Guide | How To Software restriction Policies to Windows Home

The associated guide may contain user-generated or external content.

xpdx

New Member
Jan 2, 2016
5
Can anyone please explain this?

Antivirus scan for 5debfce0158cd2249ecea19f2ac9d686b7fca3f68319fb3e302708d62202808a at 2017-04-27 19:20:17 UTC - VirusTotal

SHA256: 5debfce0158cd2249ecea19f2ac9d686b7fca3f68319fb3e302708d62202808a
File name: softwarepolicy.exe
Detection ratio: 4 / 59
Analysis date: 2017-04-27

Bkav - W32.HfsAtITSTIL.514A 20170427
Qihoo-360 - HEUR/QVM10.1.0000.Malware.Gen 20170427
Rising - Trojan.Win32.Dynamer.bt (cloud:EntDEr4kHFC) 20170427
SentinelOne - static engine - malicious

Thank you.
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Got a surprise on Windows 10 Home (64 bits), With Basic User as default level you are allowed to run programs from task bar which are in user folders.

Seems that the reg files I posted work OK. Despite bad performance results of WD on AV-Comparatives, I hardly notice a difference (cold startup of Chrome takes 0.1 seconds longer, repetative startups are the same with or without WD). So with UAC blocking unsigned elevation, SRP blocking user space execution, WD controlled folder access and WD exploit protection, i frankly my dear don't see a need for third party security software.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Got a surprise on Windows 10 Home (64 bits), With Basic User as default level you are allowed to run programs from task bar which are in user folders.

Seems that the reg files I posted work OK. Despite bad performance results of WD on AV-Comparatives, I hardly notice a difference (cold startup of Chrome takes 0.1 seconds longer, repetative startups are the same with or without WD). So with UAC blocking unsigned elevation, SRP blocking user space execution, WD controlled folder access and WD exploit protection, i frankly my dear don't see a need for third party security software.
Windows Pro owner? Use Software Restriction Policies!
Windows Pro owner? Use Software Restriction Policies!
I solved this issue in Hard_Configurator.
.
Edit
The path to the TaskBar:
c:\Users\User_Name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\
The shortcut to the application is created here.
With Default Security Level = Basic User, the shortcuts can run executables from anywhere.
That behavior can be changed by explict Dissalowed rules for shortcuts or for executables.
 
Last edited:

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Andy Ful

Yes I know about the shortcuts (links plus easy run as admin is why I like default level Standard User) .

But the surprising part was that I could run APC.exe from the (Albelli Photobook Creator) from C:\Users\ymsna\AppData\Local\Albelli Fotoboeken) folder, while any other program is blocked trying to run from that folder. I copied APC.exe to another folder and SRP blocked it.

So it seems that we have a possible scoop here: when you allow a program in Controlled Folder Access, it bypasses SRP.

Could you ALLOW a program to Controlled Folder Access (see picture) and check whether it bypasses BASIC USER and DISALLOWED?

upload_2017-11-9_1-59-27.png
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@Andy Ful

Yes I know about the shortcuts (links plus easy run as admin is why I like default level Standard User) .

But the surprising part was that I could run APC.exe from the (Albelli Photobook Creator) from C:\Users\ymsna\AppData\Local\Albelli Fotoboeken) folder, while any other program is blocked trying to run from that folder. I copied APC.exe to another folder and SRP blocked it.

So it seems that we have a possible scoop here: when you allow a program in Controlled Folder Access, it bypasses SRP.

Could you ALLOW a program to Controlled Folder Access (see picture) and check whether it bypasses BASIC USER and DISALLOWED?

View attachment 172429
Controlled Folder Access turned ON. Allowed one application c:\z\alternatestreamview.exe (blocked normally by default deny SRP <--- Hard_Configurator).
Explorer, Total Commander, cmd.exe, and SoftMaker Office are not added to allowed applications in Controlled Folder Access.
.
Results of my test:
  1. Application added to allowed applications in Controlled Folder Access is still blocked by SRP.
  2. Application not allowed in Controlled Folder Access, ran elevated:
    • Cannot copy files to protected folders.
    • Cannot delete files from protected folders.
    • Opened documents are protected against modifications.
  3. Windows Explorer and Total Commander (ran as standard user):
    • Can copy files to protected folders.
    • Can delete files from protected folders.
  4. cmd.exe (ran as standard user or as administrator):
    • Cannot copy files to protected folders.
    • Cannot delete files from protected folders.
    • Opened documents are protected against modifications.
  5. Softmaker Office 2012 ran as standard user:
    1. Cannot copy files to protected folders.
    2. Files can be deleted from SoftMaker Office after accepting UAC prompt.
    3. Opened documents are protected against modifications.
I noticed a strange thing, that follows from the above. Softmaker Office 2012 ran as standard user could delete files (UAC prompt), but when ran elevated it could not. I would expect rather the opposite.
The second strange thing is that Total Commander ran as standard user could copy/delete files from protected folders. If so, then the ransomware will soon do it too (in theory).
It may be that Controlled Folder Access has some bugs, so it can behave somewhat different on different computers.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
But the surprising part was that I could run APC.exe from the (Albelli Photobook Creator) from C:\Users\ymsna\AppData\Local\Albelli Fotoboeken) folder, while any other program is blocked trying to run from that folder. I copied APC.exe to another folder and SRP blocked it.
...
View attachment 172429
It seems that you have the file path (not folder path):
C:\Users\ymsna\AppData\Local\Albelli Fotoboeken\APC.exe
in SRP whitelist. So, APC.exe can run from this path but no other EXE. Also, all EXEs (APC.exe too) are blocked by SRP in other folders (in User Space).
 
