Appguard Review

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
3,537
I have completely disabled AppLocker so this is not causing the issue.
Group Policy can cause weirdness too - but I have never seen it cause the policy error.

Group Policy can cause unexpected install\uninstall and function issues. It is difficult to diagnose Group Policy issues as they seem to be system specific; I have never identified any general trends with Group Policy that cause AppGuard issues. Also, I have never seen the Group Policy defaults cause problems with AppGuard. It still is possible - especially if policies have been changed from their defaults.
 
Likes: Umbra

Lockdown

@ParaXY
@Umbra

It has only been established that characters in a file path on a non-system partition\drive will cause the policy error.

All of the below are file paths with symbol characters created on the System drive and none have - to my knowledge - ever caused an AppGuard policy error.

On Windows 10 CU these file paths are created:
  • C:\Users\User\Favorites\Movies, Videos & TV (As a part of troubleshooting the policy error I would eliminate the "&" character in this file path)
  • C:\Users\User\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!??? where ? = wildcard for individual numbers
  • There is a large number of file paths with the "#" character in it - most notably .NET Framework

example,

C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.*# where * = wildcard for all numbers

  • There is a large number of file paths with the "-" and "_" character in it - most notably WinSxS

example,

C:\Windows\WinSxS\amd64_c_hdc.inf.resources_31bf3856ad364e35_10.0.15063.0_en-us_5085ebedc393d4cc

  • Then there are the hidden, non-accessible file paths with the "$" character

example,

C:\$Extend\$RmMetadata

  • There are only a couple of file paths with the "%" character in it

example,

C:\Users\User\AppData\Roaming\Microsoft\Word\AppGuard%20Enterprise%20Folder%20Maps305882162702476631

  • There are file paths with the "(" and ")" characters in them

example,

C:\Program Files (x86)\Intel\Intel(R) Processor Graphics

  • There are usually only a very few file paths with the "+" character in it

example,

C:\Users\User\AppData\Local\Microsoft\Office\16.0\Wef\{EDDF5CCA-76A7-4076-9BEB-7BF04E507BA2}\Omex\Qxcohx+CWETDnICWSgcWrw==

  • There are some file paths with the "=" in it

example,

C:\ProgramData\Microsoft\VisualStudio\Packages\Microsoft.VisualStudio.Component.CoreEditor,version=15.0.26208.0

  • There are some file paths with the "~" character in it

example,

C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.WindowsMaps_2017.317.1503.0_neutral_~_8wekyb3d8bbwe

  • There are some file paths with the "," character in it

example,

C:\ProgramData\Microsoft\VisualStudio\Packages\Microsoft.VisualStudio.Component.CoreEditor,version=15.0.26208.0

  • There are file paths with the "{" and "}" characters in it

example,

C:\Users\User\AppData\Local\Microsoft\Office\16.0\Wef\{EDDF5CCA-76A7-4076-9BEB-7BF04E507BA2}

  • These characters will not be found in file paths - ` - ; - " - ' - < - < - * - ? - / - | - [ - ] as they are disallowed by Windows
 
Joined
Mar 14, 2017
Messages
279
@Lockdown: Thanks for taking the time on a weekend to respond to my issues!

Before I proceed with doing anything, am I correct in saying that I am searching for the & character in FOLDERS only and on NON system drives only? ie: I can ignore folder names on the boot drive?

I just did a search on my D: drive using the following:

Code:
~=&

And this brought back a list of all files and folders with the & in it. Do I just rename the folders and ignore the files? Is it just the folders that contains an & that causes an issue with AppGuard? ie: filenames with & are ok?
 

Umbra

Level 85
Content Creator
Verified
Joined
May 16, 2011
Messages
18,253
OS
Windows 10
Antivirus
Default-Deny
@Lockdown: Thanks for taking the time on a weekend to respond to my issues!

Before I proceed with doing anything, am I correct in saying that I am searching for the & character in FOLDERS only and on NON system drives only? ie: I can ignore folder names on the boot drive?
normally

And this brought back a list of all files and folders with the & in it. Do I just rename the folders and ignore the files? Is it just the folders that contains an & that causes an issue with AppGuard? ie: filenames with & are ok?
Try the 1st method (only rename folders); if still problematic, try with the files.
 

Lockdown

@Lockdown: Thanks for taking the time on a weekend to respond to my issues!

Before I proceed with doing anything, am I correct in saying that I am searching for the & character in FOLDERS only and on NON system drives only? ie: I can ignore folder names on the boot drive?

I just did a search on my D: drive using the following:

Code:
~=&
And this brought back a list of all files and folders with the & in it. Do I just rename the folders and ignore the files? Is it just the folders that contains an & that causes an issue with AppGuard? ie: filenames with & are ok?
I would first just look at file paths on non-system drives and partitions for non-letter and non-number characters.

First, just rename the folders. Folders with & in their name have been confirmed as a cause of the policy error that you have reported.

Troubleshooting these types of issues is a process of elimination.
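
The search described in the post above, as an added PowerShell example that is not part of the original post and not AppGuard's own tooling: it lists folders on non-system fixed drives whose names contain "&" or any other non-letter, non-number character. Treating spaces as harmless and scanning only fixed local volumes are assumptions of this example.

```powershell
# Added example (not from the thread): list folders on non-system drives whose
# names contain '&' or any other non-letter, non-number character.
# Read-only: nothing is renamed. Spaces are ignored (assumption).
$systemDrive = $env:SystemDrive   # e.g. "C:"
$symbolRegex = [regex]'[^\p{L}\p{N} ]'

# Fixed local volumes (DriveType 3), excluding the system drive.
$dataDrives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
    Where-Object { $_.DeviceID -ne $systemDrive } |
    ForEach-Object { $_.DeviceID }

$findings = foreach ($drive in $dataDrives) {
    Get-ChildItem -LiteralPath "$drive\" -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $symbolRegex.IsMatch($_.Name) } |
        ForEach-Object {
            $dir     = $_
            $symbols = $symbolRegex.Matches($dir.Name) |
                ForEach-Object { $_.Value } | Sort-Object -Unique
            [pscustomobject]@{
                HasAmpersand = $dir.Name.Contains('&')
                Symbols      = -join $symbols
                FullName     = $dir.FullName
            }
        }
}

# '&' folders first, since those are the confirmed cause of the policy error.
$findings |
    Sort-Object -Property @{ Expression = 'HasAmpersand'; Descending = $true }, FullName |
    Format-Table -AutoSize -Wrap
```

Volumes that are locked or unreadable are skipped silently, so an empty result on a BitLocker-protected drive only counts if the drive was unlocked when the script ran.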
 
Joined
Mar 14, 2017
Messages
279
Ok, renaming the folders on my non-system drives with & in it didn't work. I even went one step further and disconnected the two data drives from Windows that contained folders with & in them and rebooted and AppGuard is still throwing the same errors when I change settings/slider.

So I'm assuming it's not the folder names and has to be something else.

What else can I check?
 

Umbra

- Do you have RAMdisks? If yes, disconnect them.
- Any reg tweaks you did? Can you unload them?
- AppGuard was installed in the admin account, right?

I saw you have VM partitions? What are those exactly? Classic partitions with VM images in them, or mounted VM images?
 
Joined
Mar 14, 2017
Messages
279
- do you have RAMdisks? if yes disconnect them
- Any reg tweaks you did ? can you unload them?
- Appguard was installed in admin account right?

i saw you have VM partitions? what are those exactly ? classic partitions with VM images in them or mounted VM images?
I don't have RAMdisks.

Yes, lots of registry tweaks. Most of them are look and feel changes (like File Explorer). I've attached my registry tweaks as I keep them all in a single file. The one that caught my eye was:

Code:
;Enable LSA Protection:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001

I installed Appguard using my SUA account but was prompted for my admin credentials to continue the install.

The V: drive just contains the VMware disk files for VMware Workstation. They aren't mounted and are only used when a VM is powered on.

I looked at the Event Viewer entries for AppGuard and they didn't tell me much (they were all informational). Does AppGuard have a more useful/detailed log somewhere that can assist with the troubleshooting?
 


Likes: askmark

Umbra

Code:
;Enable LSA Protection:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001
Try to disable it.


I installed Appguard using my SUA account but was prompted for my admin credentials to continue the install.
Install AG under the admin account first because users are separated. The settings you make in one aren't transferred to another. I never installed AG under SUA.

So uninstall AG from SUA, reboot, install it under the Admin account.

It is not a good practice to install from SUA; SUA is made for daily tasks.
 

Lockdown

@ParaXY

AppGuard must be installed in an Administrator account.

When you sign-in to a SUA account you will have to create a separate policy.

Policies are separate for each User Profile.

A lot of registry tweaks is a problem. You might have to backtrack every single one of the registry tweaks if installing in an Administrator account does not fix the issue.

There are no other AppGuard logs other than those in the Event Viewer. Our logging only shows AppGuard events. You will find Windows logging in SYSTEM.

I can tell you right now - when registry tweaks are involved - if the problem persists, then support is going to tell you to clean install the OS. In the case of persistent problems, your best bet to resolve issues is to always clean install the OS.
 

askmark

Level 12
Verified
Joined
Aug 31, 2016
Messages
561
OS
Windows 10
Antivirus
Default-Deny
You could try using Sysinternals' Process Monitor, with a filter that includes only the AppGuard processes. Then look for any file and registry blocks when you change the slider.
You could try this... has worked for me in the past when tracking down elusive registry key or file permission issues.
 
Likes: Umbra

Lockdown

I said that to him :D
I saw it. I can't force anybody to do a clean install. At the same time, neither I nor support are going to spend any time troubleshooting modified\tweaked Windows. Troubleshooting on a system with Windows tweaks is the responsibility of the user.

Anything that modifies user and\or file system permissions can create issues that are very difficult to troubleshoot.
 

Lockdown

And who has not experienced this one before ? -- you make tweaks to the OS, at some later point they seem to be causing a problem, you then spend hours undoing those tweaks, reboot the system, and the problem still persists after you undo the tweaks...

In the end you clean install the OS and that fixes the problem.
 

Peter2150

Level 7
Verified
Joined
Oct 24, 2015
Messages
300
OS
Windows 7
Antivirus
Emsisoft
Hi Para

In reading through this thread I noticed you said you disabled Applocker. If you can you should try uninstalling it. I have found with security program conflicts disabling doesn't help. Drivers can still be active and cause issues.
 
Joined
Mar 14, 2017
Messages
279
@ParaXY

AppGuard must be installed in an Administrator account.

When you sign-in to a SUA account you will have to create a separate policy.

Policies are separate for each User Profile.

A lot of registry tweaks is a problem. You might have to backtrack every single one of the registry tweaks if installing in an Administrator account does not fix the issue.

There are no other AppGuard logs other than those in the Event Viewer. Our logging only shows AppGuard events. You will find Windows logging in SYSTEM.

I can tell you right now - when registry tweaks are involved - if the problem persists, then support is going to tell you to clean install the OS. In the case of persistent problems, your best bet to resolve issues is to always clean install the OS.
Thanks for all the replies everyone.

So I uninstalled (again), rebooted and this time logged in as the admin account and installed AppGuard. Same behaviour, errors whenever changing anything in AppGuard.

Before even considering a rebuild, I am running Windows 10 Enterprise Creators Update (Build 1703), is this an issue since it was only released a few weeks ago?

Also, I use Bitlocker on all my drives with ReFS, is this an issue? The boot drive uses NTFS.

I also use Secure Boot in UEFI.

Hi Para

In reading through this thread I noticed you said you disabled Applocker. If you can you should try uninstalling it. I have found with security program conflicts disabling doesn't help. Drivers can still be active and cause issues.
You can't uninstall AppLocker but you can remove all the rules and disable the service which is what I have done.

Hi Para

In reading through this thread I noticed you said you disabled Applocker. If you can you should try uninstalling it. I have found with security program conflicts disabling doesn't help. Drivers can still be active and cause issues.
I did have a quick look in ProcMon but I almost never use this tool so may need some guidance on how to use this to troubleshoot this issue!
 

Lockdown

@ParaXY

Please read this support policy: AppGuard 4.x 32/64 Bit

I really can't give you a definitive answer on Win 10 Enterprise CU (1703).

There are no known incompatibilities between BitLocker and AppGuard. However, with BitLocker anything is possible.

I recommend a clean uninstall of AppGuard. After uninstalling it do the following in both the Admin and SUA accounts\user profiles:

1. Search for Blue Ridge Networks using UltraSearch or Search Everything

Any folders that are found, delete them

There should be folders for C:\Program Files (x86), C:\ProgramData, and C:\Users\User\AppData\Roaming

2. Search for AppGuard using UltraSearch or Search Everything

Any AppGuard objects that are found, delete them

There should be prefetch items

3. Search for brnfilelock.sys

Delete it

4. Reboot the system

5. Perform a registry clean-up using CCleaner or equivalent

6. Reboot the system

7. Reinstall AppGuard
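
A read-only check for the leftovers named in steps 1 to 3 above, as an added PowerShell example that is not part of the original post and not a vendor tool. The two-level search depth under each root, the Prefetch folder location, and the search for brnfilelock.sys under %SystemRoot% are assumptions of this example; it also reports whether any driver registration still points at brnfilelock.sys.

```powershell
# Added example (not from the thread): report leftovers from steps 1-3 above.
# Read-only; run elevated after uninstalling AppGuard and review before deleting.
$userRoaming = Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming' }
$roots = @(${env:ProgramFiles(x86)}, $env:ProgramData) + @($userRoaming) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$report = @(
    # Step 1: "Blue Ridge Networks" folders (searched two levels deep: assumption).
    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth 2 -Force -Filter '*Blue Ridge Networks*' -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Step'; e = { 1 } }, FullName
    }

    # Step 2: AppGuard prefetch items (Prefetch folder location: assumption).
    Get-ChildItem -LiteralPath "$env:SystemRoot\Prefetch" -File -Filter '*AppGuard*' -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Step'; e = { 2 } }, FullName

    # Step 3: the brnfilelock.sys file (searched under %SystemRoot%: assumption).
    Get-ChildItem -LiteralPath $env:SystemRoot -File -Recurse -Force -Filter 'brnfilelock.sys' -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Step'; e = { 3 } }, FullName
)

# A file can be gone while the driver registration remains, or the reverse.
$driver = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*brnfilelock.sys' }

if ($report.Count -gt 0) {
    $report | Sort-Object Step, FullName | Format-Table -AutoSize -Wrap | Out-Host
} else {
    'No leftover files or folders found in the searched locations.'
}

if ($driver) {
    $driver | Format-List Name, State, StartMode, PathName | Out-Host
} else {
    'No registered driver points at brnfilelock.sys.'
}
```

Run it once in the Admin account and once in the SUA account, since the post asks for the clean-up in both user profiles.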
 
Joined
Mar 14, 2017
Messages
279
I read your support policy. Not sure what you're hinting at but are you saying my version of Windows isn't legitimately activated:

That means if you install a Windows image that has not been paid for and activated using the official activation method designated by Microsoft for that image, and you then install AppGuard on that Windows image, that AppGuard installation will be unsupported by AppGuard LLC\Blue Ridge Networks.

Anyway, yes this Windows "image" is activated using the official method. I work for a Microsoft Gold partner so that is how I have an Enterprise license.

I really can't give you a definitive answer on Windows 10 Enterprise CU (1703).

There are no known incompatibilities between BitLocker and AppGuard. However, with BitLocker anything is possible.
I uninstalled AppGuard from my physical PC and have installed AppGuard successfully in a VM. The VM is running Windows 10 Enterprise Creators Edition 1703, has a BitLocker-enabled ReFS partition and, most importantly, I have run my registry customisation batch file on the VM and I can still change AppGuard's slider/settings without any errors prompting me. Obviously there are still many differences between the VM and my physical PC (like other apps installed and the data drives) but it does prove that all my tweaks of the OS work.

I recommend a clean uninstall of AppGuard. After uninstalling it do the following in both the Admin and SUA accounts\user profiles:

1. Search for Blue Ridge Networks using UltraSearch or Search Everything

Any folders that are found, delete them

There should be folders for C:\Program Files (x86), C:\ProgramData, and C:\Users\User\AppData\Roaming

2. Search for AppGuard using UltraSearch or Search Everything

Any AppGuard objects that are found, delete them

There should be prefetch items

3. Search for brnfilelock.sys

Delete it

4. Reboot the system

5. Perform a registry clean-up using CCleaner or equivalent

6. Reboot the system

7. Reinstall AppGuard
Ok, I am going to try what you mentioned and report back.

Thanks for the help and assistance.

Stay tuned!
 
Likes: Andy Ful
