Hard_Configurator - Windows Hardening Configurator

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
shmu26 said:
I don't understand, why is it blocked, if it runs with admin rights, and ps1 is not a blocked file type?
Click to expand...
Normally it is not run as admin, but @Freki123 have run it as admin to see the log from Advanced SRP logging feature (see TOOLS). (y)
This is probably not necessary, because he could just use <Blocked Events / Security Logs> to see the same blocked events.
The script is created by Windows to manage PowerShell Language modes, but I do not know how it is related to the game from @Freki123 post.

Gandalf_The_Grey said:
Andy, why the question marks instead of 1 asterisk ?
Click to expand...
The whitelisted entries in the user Temp folder should be maximally specific (not general). The best way would be whitelisting the script by hash, but @Freki cannot probably see it because it is quickly deleted.

This script should be blocked!!! See the next post.

@Freki123,
Why do you want to whitelist this PowerShell script? Do you have any problem with the game when the script is blocked? What Windows edition do you use (Home, Pro, E3, E5)?
It seems that this script is a part of PowerShell validating mechanism to find out if SRP or Applocker are activated. When it is blocked, PowerShell turns on Constrained Language mode which is welcome. This script should be blocked, so it should not be whitelisted. If you whitelist this script the test will be fooled and PowerShell will turn off Constrained Language mode (Full Language will be applied).
 
Last edited:
  • Like
Reactions: simmerskool, shmu26, Freki123 and 4 others
F

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
757
@Andy Ful Im on Windows 10Pro, 64 bit, 1809. I didn't really wanted to whitelist powershell but from the log it seemed to me that it was the only thing blocked after i whitelisted all the needed exes.
The game wouldn't start at all that was the problem (Launcher yes, game no).
Since powershell is a bit of a mystery to me I stopped before creating big holes with any ps whitelisting.
After some try and error with H_C I found out that that the game also got a file integrity check. I ran that and it re downloaded a few files.
Tldr: It seems the problem was a corrupt game install and NOT H_C related. (Never thought of that ever).
Will have to try it again tomorrow getting late now.

Thanks for all the helpful answers :)
 
  • Like
Reactions: Gandalf_The_Grey, simmerskool, shmu26 and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
Freki123 said:
@Andy Ful Im on Windows 10Pro, 64 bit, 1809. I didn't really wanted to whitelist powershell but from the log it seemed to me that it was the only thing blocked after i whitelisted all the needed exes.
The game wouldn't start at all that was the problem (Launcher yes, game no).
Since powershell is a bit of a mystery to me I stopped before creating big holes with any ps whitelisting.
After some try and error with H_C I found out that that the game also got a file integrity check. I ran that and it re downloaded a few files.
Tldr: It seems the problem was a corrupt game install and NOT H_C related. (Never thought of that ever).
Will have to try it again tomorrow getting late now.

Thanks for all the helpful answers :)
Click to expand...
The fact that you can see this script blocked is normal and was reported in Enterprises when running signed scripts under Applocker (or SRP). I also use H_C on Windows 10Pro, 64 bit, 1809 and cannot see such script blocked. So, maybe it happens when running only digitally signed scripts? I am not sure, because I do not use signed PowerShell scripts.
 
  • Like
Reactions: Freki123, Gandalf_The_Grey, simmerskool and 3 others
F

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
757
Andy Ful said:
I also use H_C on Windows 10Pro, 64 bit, 1809 and cannot see such script blocked. So, maybe it happens when running only digitally signed scripts? I am not sure, because I do not use signed PowerShell scripts.
Click to expand...
For me it was: I wanted to play a game > whitelisted stuff > the game still wouldn't start (only the launcher client). Read the error log >saw powershell stuff (which is above my skill level and I didn't want to mess it up) > gave up and asked for help/ideas.
In hindsight it seemed to be a corrupt game install but at the time being I thought it had to do with H_C. I didn't really wanted to run powershell I just wanted a working game and the powershell error was the only hint I got.
Sorry can't explain it any better.
Anyway thanks for all the kind help :)
 
Last edited:
  • Like
Reactions: simmerskool, Andy Ful, shmu26 and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
Freki123 said:
For me it was: I wanted to play a game > whitelisted stuff > the game still wouldn't start (only the launcher client). Read the error log >saw powershell stuff (which is above my skill level and I didn't want to mess it up) > gave up and asked for help/ideas.
In hindsight it seemed to be a corrupt game install but at the time being I thought it had to do with H_C. I didn't really wanted to run powershell I just wanted a working game and the powershell error was the only hint I got.
Sorry can't explain it any better.
Anyway thanks for all the kind help :)
Click to expand...
You are welcome. :giggle:
Please, do not hesitate to ask, because this thread is also for learning. Anyway, your problem is interesting for two reasons:
  1. Something tried to run PowerShell.
  2. I have never seen this blocked PowerShell script on my machine, although such behavior is common in Enterprises which use SRP or Applocker.
 
