Playing with Product Policy - My XPS10 just joined AD domain

kitor

Inspired by this post:
http://xdaforums.com/showthread.php?t=1885399&page=22

I wanted to play a bit to join my XPS10 to my home domain. But:
"Check that the process is working on RT - a provided .NET program obviously would not work, so you should do the same manually"
Well... it's for .NET 4.0, AFAIR we have only 4.5, yep (?) And I was too lazy to read the source code.
So I loaded the project into Visual Studio, changed the target to 4.5 Any CPU. After that:
1. Took ownership of c:\windows\system32\sppsvc.exe and removed all rights (so no one, even system, can execute it)
2. Created a copy of runJailbreak.bat and removed all exit commands in it (as a workaround for closing cmd - that will be needed later)
3. Added in registry:
HKEY_LOCAL_MACHINE\SYSTEM\Setup
SetupType=1
CmdLine="cmd.exe"
4. Reboot

After reboot I got cmd window on bootscreen background. Somehow, mouse cursor disappeared even with USB mouse.
5. Started jailbreak by running modified .bat
6. Started attached ProductPolicyEditor, enabled WorkstationService-DomainJoinEnabled policy, wrote changes to registry
7. Closed PPE, cmd, system self restarted in normal mode
8. Connected to domain as usual.

Proof - screenshots attached

After this, RT went to a not activated state. But when already connected to the domain, I reverted the changes I had made (changed policy to 0, restored sppsvc rights), activated it again - everything works, the computer is still in the domain, the only change is that in system properties I can only leave it, not change to another one.
This method may be used to exploit more hidden RT features.
 

Attachments

  • ProductPolicyEditor.zip
  • 1.jpg
  • 2.jpg
  • 3.jpg
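
An audit for the two system changes described in the post above (the `HKEY_LOCAL_MACHINE\SYSTEM\Setup` values and the ACL on `sppsvc.exe`), added here as an example and not part of the original thread. The function name `Test-SetupAndSppTampering` is hypothetical, and the baseline (SetupType 0, empty CmdLine, TrustedInstaller as owner) is an assumption about a normally installed system.

```powershell
# Added audit sketch (not from the thread). Flags the two changes described
# in the post: a boot-time command in HKLM\SYSTEM\Setup and a modified ACL
# on sppsvc.exe. Baseline values below are assumptions for an installed system.
function Test-SetupAndSppTampering {
    $findings = @()

    # 1. HKLM\SYSTEM\Setup: assumed baseline is SetupType = 0 and empty CmdLine.
    $setup = Get-ItemProperty -Path 'HKLM:\SYSTEM\Setup' -ErrorAction Stop
    if ($setup.SetupType -ne 0) {
        $findings += "SetupType is $($setup.SetupType) (expected 0)"
    }
    if (-not [string]::IsNullOrWhiteSpace($setup.CmdLine)) {
        $findings += "CmdLine is set: '$($setup.CmdLine)'"
    }

    # 2. sppsvc.exe: assumed baseline owner is TrustedInstaller, with at
    #    least one Allow rule that grants execute.
    $path = Join-Path $env:SystemRoot 'System32\sppsvc.exe'
    try {
        $acl = Get-Acl -Path $path -ErrorAction Stop
        if ($acl.Owner -ne 'NT SERVICE\TrustedInstaller') {
            $findings += "sppsvc.exe owner is '$($acl.Owner)'"
        }
        $exec = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
        $canRun = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $exec) -eq $exec
        }
        if (-not $canRun) {
            $findings += 'sppsvc.exe has no Allow rule granting execute'
        }
    } catch {
        # An unreadable ACL is itself worth reporting.
        $findings += "Cannot read ACL on ${path}: $($_.Exception.Message)"
    }
    return $findings
}

$result = Test-SetupAndSppTampering
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No deviations from the assumed baseline found.' }
```

Run it from an elevated prompt; a restored system, as described at the end of the post, should report no deviations.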

syn3h

Confirmed working on Surface RT :good:
 

Myriachan

I wonder whether this technique could also be used to allow incoming Remote Desktop sessions in Windows RT...

Melissa
 

mbjun

You can also get "full BitLocker" from "limited Device Encryption" by changing:

SecureStartupFeature-Enabled-Premium
from 0 to 1

Then you can for example add USB-startup-key to encrypted OS volume by:

manage-bde -protectors -add C: -StartupKey

...after changing back to "non-Premium" the created start-up key protector will stay (survive),
so instead of nonsense TPM (which unlocks the drive every time unless you rip storage outside the TPM chip), you can have a fully encrypted and protected tablet.

BTW: @Myriachan: On a jailbroken RT, how do I get rid of the inability to auto-start programs when the OS starts?
Can a system service be made which will only launch EXEs (from a TXT list, minimised, maximised, normal), or is there another solution (the Task Scheduler method doesn't work in W81RT)?
 
