[Bug]: Some events in Applocker EXE & MSI (e.g. .tmp) not detected as part of -Source LocalEventLogs

[zygmuntszpak]

Tools category

WDACConfig Module

Does Your System Meet The Requirements?

• [X] Yes, I acknowledge that I've read the requirements and my system meets them. 👍

Is your Windows Installation Genuine?

• [X] Yes, I acknowledge that the installation media of the Windows OS I used the tool on was downloaded from the official Microsoft website and I didn't tamper or modify it. 💯

Did You Read The Frequently Asked Questions?

• [X] Yes, I've referred to the FAQs and my issue is not covered/explained in there.

Please Explain The Bug

I have created a DefaultWindowsAudit policy and deployed it via intune.

I'm trying to whitelist Adobe Standard PDF Reader by running the setup.exe as per the installation instructions.

Upon installing and launching the program, I attempt to create a whitelist using

ConvertToWDACPolicy -BasePolicyFile "C:\Program Files\WDACConfig\DefaultWindowsAudit.xml" -Source LocalEventLogs -SuppPolicyName "Adobe Reader"  -Level FilePublisher

which detects and parses the following log events.

However, parsing the log event with the App Control Wizard I notice that there were other events which were detected that are associated with Applocker MSI and Script Events which were not detected by the ConvertToWDACPolicy cmdlet. For example, there are numerous .tmp files which are related to something called ADelRPC.dll

If I only select the events detected by ConvertToWDACPolicy then the whitelist appears to be incomplete. Specifically, after selecting all of these events, I uninstall Adobe, switch to enforcing DefaultWindows and attempt to install the Adobe Reader again only to find that it fails. Some of the dll's in the .tmp files are blocked during installation as part of Applocker MSI and Script Events and if I run ConvertToWDACPolicy with PolicyAddTo it still doesn't detect them.

I can confirm this dll is not detected in the logs:

I presume this is a bug?

Many thanks for this excellent package.

Error Details

No response

[HotCakeX]

Hi, Thanks for making such detailed report. It seems like a bug, i will check what's happening and fix it.

I'm currently in the process of adding this feature, ConvertTo-WDACConfig, plus Edit-WDACConfig + Edit-SignedWDACConfig to the new AppControl Manager app. The features that will be added to the app will have different logic which will fix this bug as well.

It's going to take approximately ~2 weeks, maybe less, before i can release new version of WDACConfig module and AppControl Manager.

[HotCakeX]

@zygmuntszpak

After having another look at the code, i think i found out why you couldn't see those logs. I think it's because those temp files are deleted after installation and are not included in the result. There is however an option you can try. First export the code integrity or AppLocker logs from event viewer to an .evtx file and then use this syntax

ConvertTo-WDACPolicy -Source EVTXFiles -EVTXLogs "Path To .evtx files"

It should show you everything. Just a temporary workaround.

[zygmuntszpak]

Thank you very much. You are right, when I load the EVTXLogs explicitly it correctly detects the .tmp files. Regarding the new App Control Manager App, will it still support the creating of policies without automatic deployment? My use case is built around Intune and from what I understood from reading a previous issue, it is best not to mix how policies are deployed but to consistently use Intune.

[HotCakeX]

@zygmuntszpak my pleasure!

Of course, it will definitely have deployment as optional feature, using it for Intune or remote systems in general is one of the main focus points. After this new update is released, you can try it out and give me more feedback so i can improve it to meet your other needs.

[HotCakeX]

I've resolved this issue, please take a look at this release note:

https://github.com/HotCakeX/Harden-Windows-Security/releases/tag/WDACConfigv0.4.9