In this post I described how it’s possible to hide the VMware Tools Control Panel applet in Windows 7 using Active Directory GPO. Another thing I like to clean up is the VMwareTray application. It’s again a way into the VMware Tools applet and regular users should need no access to it. Also it’s a running process without a real purpose. VMwareTray.exe is located in C:\Program Files\VMware\VMware Tools. It’s started by default for every user by the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VMware Tools.
VMware’s solution for these things is again KB 1006354. It advises removing this key so the process does not run. This works of course, but for me there are two problems:
- The user could still start vmwaretray.exe manually. That is not a disaster, but it’s still not what you’re trying to achieve
- If the VMware Tools are upgraded, the keys will re-appear and will have to be removed again
So I prefer it to be fixed by GPO. If it’s done right it works better and is far less troublesome from a management point of view.
My solution is to use Software Restriction Policies (SRPs). They are a standard part of Active Directory’s GPOs and can be found under Computer \ Policies \ Windows \ Security Settings \ Software Restriction Policies. By default, no SRPs are defined. It’s also good to really think about what you’re going to do. SRPs are really powerful and you could easily produce results you don’t want. To enable SRP:
Click on: “New Software Restriction Policies”. Some default rules are now created. They should probably remain as they are. They make sure that by default everything is allowed to run. What you must do now is create a new “Additional Rule” and choose “Hash Rule”.
In this hash rule you’re given the opportunity to browse to the file you want to block.
Browse to VMwareTray.exe in C:\Program Files\VMware\VMware Tools. Windows will now enter the file information. Leave the Security Level on “Disallowed” and give a meaningful description.
Now you’re done. After a policy update you’ll no longer be able to start VMwareTray.exe. If you try to do so anyway you’ll get this message:
“This program is blocked by group policy”. It will also be blocked when the VM starts, so it won’t be running in your System tray. Of course you could also block VMControlPanel.cpl while you’re at it.
Now, when VMware Tools are updated later, VMwareTray.exe might be changed. A hash rule matches the exact contents of the file, so a changed binary is no longer blocked by the SRP. You’d have to make a new hash rule in that case. But that’s still much better than manually editing things in the registry and messing with file security in your View image.
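One way to notice that the hash rule has gone stale after a VMware Tools update, as an added example that is not part of the original post: the script compares VMwareTray.exe against a SHA-256 baseline you record yourself when creating the rule, and checks whether the process is running. The baseline value is a placeholder and the script does not read the SRP rule itself; both are assumptions of this example.

```powershell
# Added example: detect a stale SRP hash rule for VMwareTray.exe.
# Assumption: $BaselineSha256 is a placeholder. Record the real value on the
# day the hash rule is created (run this script once and copy CurrentSha256).
param(
    [string]$Path = 'C:\Program Files\VMware\VMware Tools\VMwareTray.exe',
    [string]$BaselineSha256 = '<SHA256-RECORDED-WHEN-RULE-WAS-CREATED>'
)

function Get-Sha256Hex([string]$File) {
    # Uses .NET directly so it also works where Get-FileHash is unavailable.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($File)
    try {
        $bytes = $sha.ComputeHash($stream)
        return ([System.BitConverter]::ToString($bytes) -replace '-', '')
    } finally {
        $stream.Close()
    }
}

# The file may be absent (Tools not installed, or installed elsewhere).
$present = Test-Path -LiteralPath $Path -PathType Leaf
$current = $null
if ($present) { $current = Get-Sha256Hex $Path }

# String -eq is case-insensitive, so hex case in the baseline does not matter.
$hashOk = $present -and ($current -eq $BaselineSha256)

# If the rule is effective, the tray process should never be running.
$running = [bool](Get-Process -Name 'VMwareTray' -ErrorAction SilentlyContinue)

# File exists but differs from the baseline: the binary was replaced,
# so a hash rule built from the old file no longer matches it.
$stale = $present -and (-not $hashOk)

$result = New-Object PSObject -Property @{
    Path            = $Path
    FilePresent     = $present
    CurrentSha256   = $current
    MatchesBaseline = $hashOk
    ProcessRunning  = $running
    RuleLikelyStale = $stale
}
Write-Output $result

# Non-zero exit code lets a scheduled task or monitoring agent raise an alert.
if ($stale -or $running) { exit 1 }
```

Run it in the View image after each VMware Tools upgrade; a changed hash means the hash rule has to be recreated from the new file.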
That will give a solution to the confusions and problems of users.