[Bug]: New-KernelModeWDACConfig -Mode AuditAndEnforce cannot scan Event logs.

LittleNyanyay commented 1 month ago

Tools category

WDACConfig Module

Does Your System Meet The Requirements?

[X] Yes, I acknowledge that I've read the requirements and my system meets them. 👍

Is your Windows Installation Genuine?

[X] Yes, I acknowledge that the installation media of the Windows OS I used the tool on was downloaded from the official Microsoft website and I didn't tamper or modify it. 💯

Did You Read The Frequently Asked Questions?

[X] Yes, I've referred to the FAQs and my issue is not covered/explained in there.

Please Explain The Bug

New-KernelModeWDACConfig -Mode Prep -Deploy after this command and reboot .

Next use the command: New-KernelModeWDACConfig -Mode AuditAndEnforce

Description of the phenomenon:

An yellow error was encountered reporting: “Unable to create a Volume Shadow Copy of the target drive. Files in use may generate warnings and cannot be scanned. To enable volume shadow copies, ensure that you run powershell as administrator and enable the Win32_Shadowcopy service.”
I checked C:\Program Files**WDACConfig\StagingArea\New-KernelModeWDACConfig\KernelModeDriversDirectory while the command was running and all files in this directory were 0kb**
Seen new error in the Event logs: Volume Shadow Copy Service Error: hr = 0x80070005, Access is denied. DeviceIoControl(\?\Volume{9c701525-febc-47a0-a129-2b54ac21c11d} - 00000000000002B4,0x0053c028,000001D214A07810,0,000001D214A067E0,4096,[0])。hr = 0x80070005, Access is denied. 。 Operation: Automatically choosing a diff-area volume Processing EndPrepareSnapshots Context: Execution Context: System Provider
Win32_Shadowcopy is also known as the Volume Shadow Copy service, and the Software Protection service is running in the service, and powershell is the administrator.
The newly added C:\Program Files\WDACConfig\StagingArea\New-KernelModeWDACConfig**DefaultWindows_Enforced_Kernel.xml file has no content changes compared to the “C:\Program Files\WDACConfig\DefaultWindows_Audit_Kernel.xml**” file. there is no new added driver.

Error Details

PS C:\Windows\System32> New-KernelModeWDACConfig -Mode AuditAndEnforce
VERBOSE: Receive-CodeIntegrityLogs: Collecting the Code Integrity Operational logs
VERBOSE: Receive-CodeIntegrityLogs: Grouped the Code Integrity logs by ActivityId. The total number of groups is 90 and the total number of logs in the groups is 260
VERBOSE: Receive-CodeIntegrityLogs: Collecting the AppLocker logs
VERBOSE: Receive-CodeIntegrityLogs: Could not collect the AppLocker logs, the number of logs collected is 0
VERBOSE: Receive-CodeIntegrityLogs: Grouped the AppLocker logs by ActivityId. The total number of groups is 0 and the total number of logs in the groups is 0
VERBOSE: Receive-CodeIntegrityLogs: Returning 30 Audit Code Integrity logs.
Scanning the Event logs [Step 1/2

“无法创建目标驱动器的卷影副本。正在使用的文件可能会生成警告，并且无法进行扫描。若要启用卷影副本，请确保以管理员身份运行 powershell 并启用 Win32_Shadowcopy 服务。”
警告: "处理子目录 \\?\C:\Program Files\WDACConfig\StagingArea\New-KernelModeWDACConfig\KernelModeDriversDirectory
时发生错误"
警告:  已添加了具有相同键的项。
“扫描已成功完成”
Strict Kernel mode Enforced policy has been created
C:\Program Files\WDACConfig\StagingArea\New-KernelModeWDACConfig\DefaultWindows_Enforced_Kernel.xml
PS C:\Windows\System32>

LittleNyanyay commented 1 month ago

I'm not sure what's happening in this command, on the surface it says access denied. The powershell has administrator rights and the service is working. windows11 professional workstation edition 23H2 22631.3880

HotCakeX commented 1 month ago

Hi,

so about this part

I checked C:\Program FilesWDACConfig\StagingArea\New-KernelModeWDACConfig\KernelModeDriversDirectory while the command was running and all files in this directory were 0kb

This is expected. Those are symlinks to the files to be scanned, not the actual files.

The rest of the errors appear to be only related to the ShadowCopy service. Currently, the WDACConfig module offloads all of the file scanning operations to the built-in cmdlets of the ConfigCI module but soon i'm planning on implementing the entire logic myself, customized for the module's requirements.

I've never ran into the access denied issue with ShadowCopy before though, but i know the built-in ConfigCI module has a known issue with ShadowCopy service, I've talked about it here

https://github.com/MicrosoftDocs/WDAC-Toolkit/issues/302 https://github.com/MicrosoftDocs/WDAC-Toolkit/issues/362

I'll keep you posted when i know more about this, i'll try to reproduce it myself too

HotCakeX commented 1 month ago

So it's been over a week and I still can't reproduce this error. I'm fairly certain it's a problem on your end, most likely caused by a 3rd party program or configuration, if you test it on a clean system you will see the problem you're experiencing won't happen.

Doing a Bing search for Volume Shadow Copy Service Error: hr = 0x80070005, Access is denied you can find multiple articles offering fixes, so i suggest trying the out see if they will fix it.

Also, you have other options for creating a strict kernel-mode enforced policy.

You can use this command to deploy the audit mode policy first as you normally would

New-KernelModeWDACConfig -Mode Prep -Deploy

Then restart your system and use the following command (Change policy path if you need to)

ConvertTo-WDACPolicy -BasePolicyFile "C:\Program Files\WDACConfig\DefaultWindows_Audit_Kernel.xml" -KernelModeOnly -Deploy

I created it specifically for this purpose. It gives you even more control over which .sys files will be included in the enforced mode policy.

Then remove the audit mode policy using the following command

Remove-WDACConfig -UnsignedOrSupplemental -PolicyNames <Strict Kernel Audit mode Policy Name>

Note that It has one caveat at the moment, it doesn't support WHQLFilePublisher, it supports FilePublisher, Publisher, Hash levels.

Support for WHQLFilePublisher for ConvertTo-WDACPolicy will be added in a future update along with the reduced reliance on built-in modules that I mentioned in earlier comments.

Documentations:

HotCakeX / Harden-Windows-Security