Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

Andy Ful

The CMD or BAT script that contains the PowerShell CmdLines blocked by WDAC (SRP/AppLocker) can still run after some script modifications. Simply, the blocked PowerShell CmdLines must be moved to PS1 scripts, while invoking those PS1 scripts from the CMD or BAT script (instead of the blocked PowerShell CmdLines). Next, all those scripts must be stored in a whitelisted location.

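The rearrangement described in the post above, as an added example that is not code from the original post and not part of WHHLight or Hard_Configurator: a CMD wrapper whose inline PowerShell command line has been moved into a task.ps1 that sits next to it, with both files placed in a whitelisted folder. The folder under %ProgramFiles%, the name task.ps1 and the Get-ChildItem task are assumptions for illustration.

```batch
@echo off
setlocal
REM Added example, not from the original post and not from WHHLight: a CMD wrapper
REM adjusted the way Andy Ful describes. Folder, script name and task are illustrative.
REM
REM BEFORE: the PowerShell work was an inline command line in this .bat. That inline
REM form is what the post says the policy blocks, so it is kept here only as a comment:
REM   powershell.exe -NoProfile -Command "Get-ChildItem $env:SystemRoot\System32\drivers\etc | Select-Object Name,LastWriteTime"
REM
REM AFTER: the same work now lives in task.ps1 next to this .bat, and both files are
REM placed in a whitelisted folder (assumed here: somewhere under %ProgramFiles%).
REM Only the -File invocation remains in the .bat.
set "HERE=%~dp0"

REM Guard: refuse to run from anywhere but the assumed whitelisted tree, so a copy
REM dropped into Downloads or %TEMP% fails with a clear message instead of a policy block.
echo %HERE%| find /i "%ProgramFiles%\" >nul || (
    echo %~nx0 and task.ps1 must live under "%ProgramFiles%" ^(whitelisted^), not in %HERE%
    exit /b 1
)
if not exist "%HERE%task.ps1" (
    echo task.ps1 not found next to %~nx0 in %HERE%
    exit /b 1
)

REM Invoke the script file rather than an inline command. -NoProfile keeps profile
REM scripts out of the picture; -ExecutionPolicy Bypass is only PowerShell's own
REM policy and changes nothing about WDAC/SRP/AppLocker path rules, which judge
REM task.ps1 by where it lives.
powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%HERE%task.ps1"
exit /b %ERRORLEVEL%
```

task.ps1 holds the formerly inline pipeline (here the Get-ChildItem line from the comment); the wrapper itself no longer carries any PowerShell code, only the path to the script file in the whitelisted folder.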

Parkinsond

The CMD or BAT script that contains the PowerShell CmdLines blocked by WDAC (SRP/AppLocker) can still run after some script modifications. Simply, the PowerShell content must be moved to PS1 scripts, while invoking those PS1 scripts from the CMD or BAT script (instead of PowerShell CmdLines). Next, all those scripts must be stored in a whitelisted location.
WDAC blocked the Media Player Classic - Black Edition installer from running in user space.
When transferred to the whitelisted Program Files folder, it is still blocked!
 

Parkinsond

Can you post the blocked event?
(attached screenshot of the blocked event: Capture3.JPG)
 

Andy Ful

I think it was also blocked in the whitelisted Program Files because it tried to load something in the user temp file.

Yes, that is right. You applied a custom WDAC Whitelist where the Temp folder in the user profile is removed from the WDAC Whitelist. The default WDAC Whitelist avoids such blocks by whitelisting this folder.
It is not necessary to copy the installer into %ProgramFiles%. You can use the Explorer context menu to choose "Run By SmartScreen" (the first block will disappear).
 

piquiteco

Highly doubtful, unless there's some new tweak, otherwise SAC will be disabled after restart, as you can see from above posts.

You can reset while keeping files and some settings, and then you can enable it. That's what I did and it's the easiest way I know. So no need to do a clean install or a reset that wipes everything unless you really want to.
Thanks a lot for the info @oldschool. I don't think I'm going to format or reinstall Windows 11 just because of Smart App Control. I thought @Andy Ful had created some tool that activates Smart App Control without having to reset Windows 11, so I asked if it was possible. It seems that the only way to activate Smart App Control is to reset Windows 11. :)
I have just re-tested the extended reg tweak I posted a few years ago, and it works on my freshly updated Windows 24H2. I am not sure if it will work on all machines.

One has to use the CMD from the recovery environment to modify the offline registry. It is easy for people who already know it (takes about one minute), but caution is required because:
  1. The recovery environment has its own Windows system (usually placed on disk X: ).
  2. Regedit in the Recovery environment shows the Registry related to the Windows Recovery system (usually placed on disk X: ) and not the Registry related to the "normal" Windows system.
  3. Recovery environment CMD is totally different from Safe Mode CMD (different Windows systems are used).
  4. If the "normal" Windows system is installed on disk C:, it can be seen in the recovery environment as C:, D:, E:, etc. For example, on my computer, it is E:.
  5. A mistake can brick your system.
I assume that the offline system is visible in the recovery environment as C: (if not, then another letter must be used like D:, E:, F:, etc.).
It is necessary to load the offline System Registry Hive from "C:\Windows\System32\config" to "HKEY_LOCAL_MACHINE\xxxxx" (I used xxxxx as the name of the new key where the offline System Hive is loaded) and set the following keys:

HKEY_LOCAL_MACHINE\xxxxx\SYSTEM\CurrentControlSet001\Control\CI\Policy
VerifiedAndReputablePolicyState = 2


HKEY_LOCAL_MACHINE\xxxxx\SYSTEM\CurrentControlSet001\Control\CI\Protected
VerifiedAndReputablePolicyStateMinValueSeen = 2

After unloading the "xxxxx" Hive and restarting Windows, the SAC is set in Security Center to Evaluation mode and can be changed to ON.

Edit 1.
This tip is only for advanced (and careful) users. Please use it in a virtual machine until you are certain that it is applied as intended. A mistake can spoil your system.

Edit 2.
Post updated (added some more information about Windows Recovery Environment).
Thanks for your attention @Andy Ful. Although your instructions are very detailed, I don't think I'll be able to do this whole procedure because it's out of my jurisdiction; I'll probably get lost when I dig deep into the registry. Although I have a backup image of Windows 11 in case there is a problem, in which case I can just restore this backup myself, I do not believe that I will be able to activate Smart App Control in Windows 11 this way. I wanted to keep M.Defender on Windows 11 without installing a third-party antivirus; that was my intention. For now I'll keep MD + Hard Configurator, and I'll keep the M.Defender settings on High. If you have any other tips on how I can further strengthen security in MD, I'd appreciate it. ;)
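
The offline-hive edit quoted above from Andy Ful, as an added example that is not his tool, not his code and not part of the original post: a script for the Windows Recovery Environment command prompt that makes the same two registry changes with reg.exe instead of regedit. It takes the drive letter of the offline Windows as seen from WinRE, backs up the SYSTEM hive, loads it under HKLM\xxxxx, writes the two values and unloads the hive. The script name sac_offline.cmd, the backup file name and the drive-letter scan are my assumptions. It addresses the keys as they appear under a loaded hive, where the mount key is the hive root (so there is no SYSTEM level below HKLM\xxxxx and no CurrentControlSet link, which exists only on a running system), and it reads which ControlSetNNN is the default from the Select key instead of assuming one. The refusal to run against the WinRE drive and the backup copy are added safety checks in the spirit of the post's warnings.

```batch
@echo off
setlocal
REM Added example, not Andy Ful's tool and not from the original post: the offline
REM SYSTEM-hive edit he describes, done with reg.exe from the Windows Recovery
REM Environment command prompt. Run it ONLY inside WinRE, never in the running Windows.
REM Usage:  sac_offline.cmd E     (E = letter of the offline Windows as WinRE sees it)
if "%~1"=="" (
    echo Usage: %~nx0 ^<DriveLetter^>
    echo Volumes visible from here that contain a Windows SYSTEM hive:
    for %%D in (C D E F G H I J) do if exist %%D:\Windows\System32\config\SYSTEM echo     %%D:
    exit /b 1
)
set "DRV=%~1"
set "HIVE=%DRV%:\Windows\System32\config\SYSTEM"
set "MOUNT=HKLM\xxxxx"

REM WinRE runs from its own Windows (usually X:). Refuse to edit that one by mistake.
if /i "%DRV%"=="%SystemDrive:~0,1%" (
    echo %DRV%: is the drive WinRE itself runs from, not the offline Windows.
    exit /b 1
)
if not exist "%HIVE%" (
    echo No SYSTEM hive at %HIVE%
    exit /b 1
)

REM A damaged SYSTEM hive will not boot, so keep a copy before touching it.
copy /y "%HIVE%" "%HIVE%.pre-sac.bak" >nul || exit /b 1

REM Load the offline hive. The mount key IS the hive root: below HKLM\xxxxx there is
REM no "SYSTEM" level and no CurrentControlSet (that link exists only on a live system),
REM only ControlSet001, ControlSet002, ... and the Select key that says which is default.
reg load %MOUNT% "%HIVE%" >nul || exit /b 1

set "CS="
for /f "tokens=3" %%V in ('reg query %MOUNT%\Select /v Default ^| find /i "Default"') do set "CS=%%V"
if not defined CS (
    echo Could not read %MOUNT%\Select\Default
    goto :unload
)
set /a CSNUM=%CS%
set "CSKEY=%MOUNT%\ControlSet00%CSNUM%"

REM The two values named in the post, both REG_DWORD = 2 (SAC shows Evaluation mode after reboot).
reg add "%CSKEY%\Control\CI\Policy"    /v VerifiedAndReputablePolicyState             /t REG_DWORD /d 2 /f || goto :unload
reg add "%CSKEY%\Control\CI\Protected" /v VerifiedAndReputablePolicyStateMinValueSeen /t REG_DWORD /d 2 /f || goto :unload
echo Written under %CSKEY%\Control\CI. Unloading hive; then exit WinRE and reboot.

:unload
REM Unloading flushes the change to the hive file and releases the lock. Skipping it
REM leaves the edit unsaved.
reg unload %MOUNT% >nul
endlocal
```

Run it with no argument first: it lists every volume WinRE can see that carries a Windows SYSTEM hive, which is how you find the letter the offline system has inside WinRE (often not C:, as the post notes). If the second reg add fails with an access-denied error, inspect the permissions stored on the Protected key in the loaded hive before retrying; the script unloads the hive on every exit path so the system stays bootable either way.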
 
