Advice Request Exploit Guard for Windows 10 Store Apps?


notabot

Level 15
Thread author
Verified
Oct 31, 2018
703
To apply Exploit Guard to store apps, the path under c:\program files\WindowsApps (hidden folder) needs to become readable by the local administrator if the executables are to be referenced by full path.

The reason I want to reference them by full path is persistence of settings between Windows updates.

To do that, the local administrator must become the owner of the folder. The security tab doesn’t show me who the current owner is, but in any case, if after I take ownership I don’t touch the permissions of the current owner and just give read access to local admin - does this break anything? (I’d assume no but want to check.)

Also, is there any other way to write Exploit Guard profiles without changing the ownership of that folder?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Example for calculator.exe.
Add any application with full path via Exploit Protection. Navigate to the Registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Find the name of your application and rename it to calculator.exe. Expand the renamed key, click on the GUID, click on the FilterFullPath registry value, edit the path.
Now you can use Exploit Protection to add the needed mitigations.
 

notabot


Still, the full path (which is under WindowsApps) is non-readable even by Admins - is there a way to see the full path of an app without changing ownership & permissions for WindowsApps?

Essentially it’s more a question about how to find out the path without changing owner & permissions for the folder WindowsApps.
 

Andy Ful

Use CMD or PowerShell console with admin rights to list the folders and files.
 

notabot


Interesting, why can I enter the folder with PowerShell as admin but not via Explorer as admin? In the Unix world with rwx permissions, all the ways to list content or go to a dir would have the same outcome; in Win 10, PowerShell can while the normal shell can’t.
 

notabot

So e.g. the path to Word (not Word Mobile) when it’s installed via the store is

Microsoft.Office.Desktop.Word.X.Y.Z.0_x86_mumbojumbo/Office16

X.Y.Z looks like versioning info to me, no clue what mumbojumbo is.

If indeed X.Y.Z is versioning, then the path is version dependent, and this is not convenient at all for putting full paths in Exploit Guard, as changes in the versioning imply a need to change paths in Exploit Guard.
In my view this is bad design.

Same goes e.g. for Foxit, there’s versioning info in the path.
 

notabot

Why do you expect that it should be convenient? This does not follow from the way M$ makes security software in Windows Home and Pro. :unsure:

:ROFLMAO: I’d imagine even in enterprise this is a pita. Paths would be passed via GPO, but the issue of having the pathname include versioning info is still there for enterprise.
 
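Added example, not part of any post in this thread: an elevated PowerShell sketch that reads a Store app's current install path from package metadata (no ownership or ACL change on WindowsApps) and then lists the FilterFullPath entries under the Image File Execution Options key mentioned above, flagging those whose versioned path no longer exists. The package name pattern is an assumed placeholder.

```powershell
# Added example; run in an elevated PowerShell console.
# Assumption: the package name pattern below is a placeholder, adjust it.
$packagePattern = '*WindowsCalculator*'

# 1. Resolve the current (version-dependent) install folder from package
#    metadata instead of browsing C:\Program Files\WindowsApps.
$apps = Get-AppxPackage -Name $packagePattern | ForEach-Object {
    $pkg = $_
    Get-ChildItem -LiteralPath $pkg.InstallLocation -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Package = $pkg.PackageFullName
                Version = $pkg.Version
                Exe     = $_.FullName
            }
        }
}
$apps | Format-Table -AutoSize

# 2. Enumerate full-path Exploit Protection entries: each image key may hold
#    subkeys that carry a FilterFullPath value. Report whether the path still
#    exists, since a Store update changes the versioned folder name.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$entries = Get-ChildItem -LiteralPath $ifeo | ForEach-Object {
    $image = $_.PSChildName
    Get-ChildItem -LiteralPath $_.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
        $prop = Get-ItemProperty -LiteralPath $_.PSPath -Name FilterFullPath -ErrorAction SilentlyContinue
        if ($prop.FilterFullPath) {
            [pscustomobject]@{
                Image          = $image
                FilterFullPath = $prop.FilterFullPath
                PathExists     = Test-Path -LiteralPath $prop.FilterFullPath
            }
        }
    }
}

# Entries with PathExists = False point at a folder from an older app version
# and no longer match the installed executable.
$entries | Where-Object { $_.FilterFullPath -like '*\WindowsApps\*' } |
    Sort-Object PathExists | Format-Table -AutoSize
```

Running the second part after each Store update shows which full-path entries need their FilterFullPath value edited to the new folder reported by the first part.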
