I was just researching a little on how Group Policies are applied in Windows Vista. The client processing is actually done by the Group Policy Client Service. So can a user prevent Domain Policies from being applied by stopping this service?

If you go to the service properties you can see that even a local administrator cannot stop or disable the service:

[Image: gpsvc]

The description says: “The service is responsible for applying settings configured by administrators for the computer and users through the Group Policy component. If the service is stopped or disabled, the settings will not be applied and applications and components will not be manageable through Group Policy. Any components or applications that depend on the Group Policy component might not be functional if the service is stopped or disabled.”

That sounds good! Let’s try it…

So I used the RunAsSys tool to run services.msc as system and stopped the service. Apart from a little balloon popup indicating that there was a problem with the service, everything seemed to work and Domain Policies were not applied.

Then I tried logging in as a non-admin user, and this happened:

[Image: gpsvcerror]

This means that non-admin users are not allowed to log in when the service isn’t running!

Next I looked in the disassembly of the service (gpsvc.dll) and I noticed this function:

.text:6F2EA543 ; public: static int __stdcall CSKU::IsDomainIncapableSystem(void)

It calls an exported function of SLC.DLL called SLGetWindowsInformationDWORD with the parameter pwszValueName set to GroupPolicy-License-DomainIncapableSystem. So this function is used to determine if we are running on a system that is not capable (read: allowed) to join a domain. This would be the case for the Starter and Home editions of Vista.

So I decided to try patching this value to always return 1, so we change it to:

/Edit: I made an error here: xor eax, eax should be mov eax, 1 (we want the function to return true and not false).


.text:6F2EA543 ; public: static int __stdcall CSKU::IsDomainIncapableSystem(void)
.text:6F2EA543 ?IsDomainIncapableSystem@CSKU@@SGHXZ proc near
.text:6F2EA543 ; CODE XREF: ProcessGPOs(_GPOINFO *)+963p
.text:6F2EA543 ; CGroupPolicySession::ApplyGroupPolicyForPrincipal(void *,void *,void *)+124p …
.text:6F2EA543 mov eax, 1
.text:6F2EA545 retn
.text:6F2EA545 ?IsDomainIncapableSystem@CSKU@@SGHXZ endp

I tested it and I can log in with any account and Domain Policies are not applied!

Here is the dup2 file: Group Policy Client Service Patch

PS: please check if your license agreement and your country’s law permit it before creating and/or applying the patch.

PS2: And don’t tell the Domain Admins 😉
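From the defender's side, the two conditions this post produces (a stopped Group Policy Client service and a modified gpsvc.dll) can both be checked on a workstation. The PowerShell below is an added example, not part of the original post; the parameter names are assumptions and the baseline hash is a placeholder to be taken from a known-good gpsvc.dll of the same build and patch level.

```powershell
# Added example: audit a workstation for a stopped gpsvc service or a modified gpsvc.dll.
# $BaselineSha256 is a placeholder, not a real hash: record it from a known-good
# copy of gpsvc.dll with the same Windows build and patch level.
param(
    [string]$DllPath        = (Join-Path $env:SystemRoot 'System32\gpsvc.dll'),
    [string]$BaselineSha256 = '<SHA-256 of known-good gpsvc.dll>'
)

# Hash via .NET so the script also runs on PowerShell 2.0 (no Get-FileHash there).
function Get-Sha256Hex([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Dispose() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '')
}

$findings = @()

# 1. Service state: the post stops the service from a SYSTEM context.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='gpsvc'"
if (-not $svc) {
    $findings += 'gpsvc service is not registered'
} else {
    if ($svc.State -ne 'Running')   { $findings += "gpsvc state is '$($svc.State)'" }
    if ($svc.StartMode -ne 'Auto')  { $findings += "gpsvc start mode is '$($svc.StartMode)'" }
}

# 2. File integrity: any byte patch to the DLL changes its hash.
if (-not (Test-Path -LiteralPath $DllPath)) {
    $findings += "$DllPath is missing"
} else {
    $actual = Get-Sha256Hex $DllPath
    if ($actual -ne $BaselineSha256) {
        $file = Get-Item -LiteralPath $DllPath
        $findings += "gpsvc.dll hash $actual differs from baseline (last written $($file.LastWriteTimeUtc.ToString('u')))"
    }
}

# Report: one line per finding, non-zero exit code so a scheduler can alert on it.
if ($findings.Count -eq 0) {
    Write-Output 'gpsvc: service running and DLL matches baseline'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
```

Run it from an elevated prompt with the baseline hash passed as `-BaselineSha256`; `sfc /verifyfile=<path to gpsvc.dll>` gives an independent check of the same file against the Windows component store.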
