BillMadison
Hi All,
Been testing software restriction policies on Virtual PC for the last couple of days and have
encountered a minor problem.
I have now created a deny all exe policy with certain "allow only exe's" that Windows needs in
normal operation.
The problem however is that in a normal user account everything works ok but for one
issue....whenever there is an exe being started it normally writes this event to the event log so as
admin you can see what program or exe it was that was about to get started.
After applying my restrictions I now don't see these events in my log anymore so that means that one
exe is being denied from writing to the log.
Now my question of course,...what exe or program is used to write these events to the event log?
Also, a few days ago I posted a question about whether these policies could be exported...the
question remained unanswered then but I have now found a way to do it (maybe....)
The thing is, these policies get written to three different parts of the registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
[HKEY_USERS\***insert ADMIN SID here***\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
So, normally you would think that by exporting these and reimporting them in a default install would
be sufficient for these policies to be applied on a new installation. Would I be correct in that
assumption????
I noticed that each path rule I created has a unique GUID associated with it but when using the
search function it can only be found in the registry at the three above mentioned registry branches.
Does this then mean that they will work on a new machine when importing them since no other
reference of these GUIDs can be found on the system?
I even searched my hard drive for all files with a text containing one of these GUIDs to see if there
would be a place where Windows stores these GUIDs as a reference and also came up empty. Maybe they
are just created as GUIDs for the sole purpose of creating a unique string each time under these
registry keys but that's only my logical conclusion to this and I could of course be wrong.
Anyway, that's about all I wanted to ask for now,...and as always I hope someone who has read this
till the end and can provide some more details then I would be much obliged.
Kind Regards,
J
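
An added example, not part of the original post: a PowerShell sketch that lists the path rules stored under the HKEY_LOCAL_MACHINE branch named above, keyed by their GUIDs, and then exports that branch so the file can be checked against what the source machine actually holds. The level subkey names (`0`, `131072`, `262144`) and the value names `DefaultLevel`, `ItemData` and `Description` are the usual SRP registry layout rather than details from the post, and the output file name is hypothetical.

```powershell
# Added example (not from the post): inventory SRP path rules, then export the branch.
# Run from an elevated prompt on the machine where the policy was created.
$root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security-level subkeys as they appear in the registry (decimal key names).
# Assumption: standard SRP layout; not stated in the post.
$levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

if (-not (Test-Path $root)) { throw "No SRP policy found at $root" }

# Default security level for anything no rule matches (0 = deny by default).
$policy = Get-ItemProperty -Path $root
"DefaultLevel: $($policy.DefaultLevel)"

# Each path rule is one subkey named by its GUID under <level>\Paths.
$rules = foreach ($level in $levels.Keys) {
    $paths = Join-Path $root "$level\Paths"
    if (-not (Test-Path $paths)) { continue }
    foreach ($key in Get-ChildItem -Path $paths) {
        $values = Get-ItemProperty -Path $key.PSPath
        [pscustomobject]@{
            Level       = $levels[$level]
            Guid        = $key.PSChildName
            Path        = $values.ItemData
            Description = $values.Description
        }
    }
}
$rules | Sort-Object Level, Path | Format-Table -AutoSize

# Export the same branch to a .reg file (hypothetical file name).
$out = Join-Path $env:TEMP 'srp-codeidentifiers.reg'
reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' $out /y
"Exported $(@($rules).Count) path rule(s) to $out"
```

Running the listing on both the source machine and a machine that received the export shows whether the same GUIDs, paths and levels are present on each.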