Windows can't just rely on delete-value commands in Disabled policies, because changing a set policy to Not Configured also needs to remove the values. To figure out how Windows knew to keep around manually-entered values, I used Process Monitor. Evidently, the Group Policy updating service compiles all applicable GPOs into one POL file called ntuser.pol. That file is stored in \ProgramData for the machine settings and in \ProgramData\Microsoft\GroupPolicy\Users\[SID] (*) for user settings. Whenever Group Policy is updated, the service compares the new settings against that file, then removes every Registry item that was set by policy but doesn't appear in the new version. Once the new settings are written, it rewrites ntuser.pol.
*This was updated in 2025 for Windows 11. When this post was originally written, the file was in the root of each user's profile folder.
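The compare-and-remove step described above, as an added example that is not code from the post or from Windows: a small parser for the PReg format that Registry.pol and ntuser.pol use, plus a function that lists the values the previous pass set but the newly compiled policy no longer carries (the ones Windows would delete). The key and value names in the sample are constructed; the PReg layout and the REG_SZ/REG_DWORD type codes are the documented format.

```python
import struct
# PReg layout (Registry.pol / ntuser.pol): b"PReg" + version 1, then [key;value;type;size;data] entries;
# key/value are NUL-terminated UTF-16LE strings, type/size little-endian DWORDs, delimiters UTF-16LE.
PREG_HEADER = b"PReg" + struct.pack("<I", 1)
REG_SZ, REG_DWORD = 1, 4

def _w(s):  # every string and delimiter in a .pol file is UTF-16LE
    return s.encode("utf-16-le")

def build_pol(entries):  # serialise (key, value, type, data) tuples; used below to construct samples
    out = bytearray(PREG_HEADER)
    for key, value, rtype, data in entries:
        out += _w("[") + _w(key + "\0") + _w(";") + _w(value + "\0") + _w(";")
        out += struct.pack("<I", rtype) + _w(";") + struct.pack("<I", len(data)) + _w(";")
        out += data + _w("]")
    return bytes(out)

def _read_wstr(blob, p):  # step two bytes at a time so a 0x00 high byte is not mistaken for the terminator
    end = p
    while blob[end:end + 2] not in (b"\0\0", b""):  # an unterminated string fails at the next delimiter check
        end += 2
    return blob[p:end].decode("utf-16-le"), end + 2

def _expect(blob, p, ch):  # consume one delimiter character
    if blob[p:p + 2] != _w(ch):
        raise ValueError(f"expected {ch!r} at offset {p}")
    return p + 2

def parse_pol(blob):  # return the (key, value, type, data) entries of a PReg blob
    if blob[:8] != PREG_HEADER:
        raise ValueError("not a version-1 PReg file")
    p, entries = 8, []
    while p < len(blob):
        p = _expect(blob, p, "[")
        key, p = _read_wstr(blob, p);   p = _expect(blob, p, ";")
        value, p = _read_wstr(blob, p); p = _expect(blob, p, ";")
        rtype = struct.unpack_from("<I", blob, p)[0]; p = _expect(blob, p + 4, ";")
        size = struct.unpack_from("<I", blob, p)[0];  p = _expect(blob, p + 4, ";")
        data = blob[p:p + size];        p = _expect(blob, p + size, "]")
        entries.append((key, value, rtype, data))
    return entries

def values_to_remove(old_pol, new_pol):  # set by the previous pass, absent from the new one (names case-insensitive)
    keep = {(k.lower(), v.lower()) for k, v, _, _ in parse_pol(new_pol)}
    return [(k, v) for k, v, _, _ in parse_pol(old_pol) if (k.lower(), v.lower()) not in keep]

# Constructed sample under a made-up key: the previous pass set two values, the new pass keeps only one.
KEY = "Software\\Policies\\Example"
OLD_POL = build_pol([(KEY, "DisableFoo", REG_DWORD, struct.pack("<I", 1)), (KEY, "Banner", REG_SZ, _w("hello\0"))])
NEW_POL = build_pol([(KEY, "DisableFoo", REG_DWORD, struct.pack("<I", 1))])
```

Pointing `parse_pol` at a copy of a real ntuser.pol from the \ProgramData\Microsoft\GroupPolicy\Users\[SID] folder is a quick way to audit exactly which values the last policy pass laid down on a machine.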