Protected - it is a violation of Windows policy to modify: what is it?


Question


I already posted my question on Microsoft answers (http://answers.microsoft.com/en-us/ie/forum/ie11-windows_7/choose-your-homepage-and-search-settings/2966bcb3-3ddb-4a26-8c51-07b5aa40e4ef), it was suggested there that I post it here as well:

Since the latest update to Microsoft Internet Explorer 11 (KB3148198), my users experience the following message (on Win7, Win 8.1 and Win 10):

Of course, this is disturbing for many of my users, and, what’s worse, since we use dynamic local profiles in our company (i.e. the user profile is created from the DEFAULT profile on each and every login), this message shows up after each and every login which normally happens once a day.

My colleagues (and my boss!) have asked me to get rid of this message.

Specifically, I’m talking about what’s written in

If I export those regkeys and deploy them to users, there will be an error message on the first start of IE, stating that settings had to be reset as they were corrupt.

The default homepage and search providers at our company are set via regkeys (or have been, until now).

Is there any way to still set default search provider and start page in IE 11 WITHOUT users seeing ANY popups? Even for dynamic local users?

I’m not sure if uninstalling KB3148198 is an option, it looks like this update does more than just add this "feature" I don’t want, and maybe it’s even required in order to get further updates.

So what can I do? Any help would be greatly appreciated.

All replies


Based on your description, I want to confirm: have you made any changes before the issue occurred?

You mentioned that after installing KB3148198, the problem occurred. Have you tried to uninstall the update and check the result? If not, please try it.

We could also try popup blocker and see if it helps, please refer to the link:

Internet Explorer Pop-up Blocker: frequently asked questions:

Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


Thanks for taking the time to reply. I can confirm that uninstalling KB3148198 "solves" the problem, the message does not appear anymore. However, I don’t think this is a real solution, because this update contains a lot more security updates than just the annoying message, and I would like to have IE11 as secure as possible.

I’m looking for a way to get rid of the annoying popup, but I would like to have the rest of the security and other fixes which come with KB3148198 installed.

Popup blocker won’t help here, as the popup is not an ordinary popup triggered by a webpage, but a popup triggered by some sort of mechanism in Internet Explorer which detects that homepage is not MSN and the default search provider is not Bing. Have a look at the picture again please:

As you can see, the popup we are talking about here has nothing whatsoever to do with the popups the popup blocker of IE deals with.

What I need is some sort of way to tell IE that it should NOT check whether the homepage and default search has been changed. While this makes sense for home users, it does not make sense in a business environment where computers are centrally managed.


We haven’t heard from you in a couple of days, have you solved the problem? We are looking forward to your good news.



Sorry to tell you, but I still don’t have any good news.

I tried setting the default search provider and the homepage with local group policy, but even then I get the annoying popup. Where could I ask how Internet Explorer works on this? What would be especially useful would be the algorithm used to calculate the binary regkeys, if I at least knew that, I could maybe script something.

At the moment, I have solved the problem by making Firefox the default browser for my users, but that feels like giving up somehow.


Still no luck on my side either, nor in the Microsoft community:

On the downside, depending on what your boss is like, having to say "Sorry, I can’t fix this, we have to switch browsers." might not shed a good light on us admins, even though it’s absolutely not our fault. Please, Microsoft, whenever you make changes in the future, think of all the admins out there who have to live with them!



After uninstalling KB3148198 last month to resolve the issue, now this month we get KB3154070 which reintroduces the issue.


Note that we are receiving the prompts with Windows 7 Professional, though the PCs are not domain-joined.

Unfortunately, because we can’t be making it a matter of practice to not install major security patches, we will likely have to move to Chrome or Firefox as our primary browser until Microsoft fixes this for enterprise users running Windows 7 Pro in non-domain-joined environments. Microsoft, if you are listening, please help us.


Is there any way to still set default search provider and start page in IE 11 WITHOUT users seeing ANY popups? Even for dynamic local users?

I think that is the sort of thing that IEAK is made for. E.g. perhaps this feature would satisfy your requirement

Completely silent installation. Lets you make all of the decisions for your employees


I’ve been following this post closely on this forum & your other post on Windows Community for any sign of an answer. I’m in the exact same boat as far as trying to get rid of this new IE11 pop-up. A quick update.

There was another IE patch KB3154070 that came out a few days ago, but this update still contains the pop-up. As a quick test I did the following:

I built 2 identical machines (make, model, OS (Win7 64-bit)), got all Windows Updates up to date, changed each machine’s Home Page to an alternate from the default MSN site, and then installed IE11.
Both machines now got offered the update KB3154070 instead of KB3148198.
I joined 1 device to our domain & left one in a Workgroup, Rebooted each, installed the KB3154070, Rebooted.

Upon launching IE, the non-domain machine was prompted with the pop-up. The domain joined machine did not receive the pop-up.
I’m trying to compare registry hives between the 2 devices to see if I can find anything that may point to some other location other than those mentioned in previous posts (since modifying, deleting etc. of the EUPP entries in HKCU and/or HKLM doesn’t seem to do anything other than corrupt the search provider settings, causing a different message when launching IE).
But unfortunately the current KB released around May 10 (KB3154070) still seems to display this message and not take GPOs into consideration. Does anyone know why/where the settings would differ in IE11’s behavior on a domain-joined device vs. one in a workgroup? Especially when we have no domain policies being pushed to devices that should really affect IE11’s behavior?

(We have devices on an isolated network that cannot be joined to our domain, and have a user profile that gets recreated at each reboot to keep the device from retaining user data. We’re using settings in the Default User hive and local GPOs to set IE’s behavior, but this pop-up does not seem to take into consideration any GPOs we’ve set, including "Prevent Changing the Default Search Provider" and "Disable Changing Homepage Settings" etc.)

Anyone else had any luck removing this pop-up after the recent KB’s?


Browsers Hijacked


Our AV (Sophos endpoint) did not find this, nor has Malwarebytes.

Any one seen this or have recommendations on how to remove?


11 Replies


Bad DNS, or a proxy defined in Internet settings.


I would look at any new or newly edited GPO’s


Or a possible bad update from your AV/Malware provider.


Checked. Only two, nothing irregular.

I would look at any new or newly edited GPO’s


Just want to be sure. By hijack, you mean the browsers are being redirected to another site besides the selected one?

Check permissions of the registry key, compare key with unaffected machine, change permissions if required, modify settings as required or delete key.

Also, you may want to check for any new startup/run once/etc. apps/programs. I use CCleaner to check for these. If you find and remove any, then run the registry cleaner; it’ll fix the registry. Reboot and see if the startup/reg keys return.


I would scan in Safe mode or try an online scanner such as


Turns out NOT to be hijacked but a conflict with having both Sophos Central Endpoint and MalwareBytes installed at the same time? Sophos tech said the webfilters between the two were causing conflicts. Removing Malwarebytes remedied the issue.

Has anyone heard of this? We have used both in the past year without issue.

Also, regarding that reg key. Is that installed with Windows? Can someone check their computer to see if they have it?

Thanks to all who helped out.


Yes, they bork each other quite often


We used to love Malwarebytes. Nowadays we just download and install it on a computer that needs to be scanned, then remove it when finished.

We also use RKill and AdwCleaner when scanning.


WDF Violation Windows 8.1 with Ext HD

I use a Toshiba 2TB external HD for a backup of my photo library.

Problem: With 8.1, when I turn on the power for my external HD, I immediately get the blue screen of death, with "WDF Violation Microsoft is collecting data and the computer will reboot". The computer then attempts to reboot, I see the Windows 8 logo and the rotating circle. Then the screen goes black and remains black. By unplugging the external HD and manually rebooting the computer, the computer again works properly.

I cannot access my photo library on the external HD. Any recommendations or a solution?

Replies (7) 

Have you made any hardware or software changes to the PC prior to this issue?

As you are getting a blue screen error when connecting the external hard drive, it is possible that the drive is corrupted.

I would suggest you perform a check disk on the external hard drive and check if it helps.

Important: While performing check disk on the hard drive, if any bad sectors are found, check disk tries to repair that sector. Any data available on it might be lost.

If that does not help, I would suggest you contact Toshiba support to check if there is any issue with the external hard drive.

Hope this information helps.


No hardware changes have been made.

This happened after Windows 8.0 was upgraded to 8.1.

The blue screen error happens when I plug in the power supply for the external HD, therefore I have no way to check the drive, because as soon as I turn it on, I get the blue screen. If I unplug it, and re-boot the computer, it still works normally, therefore no access to the drive. The drive is from August, is always connected to the USB, but the power supply only plugged in when I intend to use the drive and back up info to the drive. The drive has only been used, perhaps 3 or 4 times since I bought it.

Since this only happened after 8.1 was installed, I suspected it was responsible.

Any more suggestions?

Should I try the drive with my notebook to see if I get the same results?


It may help to look at the minidump files from the crashes with a debugger.

Can you zip up the minidump files in the C:\Windows\Minidump folder and make available (provide link) via Windows Live SkyDrive or similar site?

The following link has information on using Windows Live SkyDrive:

If you have problems zipping the minidump files copy the minidump files to another location such as a folder on the Desktop

Also, you do not necessarily have to zip up the minidump files, you can upload them one at a time.


Hi, and thanks for the suggestion.

Actually I found a solution. I connected the Ext HD to my notebook and it worked perfectly. Looking at the Ext HD, I discovered that the cable which has a SS USB on the cable end, had been plugged into a SS USB jack on the back of the computer. The notebook does not have a SS USB jack, and the External was just plugged into a regular USB. So I reconnected the Ext HD to the desktop, and did not use the SS USB jack, but used a regular USB port. It worked perfectly. Problem solved.

This may not answer the question as to why a SS USB to SS USB did not work, but I regained use of my Ext HD which is all that I needed.

Thanks for the suggestions. Very much appreciated.


You’re welcome for the help.

Glad to see you found a solution.

Thanks for the follow-up.


If you could, please upload a dump file. I’m interested in knowing which driver is crashing the system.


I’m having almost the same* problem. I haven’t made any changes to any hardware whatsoever. Same USB cable, same drive, same everything. Just one PC connected to a USB hard drive used as a dump drive. Updated to Windows 8.1 and this problem started.

The problem is the same as the OP’s, I think, although when I detach the drive it doesn’t BSOD automatically. It BSODs when I try to restart the machine. And in the meantime, the drive still shows up even after detaching it. I can’t write to it, and it shows almost all empty folders except for the ones I accessed when it was still attached, but I still can’t access the files.

Detaching and then re-attaching the drive doesn’t help. It still behaves as if it were detached, I can’t write or read files, and the system still BSODs upon attempting to restart.

The BSOD happens right after the "Restarting..." message.

Here are my minidumps if it helps


Microsoft Edge and ProtectedHomepages

Recently I had a small but curious research project with the requirement to decrypt the ProtectedHomepages binary value stored under [HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected – It is a violation of Windows Policy to modify. See aka.ms/browserpolicy]. While googling around the problem I saw a related question on StackOverflow, so I decided that it makes sense to share the results of this research with the community.

If you open [HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected – It is a violation of Windows Policy to modify. See aka.ms/browserpolicy] you will see several values, two of which are of particular interest: ProtectedHomepages and ProtectedSearchScopes. Both are stored in binary form, and it is not easy to understand what is behind them. For example, if you set the homepage in Microsoft Edge to https://www.ntkernel.com and open ProtectedHomepages in RegEdit, you will see something of this kind:


ProtectedHomepages in Windows Registry

It does not appear to have anything in common with https://www.ntkernel.com, so let's try to figure out what is going on.

The first step is obvious: use Process Monitor from Sysinternals to find the process that writes the ProtectedHomepages value:


Using ProcessMonitor to find out the process which sets the ProtectedHomepages

So far it looks clear: MicrosoftEdge.exe calls RegSetValue to save the new settings. Now let's attach WinDbg to the MicrosoftEdge.exe process and put a breakpoint on KERNELBASE!RegSetValueExW. Changing the homepage list once again hits the breakpoint in KERNELBASE!RegSetValueExW with the following call stack:

ChildEBP RetAddr
067fec54 5d0b85fd KERNELBASE!RegSetValueExW
067fee9c 5d10ac31 eModel!SettingStore::CRegistryKey::SetValue+0x3d
067feed8 5d10abb3 eModel!SettingStore::_SetValueInPhysicalStore+0x66
067ff32c 5d10aab4 eModel!SettingStore::SetExtValueWorker+0xe7
067ff374 5d10aa40 eModel!SetExtValue_Internal+0x6d
067ff390 5d117e4c eModel!SPSetExtValue+0x20
067ff3fc 5d117caf eModel!SettingsProtection::SettingProtector::s_SaveSettingBlob+0x16f
067ff450 5d2fcee5 eModel!SettingsProtection::SettingProtector::s_SaveSetting+0x107
067ff48c 5d2fe156 eModel!SettingsProtection::SettingProtector::_SetEffectiveSetting+0x119
067ff4c0 5d2422ce eModel!SettingsProtection::SettingProtector::SetHomepages+0x56
067ff4f4 5d15f7e7 eModel!SpartanCore::SettingsFacadeHelper::SetHomePages+0x94
067ff524 5d0ad939 eModel!SpartanCore::SettingsFacadeHelper::HandleCommand+0xb4283
067ff548 5d1019e2 eModel!SpartanCore::FrameUIFacade::InvokeCommand+0x259
067ff5dc 5d0fef83 eModel!CAsyncBoundaryLayer::_ProcessRequest+0x16d2
067ff64c 75035b83 eModel!CAsyncBoundaryLayer::s_WndProc+0x163
067ff678 75019d1a USER32!_InternalCallWinProc+0x2b
067ff710 75019860 USER32!UserCallWinProcCheckWow+0x1aa
067ff770 750196b0 USER32!DispatchMessageWorker+0x1a0
067ff77c 5d0c911f USER32!DispatchMessageW+0x10
067ff7c4 5d08ba30 eModel!CBrowserFrame::FrameMessagePump+0x16f
067ff804 5d0890d3 eModel!_BrowserThreadProc+0x9e
067ffa94 00ee8372 eModel!LCIEStartAsFrame+0x693
067ffae0 76f395f4 MicrosoftEdge!s_FrameThreadProc+0x62
067ffaf4 7782241a KERNEL32!BaseThreadInitThunk+0x24
067ffb3c 778223e9 ntdll!__RtlUserThreadStart+0x2b
067ffb4c 00000000 ntdll!_RtlUserThreadStart+0x1b

As the call stack shows, the module of interest is eModel.dll, which contains the classes responsible for saving and loading settings from the registry and, probably, for encrypting and decrypting them. Looking closer at the names, the most promising call on the stack is eModel!SettingsProtection::SettingProtector::s_SaveSettingBlob, so let's examine this function in a disassembler:

Notice that the call to _SPSetExtValue is preceded by a call to Encoding::ObfuscateData, which is very likely the function we are interested in. There are actually two functions, Encoding::ObfuscateData and Encoding::UnobfuscateData; if we disassemble them and step through them in WinDbg, we see that this is indeed what we were looking for. Below is a quick and dirty implementation of UnobfuscateData together with wrapping code that reads ProtectedHomepages from the registry and decrypts it by calling UnobfuscateData.

You may also have noticed some mysterious trailing bytes following the https://www.ntkernel.com string; they deserve an explanation. The function eModel!Encoding::ObfuscateData does not actually encrypt the data; it obfuscates the buffer using a randomly generated seed that is stored in the header of the block. Encoding::UnobfuscateData reads the seed from the buffer header and reverses the obfuscation. If that were the whole story it would be too easy to modify ProtectedHomepages, so to make it harder the developers appended a cryptographic hash to the tail of the buffer.
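To make the three-part layout just described concrete, here is an added example. It is not the author's code from the GitHub project and not eModel's actual algorithm: it builds a toy blob with the same shape, a seed header, a body masked by a seed-derived keystream, and a trailing digest of the plaintext, and shows why a naive edit of the body is rejected on the way back. The xorshift32 keystream, the 4-byte little-endian seed, the UTF-16LE body and the SHA-256 trailer are all assumptions for illustration; the page does not give eModel's real constants or field sizes.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Assumed layout (illustration only; eModel's real field sizes are not on the page):
#   [4-byte little-endian seed][keystream-masked UTF-16LE body][32-byte SHA-256 of plaintext]
SEED_LEN = 4
HASH_LEN = hashlib.sha256().digest_size  # 32


def _keystream(seed: int, length: int) -> bytes:
    """Toy xorshift32 keystream derived from the seed (a stand-in, not eModel's generator)."""
    x = (seed & 0xFFFFFFFF) or 0x9E3779B9  # xorshift must never start from state 0
    out = bytearray()
    while len(out) < length:
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
        out += x.to_bytes(4, "little")
    return bytes(out[:length])


def _mask(data: bytes, seed: int) -> bytes:
    """XOR the data with the seed-derived keystream; applying it twice restores the input."""
    return bytes(a ^ b for a, b in zip(data, _keystream(seed, len(data))))


def obfuscate(plaintext: bytes, seed: Optional[int] = None) -> bytes:
    """Build a blob: seed header, masked body, digest of the plaintext as the trailer."""
    if seed is None:
        seed = int.from_bytes(os.urandom(SEED_LEN), "little")
    header = struct.pack("<I", seed & 0xFFFFFFFF)
    body = _mask(plaintext, seed)
    trailer = hashlib.sha256(plaintext).digest()
    return header + body + trailer


def unobfuscate(blob: bytes) -> bytes:
    """Reverse obfuscate() and reject any blob whose trailer no longer matches the body."""
    if len(blob) < SEED_LEN + HASH_LEN:
        raise ValueError("blob too short to hold a seed header and a hash trailer")
    (seed,) = struct.unpack_from("<I", blob, 0)
    body = blob[SEED_LEN:len(blob) - HASH_LEN]
    trailer = blob[len(blob) - HASH_LEN:]
    plaintext = _mask(body, seed)
    # Any change to the seed, the body or the trailer breaks this comparison.
    if not hmac.compare_digest(hashlib.sha256(plaintext).digest(), trailer):
        raise ValueError("integrity check failed: blob body or trailer was modified")
    return plaintext


def decode_homepage(blob: bytes) -> str:
    """Unobfuscate and decode the body as the UTF-16LE string the example stored."""
    return unobfuscate(blob).decode("utf-16-le")


def is_intact(blob: bytes) -> bool:
    """True when the blob passes the trailer check, False when it was tampered with."""
    try:
        unobfuscate(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the homepage from the article, with a fixed seed for reproducibility.
    sample = obfuscate("https://www.ntkernel.com".encode("utf-16-le"), seed=0x12345678)
    print(sample.hex())               # the URL is not visible in the masked body
    print(decode_homepage(sample))    # https://www.ntkernel.com
    tampered = bytearray(sample)
    tampered[SEED_LEN] ^= 0x01        # flip one bit of the body, as a naive registry edit would
    print("tampered blob accepted:", is_intact(bytes(tampered)))  # False
```

The trailer is what turns "hard to read" into "hard to edit without noticing": a modified body, a modified seed or a modified trailer all fail the comparison on load. Note, however, that a digest computed without any secret only detects accidental corruption and uninformed edits; it is not a message authentication code, so the real protection of such a value rests on the access controls around the key, not on the hash alone.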

Complete source code for the project is available on GitHub.

Source
