Information
This policy setting controls whether application write failures are redirected to defined registry and file system locations.
It mitigates the risk from applications that run as administrator and write run-time application data to:
- '%ProgramFiles%'
- '%Windir%'
- '%Windir%\system32'
- 'HKEY_LOCAL_MACHINE\Software'
The recommended state for this setting is: 'Enabled'.
Rationale:
This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations.
Solution
To establish the recommended configuration via GP, set the following UI path to 'Enabled':
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations
Impact:
None - this is the default behavior.
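
To confirm on a host that the Group Policy setting above has taken effect, the following PowerShell check reads the registry value that backs the policy and reports whether it matches the recommended state. It is an added example, not part of the benchmark text. It assumes the policy is stored as the REG_DWORD 'EnableVirtualization' under 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; the function name and the KeyPath parameter are hypothetical.

```powershell
# Added example: audits the registry value behind the policy
# "User Account Control: Virtualize file and registry write failures to per-user locations".
# Assumption (not stated on the page): the policy is stored as the REG_DWORD
# EnableVirtualization under the key below, with 1 = Enabled and 0 = Disabled.
function Test-UacVirtualization {
    [CmdletBinding()]
    param(
        # Hypothetical parameter so the check can be pointed at a test key.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    $name   = 'EnableVirtualization'
    $result = [ordered]@{
        KeyPath   = $KeyPath
        ValueName = $name
        Value     = $null
        State     = 'Unknown'
        Compliant = $false
    }

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        $result.State = 'KeyMissing'
        return [pscustomobject]$result
    }

    $key = Get-Item -LiteralPath $KeyPath
    if ($key.GetValueNames() -notcontains $name) {
        # No explicit value: reported as non-compliant so the auditor confirms it by hand.
        $result.State = 'NotConfigured'
        return [pscustomobject]$result
    }

    $kind  = $key.GetValueKind($name)
    $value = $key.GetValue($name)
    $result.Value = $value
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.State = "WrongType($kind)"
    } elseif ($value -eq 1) {
        $result.State = 'Enabled'
        $result.Compliant = $true
    } elseif ($value -eq 0) {
        $result.State = 'Disabled'
    } else {
        $result.State = 'UnexpectedValue'
    }
    [pscustomobject]$result
}

Test-UacVirtualization | Format-List
```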