Interesting.  This confirms the usernames are indeed the same.

If you log back off and back in after you can manually run it (i.e. log in a 
second time after you confirm it works while logged in), is the login script 
still blocked?  If not, does it work properly if you reboot and wait a few 
minutes before logging in?  If so, try "always wait for the network at startup" 
to see if it happens to help.

Other than that, I unfortunately don't have any other ideas.

-Aakash Shah

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Sean Chapman
Sent: Wednesday, December 6, 2017 9:38 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Applocker AppIDsvc autostart

Thanks for the help.  It's strange, it's like there is no rules processing so it 
blocks it, and then if I run it later it picks up the rule and it's fine.

THIS IS AT LOGIN WHEN ITS BLOCKED

- System

  - Provider

   [ Name]  Microsoft-Windows-AppLocker
   [ Guid]  {CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}

   EventID 8007

   Version 0

   Level 2

   Task 0

   Opcode 0

   Keywords 0x4000000000000000

  - TimeCreated

   [ SystemTime]  2017-12-06T14:23:49.289420900Z

   EventRecordID 538

   Correlation

  - Execution

   [ ProcessID]  6124
   [ ThreadID]  5124

   Channel Microsoft-Windows-AppLocker/MSI and Script

   Computer -REMOVED-

  - Security

   [ UserID]  S-1-5-21-851404035-2101509786-1845911597-10248


- UserData

  - RuleAndFileData

   PolicyNameLength 6

   PolicyName SCRIPT

   RuleId {00000000-0000-0000-0000-000000000000}

   RuleNameLength 1

   RuleName -

   RuleSddlLength 1

   RuleSddl -

   TargetUser S-1-5-21-851404035-2101509786-1845911597-10248

   TargetProcessId 6124

   FilePathLength 46

   FilePath \\-REMOVED-\NETLOGON\MAPDRIVE.CMD

   FileHashLength 0

   FileHash

   FqbnLength 1

   Fqbn -

   TargetLogonId 0x36c0cdb




THEN THIS IS RUNNING IT MANUALLY LATER


+ System

  - Provider

   [ Name]  Microsoft-Windows-AppLocker
   [ Guid]  {CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}

   EventID 8005

   Version 0

   Level 4

   Task 0

   Opcode 0

   Keywords 0x4000000000000000

  - TimeCreated

   [ SystemTime]  2017-12-06T17:26:27.398344200Z

   EventRecordID 552

   Correlation

  - Execution

   [ ProcessID]  3684
   [ ThreadID]  396

   Channel Microsoft-Windows-AppLocker/MSI and Script

   Computer -REMOVED-

  - Security

   [ UserID]  S-1-5-21-851404035-2101509786-1845911597-10248


- UserData

  - RuleAndFileData

   PolicyNameLength 6

   PolicyName SCRIPT

   RuleId {ED97D0CB-15FF-430F-B82C-8D7832957725}

   RuleNameLength 11

   RuleName All scripts

   RuleSddlLength 53

   RuleSddl D:(XA;;FX;;;S-1-5-32-544;(APPID://PATH Contains "*"))

   TargetUser S-1-5-21-851404035-2101509786-1845911597-10248

   TargetProcessId 3684

   FilePathLength 46

   FilePath \\-REMOVED-\NETLOGON\MAPDRIVE.CMD

   FileHashLength 0

   FileHash

   FqbnLength 1

   Fqbn -

   TargetLogonId 0x36c0cb2



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Aakash Shah
Sent: Tuesday, December 5, 2017 4:23 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: Applocker AppIDsvc autostart

From what I've seen, if the AppIdSvc is not running, then nothing should be 
blocked until the service starts.  So in theory, if the AppIdSvc has not 
started, then it should not have blocked the first script below.

I assume that for both events below, the username is the same?  Also, it may be 
helpful to review the Details tab for these event log entries to read the 
RuleName/RuleSddl fields to see what rule allowed the second attempt to run and 
see if that may help explain why the first attempt didn't run.

-Aakash Shah
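The check suggested in the message above (compare the RuleId/RuleName/RuleSddl fields of the blocked 8007 event against the allowed 8005 event) can be scripted. The following is an added example, not code from this thread or from Microsoft: a PowerShell function that takes the XML of an AppLocker "MSI and Script" event (the string Get-WinEvent returns from `.ToXml()`), classifies it, and surfaces the fields worth comparing. A block whose RuleId is the all-zero GUID means no rule matched the file at all (the default deny), which is what the event details posted above show for the logon-time block, whereas the later manual run carries the matching "All scripts" rule. The two sample events are constructed from the details posted in the thread; the computer and server names are placeholders, and the element layout assumes the standard Windows event XML shape.

```powershell
# Added example (not from the thread): classify AppLocker script events by whether a rule
# matched, so a logon-time block with a null RuleId stands out from a block by an explicit
# deny rule. Input is event XML as returned by Get-WinEvent's .ToXml().

function Get-AppLockerRuleOutcome {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EventXml
    )
    process {
        [xml]$x = $EventXml
        $sys    = $x.Event.System
        $data   = $x.Event.UserData.RuleAndFileData

        # EventID is plain text for AppLocker events; it becomes an element when a
        # Qualifiers attribute is present, so handle both shapes.
        $evid = $sys.EventID
        if ($evid -isnot [string]) { $evid = $evid.'#text' }
        $id = [int]$evid

        # An all-zero RuleId means no rule was matched: the file fell through to the default deny.
        $nullRule = $data.RuleId -eq '{00000000-0000-0000-0000-000000000000}'

        $outcome = switch ($id) {
            8005    { 'Allowed' }
            8006    { 'WouldBeBlocked(AuditOnly)' }
            8007    { if ($nullRule) { 'BlockedNoRuleMatched' } else { 'BlockedByRule' } }
            default { "Other($id)" }
        }

        [pscustomobject]@{
            # XmlConvert copes with the nine fractional digits Windows writes in SystemTime.
            Time       = [System.Xml.XmlConvert]::ToDateTime($sys.TimeCreated.SystemTime,
                             [System.Xml.XmlDateTimeSerializationMode]::Utc)
            EventId    = $id
            Outcome    = $outcome
            FilePath   = $data.FilePath
            RuleId     = $data.RuleId
            RuleName   = $data.RuleName
            RuleSddl   = $data.RuleSddl
            TargetUser = $data.TargetUser
            LogonId    = $data.TargetLogonId   # differs between the two posted events
        }
    }
}

# Constructed sample: the logon-time block from the thread (placeholder host names).
$blockedAtLogon = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}"/>
    <EventID>8007</EventID>
    <Level>2</Level>
    <TimeCreated SystemTime="2017-12-06T14:23:49.289420900Z"/>
    <Channel>Microsoft-Windows-AppLocker/MSI and Script</Channel>
    <Computer>WORKSTATION-PLACEHOLDER</Computer>
    <Security UserID="S-1-5-21-851404035-2101509786-1845911597-10248"/>
  </System>
  <UserData>
    <RuleAndFileData>
      <PolicyName>SCRIPT</PolicyName>
      <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId>
      <RuleName>-</RuleName>
      <RuleSddl>-</RuleSddl>
      <TargetUser>S-1-5-21-851404035-2101509786-1845911597-10248</TargetUser>
      <FilePath>\\DC-PLACEHOLDER\NETLOGON\MAPDRIVE.CMD</FilePath>
      <TargetLogonId>0x36c0cdb</TargetLogonId>
    </RuleAndFileData>
  </UserData>
</Event>
'@

# Constructed sample: the same script run manually later, allowed by the "All scripts" rule.
$allowedLater = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}"/>
    <EventID>8005</EventID>
    <Level>4</Level>
    <TimeCreated SystemTime="2017-12-06T17:26:27.398344200Z"/>
    <Channel>Microsoft-Windows-AppLocker/MSI and Script</Channel>
    <Computer>WORKSTATION-PLACEHOLDER</Computer>
    <Security UserID="S-1-5-21-851404035-2101509786-1845911597-10248"/>
  </System>
  <UserData>
    <RuleAndFileData>
      <PolicyName>SCRIPT</PolicyName>
      <RuleId>{ED97D0CB-15FF-430F-B82C-8D7832957725}</RuleId>
      <RuleName>All scripts</RuleName>
      <RuleSddl>D:(XA;;FX;;;S-1-5-32-544;(APPID://PATH Contains "*"))</RuleSddl>
      <TargetUser>S-1-5-21-851404035-2101509786-1845911597-10248</TargetUser>
      <FilePath>\\DC-PLACEHOLDER\NETLOGON\MAPDRIVE.CMD</FilePath>
      <TargetLogonId>0x36c0cb2</TargetLogonId>
    </RuleAndFileData>
  </UserData>
</Event>
'@

$blockedAtLogon, $allowedLater |
    Get-AppLockerRuleOutcome |
    Format-Table Time, EventId, Outcome, RuleName, LogonId -AutoSize
```

On the affected machine the same function can be fed live events (the AppLocker logs need an elevated session): `Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8005, 8007 } | ForEach-Object { $_.ToXml() } | Get-AppLockerRuleOutcome | Sort-Object Time`. Sorting by time next to the AppIDSvc start time (`Get-Service AppIDSvc` for its state, `sc.exe qtriggerinfo appidsvc` for its trigger-start configuration) shows whether the null-RuleId blocks cluster before the service was up. The function also surfaces TargetLogonId, which differs between the two events posted above, so blocked and allowed runs can be matched to their logon sessions.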

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Sean Chapman
Sent: Tuesday, December 5, 2017 6:41 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Applocker AppIDsvc autostart

Hey guys,

I'm trying to set up Applocker policies and move away from SRP whitelisting but 
I'm having trouble getting some stuff that runs via login script to work 
properly.  If I go to the event viewer and see the blocked scripts I can click 
them and they then run fine.  I'm leaning toward the AppID Service not starting 
before this is trying to run but I can't see anywhere to change it from 
Automatic trigger to Automatic.  I've tried using SC to change it but since it's 
turned on via GPO it's just not changing, and maybe that's how it's supposed to 
be?  I've definitely made rules to allow these as well.  Either way it's 
frustrating, any advice?


This is from the login:

Error   12/5/2017 7:33:05 AM    AppLocker       8007    None
*REMOVED FOR SECURITY*\POWERLINK_XA_ENV_CHANGE\POWERLINK_XA_ENV_CHANGE.BAT was 
prevented from running.

This is me looking at the event log and then clicking on the link to what was 
blocked:

Information     12/5/2017 7:41:30 AM    AppLocker       8005    None
*REMOVED FOR SECURITY*\POWERLINK_XA_ENV_CHANGE\POWERLINK_XA_ENV_CHANGE.BAT was 
allowed to run.