Closed agpt8 closed 1 month ago
So this trace is different than the one in the discussion post that you first showed me, but that's okay.
This one is about the strange access denied error that would happen randomly. I can't do anything about it, but I also can't reproduce it anymore either. Since then build 26100.2033 of 24H2 was released, which fixed a couple of issues, so maybe it was fixed by it.
For notifications, I installed PowerToys, set up the command not found feature, and when I run the module, I don't see notifications, which is expected since it allows other competing modules to load their dlls in the session.
I couldn't reproduce the issue you showed me here, although I did make the notification showing method more resilient just in case. That trace appears to be unrelated to the module. After having a closer look, it's referring to the Microsoft.Windows.SDK.NET dll with version 10.0.26100.38, but since version 0.6.5, the module uses the dll's latest version, which is 10.0.26100.46.
I reviewed any related code but they all seemed fine and work fine. With this pull request for version 0.6.6 I'm gonna mark this as closed. You can try version 0.6.6 to see if you continue seeing that error; I think if you install the latest cumulative update and version 0.6.6 it's gonna be okay.
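Added example, not part of the thread or of the module's own code: one way to check which copy of the DLL discussed above is already loaded in the current PowerShell session, and which imported module it came from. The function name `Get-LoadedAssemblyCopy` is hypothetical; the assembly name and version strings are the ones quoted in the comment above.

```powershell
# Added diagnostic example (not the module's code).
# Lists every loaded copy of an assembly, its version, its load context,
# and the imported module whose folder it was loaded from.
function Get-LoadedAssemblyCopy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][version]$ExpectedVersion
    )

    # All assemblies in this process, regardless of which module loaded them.
    $loaded = [System.AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GetName().Name -eq $Name }

    if (-not $loaded) {
        Write-Verbose "$Name is not loaded in this session yet."
        return
    }

    $modules = Get-Module | Where-Object { $_.ModuleBase }

    foreach ($asm in $loaded) {
        $version  = $asm.GetName().Version
        $location = $asm.Location   # empty for in-memory assemblies

        # Attribute the file to a module by checking whose folder contains it.
        $owner = if ($location) {
            $modules | Where-Object {
                $location.StartsWith($_.ModuleBase, [System.StringComparison]::OrdinalIgnoreCase)
            } | Select-Object -First 1
        }

        [pscustomobject]@{
            Assembly        = $Name
            LoadedVersion   = $version
            ExpectedVersion = $ExpectedVersion
            Matches         = ($version -eq $ExpectedVersion)
            LoadContext     = [System.Runtime.Loader.AssemblyLoadContext]::GetLoadContext($asm).Name
            OwningModule    = if ($owner) { $owner.Name } else { '(not under an imported module)' }
            Location        = $location
        }
    }
}

# Name and version taken from the comment above.
Get-LoadedAssemblyCopy -Name 'Microsoft.Windows.SDK.NET' -ExpectedVersion '10.0.26100.46' -Verbose
```

Run it in the same session, after the other profile modules have loaded and before or after `Protect-WindowsSecurity`, to see whether an older copy was loaded first.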
I still got the freeze. This time the workflow was to open the GUI, choose TLS, networking and IP blocking rules along with the optional ones they present and execute. This executed just fine, so I wanted to check the result in the Confirm tab. I press the play button at the bottom which is when I hit the error again.
Here is the trace:
ayush in ~
❯ Protect-WindowsSecurity -GUI
MethodInvocationException: Exception calling "Run" with "1" argument(s): "Timeout exceeded while waiting for the MDM policy files to be created."
ErrorRecord : Exception calling "Run" with "1" argument(s): "Timeout exceeded while waiting for the
MDM policy files to be created."
WasThrownFromThrowStatement : False
TargetSite : Void CheckActionPreference(System.Management.Automation.Language.FunctionContext,
System.Exception)
Message : Exception calling "Run" with "1" argument(s): "Timeout exceeded while waiting for the
MDM policy files to be created."
Data : {[System.Management.Automation.Interpreter.InterpretedFrameInfo,
System.Management.Automation.Interpreter.InterpretedFrameInfo[]]}
InnerException : System.TimeoutException: Timeout exceeded while waiting for the MDM policy files to be
created.
at HardenWindowsSecurity.InvokeConfirmation.Invoke(String[] Categories)
at HardenWindowsSecurity.GUIMain.NavigationVM.<>c__DisplayClass4_0.<Confirm>b__10()
at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread
threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object
state)
--- End of stack trace from previous location ---
at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread
threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object
state)
at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread
threadPoolThread)
--- End of stack trace from previous location ---
at HardenWindowsSecurity.GUIMain.NavigationVM.<>c__DisplayClass4_0.<<Confirm>b__7>d.Mo
veNext()
--- End of stack trace from previous location ---
at System.Threading.Tasks.Task.<>c.<ThrowAsync>b__128_0(Object state)
at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback,
Object args, Int32 numArgs)
at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Object source, Delegate
callback, Object args, Int32 numArgs, Delegate catchHandler)
at System.Windows.Threading.DispatcherOperation.InvokeImpl()
at MS.Internal.CulturePreservingExecutionContext.CallbackWrapper(Object obj)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext,
ContextCallback callback, Object state)
--- End of stack trace from previous location ---
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext,
ContextCallback callback, Object state)
at
MS.Internal.CulturePreservingExecutionContext.Run(CulturePreservingExecutionContext
executionContext, ContextCallback callback, Object state)
at System.Windows.Threading.DispatcherOperation.Invoke()
at System.Windows.Threading.Dispatcher.ProcessQueue()
at System.Windows.Threading.Dispatcher.WndProcHook(IntPtr hwnd, Int32 msg, IntPtr
wParam, IntPtr lParam, Boolean& handled)
at MS.Win32.HwndWrapper.WndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam,
Boolean& handled)
at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback,
Object args, Int32 numArgs)
at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Object source, Delegate
callback, Object args, Int32 numArgs, Delegate catchHandler)
at System.Windows.Threading.Dispatcher.LegacyInvokeImpl(DispatcherPriority priority,
TimeSpan timeout, Delegate method, Object args, Int32 numArgs)
at MS.Win32.HwndSubclass.SubclassWndProc(IntPtr hwnd, Int32 msg, IntPtr wParam,
IntPtr lParam)
at MS.Win32.UnsafeNativeMethods.DispatchMessage(MSG& msg)
at System.Windows.Threading.Dispatcher.PushFrameImpl(DispatcherFrame frame)
at System.Windows.Application.RunDispatcher(Object ignore)
at System.Windows.Application.RunInternal(Window window)
at CallSite.Target(Closure, CallSite, Application, Window)
HelpLink :
Source : System.Management.Automation
HResult : -2146233087
StackTrace : at
System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext
funcContext, Exception exception)
at
System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame
frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(Interp
retedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(Interp
retedFrame frame)
MyCommand :
BoundParameters : {}
UnboundArguments : {}
ScriptLineNumber : 364
OffsetInLine : 17
HistoryId : 1
ScriptName : C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\Harden-Windows-Security-Module\0.6.6\Core\
Protect-WindowsSecurity.psm1
Line : [System.Void]
[HardenWindowsSecurity.GUIMain]::app.Run([HardenWindowsSecurity.GUIMain]::mainGUIWindow)
Statement : [System.Void]
[HardenWindowsSecurity.GUIMain]::app.Run([HardenWindowsSecurity.GUIMain]::mainGUIWindow)
PositionMessage : At C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\Harden-Windows-Security-Module\0.6.6\Co
re\Protect-WindowsSecurity.psm1:364 char:17
+ … [System.Void] [HardenWindowsSecurity.GUIMain]::app.Run([H …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PSScriptRoot : C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\Harden-Windows-Security-Module\0.6.6\Core
PSCommandPath : C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\Harden-Windows-Security-Module\0.6.6\Core\
Protect-WindowsSecurity.psm1
InvocationName :
PipelineLength : 0
PipelinePosition : 0
ExpectingInput : False
CommandOrigin : Internal
DisplayScriptPosition :
ayush in ~
❯ Get-Error
Exception :
Type : System.Management.Automation.MethodInvocationException
ErrorRecord :
Exception :
Type : System.Management.Automation.ParentContainsErrorRecordException
Message : Exception calling "Run" with "1" argument(s): "Timeout exceeded while waiting for the MDM policy
files to be created."
HResult : -2146233087
CategoryInfo : NotSpecified: (:) [], ParentContainsErrorRecordException
FullyQualifiedErrorId : TimeoutException
InvocationInfo :
ScriptLineNumber : 364
OffsetInLine : 17
HistoryId : 1
ScriptName : C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\Harden-Windows-Security-Module\0.6.
6\Core\Protect-WindowsSecurity.psm1
Line : [System.Void]
[HardenWindowsSecurity.GUIMain]::app.Run([HardenWindowsSecurity.GUIMain]::mainGUIWindow)
Statement : [System.Void]
[HardenWindowsSecurity.GUIMain]::app.Run([HardenWindowsSecurity.GUIMain]::mainGUIWindow)
PositionMessage : At C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\Harden-Windows-Security-Module\0
.6.6\Core\Protect-WindowsSecurity.psm1:364 char:17
+ … [System.Void] [HardenWindowsSecurity.GUIMain]::app.Run([H …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PSScriptRoot :
C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\Harden-Windows-Security-Module\0.6.6\Core
PSCommandPath : C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\Harden-Windows-Security-Module\0.6.
6\Core\Protect-WindowsSecurity.psm1
CommandOrigin : Internal
ScriptStackTrace : at Protect-WindowsSecurity<Begin>, C:\Users\ayush\OneDrive\Documents\PowerShell\Modules
\Harden-Windows-Security-Module\0.6.6\Core\Protect-WindowsSecurity.psm1: line 364
at <ScriptBlock>, <No file>: line 1
TargetSite :
Name : CheckActionPreference
DeclaringType : [System.Management.Automation.ExceptionHandlingOps]
MemberType : Method
Module : System.Management.Automation.dll
Message : Exception calling "Run" with "1" argument(s): "Timeout exceeded while waiting for the MDM policy
files to be created."
Data : System.Collections.ListDictionaryInternal
InnerException :
Type : System.TimeoutException
TargetSite :
Name : Invoke
DeclaringType : [HardenWindowsSecurity.InvokeConfirmation]
MemberType : Method
Module : h2jexxty.4ef.dll
Message : Timeout exceeded while waiting for the MDM policy files to be created.
Data : System.Collections.ListDictionaryInternal
Source : h2jexxty.4ef
HResult : -2146233083
StackTrace :
at HardenWindowsSecurity.InvokeConfirmation.Invoke(String[] Categories)
at HardenWindowsSecurity.GUIMain.NavigationVM.<>c__DisplayClass4_0.<Confirm>b__10()
at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext
executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext
executionContext, ContextCallback callback, Object state)
at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
at HardenWindowsSecurity.GUIMain.NavigationVM.<>c__DisplayClass4_0.<<Confirm>b__7>d.MoveNext()
--- End of stack trace from previous location ---
at System.Threading.Tasks.Task.<>c.<ThrowAsync>b__128_0(Object state)
at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)
at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Object source, Delegate callback, Object args, Int32
numArgs, Delegate catchHandler)
at System.Windows.Threading.DispatcherOperation.InvokeImpl()
at MS.Internal.CulturePreservingExecutionContext.CallbackWrapper(Object obj)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback,
Object state)
--- End of stack trace from previous location ---
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback,
Object state)
at MS.Internal.CulturePreservingExecutionContext.Run(CulturePreservingExecutionContext executionContext,
ContextCallback callback, Object state)
at System.Windows.Threading.DispatcherOperation.Invoke()
at System.Windows.Threading.Dispatcher.ProcessQueue()
at System.Windows.Threading.Dispatcher.WndProcHook(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean&
handled)
at MS.Win32.HwndWrapper.WndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)
at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Object source, Delegate callback, Object args, Int32
numArgs, Delegate catchHandler)
at System.Windows.Threading.Dispatcher.LegacyInvokeImpl(DispatcherPriority priority, TimeSpan timeout, Delegate
method, Object args, Int32 numArgs)
at MS.Win32.HwndSubclass.SubclassWndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam)
at MS.Win32.UnsafeNativeMethods.DispatchMessage(MSG& msg)
at System.Windows.Threading.Dispatcher.PushFrameImpl(DispatcherFrame frame)
at System.Windows.Application.RunDispatcher(Object ignore)
at System.Windows.Application.RunInternal(Window window)
at CallSite.Target(Closure, CallSite, Application, Window)
Source : System.Management.Automation
HResult : -2146233087
StackTrace :
at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception
exception)
at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
CategoryInfo : NotSpecified: (:) [], MethodInvocationException
FullyQualifiedErrorId : TimeoutException
InvocationInfo :
ScriptLineNumber : 364
OffsetInLine : 17
HistoryId : 1
ScriptName : C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\Harden-Windows-Security-Module\0.6.6\Core\P
rotect-WindowsSecurity.psm1
Line : [System.Void]
[HardenWindowsSecurity.GUIMain]::app.Run([HardenWindowsSecurity.GUIMain]::mainGUIWindow)
Statement : [System.Void]
[HardenWindowsSecurity.GUIMain]::app.Run([HardenWindowsSecurity.GUIMain]::mainGUIWindow)
PositionMessage : At C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\Harden-Windows-Security-Module\0.6.6\Cor
e\Protect-WindowsSecurity.psm1:364 char:17
+ … [System.Void] [HardenWindowsSecurity.GUIMain]::app.Run([H …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PSScriptRoot : C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\Harden-Windows-Security-Module\0.6.6\Core
PSCommandPath : C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\Harden-Windows-Security-Module\0.6.6\Core\P
rotect-WindowsSecurity.psm1
CommandOrigin : Internal
ScriptStackTrace : at Protect-WindowsSecurity<Begin>, C:\Users\ayush\OneDrive\Documents\PowerShell\Modules\Harden-
Windows-Security-Module\0.6.6\Core\Protect-WindowsSecurity.psm1: line 364
at <ScriptBlock>, <No file>: line 1
I don't know if this is relevant here but I haven't installed the latest RP build 26100.2033 on my machine as it is erroring out. I have tried the traditional update through settings, wusa.exe, Dism and Add-Package. The update files were obtained from the official update catalog. Add-Package would error out on both the files. wusa and double clicking the files itself work the same and only one of them installed. For Dism, one of the packages installed just fine, the other one gave an error saying registry file format is incorrect. Not sure what the reason here is but still trying to find a workaround.
@agpt8 It's saying the MDM related data couldn't be collected within the designated time frame. Can't do anything about it since it's not a bug. My system couldn't be updated to 26100.2033 through Windows Update either so I just downloaded the files and installed them in order.
https://www.catalog.update.microsoft.com/Search.aspx?q=KB5044284
and the order of installation is defined here
Yeah. The first package installed just fine with dism, 2nd one just does not want to install.
Maybe try a reset from the settings. Btw my PC had this problem with update installation on 24H2 before I started applying any policies or using the Harden Windows Security module. I did report it on Feedback Hub.
I was watching the update process closely in Event Viewer, the ASR rules, code integrity logs etc. No related logs were generated either.
Tools category
Harden Windows Security Module
Please Explain The Bug
This issue was initially discussed in discussion #349. This is the tracking issue for it and all communications going forward regarding this will be held here.
@agpt8: While configuring ASR rules in the GUI, there seems to be a bug. When attempting to change the setting to 'Audit' for the preview rules, which often cause issues (particularly when updating Nvidia drivers), selecting the appropriate rule from the dropdown and clicking the play button does something in the background, but the GUI displays an error message with links to GitHub. After clicking 'okay', the GUI freezes and exits to the terminal PS process without closing the GUI window itself, displaying the trace there. The ASR rule setting does not change during all this and must be modified from GPO manually.
Frozen window while executing ASR rule changes:
@HotCakeX: It's related to displaying notifications at the end, so it does its job but when at the end it should show the notification it throws an error. I couldn't reproduce it, but do you see this for any other action too? Like when checking for compliance or applying protection, do you see the notification properly? You might not see a notification at all if there are conflicting modules that use the same dlls, and the module should gracefully back off when that happens.
@agpt8: I don't see any other notifications when compliance checking or using specific protection from the Protect tab, maybe because of the modules that I am using. These execute just fine and I haven't had any issues. However, with the ASR rules, I saw this issue.
Okay, I was trying to reproduce the above issue with ASR rules, but I again hit this issue, this time with the Protect tab itself. Again the window froze, including the window controls. I had to use the End task button from the taskbar to close it. The trace is similar to what I posted above. Here is a video.
https://1drv.ms/v/s!AkRt3_pvmCxG4pkhz0NQX2g7N1Rx0w?e=qNyC8y
This second video is taken after removing all PS modules that were loaded by removing everything in the $PROFILE file. I did not remove/turn off anything that was loaded from PowerToys, since it hasn't really caused any issues before and I used it this morning to apply the updated protections and it worked fine. The compliance check worked fine and I got the notifications as well (this did not happen when my modules were loaded but the compliance check would still work). However, the Protect tab gave me an error as seen in the video. I could not capture the trace this time. I'll update this comment after capturing an extended trace using Get-Error. I'll also post the link once it is uploaded on OneDrive.
Update 1: video link: https://1drv.ms/v/s!AkRt3_pvmCxG4pkkeR3FZW7Iu8qwQA?e=zl7nd7
@HotCakeX: That's a weird error, it happens randomly when the existing country IP blocking rules are being deleted in order to add new rules. Sometimes this deletion throws an error about access denied, sometimes it doesn't. I can't consistently repro it, making it very hard to solve. Out of over 30 times I tried it, I only got the error about 3 times.
Access denied errors usually mean there are not enough privileges, but we are running as Admin already and that should be enough for that task. I don't think it's too far-fetched to attribute this problem to 24H2. I haven't changed this part of the code in a while and it always used to work.
This is the exact line that intermittently throws that access denied error, in case anyone wants to take a look
Harden-Windows-Security/Harden-Windows-Security Module/Main files/C#/CimInstances/FirewallHelper.cs
@agpt8: Could this be related to the new enhanced admin protection setting that was added in windows? I have that enabled. That is the only setting that changes how the privileges are granted.
@HotCakeX: Could be (easy to test the theory) but then again why is it so random! 🤷‍♀️
Error Details