What program is used to write events to the event log?


BillMadison

Hi All,

Been testing software restriction policies on Virtual PC for the last couple of days and have
encountered a minor problem.

I have now created a deny-all exe policy with certain "allow only exe's" that Windows needs in
normal operation.
The problem however is that in a normal user account everything works OK but for one
issue: whenever an exe is being started it normally writes this event to the event log, so as
admin you can see what program or exe it was that was about to get started.
After applying my restrictions I now don't see these events in my log anymore, so that means that one
exe is being denied from writing to the log.

Now my question of course: what exe or program is used to write these events to the event log?

Also, a few days ago I posted a question about whether these policies could be exported. The
question remained unanswered then, but I have now found a way to do it (maybe....)

The thing is, these policies get written to three different parts of the registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]

[HKEY_USERS\***insert ADMIN SID here***\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers]

So, normally you would think that exporting these and reimporting them in a default install would
be sufficient for these policies to be applied on a new installation. Would I be correct in that
assumption?

I noticed that each path rule I created has a unique GUID associated with it, but when using the
search function it can only be found in the registry at the three above-mentioned registry branches.
Does this then mean that they will work on a new machine when importing them, since no other
reference to these GUIDs can be found on the system?
I even searched my hard drive for all files containing one of these GUIDs to see if there
would be a place where Windows stores these GUIDs as a reference and also came up empty. Maybe they
are just created as GUIDs for the sole purpose of creating a unique string each time under these
registry keys, but that's only my logical conclusion to this and I could of course be wrong.

Anyway, that's about all I wanted to ask for now, and as always, if someone who has read this
to the end can provide some more details, I would be much obliged.

Kind Regards,
J

Roger Abell [MVP]

Hi J,

I believe that the event logging functionality is implemented as
a part of services.exe.
It may be that part of one of the mechanisms that may be used
to get an event message into the logs is what is actually blocked.

You have gone about as far in trying to decipher how Safer is
persisting its settings as have I to date. I have seen as of yet
no references that detail how to export Safer settings so that
they are transportable, but I have searched, and have seen this
asked a few times (in NGs frequented by MS staff) with no answer.
I would be interested in your further experiments, as it has been
on my to-do (but not of urgent need) list.

Regards,
Roger

BillMadison

Roger,

I have done some further testing and have come up empty. The result when importing the exported
registry files is that while apparently the restrictions are applied, you can't see them in the MMC
editor.
That to me is not acceptable, since I have to be able to see the settings in future when I have to
make adjustments.

The thing is, when making new path rules these settings get written to a temporary branch in the
registry in two locations (the "Group Policy Objects" keys):

[HKEY_USERS\***insert ADMIN SID here***\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers]

These directories disappear when you log off and log back on. The only reference to these
settings that remains is the one in HKEY_LOCAL_MACHINE.

I have also tried exporting the entire Group Policy Objects directory from both these registry
locations without duplicate entries and importing them in a new install, logging off and logging back
on, and still I don't see these entries.

If MS didn't include or can't provide some way in which admins can export "path rules", then that
means that with each new install you have to manually add them, and that is ....YAWN....a very
tedious affair.
So if you or anyone else knows some MS programmers or such and can contact them about this issue... I will
have to let this slip for a while.

They can hardly expect me to install file/registry watchers and such to monitor dll access, file
creation, file deletion, registry key creation, accessing stamps and GOD knows whatever action is
taken from the moment you click apply when creating a new path rule.

Kind Regards,
J
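
As an added example (not code from this thread or from anyone posting in it), the following Windows PowerShell script does the part of the job the two posts above were doing by hand: it inventories the path rules under the persistent HKLM CodeIdentifiers key the posts name, writes a backup of that key with reg.exe, and lets you compare the rule list of one machine against another by GUID, level and path. It also includes the check the first post was after, whether SRP events are still landing in the Application log. J's finding that a re-imported .reg file does not show up in the MMC editor is not contradicted here; the script only records what is in the registry so a rebuild can be checked against it. Everything below the key path itself is my own assumption rather than something the thread states: the per-level subkeys 0 (Disallowed), 131072 (Basic User) and 262144 (Unrestricted), the Paths\{GUID} layout, the value names ItemData, Description, SaferFlags, LastModified and DefaultLevel, and the event source name "Software Restriction Policies". Verify them against your own registry and event log.

```powershell
# Added example, not code from the thread. Inventory, back up and verify the SRP
# path rules persisted under the HKLM branch the posts name.
# Assumptions beyond the thread (from my own knowledge of SRP, verify locally):
#   CodeIdentifiers\<level>\Paths\{GUID}  with <level> = 0 | 131072 | 262144
#   per-rule values: ItemData (the path), Description, SaferFlags, LastModified
#   CodeIdentifiers\DefaultLevel = the policy's fallback security level

$SaferKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }

function Get-SrpPathRule {
    # One object per path rule, read from the persistent HKLM key, not from the
    # transient "Group Policy Objects" copies that vanish at logoff.
    param([string]$Root = $SaferKey)

    if (-not (Test-Path -Path $Root)) {
        Write-Warning "No SRP policy found at $Root"
        return
    }
    $cfg = Get-ItemProperty -Path $Root
    foreach ($levelKey in Get-ChildItem -Path $Root) {
        $level = $levelKey.PSChildName -as [int]
        if ($null -eq $level) { continue }          # not a security-level subkey
        $pathsKey = Join-Path -Path $Root -ChildPath "$($levelKey.PSChildName)\Paths"
        if (-not (Test-Path -Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $p = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                RuleGuid       = $rule.PSChildName   # the GUID J saw nowhere else on disk
                Level          = if ($LevelNames.ContainsKey($level)) { $LevelNames[$level] } else { "$level" }
                Path           = $p.ItemData
                Description    = $p.Description
                SaferFlags     = $p.SaferFlags
                LastModified   = $p.LastModified
                IsDefaultLevel = ($level -eq $cfg.DefaultLevel)
            }
        }
    }
}

function Export-SrpPolicy {
    # Back up the whole CodeIdentifiers tree as a .reg file and the rule list as
    # CSV, so the rules can be rebuilt and then checked against the backup.
    param([Parameter(Mandatory)][string]$OutDir)

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $regFile = Join-Path -Path $OutDir -ChildPath 'srp-codeidentifiers.reg'
    $csvFile = Join-Path -Path $OutDir -ChildPath 'srp-path-rules.csv'
    if (Test-Path -Path $regFile) { Remove-Item -Path $regFile }
    & reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' $regFile | Out-Null
    Get-SrpPathRule | Export-Csv -Path $csvFile -NoTypeInformation
    return $csvFile
}

function Compare-SrpPolicy {
    # Diff two exported rule lists. The GUID is the only identity the thread could
    # find for a rule, so GUID plus level plus path is what we key on.
    param([Parameter(Mandatory)][string]$ReferenceCsv,
          [Parameter(Mandatory)][string]$DifferenceCsv)

    $ref = Import-Csv -Path $ReferenceCsv
    $dif = Import-Csv -Path $DifferenceCsv
    Compare-Object -ReferenceObject $ref -DifferenceObject $dif -Property RuleGuid, Level, Path
}

function Get-SrpEvent {
    # The check from the first post: are SRP events still reaching the Application
    # log? The source name is an assumption for XP-era systems; newer Windows uses a
    # different provider name, so adjust it to what your own log shows.
    # Get-EventLog exists in Windows PowerShell (5.1 and earlier), not PowerShell 7.
    param([int]$Newest = 20)

    Get-EventLog -LogName Application -Source 'Software Restriction Policies' -Newest $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EventID, Message
}

# Usage (run from an elevated Windows PowerShell prompt):
#   Get-SrpPathRule | Format-Table Level, Path, Description -AutoSize
#   $csv = Export-SrpPolicy -OutDir 'C:\srp-backup'
#   Compare-SrpPolicy -ReferenceCsv 'C:\srp-backup\srp-path-rules.csv' -DifferenceCsv 'D:\other-machine\srp-path-rules.csv'
#   Get-SrpEvent
```

The comparison step is the useful bit for the situation J describes: after rules have been recreated by hand on a fresh install, a non-empty Compare-SrpPolicy result shows exactly which paths or levels were missed, which is what he wanted a watcher tool to tell him.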

Roger Abell

I have in the past tried reading through the MSDN library info
for the SAFER technology to find where/how it is persisting its
mastering info, but never followed it to a final, definitive answer.
I was left with the impression that it, similar to the COM+ technology,
has its own catalog with currently ill-documented info on ways to
access it outside of the pre-planned interfaces.

The intent of Safer is for it to be applied from AD in GPOs.
Using it with transportable definitions on stand-alone machines
seems to have been outside of the design scope.

The registry key trees with \Policy\ in them are volatile, meaning
that they are refreshed by the SCE policy engine. Changes that you
manually make in these are subject to overwriting based on what
the group policy engine sees as appropriate. The exact tie-in of
the Safer extension to the policy system is also not clearly doc'd
in today's admin-level writeups.

It sounds like you have progressed down this road to about the
same roadblocks where I have stalled out.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

BillMadison

Hi Roger,

Well, I also have read the documentation on this and understand that using AD to transport these
policies is the way they intended it to be used, but that still means that the computer which holds
these policies always has to be kept backed up.

What I'm saying here is that, for instance, suppose one of these computers gets messed up, stolen,
hacked or whatever and you have no backup; then it still means you have to manually create these
policies again. Seems just so stupid that admins can't make backups of their working path rules in
case, heaven forbid, one of their main AD comps gets knocked out of commission. Sure there is Ghost
and NTBackup and whatever, but that is not what I'm after; I need backups of individual
configurations like you have for instance with the security templates and such. Much easier, and you
can choose what to install.

Well, I guess that's it then for now... adventure over regarding software policies. Guess I'll have to
add them manually whenever I get the misfortune of losing any backups. Anyhow, I'll be keeping an
eye out for any information that might come out.

Kind Regards,
Jan