Closed Dees7 closed 2 years ago
Hi,
Did you run the Set-OutputEncodingToUnicode.ps1 script in the Support folder before scanning the directories?
See also notes on pages 16 and 17 in the documentation.
Sorry for getting to this so late - I wasn't getting notifications - hopefully I've got that straightened out. Dees7, does rmoreas' suggestion fix your issue?
Hello. No. Set-OutputEncodingToUnicode.ps1 did not help. I see "???" in XML.
What does the output of this command look like by itself:
AccessChk.exe /accepteula -nobanner -w -d -s c:\windows\tasks
C:\Users\user\Documents\AaronLocker\AaronLocker>AccessChk.exe /accepteula -nobanner -w -d -s c:\windows\tasks
c:\windows\Tasks
RW NT AUTHORITY\????????? ????????
RW BUILTIN\??????????????
RW NT AUTHORITY\???????
OK. Confirmed that it's a bug in AccessChk.exe that doesn't handle Unicode properly. Bug filed and hopefully resolved soon. Thanks for the alert.
Does the "AaronLocker" rule generation still work correctly in spite of this bug? The design intent is to rely on SIDs and not have to depend on successful SID-to-name conversion. The bug here makes it harder for a human to review the results of the scans of the Windows and Program Files subdirectories, but it shouldn't otherwise block generation of correct rules. Is that what you're seeing?
Hello. Yes, AaronLocker rule generation works and applies correctly.
OK. Sysinternals team has fixing the Unicode issue in their backlog now.
Hello. I use Windows 10 (LTSB) and if I generate reports I see "??" instead of groups.
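The thread notes that rule generation relies on SIDs rather than on SID-to-name conversion. The following is an added example, not code from AaronLocker or from any participant, showing how a reviewer on a localized Windows install can list write-granting ACEs on a directory by SID, so garbled account names do not matter. The default path is taken from the command in the thread; the SID list and output field names are assumptions chosen for illustration.

```powershell
# Added example: report ACEs that grant write-type access to non-admin
# principals, identified by SID instead of by (localized) account name.
param([string]$Path = 'C:\Windows\Tasks')   # default taken from the thread's command

# Well-known SIDs that cover non-administrative users. These values are the
# same on every Windows language; the English labels are for the reviewer only.
$nonAdminSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# FILE_WRITE_DATA (0x2), FILE_APPEND_DATA (0x4), GENERIC_WRITE, GENERIC_ALL.
$writeBits = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

$acl = Get-Acl -LiteralPath $Path

# Ask .NET to return identities as SIDs so no name translation takes place.
$rules = $acl.GetAccessRules($true, $true,
    [System.Security.Principal.SecurityIdentifier])

foreach ($ace in $rules) {
    $sid = $ace.IdentityReference.Value

    # Only Allow ACEs for the listed SIDs are reported. This is a review aid:
    # it does not compute effective access (Deny ACEs, group nesting) and it
    # inspects one directory, not the whole subtree.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (-not $nonAdminSids.ContainsKey($sid)) { continue }
    if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }

    [pscustomobject]@{
        Path          = $Path
        Sid           = $sid
        WellKnownName = $nonAdminSids[$sid]
        Rights        = '0x{0:X8}' -f [int]$ace.FileSystemRights
        Inherited     = $ace.IsInherited
    }
}
```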