HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

[Bug]: The new Downloads Defence Measures category fails to run #179

Closed agpt8 closed 8 months ago

agpt8 commented 8 months ago

Tools category

Harden Windows Security Module

Does your system meet the requirements?

Is your Windows installation genuine?

Please explain the bug

The new Downloads Defence Measures category fails to run with the following error.

Before running, all the modules were updated using this command: Update-Module -Name Harden-Windows-Security-Module, WDACConfig, WinSecureDNSMgr -Force

After the update, the entire Harden-Windows_security module was run in its entirety without any tampering of the files.

Exception: The 'New-DenyWDACConfig' command was found in the module 'WDACConfig', but the module could not be loaded due to the following error: [The module has been tampered with, signature status of the file C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\WDACConfig\0.2.9\Shared\Update-self.psm1 is HashMismatch]
For more information, run 'Import-Module WDACConfig'.

If I run Import-Module WDACConfig, I am seeing a similar error:

Import-Module: The module has been tampered with, signature status of the file C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\WDACConfig\0.2.9\Shared\Update-self.psm1 is HashMismatch

HotCakeX commented 8 months ago

Thanks for reporting, looking into it. Can you please attach that psm1 file to the issue? I want to see how it's different, if at all. You might need to zip it first.

agpt8 commented 8 months ago

0.2.9.zip

Attaching the entire WDACConfig v0.2.9 module for reference

HotCakeX commented 8 months ago

Thanks, everything looks normal, can you also tell me what you get when you run this command?

Assert-WDACConfigIntegrity -Verbose

agpt8 commented 8 months ago

I get the following message when I run the mentioned command:

Assert-WDACConfigIntegrity: The 'Assert-WDACConfigIntegrity' command was found in the module 'WDACConfig', but the module could not be loaded due to the following error: [The module has been tampered with, signature status of the file C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\WDACConfig\0.2.9\Shared\Update-self.psm1 is HashMismatch]
For more information, run 'Import-Module WDACConfig'.

Update: I also tried a forced reinstall of the module but still got the same error.

HotCakeX commented 8 months ago

That's so odd, I'm trying to reproduce it but so far I couldn't.

The WDACConfig module has code like this that checks the integrity of its files before running. If you run it, you should see all green lines.

$ModuleRootPath = 'C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\WDACConfig\0.2.9\'
foreach ($File in (Get-ChildItem -Recurse -File -Path $ModuleRootPath -Include '*.ps1', '*.psm1')) {
    # Get the signature of the current file
    [System.Management.Automation.Signature]$Signature = Get-AuthenticodeSignature -FilePath $File

    # Ensure that they are code signed properly and have not been tampered with.
    if (($Signature.SignerCertificate.Thumbprint -eq '1c1c9082551b43eec17c0301bfb2f27031a4d8c8') -and ($Signature.Status -in 'Valid', 'UnknownError')) {
        Write-Host -Object "File $($File.FullName) is $($Signature.Status)" -ForegroundColor Green
    }
    else {
        Throw [System.Security.SecurityException] "The module has been tampered with, signature status of the file $($File.FullName) is $($Signature.Status)"
    }
}

agpt8 commented 8 months ago

This is what I am seeing:

[screenshot]

Very odd indeed.

I'll retry the reinstall but also remove any traces from the install directory as well. Update: Still the same! 😓

Could this be related to the code signing that was recently introduced? The necessary certs are already configured on your machine but nothing like that exists on mine? (Yeah, I know this is not how it works and is very far-fetched, but still...??)

HotCakeX commented 8 months ago

So for some reason on your system that one file isn't being verified, but the same files you gave me are verifiable with the same command I gave you on my system and also on VMs! 🤔

On my test VMs I don't have the root cert installed and this is what I get, which is expected.

[screenshot]

The only other thing I can think of is that on your system that heart 💓 emoji is somehow not being parsed correctly?

The hash mismatch status is for when that long signature block at the end of the file is intact but at least one character in other parts of the file is different, including whitespace.

So we're gonna test this theory. Here is the same psm1 file but I removed the heart emoji and re-signed it; please put it in the same folder and overwrite the previous file, then do the import (Import-Module -Name WDACConfig -Force) and see if the error still exists.

Update-self.zip

agpt8 commented 8 months ago

Yup, works fine now!

[screenshot]

I should have included the Windows version as well. I am currently running Windows 11 Beta build 22365.2921.

HotCakeX commented 8 months ago

Okay, that is really good to know what caused it. So emojis in the code are a bad idea when the code is digitally signed; fortunately that is the only emoji in the WDACConfig module, so I'll push an update to remove it. Thanks for testing it!

I'm on the same build as you and after removing the root certs, I get the unknown error status but never hash mismatch.

[screenshot]

Maybe a difference in system locale could be the reason that I didn't catch this earlier, even though I tested them both with Spanish and German language packs installed and set as the system locale. It might even have a totally unrelated cause that I don't know.

agpt8 commented 8 months ago

Interesting! Currently, I have only two language packs installed. One is the default English (United States), which is also set as the Windows Display Language.

The other is English (India), which is set as my Regional Format, with India as the region. I don't know if this might be the cause of the hash mismatch. Even weirder that after removing the root certs, you are getting the Unknown error status.

Could this be because of some other larger bug hidden in there?

HotCakeX commented 8 months ago

Unknown error status is correct when the root cert is not installed. With the root cert installed, it would be Valid. If the file is not signed or the signature block is modified, then the status is Unsigned. If other parts of the file are changed, then the status is Hash Mismatch.

Maybe there are some customizations on your PowerShell or system that are different from mine? I noticed these extra items in the screenshot; I don't have them on my console. Are they from Oh My Posh?

[screenshot]

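A per-file check in the spirit of the integrity snippet posted earlier in this thread, added here as an example (not code from the WDACConfig module): it labels each script's Authenticode status the way the statuses are explained above and lists the lines of the signed body that contain non-ASCII characters, since an emoji in the body is what produced the HashMismatch in this report. The function and parameter names are assumptions; the thumbprint is the one pinned in the snippet above and the module path is a placeholder.

```powershell
# Added example, not part of the Harden-Windows-Security or WDACConfig projects.
# Reports each script's Authenticode status as described in the thread and scans the
# code body (before the signature block) for non-ASCII characters such as the emoji
# that triggered HashMismatch. Function and parameter names are assumptions.
function Test-ModuleSignatureHealth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ModuleRootPath,     # e.g. the installed WDACConfig\0.2.9 folder
        [Parameter(Mandatory)][string]$ExpectedThumbprint  # signer thumbprint the module pins
    )
    $Files = Get-ChildItem -Recurse -File -Path $ModuleRootPath -Include '*.ps1', '*.psm1'
    foreach ($File in $Files) {
        $Signature = Get-AuthenticodeSignature -FilePath $File.FullName

        # Work on raw bytes so the scan does not depend on how the host decodes the file
        [byte[]]$Bytes = [System.IO.File]::ReadAllBytes($File.FullName)
        $HasUtf8Bom = ($Bytes.Length -ge 3 -and $Bytes[0] -eq 0xEF -and $Bytes[1] -eq 0xBB -and $Bytes[2] -eq 0xBF)

        # Only the part before the signature block is covered by the signed hash
        $Text = [System.Text.Encoding]::UTF8.GetString($Bytes)
        $Body = ($Text -split '# SIG # Begin signature block')[0]
        $NonAsciiLines = [System.Collections.Generic.List[int]]::new()
        $LineNo = 0
        foreach ($Line in ($Body -split "`r?`n")) {
            $LineNo++
            if ($Line -match '[^\x00-\x7F]') { $NonAsciiLines.Add($LineNo) }
        }

        # Meaning of each status, as explained in the thread (Unsigned is reported as NotSigned)
        $Meaning = switch ([string]$Signature.Status) {
            'Valid'        { 'signed and the chain is trusted (root cert installed)' }
            'UnknownError' { 'signed, but the root cert is not installed; expected on a clean machine' }
            'HashMismatch' { 'signature block intact, but the code body differs from what was signed' }
            'NotSigned'    { 'no signature block, or the signature block itself was modified' }
            default        { "unexpected status $($Signature.Status)" }
        }

        [pscustomobject]@{
            File          = $File.FullName
            Status        = $Signature.Status
            SignerMatches = ($Signature.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
            Utf8Bom       = $HasUtf8Bom
            NonAsciiLines = ($NonAsciiLines -join ',')
            Meaning       = $Meaning
        }
    }
}

# Usage with the thumbprint from the thread's integrity check; the path is a placeholder.
Test-ModuleSignatureHealth -ModuleRootPath 'C:\Path\To\WDACConfig\0.2.9' `
    -ExpectedThumbprint '1c1c9082551b43eec17c0301bfb2f27031a4d8c8' | Format-Table -AutoSize
```

A file that shows HashMismatch together with a non-empty NonAsciiLines column and no UTF-8 BOM is the pattern to look at first, because the decoded text of such a file can differ between hosts while the signature block itself stays intact.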
agpt8 commented 8 months ago

Yes. This is oh-my-posh with the spaceship theme. No other config was changed other than that for oh-my-posh.

The string "Loading personal and system profiles took 1227ms." is also not configured by me. I believe this is directly from PowerShell, but I'm not sure.

Could this error be because of something present in the PowerShell profile files?

HotCakeX commented 8 months ago

It could be, yeah, especially if you didn't configure it; I've never seen it before 🤨 Maybe it could also be caused by Oh-my-posh.