sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-11 19:16:35
Author: Mike Swanson Machine: DESKTOP-0O8A1RL Timestamp: 2026-05-11 19:16:35
@@ -483,3 +483,114 @@ $resp = Invoke-RestMethod -Uri "https://rmm.azcomputerguru.com/api/agents/$agent
|
|||||||
- Folder Redirection CSE history ({25537BA6}): NONE confirmed
|
- Folder Redirection CSE history ({25537BA6}): NONE confirmed
|
||||||
- OneDrive HKCU/HKLM policies: NONE
|
- OneDrive HKCU/HKLM policies: NONE
|
||||||
- DisablePersonalDirChange: NOT SET
|
- DisablePersonalDirChange: NOT SET
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
## Update: 19:11 PT — Root cause: SHSetKnownFolderPath flags bug
|
||||||
|
|
||||||
|
## User
|
||||||
|
- **User:** Mike Swanson (mike)
|
||||||
|
- **Machine:** DESKTOP-0O8A1RL
|
||||||
|
- **Role:** admin
|
||||||
|
- **Session span:** 2026-05-11 evening continuation
|
||||||
|
|
||||||
|
## Session Summary
|
||||||
|
After reboot, a post-reboot registry diagnostic via RMM confirmed that USF and SF registry entries showed all local paths with no redirection markers or CSE history, indicating a clean registry state. Despite this, the Location tab for Documents, Desktop, and Pictures remained greyed, prompting further investigation. A OneDrive-specific diagnostic confirmed no policies were set in HKLM or HKCU, and OneDrive was using a personal account with valid registry entries. However, attempts to access ClientPolicy.ini files via PowerShell hung due to an exclusive lock held by OneDrive. A profile type check confirmed the pst-admin profile was local, eliminating roaming profile reapplication as a potential cause.
|
||||||
|
|
||||||
|
Further checks of desktop.ini files, CLSID overrides, ntuser.pol, and FolderDescriptions found no redirection markers or anomalous settings. The root cause was identified: prior scripts had been calling `SHSetKnownFolderPath` with `flags=0x4000` (KF_FLAG_DONT_VERIFY), which is only valid for the GET call. Per MSDN, `SHSetKnownFolderPath` requires `flags=0` (reserved). All SET calls across all prior script iterations had been returning `0x80070057 (E_INVALIDARG)` silently — the shell's internal Known Folder state was never updated. The registry was correct from our direct HKU edits, but the shell's in-process known folder infrastructure still showed the folders as policy-managed.
|
||||||
|
|
||||||
|
A corrected script, `reset_kf_final.ps1`, was written with `flags=0` for SHSetKnownFolderPath. When run in pst-admin's session context, it will properly update the shell's Known Folder state, which is what controls both the Location tab editability and OneDrive's KFM eligibility check.
|
||||||
|
|
||||||
|
## Key Decisions
|
||||||
|
- Eliminated roaming profile as cause by checking `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\{SID}` — `ProfileImagePath=C:\Users\pst-admin`, `Flags=0`, confirming local profile.
|
||||||
|
- Investigated ClientPolicy.ini lock rather than assuming it contained a blocking entry — the file was inaccessible due to OneDrive holding an exclusive lock; HKLM/HKCU OneDrive policy paths confirmed NONE.
|
||||||
|
- Identified the correct diagnostic gap: all prior SHSetKnownFolderPath calls failed silently with E_INVALIDARG due to invalid flags=0x4000; the registry workaround (HKU direct writes) was correct for data but bypassed the shell API layer that maintains known folder state.
|
||||||
|
- Chose to write a new script (`reset_kf_final.ps1`) rather than patch existing ones, ensuring the API call is correct before the next pst-admin session.
|
||||||
|
|
||||||
|
## Problems Encountered
|
||||||
|
- **ClientPolicy.ini reads hung**: Get-Content and FileShare.ReadWrite both blocked because OneDrive held an exclusive lock on the settings .ini files. Deferred; HKLM/HKCU policy paths confirmed NONE, so lock contents were not blocking KFM from the policy path.
|
||||||
|
- **Location tab still greyed post-reboot despite clean registry**: Root cause: `SHSetKnownFolderPath` was called with `flags=0x4000` in every prior script iteration. The SET function rejects any non-zero flags with E_INVALIDARG. This caused the shell to never update its internal known folder state. Our direct HKU registry writes were correct for the data layer but the shell's known folder infrastructure reads its own internal state (not just the registry) to determine policy-management status.
|
||||||
|
- **RMM commands hanging on file reads**: Several diagnostic scripts hung when attempting to read OneDrive settings files or use `SHGetKnownFolderPath` P/Invoke from SYSTEM context. Mitigated by isolating commands to simple registry reads and cmd-based file access; P/Invoke shell API calls from SYSTEM context are not safe.
|
||||||
|
|
||||||
|
## Configuration Changes
|
||||||
|
|
||||||
|
### Scripts written (DESKTOP-0O8A1RL)
|
||||||
|
- `C:\Users\guru\Desktop\reset_kf_final.ps1` — corrected SHSetKnownFolderPath with flags=0; run as pst-admin to update shell Known Folder state
|
||||||
|
|
||||||
|
### No registry changes this segment
|
||||||
|
Registry was confirmed clean from previous segment. No further writes made.
|
||||||
|
|
||||||
|
## Credentials & Secrets
|
||||||
|
|
||||||
|
No new credentials this segment.
|
||||||
|
|
||||||
|
## Infrastructure & Servers
|
||||||
|
|
||||||
|
| Component | Value |
|
||||||
|
|-----------|-------|
|
||||||
|
| HP RMM agent UUID | 13cb3629-5043-4bd6-b977-6968eeccf804 |
|
||||||
|
| pst-admin SID | S-1-5-21-1105246401-3156558273-4088333098-1118 |
|
||||||
|
| pst-admin profile type | LOCAL (C:\Users\pst-admin, Flags=0, not roaming) |
|
||||||
|
| OneDrive account | Personal — mara.concordia@gmail.com (cid: 25f0851177ceabfd) |
|
||||||
|
| OneDrive version | 26.070.0414.0001 |
|
||||||
|
|
||||||
|
## Commands & Outputs
|
||||||
|
|
||||||
|
### Post-reboot registry state (confirmed clean via RMM)
|
||||||
|
```
|
||||||
|
USF server paths: NONE - all local
|
||||||
|
SF server paths: NONE - all local
|
||||||
|
FolderRedirectionPolicyValue markers: NONE
|
||||||
|
CSE history (25537BA6): NONE
|
||||||
|
OneDrive HKCU/HKLM policies: NONE
|
||||||
|
```
|
||||||
|
|
||||||
|
### SHSetKnownFolderPath bug — prior vs corrected
|
||||||
|
```powershell
|
||||||
|
# WRONG (all prior scripts) — flags=0x4000 is GET-only, causes E_INVALIDARG on SET
|
||||||
|
$hr = [KFHelper]::SHSetKnownFolderPath([ref]$guid, [uint32]0x4000, [IntPtr]::Zero, $path)
|
||||||
|
# Result: HRESULT=0x80070057 (E_INVALIDARG) for every folder
|
||||||
|
|
||||||
|
# CORRECT (reset_kf_final.ps1)
|
||||||
|
$hr = [KFHelper2]::SHSetKnownFolderPath([ref]$guid, 0, [IntPtr]::Zero, $path)
|
||||||
|
# flags MUST be 0 per MSDN ("reserved, must be 0")
|
||||||
|
```
|
||||||
|
|
||||||
|
### pst-admin profile check
|
||||||
|
```
|
||||||
|
ProfileImagePath : C:\Users\pst-admin
|
||||||
|
Flags : 0
|
||||||
|
FullProfile : 1
|
||||||
|
State : 0
|
||||||
|
# No CentralProfile, no UNC path → confirmed LOCAL profile
|
||||||
|
```
|
||||||
|
|
||||||
|
### Desktop.ini checks
|
||||||
|
```
|
||||||
|
Documents\desktop.ini : NOT FOUND
|
||||||
|
Desktop\desktop.ini : NOT FOUND
|
||||||
|
Pictures\desktop.ini : standard ShellClassInfo/icon entries only — no redirection markers
|
||||||
|
ntuser.pol : NOT FOUND
|
||||||
|
CLSID overrides (HKCU) for Documents/Desktop/Pictures: none
|
||||||
|
```
|
||||||
|
|
||||||
|
## Pending / Incomplete Tasks
|
||||||
|
|
||||||
|
| Task | Status | Notes |
|
||||||
|
|------|--------|-------|
|
||||||
|
| Run reset_kf_final.ps1 as pst-admin + logoff/on | **PENDING** | Script at C:\Users\guru\Desktop\reset_kf_final.ps1; must run non-elevated as pst-admin |
|
||||||
|
| Test OneDrive KFM after reset_kf_final + logoff/on | **PENDING** | If SET calls return OK, Location tab should unlock and KFM should work |
|
||||||
|
| Update vault with pst-admin new password | **PENDING** | SpiritWalk26! |
|
||||||
|
| Deploy cert + VPN to Maras-HP-Laptop via RMM | **PENDING** | PFX: C:\Users\guru\AppData\Local\Temp\Maras-HP-Laptop.pfx; agent 13cb3629-5043-4bd6-b977-6968eeccf804 |
|
||||||
|
| Deploy cert + VPN to PST-SURFACE via RMM | **PENDING** | PFX: C:\Users\guru\AppData\Local\Temp\PST-SURFACE.pfx; agent 4a993b61-59b3-42f4-bdb5-d4362941f7d6 |
|
||||||
|
| Test pre-login VPN at Windows logon screen | **PENDING** | |
|
||||||
|
| Browser default (http/https) for pst-admin | **PENDING** | Must click "Make Chrome default" in Chrome once |
|
||||||
|
| Clean up PST-SERVER temp files | **PENDING** | C:\ProgramData\: gen_certs.ps1, *.inf, *.req, *.cer, *.pfx, misc .ps1s |
|
||||||
|
| Remove TEMP firewall rules on PST-SERVER | **PENDING** | TEMP-CertEnroll-RPC (TCP 135), TEMP-CertEnroll-DCOM (TCP 49152-65535) |
|
||||||
|
|
||||||
|
## Reference Information
|
||||||
|
- MSDN: SHSetKnownFolderPath — dwFlags is reserved, must be 0. flags=0x4000 (KF_FLAG_DONT_VERIFY) is only valid for SHGetKnownFolderPath.
|
||||||
|
- Known Folder GUIDs used in reset_kf_final.ps1: Documents FDD39AD0, Desktop B4BFCC3A, Pictures 33E28130, Music 4BD8D571, Videos 18989B1D, Downloads 374DE290, Favorites 1777F761, Links BFB9D5E0, Contacts 56784854
|
||||||
|
- OneDrive settings path: C:\Users\pst-admin\AppData\Local\Microsoft\OneDrive\settings\Personal\ — ClientPolicy.ini locked by OneDrive process; use FileShare.ReadWrite or robocopy /B if needed
|
||||||
|
- RMM result endpoint: GET /api/commands/{cmdId} (not /api/agents/{id}/command/{cmdId})
|
||||||
|
- SHGetKnownFolderPath / SHSetKnownFolderPath P/Invoke hangs when called from SYSTEM context — only use in user-context scripts
|
||||||
|
|||||||
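Review bot: The "Update vault with pst-admin new password" row in the Pending / Incomplete Tasks table carries the new password in plaintext in its Notes column, while the "Credentials & Secrets" section of the same log states "No new credentials this segment." Remove the value from the row and point to the vault entry instead. Because the value is now in repository history, a follow-up edit is not enough: the password should be changed and the commit removed from history. The Infrastructure & Servers table also records the OneDrive account's personal e-mail address and cid alongside the pst-admin SID and the RMM agent UUID; in a log that auto-syncs, those are better redacted or replaced with a reference. Separately, in the "prior vs corrected" PowerShell block the corrected line still only assigns `$hr = [KFHelper2]::SHSetKnownFolderPath([ref]$guid, 0, [IntPtr]::Zero, $path)` and shows no check of the result. Since the stated root cause is that every prior SET call returned 0x80070057 silently, reset_kf_final.ps1 should test `$hr` for a non-zero value per folder and fail loudly, and the log should record that it does.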
Submodule projects/msp-tools/guru-rmm updated: 250ddbd7e1...48fc64dce9
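Review bot: The submodule pointer for projects/msp-tools/guru-rmm moves from 250ddbd7e1 to 48fc64dce9 inside an auto-sync commit whose message describes only the machine and timestamp, so nothing here says what the new revision contains or that anyone looked at it. Bump the submodule in its own commit with a message that names the change being pulled in, so tooling updates are reviewable separately from session-log syncs.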