Active Directory, AntiVirus, Programming, Security, Software, Technology, Tool

Temporarily Bypassing the GPO: Access to TEMP has been restricted by your Administrator

It can happen that when you try to install new software on your device, the installer runs part of the way and then mysteriously vanishes without completing. This can happen for various reasons, but in this example we’ll deal with one specific cause: a policy set by system administrators to protect users from malware trying to exploit their system.

System administrators commonly push Group Policy Objects (GPOs) that restrict executables from running from your Windows Temp folder. This Temp folder can be in different locations depending on your setup, but for this example we’ll say it is c:\windows\temp. An alternate path is often c:\users\xxxxx\appdata\local\temp.

How to Check or Change where your Temp Folder Is

In Windows 10 you can check or change where your Temp folder is under Control Panel\System and Security\System by clicking ‘Advanced System Settings’ in the sidebar. In the System Properties popup, select the ‘Advanced’ tab and click the ‘Environment Variables’ button at the bottom. Scroll through the list of System variables and you should see ones called TEMP and TMP. You’ll also see where they point on your machine, and you can change them if you wish.

Why this Security Policy is Commonly Applied

The policy that stops executables from running in the Temp folder is a security feature that helps prevent malware from installing itself on your system. However, it sometimes also stops you from installing legitimate software, which can be a problem. For example, the Firefox setup file is commonly blocked by this rule. You may see a popup message when you try to run the setup file for your application, but in my case, the installer simply blinked off without saying what was going on.

Steps to Temporarily Disable the Policy

To temporarily remove this security feature, you’ll need to disable it in your Windows registry. Make sure to re-enable it after you are done installing the software since it is an important security feature.

The main steps are: identify the registry key responsible for the policy using the Windows Event Viewer, then find and redirect the key’s value using the regedit registry editor. Here’s how it’s done:

  1. Try installing the application. When it fails, make a note of the time. A Windows Event log entry will be created with the failure message and the name of the responsible registry key.
  2. Open the Windows Event Viewer, expand ‘Windows Logs’ and click ‘Application’.
  3. Look up the log entry by the time when you tried to install the application. It will be a yellow Warning saying something along the lines of:
    Access to C:\WINDOWS\TEMP\000000.tmp\setup.exe has been restricted by your Administrator by location with policy rule {0000000000000000} placed on path C:\WINDOWS\temp
  4. Open Notepad and copy in the policy rule ID inside the curly braces. This is the registry entry that is blocking the installation.
  5. Open the registry editor (regedit.exe). Don’t forget to right-click and choose ‘Run as administrator’, or else you won’t be able to make your changes.
  6. In the registry editor, press Ctrl-F to start a search.
  7. Paste in the policy rule ID that you copied from the Windows Event log and click the Find button.
  8. When the registry key for the policy is found, it will contain a number of values. The value called ItemData is the one that likely contains %windir%\temp.
  9. Go to File Explorer, browse to the Windows directory and create a new folder (maybe called ‘Temporary’).
  10. Back in the registry editor, right-click the ItemData value and choose Modify.
  11. Change the ItemData value to point to the new folder you just created: %windir%\temporary
  12. Close the registry editor and reboot your machine.
  13. The policy will now be applied to your newly created folder rather than the actual Temp folder.
  14. Try installing the software now. The installation should no longer be blocked by the policy.
  15. Important: once the software is installed, go back into the registry and change the entry back so that your computer is protected again (back to: %windir%\temp). Make sure to reboot your machine after you make the change.
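Because step 15 is easy to forget, here is an added PowerShell audit script (not code from the original post) that does the lookup from steps 2 to 8 automatically and reports whether any Software Restriction Policy path rule has been redirected away from a Temp location. It is read-only and changes nothing. It assumes the rules live under the standard Safer\CodeIdentifiers hive, that the SRP event source in the Application log is named ‘SoftwareRestrictionPolicies’, and that $ExpectedTargets lists the only locations your Disallowed path rules should cover; all three are assumptions to verify in your own environment.

```powershell
# Added example (not from the original post): audit SRP path rules and tie
# recent "access restricted" warnings back to the rule that fired.
# Assumptions: standard SRP hive location; event provider name
# 'SoftwareRestrictionPolicies'; $ExpectedTargets is a constructed list of
# the paths your Disallowed rules are supposed to cover. Run elevated.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# Security-level subkeys: 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted
$DisallowedPaths = Join-Path $SaferRoot '0\Paths'

# Constructed expectation: where the Disallowed path rules should point.
$ExpectedTargets = @('%windir%\temp', '%userprofile%\appdata\local\temp')

function Get-SrpPathRules {
    # One object per rule GUID under the Disallowed level.
    if (-not (Test-Path $DisallowedPaths)) { return @() }
    Get-ChildItem $DisallowedPaths | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        # LastModified is a FILETIME; a fresh stamp on a domain-pushed rule is a tamper hint
        $lm = $null
        if ($p.LastModified) { $lm = [DateTime]::FromFileTime([int64]$p.LastModified) }
        [pscustomobject]@{
            RuleId       = $_.PSChildName      # e.g. {GUID}, the id quoted in the event message
            ItemData     = $p.ItemData         # path the rule applies to, e.g. %windir%\temp
            Description  = $p.Description
            LastModified = $lm
        }
    }
}

function Find-SrpRuleDrift {
    param([object[]]$Rules, [string[]]$Expected = $ExpectedTargets)
    # Flags rules whose target is not in the expected list (case-insensitive,
    # trailing backslash ignored). A rule redirected to %windir%\temporary lands here.
    $norm = $Expected | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }
    $Rules | Where-Object {
        $_.ItemData -and ($norm -notcontains $_.ItemData.TrimEnd('\').ToLowerInvariant())
    }
}

function Get-RecentSrpWarnings {
    param([int]$Hours = 24)
    # SRP writes a Warning (Level 3) to the Application log each time it blocks
    # a file; the message is the one quoted in the post. Extract the rule GUID.
    $filter = @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'
                 Level = 3; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m = [regex]::Match($_.Message, 'policy rule (\{[0-9A-Fa-f-]+\})')
        [pscustomobject]@{
            Time    = $_.TimeCreated
            RuleId  = if ($m.Success) { $m.Groups[1].Value } else { $null }
            Message = $_.Message
        }
    }
}

$rules = @(Get-SrpPathRules)
"Disallowed path rules found: $($rules.Count)"
$rules | Format-Table RuleId, ItemData, LastModified -AutoSize

$drift = @(Find-SrpRuleDrift -Rules $rules)
if ($drift.Count) {
    "WARNING: $($drift.Count) rule(s) point somewhere other than the expected Temp paths:"
    $drift | Format-Table RuleId, ItemData, LastModified -AutoSize
} else {
    "All Disallowed path rules point at the expected Temp locations."
}

# Show each recent block event together with where its rule points right now.
foreach ($w in Get-RecentSrpWarnings) {
    $r = $rules | Where-Object RuleId -eq $w.RuleId
    $target = if ($r) { $r.ItemData } else { '(rule not found under Disallowed paths)' }
    '{0:s}  rule {1} -> {2}' -f $w.Time, $w.RuleId, $target
}
```

Run it from an elevated prompt before and after an install: the first run tells you which rule blocked the setup file and the second confirms the ItemData value is back on %windir%\temp. On a domain-joined machine the Policies hive is rewritten at the next Group Policy refresh, so a rule the script flags as drifted is one that was edited locally since the last refresh; the LastModified column helps date that edit.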
