Thanks for the help. It's strange, it's like there is no rules processing, so it
blocks it, and then if I run it later it picks up the rule and it's fine.
THIS IS AT LOGIN WHEN IT'S BLOCKED
- System
- Provider
[ Name] Microsoft-Windows-AppLocker
[ Guid] {CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}
EventID 8007
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x4000000000000000
- TimeCreated
[ SystemTime] 2017-12-06T14:23:49.289420900Z
EventRecordID 538
Correlation
- Execution
[ ProcessID] 6124
[ ThreadID] 5124
Channel Microsoft-Windows-AppLocker/MSI and Script
Computer -REMOVED-
- Security
[ UserID] S-1-5-21-851404035-2101509786-1845911597-10248
- UserData
- RuleAndFileData
PolicyNameLength 6
PolicyName SCRIPT
RuleId {00000000-0000-0000-0000-000000000000}
RuleNameLength 1
RuleName -
RuleSddlLength 1
RuleSddl -
TargetUser S-1-5-21-851404035-2101509786-1845911597-10248
TargetProcessId 6124
FilePathLength 46
FilePath \\-REMOVED-\NETLOGON\MAPDRIVE.CMD
FileHashLength 0
FileHash
FqbnLength 1
Fqbn -
TargetLogonId 0x36c0cdb
THEN THIS IS RUNNING IT MANUALLY LATER
- System
- Provider
[ Name] Microsoft-Windows-AppLocker
[ Guid] {CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}
EventID 8005
Version 0
Level 4
Task 0
Opcode 0
Keywords 0x4000000000000000
- TimeCreated
[ SystemTime] 2017-12-06T17:26:27.398344200Z
EventRecordID 552
Correlation
- Execution
[ ProcessID] 3684
[ ThreadID] 396
Channel Microsoft-Windows-AppLocker/MSI and Script
Computer -REMOVED-
- Security
[ UserID] S-1-5-21-851404035-2101509786-1845911597-10248
- UserData
- RuleAndFileData
PolicyNameLength 6
PolicyName SCRIPT
RuleId {ED97D0CB-15FF-430F-B82C-8D7832957725}
RuleNameLength 11
RuleName All scripts
RuleSddlLength 53
RuleSddl D:(XA;;FX;;;S-1-5-32-544;(APPID://PATH Contains "*"))
TargetUser S-1-5-21-851404035-2101509786-1845911597-10248
TargetProcessId 3684
FilePathLength 46
FilePath \\-REMOVED-\NETLOGON\MAPDRIVE.CMD
FileHashLength 0
FileHash
FqbnLength 1
Fqbn -
TargetLogonId 0x36c0cb2
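In the two events above, the login-time 8007 carries the all-zero RuleId with RuleName and RuleSddl of "-", i.e. the block was logged without any rule having matched, while the later 8005 names the "All scripts" rule whose SDDL grants to S-1-5-32-544 (BUILTIN\Administrators). The PowerShell below, an added example and not code from the thread, parses such events into objects, resolves the trustee SID in the rule SDDL, and pairs a no-rule block with a later allow of the same file for the same user. The element names are taken from the Details view quoted above; that Get-WinEvent's ToXml() output has the same RuleAndFileData layout is an assumption, as are the -Live switch and the function names. The two sample events are constructed from the ones in the post.

```powershell
# Added example, not code from the thread. Parses AppLocker "MSI and Script"
# events, extracts the rule that decided each one, and pairs a no-rule 8007
# block with the next 8005 allow of the same file for the same user. Element
# names follow the Details view quoted above; run with -Live to read the real
# log instead of the constructed sample events at the bottom.
param([switch]$Live)

$NullRuleId = '{00000000-0000-0000-0000-000000000000}'   # RuleId when no rule matched

function ConvertFrom-AppLockerEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        $d = $x.Event.UserData.RuleAndFileData      # dotted navigation ignores xmlns
        $id = [int]$x.Event.System.EventID
        $outcome = switch ($id) { 8005 { 'allowed' } 8006 { 'audit' } 8007 { 'blocked' } default { 'other' } }
        # The trustee SID in the rule SDDL says who the matching rule applies to.
        $scope = $null
        if ($d.RuleSddl -match 'S-1-[0-9-]+') {
            $scope = $Matches[0]
            try {
                $scope = ([System.Security.Principal.SecurityIdentifier]$scope).Translate(
                             [System.Security.Principal.NTAccount]).Value
            } catch { }                               # unresolvable SID: keep it raw
        }
        [pscustomobject]@{
            Time            = $x.Event.System.TimeCreated.SystemTime   # ISO 8601 UTC, sorts as text
            EventId         = $id
            Outcome         = $outcome
            FilePath        = $d.FilePath
            TargetUser      = $d.TargetUser
            RuleId          = $d.RuleId
            RuleName        = $d.RuleName
            RuleScope       = $scope
            NoRuleEvaluated = ($d.RuleId -eq $NullRuleId)
        }
    }
}

function Find-LateRuleMatch {
    # For each file+user, the first no-rule block followed by a later allow.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($g in ($Events | Group-Object FilePath, TargetUser)) {
        $sorted  = $g.Group | Sort-Object Time
        $blocked = $sorted | Where-Object { $_.Outcome -eq 'blocked' -and $_.NoRuleEvaluated } | Select-Object -First 1
        if (-not $blocked) { continue }
        $allowed = $sorted | Where-Object { $_.Outcome -eq 'allowed' -and $_.Time -gt $blocked.Time } | Select-Object -First 1
        if (-not $allowed) { continue }
        [pscustomobject]@{
            FilePath      = $blocked.FilePath
            TargetUser    = $blocked.TargetUser
            BlockedAt     = $blocked.Time
            AllowedAt     = $allowed.Time
            AllowedByRule = $allowed.RuleName
            RuleAppliesTo = $allowed.RuleScope
        }
    }
}

# Constructed sample events, transcribed from the two events quoted above in the
# shape Get-WinEvent's ToXml() returns (the real XML also carries a namespace on
# RuleAndFileData, which the dotted navigation above ignores).
$blockedXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-AppLocker"/><EventID>8007</EventID><TimeCreated SystemTime="2017-12-06T14:23:49.289420900Z"/><Channel>Microsoft-Windows-AppLocker/MSI and Script</Channel></System><UserData><RuleAndFileData><PolicyName>SCRIPT</PolicyName><RuleId>{00000000-0000-0000-0000-000000000000}</RuleId><RuleName>-</RuleName><RuleSddl>-</RuleSddl><TargetUser>S-1-5-21-851404035-2101509786-1845911597-10248</TargetUser><TargetProcessId>6124</TargetProcessId><FilePath>\\-REMOVED-\NETLOGON\MAPDRIVE.CMD</FilePath><FileHash/><Fqbn>-</Fqbn></RuleAndFileData></UserData></Event>
'@
$allowedXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-AppLocker"/><EventID>8005</EventID><TimeCreated SystemTime="2017-12-06T17:26:27.398344200Z"/><Channel>Microsoft-Windows-AppLocker/MSI and Script</Channel></System><UserData><RuleAndFileData><PolicyName>SCRIPT</PolicyName><RuleId>{ED97D0CB-15FF-430F-B82C-8D7832957725}</RuleId><RuleName>All scripts</RuleName><RuleSddl>D:(XA;;FX;;;S-1-5-32-544;(APPID://PATH Contains "*"))</RuleSddl><TargetUser>S-1-5-21-851404035-2101509786-1845911597-10248</TargetUser><TargetProcessId>3684</TargetProcessId><FilePath>\\-REMOVED-\NETLOGON\MAPDRIVE.CMD</FilePath><FileHash/><Fqbn>-</Fqbn></RuleAndFileData></UserData></Event>
'@

$events = if ($Live) {
    Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/MSI and Script' |
        Where-Object { $_.Id -in 8005, 8006, 8007 } |
        ForEach-Object { $_.ToXml() } | ConvertFrom-AppLockerEvent
} else {
    $blockedXml, $allowedXml | ConvertFrom-AppLockerEvent
}

$events | Format-Table Time, EventId, Outcome, RuleName, RuleScope, NoRuleEvaluated -AutoSize
Find-LateRuleMatch -Events $events | Format-List
```

On the sample data the pairing reports the 14:23:49Z block followed by the 17:26:27Z allow, with AllowedByRule "All scripts" and RuleAppliesTo "BUILTIN\Administrators". That last field is worth noticing: the rule that allowed the manual run is the default administrators-only script rule, so the user in these events is a local administrator, and a non-admin user would not be allowed by it at all.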
From: [email protected] [mailto:[email protected]] On Behalf Of Aakash Shah
Sent: Tuesday, December 5, 2017 4:23 PM
To: [email protected]
Subject: [NTSysADM] RE: Applocker AppIDsvc autostart
From what I've seen, if the AppIdSvc is not running, then nothing should be
blocked until the service starts. So in theory, if the AppIdSvc has not
started, then it should not have blocked the first script below.

I assume that for both events below, the username is the same? Also, it may be
helpful to review the Details tab for these event log entries to read the
RuleName/RuleSddl fields to see what rule allowed the second attempt to run and
see if that may help explain why the first attempt didn't run.
-Aakash Shah
From: [email protected] [mailto:[email protected]] On Behalf Of Sean Chapman
Sent: Tuesday, December 5, 2017 6:41 AM
To: [email protected]
Subject: [NTSysADM] Applocker AppIDsvc autostart
Hey guys,
I'm trying to set up AppLocker policies and move away from SRP whitelisting, but
I'm having trouble getting some stuff that runs via login script to work
properly. If I go to the event viewer and see the blocked scripts, I can click
them and they then run fine. I'm leaning toward the AppID Service not starting
before this is trying to run, but I can't see anywhere to change it from
Automatic trigger to Automatic. I've tried using SC to change it, but since it's
turned on via GPO it's just not changing, and maybe that's how it's supposed to
be? I've definitely made rules to allow these as well. Either way it's
frustrating, any advice?
This is from the login:
Error 12/5/2017 7:33:05 AM AppLocker 8007 None
*REMOVED FOR SECURITY*\POWERLINK_XA_ENV_CHANGE\POWERLINK_XA_ENV_CHANGE.BAT was
prevented from running.
This is me looking at the event log and then clicking on the link to what was
blocked:
Information 12/5/2017 7:41:30 AM AppLocker 8005 None
*REMOVED FOR SECURITY*\POWERLINK_XA_ENV_CHANGE\POWERLINK_XA_ENV_CHANGE.BAT was
allowed to run.
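The theory in the original post is that the Application Identity service (AppIDSvc) is not yet running when the logon script executes. One way to check that on a single workstation, as an added example that is not from the thread: read the service's configured start type from the registry, then compare the first 8007 after boot with the first Service Control Manager 7036 ("The Application Identity service entered the running state.") after the same boot. The function names, the -Live switch and the constructed timestamps are assumptions; the 7036 parameter positions (display name, then state) and the English state string are assumed to match the stock message template.

```powershell
# Added example, not code from the thread. Gathers what is needed to test the
# "AppIDSvc was not up yet when the logon script ran" theory on one machine:
# the service's configured start type, and the first 8007 block after boot
# compared with the first System log 7036 saying Application Identity entered
# the running state after the same boot. -Live queries the machine; without it
# the comparison runs on constructed timestamps.
param([switch]$Live)

function Get-AppIdSvcConfig {
    # Start: 2 = Automatic, 3 = Manual, 4 = Disabled. A TriggerInfo subkey is what
    # makes services.msc show "(Trigger Start)". A System Services GPO setting
    # rewrites Start at each policy refresh, which is why sc config does not stick.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\AppIDSvc'
    $start = [int](Get-ItemProperty -Path $key -Name Start).Start
    $type  = switch ($start) { 2 { 'Automatic' } 3 { 'Manual' } 4 { 'Disabled' } default { "Unknown ($start)" } }
    [pscustomobject]@{
        StartValue   = $start
        StartType    = $type
        TriggerStart = Test-Path -Path (Join-Path $key 'TriggerInfo')
        Status       = (Get-Service -Name AppIDSvc).Status
    }
}

function Get-AppIdSvcRunningTime {
    # First SCM 7036 "The Application Identity service entered the running state."
    # after $Since. Properties[0] is the display name, Properties[1] the state;
    # English strings are assumed.
    param([Parameter(Mandatory)][datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq 'Application Identity' -and $_.Properties[1].Value -eq 'running' } |
        Sort-Object TimeCreated | Select-Object -First 1 -ExpandProperty TimeCreated
}

function Get-FirstScriptBlockTime {
    # First 8007 (script/MSI blocked) in the AppLocker log after $Since.
    param([Parameter(Mandatory)][datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8007; StartTime = $Since } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated | Select-Object -First 1 -ExpandProperty TimeCreated
}

function Test-BlockBeforeServiceStart {
    # Pure comparison, kept separate so it can be exercised on constructed times.
    param(
        [Parameter(Mandatory)][datetime]$BootTime,
        [Parameter(Mandatory)][datetime]$ServiceRunningAt,
        [Parameter(Mandatory)][datetime]$BlockedAt
    )
    $before = $BlockedAt -lt $ServiceRunningAt
    if ($before) { $verdict = '8007 was logged before AppIDSvc reported running: consistent with the logon script running ahead of the service' }
    else         { $verdict = 'AppIDSvc reported running before the block: the service-start theory does not explain this event; check the rule set and its user scope' }
    [pscustomobject]@{
        BootTime                  = $BootTime
        ServiceRunningAt          = $ServiceRunningAt
        BlockedAt                 = $BlockedAt
        SecondsAfterBoot          = [int]($BlockedAt - $BootTime).TotalSeconds
        BlockedBeforeServiceStart = $before
        Verdict                   = $verdict
    }
}

if ($Live) {
    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    Get-AppIdSvcConfig | Format-List
    $svcUp = Get-AppIdSvcRunningTime -Since $boot
    $block = Get-FirstScriptBlockTime -Since $boot
    if ($svcUp -and $block) {
        Test-BlockBeforeServiceStart -BootTime $boot -ServiceRunningAt $svcUp -BlockedAt $block | Format-List
    } else {
        'No 7036 for Application Identity and/or no 8007 since the last boot.'
    }
} else {
    # Constructed timestamps: the 8007 time from the thread, with an assumed boot
    # time and an assumed service start 16 s after the block.
    $sample = @{
        BootTime         = '2017-12-06T14:22:30Z'
        ServiceRunningAt = '2017-12-06T14:24:05Z'
        BlockedAt        = '2017-12-06T14:23:49Z'
    }
    Test-BlockBeforeServiceStart @sample | Format-List
}
```

Run it with -Live from an elevated prompt on the workstation right after a logon that produced the block. The trigger definitions themselves are not in the registry view above; `sc.exe qtriggerinfo appidsvc` prints them. If the 8007 consistently lands before the first 7036 for Application Identity, the timing theory holds for that machine; if the service was already running, the first example in this thread (RuleId all zeros versus a named rule) is the more useful place to look.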