  • Like
Reactions: Tiny, simmerskool, stefanos and 6 others
stefanos

stefanos

Level 28
Verified
Top Poster
Well-known
Oct 31, 2014
1,712
Problem with ran by smart screen. Any help??
214345
 
  • Like
Reactions: shmu26 and oldschool
stefanos

stefanos

Level 28
Verified
Top Poster
Well-known
Oct 31, 2014
1,712
oldschool said:
Was H_C installed and enabled in your OneKey system image? What settings are you using in H_C?

Have you made any changes to firewall settings? Any other security apps installed?
Click to expand...
no

Andy Ful said:
Use ConfigureDefender :
ADMIN: SMARTSCREEN For Explorer set to Warn (or Block).(y)
Click to expand...
I tried all Andy. I am 5 hours to the laptop . Nothing :mad: :mad:
Look the PRTSC ..##### is crazy
214349
214350
214351


Anyway i will test the Panda free tomorow and after the infection, that is sure :) other one time clean install and i will see .
 
  • Like
Reactions: Andy Ful, shmu26 and oldschool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
Last edited:
  • Like
  • Thanks
Reactions: Gandalf_The_Grey, stefanos, harlan4096 and 3 others
stefanos

stefanos

Level 28
Verified
Top Poster
Well-known
Oct 31, 2014
1,712
Andy Ful said:
You have set it to User but you should set to Warn (or Block). That should help to use RunBySmartScreen. Microsoft probably changed something in SmartScreen and it is an issue only after the fresh install, because the old settings are absent. I will investigate it.
Click to expand...
I did that too. I did everything I could think of making it work. Nothing.

I thought I found Why does not work.
Old version windows 10 regedit
214352


My regedit after clean install
214354
 
  • Like
Reactions: oldschool, Andy Ful, shmu26 and 1 other person
stefanos

stefanos

Level 28
Verified
Top Poster
Well-known
Oct 31, 2014
1,712
shmu26 said:
What happens if you enable it in group policy?Smart screen works. The program not work
Click to expand...

214355

Here is the smart screen on my regedit

Andy Ful said:
You have set it to User but you should set to Warn (or Block). That should help to use RunBySmartScreen. Microsoft probably changed something in SmartScreen and it is an issue only after the fresh install, because the old settings are absent. I will investigate it.
Click to expand...

Microsoft sure changed something in SmartScreen and it is an issue.
 
  • Like
Reactions: oldschool, Andy Ful and shmu26
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
stefanos said:
I did that too. I did everything I could think of making it work. Nothing.

I thought I found Why does not work.
Old version windows 10 regedit
View attachment 214352

My regedit after clean install
View attachment 214354
Click to expand...
When you run H_C then it automatically adds the right registry value (if the value is absent):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
SmartScreenEnabled = Prompt
So, if you are using RunBySmartScreen via H_C (set <Run As SmartScreen> = "Standard User"), then there should be no issue.
If it is anyway, then let me know, please.

Edit
You can test easily on any EXE file if SmartScreen is triggered. Simply turn off the Internet connection for a while and run the EXE file via "Run As SmartScreen" or "Run By SmartScreen" from the right-click Explorer context menu. You should see the SmartScreen prompt that SmartScreen cannot connect to SmartScreen filter.
 
Last edited:
  • Like
Reactions: simmerskool, oldschool, silversurfer and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
@stefanos,
I can guess that the issue was with the standalone RunBySmartScreen, which does not add the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
SmartScreenEnabled = Prompt
This can be an issue on a fresh installation of the new Windows 10 versions. Those versions skip this registry key on a fresh installation. It is added only when the user changes the SmartScreen settings to Block or Off.
So, it seems that I have to add the ability to correct this also in RunBySmartScreen standalone version.
Anyway using ConfigureDefender to set SmartScreen to Warn or Block (but not to User) also solves this issue.
Thanks for testing. Be safe.:giggle:(y)
 
  • Like
  • Thanks
Reactions: ForgottenSeer 85179, simmerskool, oldschool and 4 others
stefanos

stefanos

Level 28
Verified
Top Poster
Well-known
Oct 31, 2014
1,712
After 2 clean install windows 10 without install anything
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer SmartScreen I can not see the value smart screen. And i have not run by smart screen at axplorer. When i try to install it come the message The smartScreen is disabled. Please enable it to make use of Run by Smartscreen. But SmartScreen if i run one unknown file working.
214357
 
  • Like
Reactions: oldschool, shmu26, harlan4096 and 2 others

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
255
Views
17,349
Hard_Configurator Tools
Andy Ful
Andy Ful
Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
22,036
Hard_Configurator Tools
South Park
South Park
SpyNetGirl
    • Like
    • Applause
    • Thanks
Serious Discussion Why do you use obsolete security technologies such as SRP?
Replies
7
Views
489
General Security Discussions
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top