>  tests/registry-pol.testfile | Bin 0 -> 7094 bytes
>  3 files changed, 7 insertions(+)
>  create mode 100644 tests/registry-pol.result
>  create mode 100644 tests/registry-pol.testfile
> 
> diff --git a/magic/Magdir/windows b/magic/Magdir/windows
> index 12976c88..d6e254b8 100644
> --- a/magic/Magdir/windows
> +++ b/magic/Magdir/windows
> @@ -1814,3 +1814,9 @@
>  0    string MetaView\x20Service\x20Assurance\x20Export\x20File    MetaView SAS export
>  >39     string  Version\x20
>  >>47    byte x                                                       \b, version %c
> +
> +# Active Directory Group Policy Registry Policy File Format
> +# From: Yuuta Liang <yuuta at yuuta.moe>
> +# URL: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/registry-policy-file-format
> +0    string    PReg
> +>4    lelong    x        Group Policy Registry Policy, Version=%d
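
Review bot: The level-0 line `0 string PReg` has no description and the `>4 lelong x` continuation accepts any value, so every file that begins with the four bytes PReg is reported as a policy file with whatever integer follows. Consider putting "Group Policy Registry Policy" on the `0 string PReg` line and printing the version from the continuation as `\b, Version=%d`, so the entry follows the layout of the MetaView entry just above it. Since the only version the test expects is 1, a comparison on the `>4` line would tighten a match that currently rests on a 4-byte ASCII string alone. A `!:ext pol` line would also be useful for tools that consume the extension list.
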
> diff --git a/tests/registry-pol.result b/tests/registry-pol.result
> new file mode 100644
> index 00000000..7ca512f0
> --- /dev/null
> +++ b/tests/registry-pol.result
> @@ -0,0 +1 @@
> +Group Policy Registry Policy, Version=1
> diff --git a/tests/registry-pol.testfile b/tests/registry-pol.testfile
> new file mode 100644
> index 0000000000000000000000000000000000000000..643e4a6dffd7f9302ed408723622dc5a904671db
> GIT binary patch
> literal 7094
> 
> literal 0
> HcmV?d00001
> 
> --
> 2.40.0
> 
> 
> 
