I'm planning on implementing an enterprise-wide solution in accordance with a workaround provided by Microsoft (CVE-2015-2423) and I would like to back up existing registry keys for each user's machine before deleting the referenced items for future compatibility, and in case something goes horribly wrong.
I have the task ready to launch via Internal Distribution Software, but I'm at a loss for where these .reg backups should be stored on each machine. My initial assumption was in:
C:\Users\Default\Documents
but it doesn't seem quite appropriate as that's meant to be used more as a template for future user accounts, not as a storage space for .reg backup files. I don't want users to be able to access, or even see the .reg files so I won't be putting them into C:\Users\Public\Documents.
Preferably, there should be a directory that exists on all Windows images that I can store this in without having to worry about users finding it and poking around in there. I've considered making a new folder under say, C:\, but I'm hesitant of going to that level...it seems a bit much, and I'm assuming that something like this already exists for Windows and I'm just unaware of where it is.
I've consulted this article but the suggestion was pretty unhelpful:
To back up the registry by manually copying files, copy all files in Systemroot\System32\Config to removable media, a network share, or a compatible partition.
That would work if I were putting it onto a different device but I'm not...it's going to be stored locally on each Hard Drive. I want as few moving parts to this as possible in case I have to undo the workaround down the road, if needed. Is anyone aware of guidance for securing .reg backups, or is it just kind of "follow your heart" and hide/secure it as best you can?
Update: There are several reasons why I'm trying to store these locally per-machine, rather than having say, a single copy of the .reg file stored on our Network Share which would be distributed on request. The main one is this: Unique registry values. That is, some of these machines have Visio, some do not. Some have Visio and Project. Some have neither. Which Office products they have installed changes the number of keys they have. If I revert this action afterwards, and mistakenly add keys that a machine did not have previously, it might adversely affect a large number of users' Office products.
Additionally, I would also like to keep this somewhat generalized, so if I do need to do something similar in the future, I can refer to this same area to store additional registry keys for backup use.
On top of that, if I do need to use this for some registry fixes in the future, some programs generate randomly assigned key names or values. If I import a .reg key that does not match what the machine expects it to be, this could also cause serious issues.
I think that quoted suggestion might be more helpful than you think . . . in the past I've often used dropbox type (not the well known Dropbox service) network shares -- that is, a share that has write permissions, but not read permissions -- to collect various interesting config files, backups, etc. from user machines.
After a bit more searching, I was able to find a suggestion listing C:\Windows\System32\config\RegBack as a good location to store backup files.
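
The per-machine backup the question describes, as an added example that is not code from any poster in this thread: it exports only the keys that actually exist on the machine into a folder readable by SYSTEM and Administrators only, and writes a manifest so a later rollback can skip keys the machine never had. The folder under ProgramData and the key name are placeholder assumptions; substitute the location you settle on and the keys named in the vendor workaround.

```powershell
#Requires -RunAsAdministrator
# Added example; assumes PowerShell 4.0+ (Get-FileHash) and an elevated deployment task.
param(
    # Assumption: placeholder folder, substitute the location you settle on.
    [string]$BackupRoot = "$env:ProgramData\RegBackup",
    # Assumption: placeholder key, list the keys named in the vendor workaround.
    [string[]]$Keys = @('HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleKey')
)

# Create the root, drop inherited ACEs, and grant SYSTEM and Administrators full control.
# Well-known SIDs (*S-1-5-18, *S-1-5-32-544) keep this working on localized builds.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
& icacls.exe $BackupRoot /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not restrict ACL on $BackupRoot" }

# One timestamped subfolder per run, so later fixes can reuse the same root.
$runDir = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $runDir | Out-Null

$manifest = foreach ($key in $Keys) {
    if (Test-Path -LiteralPath "Registry::$key") {
        # Turn the key path into a safe file name and export it.
        $file = Join-Path $runDir (($key -replace '[\\/:*?"<>|]', '_') + '.reg')
        & reg.exe export $key $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg export failed for $key" }
        [pscustomobject]@{ Key = $key; Present = $true; File = $file
            SHA256 = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash }
    } else {
        # Record the absence so a rollback never adds a key this machine lacked.
        [pscustomobject]@{ Key = $key; Present = $false; File = $null; SHA256 = $null }
    }
}
$manifest | Export-Csv -LiteralPath (Join-Path $runDir 'manifest.csv') -NoTypeInformation
```

On rollback, import only the files whose manifest row has Present set to True, after confirming the file still matches the recorded SHA256.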