Last edited:
  • Like
Reactions: XhenEd

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
It seems that you have the file path (not folder path):
C:\Users\ymsna\AppData\Local\Albelli Fotoboeken\APC.exe
in SRP whitelist. So, APC.exe can run from this path but no other EXE. Also, all EXEs (APC.exe too) are blocked by SRP in other folders (in User Space).
Yes in Secure Folder Access, not SRP, thanks for testing. Some unexpected results mhh.

When UAC was introduced (Vista), I could set internet facing applications to run as basic user. Running them in Basic User box, prevented them to elevate, In Windows 7 that behavior changed (they were allowed to elevate). In Windows 7 running Firefox as basic user, allows FF to run from taskbar and start menu. When you navigate to FF with Windows Explorer and click to execute FF, Windows shows the "SRP' prompt (Admin prevented ....). In Window 8.1 this behavior changed (Basic user same as default deny). So it looks that first Secure Folders implementation has some unexpected by results/
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Yes in Secure Folder Access, not SRP, thanks for testing. Some unexpected results mhh.

When UAC was introduced (Vista), I could set internet facing applications to run as basic user. Running them in Basic User box, prevented them to elevate, In Windows 7 that behavior changed (they were allowed to elevate). In Windows 7 running Firefox as basic user, allows FF to run from taskbar and start menu. When you navigate to FF with Windows Explorer and click to execute FF, Windows shows the "SRP' prompt (Admin prevented ....). In Window 8.1 this behavior changed (Basic user same as default deny). So it looks that first Secure Folders implementation has some unexpected by results/
I still have the impression that you have some non-standard settings. SRP in Windows 7 are the same as in Windows 8+, and different from Windows Vista. From Windows 7+ there is a very little difference between Basic User and Disallowed, Default Security Levels. The difference is visible when dealing with shortcuts. I do not try to force you, but please try this (assuming that you are using Admin Account, not SUA):
  1. Run APC.exe and check its integrity level. If it is running for sure as standard user then the below points are necessary to reset SRP settings.
  2. Disable SRP using gpedit.exe - those policy settings can interfere with Hard_Configurator settings.
  3. Delete the registry key: HKLM\Software\Policies\Microsoft\Windows\Safer
  4. Delete the registry key: HKCU\Software\Policies\Microsoft\Windows\Safer
  5. Install and run Hard_Configurator, next press <Recommended SRP> from the main window.
  6. Press <Whitelist By Path> to see if the file path of APC.exe is on the White List (Hard_Configurator can automatically add some autoruns to the White List).
  7. Restart the system.
Next, you can test again the behavior of APC.exe. It should be blocked (if not whitelisted by SRP).
I installed Abelli Photo Book, it has now the new vendor (Bonusprint), turned on Controlled Folder Access and added the APC.exe path to allowed applications. All worked normally. SRP blocked APC.exe and when whitelisted by file path (from Hard_Configurator) I could run it and had access to protected folders.
If the above curation will not help, then I would be very surprised.:)
 
  • Like
Reactions: oldschool

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
There is a simpler method to check the impact of Controlled Folder Access to SRP. Simply remove the APC.exe from allowed applications in Controlled Folder Access, restart the system and check if APC.exe is now blocked by SRP. If it is not, then deactivate Controlled Folder Access, restart, and check APC again.:)
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Well I removed and added the registry keys, nothing strange there.

Just to check we are not cross talking and misunderstanding, you tested the following scenario (on Windows10 64 bits)
1. Set your SRP to basic user
2. No (allow) rule for APC.exe
3. Only default rules (%ProgramW6432%, %ProgramFiles(x86)%, %ProgramFiles%, %SystemRoot%)
4. Enable Controlled Folder Access
5. Allow apc.exe

Thanks
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Well I removed and added the registry keys, nothing strange there.

Just to check we are not cross talking and misunderstanding, you tested the following scenario (on Windows10 64 bits)
1. Set your SRP to basic user
2. No (allow) rule for APC.exe
3. Only default rules (%ProgramW6432%, %ProgramFiles(x86)%, %ProgramFiles%, %SystemRoot%)
4. Enable Controlled Folder Access
5. Allow apc.exe

Thanks
Hard_Configurator uses SRP with Default Security Level set to Basic User, but also uses some Disallowed/Unrestricted rules to stop shortcuts from executing EXE files from the User Space. Without those additional rules, the Default Security Level set to Basic User causes the loophole = shortcut can execute EXE file in the User Space that is not whitelisted.
Did you try deactivating Controlled Folder Access, as I posted in my previous post? That would be the simplest way to check the impact of Controlled Folder Access on SRP.:)
See you later I must go out.:)
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Andy Ful
Thx for explaining :) everything works as intended. I thought we were cross talking (at least I did), so now I am on the same as you again,
 
  • Like
Reactions: Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top