Use the REGUTIL utility to manipulate the registry of Windows 9x workstations, and to install a new login screen wallpaper on any Windows workstation.
This utility deploys changes which simplify password management across an entire enterprise, without having to touch each individual workstation. Normally, REGUTIL is executed from a global network login script.
REGUTIL makes a change to a workstation once and makes backup copies of the registry keys it touches. This simplifies deployment, as you can run REGUTIL at every login, but it make changes only once.
In some cases after making registry changes, REGUTIL prompts users to restart their workstations, since some changes do not take effect in Windows until after a reboot.
This program is a Win32 executable and can run on any Windows workstation.
| Argument | Description |
| -nobackup | Disable the default behaviour, which is to back up any changed registry keys. |
| -ghost E/D/R | E: Enable ghosting of drive connections. D: Disable ghosting. R: Restore the setting that was backed up by a previous use of REGUTIL. |
| -mustvalidate E/D/R | E: Enable mandatory login validation. D: Disable mandatory validation - users can press Esc to skip the initial Windows 9x login window. R: Restore the setting that was backed up by a previous use of REGUTIL. |
| -domainlogin E/D/R | E: Authenticate initial Windows 9x passwords against the NT domain. D: Revert to local Windows 9x password validation (insecure!). R: Restore the setting that was backed up by a previous use of REGUTIL. |
| -cachepw E/D/R | E: Enable password caching (insecure!). D: Disable password caching. R: Restore the setting that was backed up by a previous use of REGUTIL. |
| -ssnetwork E/D/R | E: Change Windows 9x screen saver authentication to validate passwords on the network, rather than locally. D: Disable password network password authentication for the Windows 9x screen saver. R: Restore the setting that was backed up by a previous use of REGUTIL. |
| -noredundant E/D/R | E: Removes a behaviour of the screen saver / change password dialog box, which would normally try to change a user's password twice (with one success and one failure, since the two changes are actually applied to the same provider). D: Disable the above change. R: Restore the setting that was backed up by a previous use of regutil. |
| -setbgimg | |
| URL/FILE1 | |
FILE2 C TS |
Set the login screen background image (wallpaper) of the workstation. The new image is a BMP file, given by a file path or URL (first argument). The name of the file on the workstation is the second argument. The image may be centered (C), tiled (T) or stretched to fill the whole screen (S). |
Windows 9x may 'ghost' connections - which means that it only makes them if the user accesses something on the named drive. This behaviour combined with a different machine (e.g., the P-Synch server) making password changes can result in a P-Synch lockout, since the workstation will make several attempts to use an incorrect password to map a drive.
The option -ghost D changes the following registry key:
[HKEY_LOCAL_MACHINE\
System\CurrentControlSet\Services\
MSNP32\NetworkProvider]
"LogonDisconnected]=hex:00,00,00,00
Windows 9x normally allows users to press the Esc key to bypass the workstation login prompt. You can force users to enter a valid login ID and password with this feature. (Users can still invoke safe mode or boot from a floppy)
The option -mustvalidate E changes the following registry key:
[HKEY_LOCAL_MACHINE\Network\Logon] "MustBeValidated"=hex:01,00,00,00
Windows 9x workstations can validate user login IDs and passwords against a Windows NT domain rather than against a password stored on the workstation. This is more secure, as passwords stored on Windows (in .PWL cache files) may be decrypted.
The option -domainlogin E changes the following registry key:
[HKEY_LOCAL_MACHINE\Network\Logon] "LMLogon"=hex:01,00,00,00
Windows is able to remember, or cache passwords you use to access various servers on the network. This is convenient, as it eliminates additional login prompts when you access those servers.
Windows password caching is insecure, since the cache files are not well protected. It is also difficult to support alongside a password management program, since the cache on a workstation is unaware of password changes made by a password server (such as P-Synch) on the network.
If you synchronize passwords with PSYNCH, then caching becomes pointless, since Windows will automatically try to use the password typed by the user to log into the workstation when it tries to access network servers. With synchronization, this will be the right password.
When you disable password caching, you should also delete *.pwl files (cache files) from the Windows directory (%WINDIR%) after applying this setting.
The option -chachepw D changes the following registry key:
[HKEY_LOCAL_MACHINE\
Software\Microsoft\Windows\
CurrentVersion\Policies\Network]
"DisablePwdCaching"=hex:01,00,00,00
Windows 9x workstations implement a supposedly secure screen saver. In practice, the screen saver stores the user's current password in the registry, with very weak protection. To make matters worse, this password cannot be easily managed by P-Synch or by the help desk. Things are easy for an intruder, but hard for the support organization.
You can configure the screen saver to authenticate passwords on the network. This is more secure and easier to support.
The option ssnetwork E changes the following registry key:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\PwdProvider\SCRSAVE]
"ProviderPath"="msnp32.dll"
"UseMasterKey"=hex:01,00,00,00
The option -noredundant E changes the following registry key:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\PwdProvider\MSNP32]
"Description"="Microsoft Networking (Don't use this one)"
"ChangePassword"=""
The option -nopassword E changes the following registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoSecCPL" = DWORD:0x00000001
You may advertise P-Synch by replacing the background image (wallpaper) on workstation login screens. This can be used to educate users about the self-service password reset facility, so they don't call the help desk when they have password problems.
The option -setbgimg FILE1URL FILE2 T changes the following
registry key:
[HKEY_USERS\.Default\Control Panel\Desktop]
"Wallpaper" = FILE2
"WallPaperStyle" = DWORD:0x00000000
"TileWallpaper" = DWORD:0x00000001
The option -setbgimg FILE1URL FILE2 S changes the following
registry key:
[HKEY_USERS\.Default\Control Panel\Desktop]
"Wallpaper" = FILE2
"WallPaperStyle" = DWORD:0x00000002
"TileWallpaper" = DWORD:0x00000000
The option -setbgimg FILE1URL FILE2 C changes the following
registry key:
[HKEY_USERS\.Default\Control Panel\Desktop]
"Wallpaper" = FILE2
"WallPaperStyle" = DWORD:0x00000000
"TileWallpaper" = DWORD:0x00000000
The recommended registry settings for use with P-Synch are as follows. Type the command as one line in the global network login script, and refer to the REGUTIL program and wallpaper file at the appropriate locations on your network.
regutil
-ghost D
-mustvalidate D
-domainlogin E
-cachepw D
-ssnetwork E
-noredundant E
-setbgimg http://password/wslogin.bmp %WINDIR%\wslogin.bmp C
When users first run this command during their network login script, their registry will be updated, the image at
http://password/wslogin.bmp
will be copied to their Windows directory, and they may be asked to restart their workstation or to log off.
The next time users log on, there will be no changes to their registry, no file copies, and no prompt to restart.
| Note: |
|
| P-Synch® is a password management solution developed by M-Tech. Note: This document is intentionally obsolete to limit the release of proprietary information to competitors. For full and current documentation contact your sales representative | ||||
|
|
||||
|