Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

AMD1

Level 5
Verified
Aug 21, 2012
210
Hi,

Just giving WHHL a try to see how I get on with it so still on a learning curve.

Under WDAC events I have the following repeated block:

Event Id = 3077
Local Time: 2024/03/09 12:59:39
Attempted Path = C:\Windows\SysWOW64\wbem\WMIC.exe
Parent Process = C:\Program Files (x86)\AOMEI\AOMEI Backupper\7.3.3\ABService.exe
PolicyName = UserSpace Lock
UserWriteable = false

Unsure if/how to whitelist this or prevent repeated blocks ?

Thanks
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Under WDAC events I have the following repeated block:

Event Id = 3077
Local Time: 2024/03/09 12:59:39
Attempted Path = C:\Windows\SysWOW64\wbem\WMIC.exe
Parent Process = C:\Program Files (x86)\AOMEI\AOMEI Backupper\7.3.3\ABService.exe
PolicyName = UserSpace Lock
UserWriteable = false

Unsure if/how to whitelist this or prevent repeated blocks ?

Thanks

WMIC.exe is blocked by WDAC as recommended by Microsoft. It cannot be whitelisted.
WMIC.exe is/was a popular LOLBin that uses WMI infrastructure to bypass the AV and WDAC protection.
It is possible that AOMEI Backupper can work with blocked WMIC.exe, but I do not recommend using both WDAC and AOMEI.(y)
 

Digmor Crusher

Level 25
Verified
Top Poster
Well-known
Jan 27, 2018
1,431
Screenshot 2024-03-09 114441.png

So I guess the same applies here, I don't see any issues using Sync though. Do you recommend not using WDAC and Sync as well?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
View attachment 282023
So I guess the same applies here, I don't see any issues using Sync though. Do you recommend not using WDAC and Sync as well?

The block is related to the Sync taskbar and not to the synchronization processes. So the block is probably unimportant.
 

AMD1

Level 5
Verified
Aug 21, 2012
210
WMIC.exe is blocked by WDAC as recommended by Microsoft. It cannot be whitelisted.
WMIC.exe is/was a popular LOLBin that uses WMI infrastructure to bypass the AV and WDAC protection.
It is possible that AOMEI Backupper can work with blocked WMIC.exe, but I do not recommend using both WDAC and AOMEI.(y)

Thanks Andy
 

AMD1

Level 5
Verified
Aug 21, 2012
210
Still getting to grips with WHHL and recently had the following block triggered when I attempted to fix VSS via my backup program:

Event[0]:
Event Id = 865
Local Time: 2024/03/18 17:49:08
EventRecordID = 62875
Execution ProcessID = '14980' ThreadID='12148'
UserID='S-1-5-21-464157410-1965187014-947272154-1001'
Attempted Path = c:\vssfix.bat
Description: Default Level SRP block

Need some help to whitelist this process if thats the recommended solution?

Fot the time being I disabled SWH and then re-enabled once I had run the Fix VSS again.

Thanks in advance for any help in this matter.
 
Last edited by a moderator:
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Need some help to whitelist this process if thats the recommended solution?

You have two methods to whitelist that BAT file:
  1. Whitelist by hash.
  2. Whitelist by path.
1710787542395.png
 
  • Like
Reactions: vtqhtr413

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
If I attempt to browse to c:\vssfix.bat it is not there even after I enable show hidden windows folders and unsure where to browse to whitelist by hash ?

That .bat is probably somewhere in your backup application.
 
  • Like
Reactions: vtqhtr413

pxxb1

Level 10
Verified
Well-known
Jan 17, 2018
483
Andy@Ful

Should not SWH WHH have its own frame like CD and H_C on the head site at Github instead of being an item IN H_C. Now they are not seen to people who go to the sight and therefore are unknown to many. Whenever i link people to the site i have to explain what to do on it because these mentioned items are sort of hidden.

That seems to me to be the logical way since they are standalone programs, or are they not!?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
How can Whhlight (Super Safe Setup) protect from exploits?

I wrote in the WDAC help that it is robust against exploits. It is not the same as protecting from exploits. I meant that even if something would be exploited, the attack could be stopped anyway. Exploits often use temporary files dropped to the user's Temp folder, and such an attack vector can be blocked in the Super_Safe setup. One of many examples can be abusing OLE objects in MS Office documents.
The default WDAC settings allow executables dropped there, so one can consider using additional anti-exploit protection (for example tools included in the WHHLight package).
 

pxxb1

Level 10
Verified
Well-known
Jan 17, 2018
483
Because it is logical if one does not care much about popularity.

Edit.
To make it popular, one should create a good website with a forum. But, marketing is not attractive to me.:sleep:

With that logic they all might as well be put in 1 frame instead of the 4 that exists now ;).
 
  • Like
Reactions: Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top