Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,946
I vaguely recall seeing something about avoiding group policy configuration in forum threads or help files. Can I set up group policy while using WHHLight (SWH, SS, WDAC, CD, FH, DAE) on the system?
Group Policies (GPO) work on Windows Pro and some other editions (not on Windows Home). You can apply policies via GPO, but I recommend doing it only once in the beginning, running WHHLight (SWH or H_C) next, and then restarting Windows. Applying any new policy via GPO automatically turns OFF SRP used in WHHLight (SWH or H_C). You must turn it ON by running WHHLight (SWH or H_C). Generally, I do not recommend using GPO due to this incompatibility:

If one wants to use GPO, it is better to also use AppLocker via GPO instead of WHHLight, SWH, or H_C.
 

Andy Ful

@rashmi,

Here is an example of SWH/Powershell block due to Constrained Language mode that can be whitelisted:

In the above example, the script Download_SystemNetWebClient.ps1 used the command New-Object, which is forbidden in Constrained Language. Other commands in this script were allowed.
The block will be avoided after adding the script file path "C:\Users\andrz\xxxxxxxxxxxxxxxxxxxxxx\Download_SystemNetWebClient.ps1" to the SWH whitelist. Only the script paths related to the Constrained Language (Error ID = CannotCreateTypeConstrainedLanguage) can be whitelisted. All other PowerShell blocks in the SWH <PowerShell> events cannot be whitelisted, like CmdLines blocked by Constrained Language or scripts blocked by PowerShell execution policies.
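As an added example (not Andy Ful's code and not part of WHHLight/SWH), this PowerShell helper applies the rule above to a caught error record: only the Constrained Language "cannot create type" error raised from a script file counts as a whitelist candidate; a CmdLine error or any other error ID does not. The function name and the constructed demo script are assumptions; run the demo in a fresh session on a test machine (where the execution policy allows local scripts), because lowering a session to ConstrainedLanguage is one-way.

```powershell
# Added example, not part of Andy Ful's post or of WHHLight/SWH.
# Classifies a PowerShell ErrorRecord the way the post describes:
# whitelist candidate = Constrained Language "cannot create type" error
# raised from a script file; anything else (console CmdLine, execution
# policy block, other error IDs) is reported as not whitelistable.
function Test-SwhWhitelistCandidate {
    param([Parameter(Mandatory)][System.Management.Automation.ErrorRecord]$ErrorRecord)

    # FullyQualifiedErrorId looks like
    # "CannotCreateTypeConstrainedLanguage,Microsoft.PowerShell.Commands.NewObjectCommand"
    $errorId    = $ErrorRecord.FullyQualifiedErrorId.Split(',')[0]
    $scriptPath = $ErrorRecord.InvocationInfo.ScriptName   # empty when typed at the console

    [pscustomobject]@{
        ErrorId       = $errorId
        ScriptPath    = $scriptPath
        Whitelistable = ($errorId -eq 'CannotCreateTypeConstrainedLanguage') -and
                        -not [string]::IsNullOrEmpty($scriptPath)
    }
}

# Demo with a constructed one-line script that uses New-Object like the post's example.
# Run this in a throwaway session: the language mode cannot be raised back to FullLanguage.
$demoScript = Join-Path $env:TEMP 'clm_demo_constructed.ps1'
Set-Content -Path $demoScript -Value 'New-Object System.Net.WebClient | Out-Null'
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'

try { & $demoScript } catch { Test-SwhWhitelistCandidate -ErrorRecord $_ }
```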
 

rashmi

Level 18
Jan 15, 2024
876
Group Policies (GPO) work on Windows Pro and some other editions (not on Windows Home). You can apply policies via GPO, but I recommend doing it only once in the beginning, running WHHLight (SWH or H_C) next, and then restarting Windows. Applying any new policy via GPO automatically turns OFF SRP used in WHHLight (SWH or H_C). You must turn it ON by running WHHLight (SWH or H_C). Generally, I do not recommend using GPO due to this incompatibility:
All my systems have both Windows 11 Home and Pro digital licenses. I don't use any Pro features except some group policies, which I can perform with registry tweaks. Do you think the Home Edition would be better overall, including security, if I don't use Pro features?

@rashmi,

All other PowerShell blocks in the SWH <PowerShell> events cannot be whitelisted, like CmdLines blocked by Constrained Language or scripts blocked by PowerShell execution policies.
For example, how would I override a CmdLine block by Constrained Language? Switch off SWH?

I reverted to a clean system image and installed WHHLight Tools. I remember WDAC blocking/logging "detect.dll" when running Hard Disk Sentinel Portable, but now the logs show:
Attempted Path = Data Name='File Name'>
 

Andy Ful

All my systems have both Windows 11 Home and Pro digital licenses. I don't use any Pro features except some group policies, which I can perform with registry tweaks. Do you think the Home Edition would be better overall, including security, if I don't use Pro features?

There is no significant difference. Windows PRO has some advantages, like Windows Sandbox.

For example, how would I override a CmdLine block by Constrained Language? Switch off SWH?

Yes, you have to temporarily switch OFF SWH.

I reverted to a clean system image and installed WHHLight Tools. I remember WDAC blocking/logging "detect.dll" when running Hard Disk Sentinel Portable, but now the logs show:
Attempted Path = Data Name='File Name'>

Is something blocked?
 

rashmi

Is something blocked?
Here is the log.

Event[0]:
Event Id = 3077
Local Time: 2025/04/30 09:44:02
Attempted Path = Data Name='File Name'>
Parent Process = C:\RashApps\hdsentinel_pro_portable\HDSentinel.exe
PolicyName = UserSpace Lock
UserWriteable = false

In my previous WHHLight tries, the "Attempted Path" always showed the "detect.dll" path.
 

Andy Ful

Here is the log.

Event[0]:
Event Id = 3077
Local Time: 2025/04/30 09:44:02
Attempted Path = Data Name='File Name'>
Parent Process = C:\RashApps\hdsentinel_pro_portable\HDSentinel.exe
PolicyName = UserSpace Lock
UserWriteable = false

In my previous WHHLight tries, the "Attempted Path" always showed the "detect.dll" path.

Can you identify this event in the Windows Event Viewer? It looks like a blocked LOLBin from Microsoft Block List.
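As an added example (not code from the thread or from WHHLight), this PowerShell function reads the raw WDAC enforcement events (Event ID 3077) from the Code Integrity log and prints the same fields the WHHLight log summarizes, so an entry whose Attempted Path came through as "Data Name='File Name'>" can be compared with the event's actual File Name field. The function name and the one-entry block-list sample are assumptions; run it from an elevated session.

```powershell
# Added example, not part of the thread or of WHHLight.
# Reads WDAC block events (Event ID 3077) from the Code Integrity log and
# exposes the fields the WHHLight log mirrors: File Name (Attempted Path),
# Process Name (Parent Process), PolicyName and UserWriteable.
function Get-WdacBlockEvent {
    param([int]$MaxEvents = 50)

    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    # Constructed sample; extend with the binaries from Microsoft's recommended block rules.
    $blockListNames = @('mshta.exe')

    foreach ($e in $events) {
        # EventData is a list of <Data Name='...'>value</Data> nodes; index them by name.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # An empty File Name is the case that surfaces as "Data Name='File Name'>" in the tool log.
        $fileName  = $data['File Name']
        $attempted = if ([string]::IsNullOrEmpty($fileName)) { '<empty File Name field>' } else { $fileName }
        $leaf      = if ($fileName) { Split-Path -Leaf $fileName } else { '' }

        [pscustomobject]@{
            Time          = $e.TimeCreated
            AttemptedPath = $attempted
            ParentProcess = $data['Process Name']
            PolicyName    = $data['PolicyName']
            UserWriteable = $data['UserWriteable']
            LikelyLolbin  = $leaf -in $blockListNames
        }
    }
}

Get-WdacBlockEvent | Format-Table -AutoSize
```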
 

rashmi

Can you identify this event in the Windows Event Viewer? It looks like a blocked LOLBin from Microsoft Block List.
I couldn't find the event in the Windows Event Viewer. I tried removing the portable apps folder from the whitelist and also tried reinstalling WHHLight, but I get the same log for HDSentinel.

The logs show the path for an installer and an installed program.

Event[21]:
Event Id = 3077
Local Time: 2025/04/30 09:33:58
Attempted Path = C:\Users\rashmi\Downloads\AntDM-x64.2.15.4-setup.exe
Parent Process = C:\Windows\explorer.exe
PolicyName = UserSpace Lock
UserWriteable = true

Event[22]:
Event Id = 3077
Local Time: 2025/04/30 09:27:55
Attempted Path = C:\Windows\System32\mshta.exe
Parent Process = C:\Program Files\Wondershare\PDFelement11\FileAssociation.exe
PolicyName = UserSpace Lock
UserWriteable = false

I have to restart the system twice for WHHLight, and it is reproducible on my system. I tried it thrice on a clean system image with the same outcome. After installing WHHLight, I switch on WDAC, add the portable apps folder to the whitelist, click apply and close, and restart the system. After the system restart, I open WHHLight, check the SWH menu, check the WDAC whitelist, and close the whitelist window with "X." Closing WHHLight asks me to restart the system. After the second restart, I perform the same steps, and WHHLight closes with no message.
 

Andy Ful

Event[21]:
Event Id = 3077
Local Time: 2025/04/30 09:33:58
Attempted Path = C:\Users\rashmi\Downloads\AntDM-x64.2.15.4-setup.exe
Parent Process = C:\Windows\explorer.exe
PolicyName = UserSpace Lock
UserWriteable = true

Event[22]:
Event Id = 3077
Local Time: 2025/04/30 09:27:55
Attempted Path = C:\Windows\System32\mshta.exe
Parent Process = C:\Program Files\Wondershare\PDFelement11\FileAssociation.exe
PolicyName = UserSpace Lock
UserWriteable = false

Both blocks are normal.

In the first case, Microsoft ISG does not trust the application installer. To install the application, you can use "Run By SmartScreen."
The installer tries to add the firewall rule by using scripts (BAT or VBS) in the user temp folder:

Code:
netsh advfirewall firewall add rule name="AntDM" dir=in action=allow program="C:\Program Files\Ant Download Manager (x64)\AntDM.exe" enable=yes
SWH script restrictions block this action. You can run this CmdLine from the CMD console if needed. I am not sure why Ant Download Manager uses scripts for this.

In the second case, WHHLight blocks the LOLBin Mshta (dangerous) via Microsoft Recommended Block List. I am not sure why PDFelement wants to use it (no HTA files in the installation folder). Blocking LOLBins cannot be whitelisted.

Edit.
The Mshta block can probably be ignored, because the FileAssociation.exe is used to fix the PDF file association (PDFelement will open PDF files by default). You can easily do this via the Explorer right-click context menu.
 

Andy Ful

I'm unsure why the HDSentinel Portable's log is different now.

That is how Microsoft ISG often works. The same behavior can be seen with Smart App Control. The untrusted executables (like "detect.dll") are analyzed (including Big Data from Microsoft cloud) and can become trusted after some time.
 
