Bypass Windows 10 User Group Policy (and more) with this One Weird Trick

<p>I&lsquo;m going to share an (ab)use of a Windows feature which can result in bypassing User Group Policy (as well as a few other interesting things). Bypassing User Group Policy is not the end of the world, but it&rsquo;s also not something that should be allowed and depending on User Group Policy setup, could result in unfortunate security scenarios. This technique has been tested against Windows 7 and Windows 10 Enterprise x64 (10.18363 1909) and does not require admin access. Leveraging this trick has to do with how the user account registry is loaded upon login, so let&rsquo;s start this off by understanding a bit about what happens when a user logs into a Windows account.</p> <h1>When You Log In</h1> <p>One of the many things that occur as you log into a Windows account, is the user-defined settings are loaded for the account. These settings are loaded from the &ldquo;User&rsquo;s Registry Hive&rdquo;, which you may know of as HKEY_CURRENT_USER whenever you pull up regedit. This hive contains user-related settings for the operating system and various applications that may be installed. This &ldquo;Hive&rdquo; is actually a file that is stored on the filesystem which can be found at &ldquo;%USERPROFILE%\ntuser.dat&rdquo;.</p> <p><a href="https://medium.com/tenable-techblog/bypass-windows-10-user-group-policy-and-more-with-this-one-weird-trick-552d4bc5cc1b"><strong>Click Here</strong></a></p>