Showing posts with label policyplus.

Saturday, June 26, 2021

Policy Plus - Registry IO of large unsigned values

A couple weeks ago, I received a report from a Policy Plus user of an error in saving the POL file. Based on the error message displayed, the failure occurred when RegistryKey.SetValue couldn't figure out how to write a .NET value as Registry data. Unfortunately, there was no indication what type the problematic value was. I tried editing every kind of policy element and they all worked as expected... until I tried a huge numeric value. Apparently SetValue tries to convert the data to a signed 32-bit integer when writing a DWord value (even though the Registry is unsigned, if I understand correctly), which fails for unsigned integers larger than 2,147,483,647. As a workaround, unsigned integer values are now reinterpreted bitwise as signed integers while writing to the Registry and vice versa when reading.

Friday, April 30, 2021

Policy Plus - Policy definition ACL fix

Microsoft apparently changed its mind about only publishing policy definitions through Windows Update - new MSIs are now available for download on the web - so I was able to update Policy Plus's Acquire ADMX feature to download the most recent (20H2) definitions, after dealing with the wrinkle that the directory structure inside the MSI archive changed somewhat.

I recently received an issue report from a Policy Plus user stating that acquiring ADMX files failed in the "securing destination" phase on Windows 7 Home. Sure enough, I got the same error when testing on Windows 7 specifically, but not on Windows 10. Evidently, the PolicyDefinitions folder's ACL is different across Windows versions. I fixed the immediate problem by setting the owner to Administrators (using the take-ownership privilege) in a separate step before adding the ACL that allows Administrators full control. While inspecting the ACLs, however, I also noticed that the newly installed policy definition files had ACLs from the temporary directory under the user's profile folder rather than the typical ACL for publicly readable Windows files. ACLs are now inherited from the PolicyDefinitions directory, like they should be. Finally, I added a check for whether Policy Plus is elevated and, if not, made all permission overrides skipped so that normal users can make their own personal, portable policy definitions folder.

These changes are live on GitHub.

Monday, December 21, 2020

Policy Plus - Explicit checkbox elements and policy state detection

This morning I received a report from a Policy Plus user that its assessment of a policy state was inconsistent with that of the real Local Group Policy Editor. The policy had been set to Disabled in the official editor, but Policy Plus reported it as Unknown, which indicates that some Registry evidence favors it being Enabled while other evidence suggests it's Disabled. Indeed, the policy's main Registry value was deleted, but the value corresponding to a checkbox element was present and set to 0. Zero is that element's "off" value, but an unchecked checkbox is different than the whole policy being Disabled.

Experimenting with several different policies involving checkbox elements, I found that the Local Group Policy Editor writes checkbox elements' "off" values to the Registry when the policy is Disabled if the element has data explicitly defined. If the element's data is left implicit/default, disabling the policy deletes its Registry value like I expected. I still think it would be better if things worked the way I had previously assumed, since the way it actually works allows cases (in real policies!) where "policy Enabled but checkbox unchecked" is literally indistinguishable from "policy Disabled", but Policy Plus needs to reflect reality rather than my preferred design.

When judging a policy's state, Policy Plus now considers the presence of a checkbox element's "off" value as weak evidence for the policy being Disabled. When saving the state of Disabled policies, it writes checkbox elements' "off" values, if specified, instead of deleting them. While I was at it, I adjusted the setting editor window to avoid crashing when editing a mixed-state policy, not that there should be any anymore. The changes are live on GitHub.

Saturday, November 28, 2020

Policy Plus - Fix list element REG export

I received a Policy Plus issue report on GitHub stating that the Export REG feature failed. After experimenting with the GPOs on a couple machines, I found what was necessary for the crash: list policy elements that clear the list key before adding values. When the PolFile representing the GPO tried to apply the key clearance, it requested the list of existing values in the target RegFile, which crashed because the REG file implementation of PolicySource is write-only. Changing ApplyDifference to use the ClearKey interface method instead fixed the problem.

But in the course of hunting down the issue and testing the fix, I found multiple other problems related to list elements. The POL editor window had an off-by-one error that caused a crash if adding a "clear the key before adding values" directive to the last key in the list - an easy fix. The list editor window (launched from the setting editor dialog) showed the **delvals. pseudo-value on subsequent launches of the setting editor for list elements that clear the key first. That was caused by the PolFile implementation of GetValueNames returning raw POL value names, which is important for the POL editor window but problematic here. For consistency with the RegistryPolicyProxy implementation, I changed the interface method implementation to return only true values and added another method to get raw POL entries.

The changes are live on GitHub.

Saturday, September 19, 2020

Policy Plus - ADMX download suggestion

A Policy Plus user filed an issue today stating that it was not showing many policies. I suggested using Help | Acquire ADMX Files if they were on a Home edition and this brought in all the expected policies. That step is mentioned in the GitHub README, but not all users will see that. So I added a first-run check: if Policy Plus is running on a Home edition and there are several orphaned non-empty categories (which happens if referenced ADMX files are missing), the user will be asked whether they want to download ADMX files. Selecting Yes produces the standard Acquire ADMX Files dialog. This should improve the new-user experience.

Monday, June 1, 2020

Policy Plus - Versioning with Git

For a long time, Policy Plus's Help | About dialog stated that the program had no version number because the project was in early development. The development is no longer so early, and I received a request to release stable binaries, so it seemed like time to add a version system. Since Policy Plus isn't at 1.0 yet, I'm not ready to start issuing normal version numbers. Instead, each Git commit can represent a version. I rigged up a batch file to write the current tag or commit into a file that gets compiled into the program and used to show the version. I then released the May2020 snapshot.

Tuesday, January 7, 2020

Policy Plus - More list UI fixes

The list policy element might be the most finicky part of Policy Plus. Today I received an issue report from a user stating that adding entries to a list in a certain policy failed to make the policy Enabled. That specific policy had no affected Registry entries of its own, only a key populated by the list element. Since the list element was set to clear all existing values, it was always interpreted as evidence in favor of the Disabled policy state. I corrected this by also checking for list entries, which are evidence in favor of the Enabled state.

While investigating that specific policy, I found a problem in the Element Inspector. Even though the list element had a prefix attribute (albeit an empty one), the inspector said "no prefix." I corrected the conditional.

Sunday, January 5, 2020

Policy Plus - REG file tolerance

I got a report from a Policy Plus user that the Import REG feature could not handle comments. This is true; I wrote the REG parser for exactly the format emitted by the Registry Editor. Even whitespace differences could cause parse failures. So to make it easier to manually write REG files used by Policy Plus, I adjusted that parser. Comments and extra blank lines are now allowed.
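A tolerant REG reader of the kind described above, written here as an added example in Python; it is not Policy Plus's own parser. It skips comment lines and blank lines, ignores surrounding whitespace, and returns DWORDs as unsigned values; `as_signed32` shows the bitwise signed/unsigned reinterpretation mentioned in the June 26, 2021 post. The names `parse_reg`, `unescape` and `as_signed32`, the key path and the values are constructed for illustration, and only string, DWORD and delete entries are handled.

```python
import re
import struct

# Constructed sample: comments, blank lines, indentation, a DWORD > 0x7FFFFFFF.
SAMPLE = r'''Windows Registry Editor Version 5.00

; hand-written policy import
[HKEY_LOCAL_MACHINE\Software\Policies\Example]
  ; indented comment
  "Limit" = dword:ffffffff
"Path"="C:\\Temp\\logs"

"Old"=-
'''

ENTRY = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

def unescape(s):  # REG string escapes: \\ -> \ and \" -> "
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key: {name: value}}: int (unsigned DWORD), str, or None (delete)."""
    stripped = map(str.strip, text.splitlines())
    lines = [ln for ln in stripped if ln and not ln.startswith(';')]
    if not lines or not lines[0].startswith('Windows Registry Editor'):
        raise ValueError('missing REG header')
    result, key = {}, None
    for ln in lines[1:]:
        if ln.startswith('[') and ln.endswith(']'):
            key = ln[1:-1]
            result.setdefault(key, {})
            continue
        m = ENTRY.match(ln)
        if m is None or key is None:
            raise ValueError(f'unparseable line: {ln!r}')
        name = '' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data == '-':
            result[key][name] = None  # "name"=- deletes the value
        elif data.lower().startswith('dword:'):
            result[key][name] = int(data[6:], 16)  # always unsigned
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            result[key][name] = unescape(data[1:-1])
        else:
            raise ValueError(f'unsupported data: {data!r}')
    return result

def as_signed32(u):
    """Reinterpret an unsigned DWORD's bits as a signed 32-bit integer."""
    return struct.unpack('<i', struct.pack('<I', u))[0]
```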

I also happened to notice that searching for a certain policy made the search dialog say it found a hit but not actually display a result. Apparently I had only put the list-updating code in the progress-update, not completion, handler. So up to 19 policies could never be shown in the search results. I fixed that with a tweak to the search dialog.

Friday, November 15, 2019

Policy Plus - Several fixes

I had some fun today fixing a couple issues with Policy Plus. I previously thought that the undocumented multiTextBox presentation element had no attributes other than ID, but it turns out to sometimes have a label as the tag's inner text. Policy Plus will now display the multiline text box's label if specified.

While double-checking that multiTextBoxes work with Semantic Policy, I noticed that Semantic Policy import was broken for user policies; all policies were always imported to the machine policy source. That was an easy fix.

The changes are live on GitHub.

Thursday, August 15, 2019

Policy Plus - Apply button fix

Today I received an email informing me of a Policy Plus bug. When the Apply button in the setting editor window is used to commit the settings but the window is then dismissed by clicking the X, the main window's policies list doesn't refresh with the new policy setting. (It does if the Cancel button is used instead.) I fixed this by adding a FormClosed listener and altering the DialogResult if appropriate, thereby indicating to the main window that it should refresh.

The change, which happens to be the hundredth commit to Policy Plus, is live on GitHub.

Tuesday, July 9, 2019

Policy Plus - Dependencies cleanup

I recently noticed that Policy Plus had dependencies on a few .NET assemblies from which it never used anything. In the interest of cleanliness I removed those.

I also investigated a report of an "an item with the same key has already been added" error when loading policy definitions. I was unable to reproduce it; IDs are qualified by the target namespace of the ADMX file that defines them and defining a duplicate target namespace produces a different error. I'll remain on the lookout for problems related to that system.

Sunday, June 30, 2019

Policy Plus - Refresh on Home

Yesterday I found that the WM_SETTINGCHANGE message is sent after a policy refresh to tell applications to detect the new policy. On Home editions Policy Plus uses its own POL-to-Registry applier rather than calling RefreshPolicyEx, so it didn't cause the message to be broadcast. That required Home users to log out and back in or reboot after changing policies, which was unfortunate. As suggested by a user, I made Policy Plus broadcast that message after applying the policy changes.

The change is live on GitHub.

Monday, June 24, 2019

Policy Plus - ADML language override

Normally Policy Plus detects the user's locale and tries to load ADML files for that language. A Policy Plus user requested the ability to change that behavior, which would be helpful when looking for a policy mentioned in a guide written in another language. So I added a simple dialog to change the preferred language.


If a preferred language code has been set, Policy Plus will use that instead of the locale name.

This change is live on GitHub.

Friday, May 17, 2019

Policy Plus - Similar language ADML loading

A Policy Plus issue was filed today suggesting a change to the ADML loading procedure. Previously it tried to find an ADML in the user's display language but fell back to English (en-US) if needed. However, some languages have several dialects that are of course more similar to each other than to US English. So I made the loader look for ADML files in directories with the same language (e.g. de) before falling all the way back to en-US.
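The lookup order described in this post, combined with the preferred-language override from the June 24, 2019 post, sketched as an added example in Python; it is not code from Policy Plus. The function name `find_adml`, its parameters and the directory tree built in `demo` are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

def find_adml(policy_dir, admx_name, locale, preferred=None):
    """Return the ADML path to load for admx_name, or None if none exists."""
    root = Path(policy_dir)
    adml = Path(admx_name).with_suffix('.adml').name
    lang = preferred or locale          # explicit override beats the locale
    exact = root / lang / adml
    if exact.is_file():
        return exact
    base = lang.split('-')[0].lower()   # "de-AT" -> "de"
    for d in sorted(p for p in root.iterdir() if p.is_dir()):
        if d.name.split('-')[0].lower() == base and (d / adml).is_file():
            return d / adml             # same language, different dialect
    fallback = root / 'en-US' / adml    # last resort
    return fallback if fallback.is_file() else None

def demo():
    """Build a constructed PolicyDefinitions tree and resolve a few lookups."""
    tree = {'en-US': ['a.adml', 'b.adml'], 'de-DE': ['a.adml'],
            'fr-FR': ['a.adml']}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for lang, files in tree.items():
            (root / lang).mkdir()
            for f in files:
                (root / lang / f).write_text('<policyDefinitionResources/>')

        def pick(*args, **kw):
            hit = find_adml(root, *args, **kw)
            return hit.parent.name if hit else None

        return {
            'dialect': pick('a.admx', 'de-AT'),    # no de-AT, de-DE exists
            'english': pick('b.admx', 'de-AT'),    # only en-US has b.adml
            'override': pick('a.admx', 'de-AT', preferred='fr-FR'),
            'missing': pick('c.admx', 'de-AT'),    # no ADML anywhere
        }
```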

Sunday, February 3, 2019

Policy Plus - List fix

A Policy Plus user noticed that POLs resulting from the official Local Group Policy Editor differed from those generated by Policy Plus in one policy. That particular policy happened to contain only a list element and didn't even have a Registry value associated with the policy itself. Sure enough, trying to enable and configure it with Policy Plus had no effect; it remained Not Configured. The problem was that the policy state determiner didn't look for list entries, so it never found evidence that the policy is enabled (or disabled for that matter).

While I was investigating that issue, I also noticed that the Find by Registry feature didn't detect keys used for list storage. Both problems should now be fixed - the changes are live on GitHub.

Friday, July 6, 2018

Policy Plus gets its first pull request

This morning, a Policy Plus user submitted a pull request. Apparently, some ADMX files (like the Office ones) have blank values for some XML attributes specifying numeric default values. I'm pretty sure that's not compliant with the ADMX specification, but if the Local Group Policy Editor supports it, Policy Plus should too. The pull request fixes the problem by assuming the appropriate type's default (in the .NET sense) value if the attribute cannot be parsed into that type.

Friday, May 18, 2018

Policy Plus - Comments in Semantic Policy

One user found that Policy Plus doesn't have a convenient way to export POL files and keep the policies' comments with the policy states. Preserving comments in POL files would be difficult because they never hold comments at all - that's what CMTX files are for. The existing Semantic Policy (SPOL) format seems ideal for keeping everything about each policy together, so today I extended it a bit to include an optional Comment: line between the policy ID and the general state. Since comments can include newline characters, those are escaped as \n and backslashes as \\. The Inspect SPOL Fragment form has been updated to provide the comments from the appropriate policy-to-comment map.
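The escaping rule above has one edge case worth seeing in code: a comment that contains a backslash followed by the letter n. This added example in Python (not the SPOL code from Policy Plus; all names and the sample comment are constructed) round-trips such a comment and includes a deliberately flawed decoder for comparison.

```python
def escape_comment(text):
    # Backslashes first; otherwise the backslash added for "\n" gets doubled.
    return text.replace('\\', '\\\\').replace('\n', '\\n')

def unescape_comment(escaped):
    # One left-to-right pass, so an escaped backslash followed by a literal
    # "n" is never mistaken for an escaped newline.
    out, i = [], 0
    while i < len(escaped):
        pair = escaped[i:i + 2]
        if pair == '\\n':
            out.append('\n')
            i += 2
        elif pair == '\\\\':
            out.append('\\')
            i += 2
        else:
            out.append(escaped[i])
            i += 1
    return ''.join(out)

def naive_unescape(escaped):
    # Flawed on purpose: sequential replaces misread the "\\n" inside "C:\\new".
    return escaped.replace('\\n', '\n').replace('\\\\', '\\')

# Constructed comment: two lines, the first with a backslash before "n".
COMMENT = 'Log to C:\\new\\path\nApproved by IT'
ESCAPED = escape_comment(COMMENT)   # single line, safe to store after "Comment:"
```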

I also updated the ADMX download URL to point to the package for Windows 10 1803.

These changes are live on GitHub.

Monday, March 19, 2018

Policy Plus - Check state inversion fix

While using the Element Inspector tool to get the Registry equivalent of a policy for a Super User answer, I noticed that the default state row for a check box was incorrect. When writing the Element Inspector, I had apparently got the check state display backwards. The fix was easy: switch the texts displayed. It's live on GitHub and the Debug build has been updated (includes this change and the more significant ADMX loading improvements).

Policy Plus - Better ADMX loader

Today I finally got around to addressing this issue report, which pointed out that Policy Plus fails the entire workspace load upon hitting one problem. I added exception handlers to AdmxBundle so that it keeps track of problems but carries on. I could have just done this by making a list of error messages as strings, but it seems weird for the ADMX loader class to care about how its complaints are displayed to the user, so instead it returns a list of objects that represent the failures and expose some properties of them. They provide a ToString override that the main UI uses to show them, but other consumers of the class could do their own rendering. All uses of the ADMX loading functions from the main form are now wrapped in code that notifies the user of the specific problems.

These changes are live on GitHub.

Wednesday, March 7, 2018

Policy Plus - Considering how to improve the ADMX loader

Today I did some experiments with the official Local Group Policy Editor to determine how Policy Plus should respond to problems with the ADMX complement. The LGPE rejects an ADMX as soon as it sees a duplicate ADMX namespace, while Policy Plus currently waits to fail until a policy object is duplicated. I think that's OK even though it might lead to some strange behavior; being more forgiving than the LGPE can't hurt as long as there's a warning that something bizarre might be going on. Policy Plus should definitely not fail the entire workspace's load when it hits this problem, though.

When it comes to missing ADML files, the LGPE fails the load of the corresponding ADMX. (Again, Policy Plus currently fails the entire workspace.) I think ignoring that one ADMX is reasonable; trying to continue using the display codes as the text would work for simple policies, but without the ADML, there's no way to arrange the presentations of extra options.