Hard_Configurator - Windows Hardening Configurator
<blockquote data-quote="Andy Ful" data-source="post: 588328" data-attributes="member: 32260">
<p><strong>Advanced SRP logging (Verbose trace logging of SRP).</strong></p>
<p></p>
<p>Windows Event Log is useful when EXE, MSI, and (or) script files are blocked, but sometimes the information about DLLs blocked by SRP is required. So, we can activate Verbose trace logging of SRP by changing the Registry:</p>
<p></p>
<p>HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\CodeIdentifiers</p>
<p>LogFileName</p>
<p>Value REG_SZ</p>
<p>c:\Log_Path\SRP.log</p>
<p></p>
<p>Now, the info about all processes that <strong>were run with Administrative Rights</strong> is written to the file SRP.log. This can be used to identify the problems with blocked DLLs, when ‘SRP Transparent Enabled’ is set to ‘Include DLLs’. You have to run the blocked application with "Run As Administrator" or "Run As SmartScreen" (bypassing SRP), and then look which User Space DLLs are in the log.</p>
<p>For example, if ‘EagleGet Downloader’ is "Run As Administrator", the log shows the below User Space entries:</p>
<p></p>
<p>EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\util.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}</p>
<p>EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\CrashRpt.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}</p>
<p>EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\libcurl.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}</p>
<p>EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\sqlite3.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}</p>
<p>EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\zlib.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}</p>
<p>EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\SSLEAY32.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}</p>
<p>EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\LIBEAY32.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}</p>
<p>EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\ssl.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}</p>
<p>EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\sslQuery.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}</p>
<p>EagleGet.exe (PID = 4704) identified \??\D:\Portable\EagleGet_\dl.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}</p>
<p>EagleGet.exe (PID = 4704) identified D:\Portable\EagleGet_\EGMonitor.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}</p>
<p>EGMonitor.exe (PID = 5240) identified \??\D:\Portable\EagleGet_\util.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}</p>
<p>EGMonitor.exe (PID = 5240) identified \??\D:\Portable\EagleGet_\sqlite3.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}</p>
<p>EGMonitor.exe (PID = 5240) identified \??\D:\Portable\EagleGet_\dl.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}</p>
<p>(I removed numerous entries related to DLLs from the C:\Windows\System32 folder).</p>
<p></p>
<p><em><strong>All the above DLLs and the file EGMonitor.exe must be whitelisted too.</strong></em></p>
<p>(If you are lazy, then a D:\Portable\EagleGet_\*.dll wildcard path entry will be sufficient).</p>
<p></p>
<p>Another example: when NoVirusThanks ‘dllexplorer_setup.exe’ is "Run As SmartScreen", the User Space entries in the log will look like:</p>
<p></p>
<p>dllexplorer_setup.exe (PID = 5236) identified C:\Users\Admin\AppData\Local\Temp\is-PPQV9.tmp\dllexplorer_setup.tmp as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}</p>
<p></p>
<p>So, we know that dllexplorer_setup.exe is using dllexplorer_setup.tmp to execute in the temporary folder ‘C:\Users\USERNAME\AppData\Local\Temp\is-ASDAD.tmp\’.</p>
<p>Now, dllexplorer_setup.tmp can be whitelisted, and the program can be run normally, without using Administrative Rights.</p>
<p></p>
<p>The original SRP.log has numerous entries related to DLLs from C:\Windows\System32 and other System Space locations, so it's not easy to find a few entries from User Space. In the new Hard_Configurator version, I will add the option to filter from this log only scripts and User Space DLLs.</p>
</blockquote>
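The filtering step the post describes (dropping the System Space noise from SRP.log and keeping only the User Space files that still need path rules) can be done with a short script. This is an added example, not code from the post or from Hard_Configurator; it assumes the line format quoted above, treats %SystemRoot% and %ProgramFiles% as System Space (adjust to your own default rules), and embeds a constructed sample log built from a few of the post's entries plus one System32 line of the kind the author trimmed.

```python
import re
from collections import OrderedDict

# SRP verbose trace line format, as quoted in the post:
# "<image> (PID = <n>) identified <path> as <level> using <rule>, Guid = {<guid>}"
LINE_RE = re.compile(r"^(?P<proc>\S+) \(PID = (?P<pid>\d+)\) identified (?P<path>.+?) as "
                     r"(?P<level>\w+) using (?P<rule>.+?), Guid = \{(?P<guid>[0-9a-f-]+)\}$", re.I)

# Assumption: System Space = the folders covered by SRP's default path rules
# (%SystemRoot%, %ProgramFiles%); adjust this tuple to match your own policy.
SYSTEM_SPACE = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_srp_log(text):
    # One dict per parsable line; the \??\ NT prefix seen on DLL paths is stripped
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            e = m.groupdict()
            p = e["path"]
            e["path"] = (p[4:] if p.startswith("\\??\\") else p).lower()
            yield e

def user_space_files(text, proc=None):
    # Unique User Space paths in first-seen order, optionally for one image name only
    seen = OrderedDict()
    for e in parse_srp_log(text):
        if (proc is None or e["proc"].lower() == proc.lower()) and not e["path"].startswith(SYSTEM_SPACE):
            seen.setdefault(e["path"], True)
    return list(seen)

def suggest_rules(paths):
    # Collapse DLLs from one folder into a '<folder>\*.dll' path rule; EXE/TMP files stay explicit
    rules = OrderedDict()
    for p in paths:
        folder, _, name = p.rpartition("\\")
        rules.setdefault(folder + "\\*.dll" if name.endswith(".dll") else p, True)
    return list(rules)

# Constructed sample log: entries taken from the post plus a System32 line for the filter to drop
GUID = "{11015445-d282-4f86-96a2-9e485f593302}"
SAMPLE_LOG = "\n".join(
    f"{proc} (PID = {pid}) identified {path} as Unrestricted using default rule, Guid = {GUID}"
    for proc, pid, path in [
        ("EagleGet.exe", 4704, "\\??\\C:\\Windows\\System32\\kernel32.dll"),
        ("EagleGet.exe", 4704, "\\??\\D:\\Portable\\EagleGet_\\util.dll"),
        ("EagleGet.exe", 4704, "\\??\\D:\\Portable\\EagleGet_\\sqlite3.dll"),
        ("EagleGet.exe", 4704, "D:\\Portable\\EagleGet_\\EGMonitor.exe"),
        ("EGMonitor.exe", 5240, "\\??\\D:\\Portable\\EagleGet_\\util.dll"),
        ("dllexplorer_setup.exe", 5236,
         "C:\\Users\\Admin\\AppData\\Local\\Temp\\is-PPQV9.tmp\\dllexplorer_setup.tmp"),
    ])

if __name__ == "__main__":
    for p in user_space_files(SAMPLE_LOG):
        print(p)
    print("suggested path rules:", suggest_rules(user_space_files(SAMPLE_LOG)))
```

Point it at a real SRP.log (read the file and pass its text) to get the same deduplicated list the post assembles by hand; the suggested rules reproduce the post's "*.dll wildcard plus explicit EXE" shortcut.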