Deleted member 178
@Windows_Security is the SRP reg file still valid on the latest build/cumulative update of Win10?
It works for me on Windows Home and Pro.
Windows Pro owner? Use Software Restriction Policies!
Got a surprise on Windows 10 Home (64 bits). With Basic User as default level you are allowed to run programs from the task bar which are in user folders.
Seems that the reg files I posted work OK. Despite bad performance results of WD on AV-Comparatives, I hardly notice a difference (cold startup of Chrome takes 0.1 seconds longer, repetitive startups are the same with or without WD). So with UAC blocking unsigned elevation, SRP blocking user space execution, WD controlled folder access and WD exploit protection, I frankly, my dear, don't see a need for third party security software.
Controlled Folder Access turned ON. Allowed one application c:\z\alternatestreamview.exe (blocked normally by default deny SRP <--- Hard_Configurator).
@Andy Ful
Yes, I know about the shortcuts (links plus easy run as admin is why I like default level Standard User).
But the surprising part was that I could run APC.exe (from the Albelli Photobook Creator) from the C:\Users\ymsna\AppData\Local\Albelli Fotoboeken folder, while any other program is blocked trying to run from that folder. I copied APC.exe to another folder and SRP blocked it.
So it seems that we have a possible scoop here: when you allow a program in Controlled Folder Access, it bypasses SRP.
Could you ALLOW a program to Controlled Folder Access (see picture) and check whether it bypasses BASIC USER and DISALLOWED?
View attachment 172429
It seems that you have the file path (not folder path):
C:\Users\ymsna\AppData\Local\Albelli Fotoboeken\APC.exe
in SRP whitelist. So, APC.exe can run from this path but no other EXE. Also, all EXEs (APC.exe too) are blocked by SRP in other folders (in User Space).
Yes in Secure Folder Access, not SRP, thanks for testing. Some unexpected results mhh.
I still have the impression that you have some non-standard settings. SRP in Windows 7 are the same as in Windows 8+, and different from Windows Vista. From Windows 7+ there is very little difference between the Basic User and Disallowed Default Security Levels. The difference is visible when dealing with shortcuts. I do not try to force you, but please try this (assuming that you are using Admin Account, not SUA):
When UAC was introduced (Vista), I could set internet facing applications to run as basic user. Running them in Basic User box prevented them from elevating. In Windows 7 that behavior changed (they were allowed to elevate). In Windows 7, running Firefox as basic user allows FF to run from taskbar and start menu. When you navigate to FF with Windows Explorer and click to execute FF, Windows shows the "SRP" prompt (Admin prevented ....). In Windows 8.1 this behavior changed (Basic user same as default deny). So it looks that first Secure Folders implementation has some unexpected by-results.
Hard_Configurator uses SRP with Default Security Level set to Basic User, but also uses some Disallowed/Unrestricted rules to stop shortcuts from executing EXE files from the User Space. Without those additional rules, the Default Security Level set to Basic User causes the loophole = shortcut can execute EXE file in the User Space that is not whitelisted.
Well I removed and added the registry keys, nothing strange there.
Just to check we are not cross talking and misunderstanding, you tested the following scenario (on Windows 10 64 bits):
1. Set your SRP to basic user
2. No (allow) rule for APC.exe
3. Only default rules (%ProgramW6432%, %ProgramFiles(x86)%, %ProgramFiles%, %SystemRoot%)
4. Enable Controlled Folder Access
5. Allow apc.exe
Thanks
@Andy Ful
Thx for explaining, everything works as intended. I thought we were cross talking (at least I did), so now I am on the same page as you again.
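
To check on a given machine whether an executable runs because of an SRP file-path rule or because of its Controlled Folder Access entry (the question discussed above), the following PowerShell is an added example, not code from any poster or from Hard_Configurator. It lists the SRP path rules under the machine policy key, marks each as a file or folder rule, and shows whether the same path is also on the Controlled Folder Access allow list; treating everything under `%SystemDrive%\Users` as user space is an assumption of this sketch.

```powershell
# Added example: audit SRP path rules against the Controlled Folder Access allow list.
# Run from an elevated PowerShell prompt; it only reads settings.
$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

if (-not (Test-Path $base)) {
    Write-Output 'No SRP policy key under HKLM; nothing to audit.'
    return
}

# Default Security Level (the thread uses Basic User as the default).
$default = (Get-ItemProperty -Path $base).DefaultLevel
if ($null -eq $default) { Write-Output 'Default Security Level: not set' }
else { Write-Output ("Default Security Level: {0} ({1})" -f $levels[[int]$default], $default) }

# Applications allowed through Controlled Folder Access (Windows Defender).
$cfaApps = @()
try {
    $cfaApps = @((Get-MpPreference -ErrorAction Stop).ControlledFolderAccessAllowedApplications |
                 Where-Object { $_ })
} catch {
    Write-Warning 'Could not read the Controlled Folder Access allow list.'
}

$rules = foreach ($id in $levels.Keys) {
    $pathsKey = Join-Path $base "$id\Paths"
    if (-not (Test-Path $pathsKey)) { continue }
    foreach ($rule in Get-ChildItem -Path $pathsKey) {
        $raw = $rule.GetValue('ItemData')
        if (-not $raw) { continue }
        $path = [Environment]::ExpandEnvironmentVariables([string]$raw)
        # A rule that resolves to a single file allows only that file, not its folder.
        $kind = if (Test-Path -LiteralPath $path -PathType Leaf) { 'file' } elseif (
                    Test-Path -LiteralPath $path -PathType Container) { 'folder' } else { 'unresolved' }
        [pscustomobject]@{
            Level     = $levels[$id]
            Kind      = $kind
            Path      = $path
            UserSpace = $path -like "$env:SystemDrive\Users\*"   # assumption: profiles = user space
            AlsoInCFA = $cfaApps -contains $path
        }
    }
}

$rules | Sort-Object Level, Path | Format-Table -AutoSize

# Unrestricted single-file rules in user space are the ones that explain
# "this EXE runs here, but not after I copy it elsewhere".
$rules | Where-Object { $_.Level -eq 'Unrestricted' -and $_.Kind -eq 'file' -and $_.UserSpace } |
    ForEach-Object { Write-Output ("File-path whitelist entry in user space: {0}" -f $_.Path) }
```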