Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

What do you mean by "It is allowed by WDAC in WHHLight"?

I tried it, and I also downloaded the installer again. WDAC blocked it, but "Run as admin" allowed the installer; i.e., the installer started extracting.

Is it safe to run installers as admin? If they were malicious, would this not offer them more control of the OS?
 
Anyway, something is wrong. After successful execution, WDAC should flag this file as reputable.
Today, I also tested a few files via "Run as administrator". All were blocked as well when run normally.
If it is necessary, I can share some blocked files for testing.
 
WDAC can remember the successful execution in the past, so my result can be different (I used CIS in some tests). So, I used HexEdit and changed one byte in the installer to break the positive reputation in WDAC ISG (the certificate was broken).



Next, I executed the modified installer normally. I saw the standard SmartScreen alert and chose to run the file. It was blocked by Defender's ASR rule:
Event[0]:
Time Created : 12/09/2025 23:17:40
ProviderName : Microsoft-Windows-Windows Defender
Id : 1121
Message : Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 01443614-cd74-433a-b99e-2ecdc07bfc25
ConfigureDefender option: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
Detection time: 2025-09-12T21:17:40.374Z
User: yyyyyyyyyyyyyy
Path: C:\Users\xxxxxxxxx\Downloads\!cispremium_installer.exe
Process Name: C:\Windows\explorer.exe
Target Commandline:
Parent Commandline: C:\WINDOWS\Explorer.EXE
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.435.719.0
Engine Version: 1.1.25070.4
Product Version: 4.18.25070.5

I chose to unblock it in ASR rules and ran again - the installer was blocked by WDAC.
I ran the installer via "Run as Administrator" from the Explorer right-click menu - still blocked by WDAC.
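Added example, not code from the thread or from WHHLight: a PowerShell check a defender can run after a block like the Event 1121 above. It reads ASR block/audit events from the Defender Operational log, parses the rule GUID and path out of the message text, shows the configured action for that rule, and reports the file's Authenticode status (which is what the one-byte HexEdit change breaks). The rule-name map contains only the GUID quoted in the event; the cmdlets used are standard Defender and signature cmdlets.

```powershell
# Added example (not from the thread or WHHLight). Event 1121 = an ASR rule
# blocked an operation; 1122 = the rule fired in audit mode.

# Only the GUID quoted in the event above is mapped; others are shown raw and
# can be looked up in Microsoft's ASR rule reference.
$ruleNames = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' =
        'Block executable files unless they meet prevalence, age, or trusted list criteria'
}

# Configured rule IDs and their actions (0 = Off, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
$acts = @($pref.AttackSurfaceReductionRules_Actions)
$configured = @{}
for ($i = 0; $i -lt $ids.Count; $i++) { $configured[$ids[$i].ToLower()] = $acts[$i] }

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    $m = $e.Message
    # The message body carries "ID:", "Path:" and "Process Name:" lines, as in the event above.
    $id   = if ($m -match '(?m)^ID:\s*([0-9a-fA-F-]{36})') { $Matches[1].ToLower() } else { '' }
    $path = if ($m -match '(?m)^Path:\s*(.+)')             { $Matches[1].Trim() }   else { '' }
    $proc = if ($m -match '(?m)^Process Name:\s*(.+)')     { $Matches[1].Trim() }   else { '' }

    # A modified installer (as in the one-byte HexEdit test) shows a broken signature here.
    $sig = if ($path -and (Test-Path -LiteralPath $path)) {
        (Get-AuthenticodeSignature -LiteralPath $path).Status
    } else { 'file not present' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Mode      = if ($e.Id -eq 1121) { 'Block' } else { 'Audit' }
        RuleId    = $id
        Rule      = if ($ruleNames.ContainsKey($id)) { $ruleNames[$id] } else { '(unmapped)' }
        Action    = if ($configured.ContainsKey($id)) { $configured[$id] } else { 'not configured' }
        Path      = $path
        Process   = $proc
        Signature = $sig
    }
}
$report | Format-List
```

Run it from a normal PowerShell window; the Defender Operational log and Get-MpPreference are readable without elevation on a default install.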
 
WDAC can remember the successful execution in the past, so my result can be different (I used CIS in some tests). So, I used HexEdit and changed one byte in the installer to break the positive reputation in WDAC ISG (the certificate was broken).
I chose to unblock it in ASR rules and ran again - the installer was blocked by WDAC.
I ran the installer via "Run as Administrator" from the Explorer right-click menu - still blocked by WDAC.
Does this certificate you changed have anything to do with that vulnerability discovered in CIS? BTW, thanks for WHHLight, it's working perfectly. Vivaldi was crashing because I was forgetting to apply the exclusions. I like WHHLight better than H_C because of its simplicity and because it's easier to check the logs in WHHLight's main GUI. Thanks for the support.
 
Anyway, something is wrong. After successful execution, WDAC should flag this file as reputable.
Today, I also tested a few files via "Run as administrator". All were blocked as well when run normally.
If it is necessary, I can share some blocked files for testing.
WDAC continues to block the installer here. I could execute it with Run as administrator; the installer extraction would start, which I would then cancel. I extracted the installer with portable 7Zip; WDAC allowed the MSI installer. Deleted the extracted folder. I then tried running the EXE installer using Run as administrator, as I wanted to allow the extraction and see what would happen. Now, WDAC blocks it; the extraction doesn't start, i.e., no extraction window.

Before posting this comment, I tried again, and WDAC allowed the installer.

Yes, share with me the blocked files for testing.
 
@Andy Ful,

WHHLight's GitHub page states:

"SWH resets some policies used in the Hard_Configurator or WHH full version: Block Desktop and Downloads folders (OFF), Block LOLBins (OFF), Restrict elevation of executables (OFF), Disable Windows Script Host (OFF), Disable execution of 16-bit processes (ON), Hide 'Run as administrator' option (OFF), Enforce shell extension security (OFF), Run As SmartScreen (OFF), Enable MSI elevation (OFF), UAC Secure Credential Prompting (OFF)."

Can you explain a bit in the WHHLight context?
 
Can you explain a bit in the WHHLight context?

Yes, I can. What exactly?
H_C has some settings that are absent in WHHLight (unrelated to WDAC). When you use H_C and run WHHLight, the SWH restores Windows defaults for those settings, and only the settings controllable in SWH will survive.
For example, the below alert can be seen for the H_C Windows_10_Recommended_Enhanced profile:



Post simplified and updated.
 
H_C has some settings that are absent in WHHLight (unrelated to WDAC).
That's what I was trying to say. Does "absent" suggest WHHLight lacks those settings, or do other features provide that protection? For instance, I get Block Desktop/Downloads folders and Run as admin (OFF), but Block LOLBins (OFF)?
 
That's what I was trying to say. Does "absent" suggest WHHLight lacks those settings,

Yes. However, the info on the WHHLight website was outdated according to "Block Desktop and Downloads folders (OFF)" (the correct info is in the WHHLight manual). I corrected the info today. This option was initially in the WHH full version and was absent in previous versions of WHHLight and H_C. Currently, it is included in WHHLight as * User Folders *. It is not included in H_C because most profiles already block EXE/MSI files in UserSpace.
 
On a clean system snapshot, I was testing WHHLight. Anyway, it seems okay. WDAC successfully blocked ReportGenerator.exe when I tried to run it as an administrator.

So we confirmed that WDAC blocks as it should. But it is still interesting why it blocked something that should not be blocked.
It seems that something impeded WDAC ISG from getting a positive reputation from the Microsoft cloud for the CIS installer. In such a case (broken Internet connection, software conflict, etc.) WDAC simply blocks the file.
This issue made your system even more secure, but also more inconvenient.
 
So we confirmed that WDAC blocks as it should. But it is still interesting why it blocked something that should not be blocked.
It seems that something impeded WDAC ISG from getting a positive reputation from the Microsoft cloud for the CIS installer. In such a case (broken Internet connection, software conflict, etc.) WDAC simply blocks the file.
This issue made your system even more secure, but also more inconvenient.
As if WDAC is set to restricted mode in WHHFull.
 
Which ASR rule is restricting PowerShell?

Using PowerShell code can be restricted by several ASR rules, for example:
Block Adobe Reader from creating child processes
Block executable content from email client and webmail
Block execution of potentially obfuscated scripts
Block Office communication application from creating child processes
Block process creations originating from PSExec and WMI commands
Use advanced protection against ransomware
 
As if WDAC is set to restricted mode in WHHFull.

Yes, in the early WHHLight versions and the WHH full version, I used the WDAC policy without ISG. It blocked any EXE file in UserSpace, except Microsoft-signed ones.
I adopted ISG only after Microsoft hardened WDAC against DLL hijacking.
 
So we confirmed that WDAC blocks as it should. But it is still interesting why it blocked something that should not be blocked.
It seems that something impeded WDAC ISG from getting a positive reputation from the Microsoft cloud for the CIS installer. In such a case (broken Internet connection, software conflict, etc.) WDAC simply blocks the file.
This issue made your system even more secure, but also more inconvenient.
Yes, WDAC functions as intended. It was unusual since it's an old and signed file. What was particularly intriguing was that WDAC continued to block the file the following day. However, when I attempted to run the EXE again after extracting it and testing the MSI installer, WDAC permitted it.
 
When I:
  • Switch SWH ON
  • Set PowerShell Restrictions to 2 (PowerShell.exe)
  • Switch SWH OFF
  • Switch SWH ON
Then PowerShell Restrictions will be set to 3 (PowerShell.exe + Script files).
WHHL V2.0.0.2
 