Windows Resource Protection: Application Compatibility Challenges 

Oct 18, 2007 12:34 PM

As an initiative to increase system stability, predictability and reliability, Windows Resource Protection (WRP) is designed to keep protected Windows resources in a read-only state. This affects specific files, folders, and registry keys. Updates to protected resources are restricted to the OS trusted installers, such as Windows Servicing. As a result, components and applications that ship with the OS are better protected from the impact of other applications and administrators.

Issues:

  • Application installers that attempt to replace, modify, or delete OS files and/or registry keys that are protected by WRP may fail with an error message indicating that the resource could not be updated. This is because access to these resources is denied.
  • Applications that attempt to write new registry keys or values to protected registry keys may fail with an error message that indicates that the change failed because access was denied.
  • Applications that attempt to write to protected resources may fail if they rely on registry keys or values.

Cause:

  • By default, protected registry keys include most COM OS registry keys, for example:
    HKEY_CLASSES_ROOT\Interface\{GUID}
    HKEY_CLASSES_ROOT\Interface\{GUID}\NumMethods
    HKEY_CLASSES_ROOT\Interface\{GUID}\ProxyStubClsid
    HKEY_CLASSES_ROOT\Interface\{GUID}\ProxyStubClsid32
    
    
  • A minimal set of folders are protected by WRP. These are folders that are used exclusively by OS resources, for example, some of the inetpub folders, such as:
    $(runtime.bootDrive)\inetpub\uddi\webroot\details\
    $(runtime.bootDrive)\inetpub\uddi\webroot\edit\
    $(runtime.bootDrive)\inetpub\uddi\webroot\controls\
    $(runtime.bootDrive)\inetpub\uddi\bootstrap\
    
    

Analysis:

  • When an application installer is detected as a legacy installer (that is, the installer does not have a manifest) and an Access Denied error occurs because the application tried to create or modify a WRP resource, the Access Denied return code is suppressed automatically.
  • In some scenarios, mitigation is automatically provided when delete attempts are made on WRP-protected resources.
  • If an application tries to create a new subkey or value under a WRP COM registry key, it may receive an Access Denied error.

Solutions:

  • Never redistribute system files.
  • Check if any system components are installed or updated on Windows Vista.
  • To recognize whether a key is WRP-protected, use Regedit to check the permissions on the key.
  • Type Regedit, and then click OK. Search for the key. Right-click the registry key. Click Permissions. Keys that are WRP-protected will show Trusted Installer with Full Control; SYSTEM, Administrators and Users will only have Read permissions.
  • Apply the "WRPMitigation" shim with Compatibility Administrator to fix WRP issues.
  • Rename custom installer to setup.exe to trigger automatic mitigation.
  • Use Microsoft-provided redistributable packages designed specifically for Windows Vista.
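
The Regedit permission check from the Solutions list can be scripted so that a packaging team can test many keys at once. The following is an added example, not part of the original article; it assumes PowerShell 3.0 or later, and the function name Test-WrpKey is hypothetical.

```powershell
# Added example: decide from a key's DACL whether it matches the WRP pattern
# described above (Trusted Installer = Full Control, everyone else read-only).
function Test-WrpKey {
    param(
        # e.g. 'Registry::HKEY_CLASSES_ROOT\Interface\{GUID}' (substitute a real interface GUID)
        [Parameter(Mandatory)][string]$Path
    )

    # Well-known SID of NT SERVICE\TrustedInstaller.
    $tiSid = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    $full  = [int][System.Security.AccessControl.RegistryRights]::FullControl
    # Rights that let a principal change the key, plus GENERIC_WRITE / GENERIC_ALL,
    # which can appear as raw values on some ACEs.
    $writeMask = [int]([System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership') -bor 0x40000000 -bor 0x10000000

    $acl   = Get-Acl -LiteralPath $Path
    # Ask for SIDs rather than account names so the comparison is locale-independent.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $tiFull  = $false
    $writers = @()
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to subkeys, not to this key itself.
        if ($r.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }

        $rights = [int]$r.RegistryRights
        $sid    = $r.IdentityReference.Value
        if ($sid -eq $tiSid) {
            if ((($rights -band $full) -eq $full) -or ($rights -band 0x10000000)) { $tiFull = $true }
        }
        elseif ($rights -band $writeMask) {
            $writers += $sid          # someone other than Trusted Installer can modify the key
        }
    }

    [pscustomobject]@{
        Path                        = $Path
        Owner                       = $acl.Owner
        TrustedInstallerFullControl = $tiFull
        OtherWriters                = @($writers | Select-Object -Unique)
        LooksWrpProtected           = $tiFull -and ($writers.Count -eq 0)
    }
}
```

An installer that writes to any key for which LooksWrpProtected is true should be expected to hit the Access Denied behaviour described under Issues.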

Comments

Mar 26, 2008 09:04 AM

An article well explained. Thanks

Oct 20, 2007 04:01 AM

Hi All,
Is anyone remediating the applications to make them work on Vista? In other words, is this article useful?
Do you want me to write on application mitigation and remediation techniques to make it work on Vista?
Please do reply.
Cheers,
Viju
