Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,965
I vaguely recall seeing something about avoiding group policy configuration in forum threads or help files. Can I set up group policy while using WHHLight (SWH, SS, WDAC, CD, FH, DAE) on the system?
Group Policies (GPO) work on Windows Pro and some other editions (not on Windows Home). You can apply policies via GPO, but I recommend doing it only once in the beginning, running WHHLight (SWH or H_C) next, and then restarting Windows. Applying any new policy via GPO automatically turns OFF SRP used in WHHLight (SWH or H_C). You must turn it ON by running WHHLight (SWH or H_C). Generally, I do not recommend using GPO due to this incompatibility:

[attached screenshot]


If one wants to use GPO, it is better to also use AppLocker via GPO instead of WHHLight, SWH, or H_C.
 
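The incompatibility above comes down to the SRP (Safer) registry keys that WHHLight/SWH/H_C write being overwritten when policy is refreshed. The script below is an added example, not from the thread or from the WHHLight project: it snapshots those keys, waits while you apply your GPO change, snapshots again and reports whether anything moved, so you know when a re-run of WHHLight is needed. It assumes the policy is machine-wide under the standard Safer CodeIdentifiers key and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread or the WHHLight project): snapshot the
# SRP (Safer) policy keys WHHLight/SWH/H_C rely on, then compare after a GPO
# change to see whether the refresh reset them. Run elevated.
# Assumption: the policy lives under the standard machine-wide Safer key.
$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# DefaultLevel values are the SAFER_LEVELID_* constants.
$LevelNames = @{
    0       = 'Disallowed'
    0x1000  = 'Untrusted'
    0x10000 = 'Constrained'
    0x20000 = 'Basic User'
    0x40000 = 'Unrestricted'
}

function Get-SrpState {
    if (-not (Test-Path $SaferKey)) {
        return [pscustomobject]@{
            Present = $false; DefaultLevel = 'n/a'; PolicyScope = 'n/a'
            TransparentEnabled = 'n/a'; RuleCount = 0
        }
    }
    $p = Get-ItemProperty -Path $SaferKey
    # Path/hash rules live under <level>\Paths\{GUID} and <level>\Hashes\{GUID}.
    $rules = @(Get-ChildItem -Path $SaferKey -Recurse -ErrorAction SilentlyContinue |
               Where-Object { $_.PSChildName -match '^\{[0-9a-fA-F-]+\}$' }).Count
    $lvl = if ($null -eq $p.DefaultLevel) { 'unset' }
           elseif ($LevelNames.ContainsKey([int]$p.DefaultLevel)) { $LevelNames[[int]$p.DefaultLevel] }
           else { '0x{0:X}' -f $p.DefaultLevel }
    [pscustomobject]@{
        Present            = $true
        DefaultLevel       = $lvl
        PolicyScope        = $p.PolicyScope        # 0 = all users, 1 = all except local administrators
        TransparentEnabled = $p.TransparentEnabled # 1 = all files except libraries, 2 = including libraries
        RuleCount          = $rules
    }
}

$before = Get-SrpState
'--- SRP state before the GPO change ---'
$before | Format-List | Out-String
Read-Host 'Apply the policy via gpedit/gpupdate now, then press Enter'
$after = Get-SrpState
'--- SRP state after ---'
$after | Format-List | Out-String

# Flatten both snapshots to "Name=Value" strings and diff them.
$flat = { param($o) $o.PSObject.Properties | ForEach-Object { "$($_.Name)=$($_.Value)" } }
$changed = Compare-Object (& $flat $before) (& $flat $after)
if ($changed) { 'SRP settings changed; re-run WHHLight/SWH/H_C to restore them.' }
else          { 'SRP settings unchanged.' }
```

If the "after" snapshot shows Present = False, or DefaultLevel flipped to Unrestricted with RuleCount 0, the GPO refresh has cleared the SRP configuration, which matches the behaviour described in the post.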

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,965
@rashmi,

Here is an example of SWH/Powershell block due to Constrained Language mode that can be whitelisted:
[attached screenshot]


In the above example, the script Download_SystemNetWebClient.ps1 used the command New-Object, which is forbidden in Constrained Language. Other commands in this script were allowed.
The block will be avoided after adding the script file path "C:\Users\andrz\xxxxxxxxxxxxxxxxxxxxxx\Download_SystemNetWebClient.ps1" to the SWH whitelist. Only the script paths related to the Constrained Language (Error ID = CannotCreateTypeConstrainedLanguage) can be whitelisted. All other PowerShell blocks in the SWH <PowerShell> events cannot be whitelisted, like CmdLines blocked by Constrained Language or scripts blocked by PowerShell execution policies.
 
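To see what Constrained Language mode actually refuses, and which error ID each refusal carries, the following added example (not from the thread or from SWH) lowers a fresh PowerShell session to ConstrainedLanguage and probes a few calls. Lowering the language mode of the current session is permitted; raising it back is not, so use a throw-away window. The probe list is my own construction.

```powershell
# Added example (not from the thread): reproduce Constrained Language blocks
# in a throw-away session and show the FullyQualifiedErrorId for each one.
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'

function Test-ClmCall {
    param([scriptblock]$Action, [string]$Label)
    try {
        $null = & $Action
        [pscustomobject]@{ Step = $Label; Allowed = $true;  ErrorId = '' }
    } catch {
        [pscustomobject]@{ Step = $Label; Allowed = $false; ErrorId = $_.FullyQualifiedErrorId }
    }
}

@(
    # Cmdlets and core .NET types (DateTime, string, hashtable...) keep working.
    Test-ClmCall -Label 'Get-Date'                         -Action { Get-Date }
    Test-ClmCall -Label '(Get-Date).AddDays(1)  core type' -Action { (Get-Date).AddDays(1) }
    # Creating a non-core type is the block shown in the screenshot above.
    Test-ClmCall -Label 'New-Object System.Net.WebClient'  -Action { New-Object System.Net.WebClient -ErrorAction Stop }
    # The same type via a static method hits a different, method-invocation error.
    Test-ClmCall -Label '[System.Net.WebClient]::new()'    -Action { [System.Net.WebClient]::new() }
) | Format-Table -AutoSize

"Session language mode: $($ExecutionContext.SessionState.LanguageMode)"
```

The New-Object row reports `CannotCreateTypeConstrainedLanguage,Microsoft.PowerShell.Commands.NewObjectCommand`, the error ID the post says SWH can whitelist by script path. The `::new()` row fails with a method-invocation error ID instead, so by the rule stated above a script that fails that way would not be whitelistable.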

rashmi

Level 18
Jan 15, 2024
883
Group Policies (GPO) work on Windows Pro and some other editions (not on Windows Home). You can apply policies via GPO, but I recommend doing it only once in the beginning, running WHHLight (SWH or H_C) next, and then restarting Windows. Applying any new policy via GPO automatically turns OFF SRP used in WHHLight (SWH or H_C). You must turn it ON by running WHHLight (SWH or H_C). Generally, I do not recommend using GPO due to this incompatibility:
All my systems have both Windows 11 Home and Pro digital licenses. I don't use any Pro features except some group policies, which I can perform with registry tweaks. Do you think the Home Edition would be better overall, including security, if I don't use Pro features?

@rashmi,

All other PowerShell blocks in the SWH <PowerShell> events cannot be whitelisted, like CmdLines blocked by Constrained Language or scripts blocked by PowerShell execution policies.
For example, how would I override a CmdLine block by Constrained Language? Switch off SWH?

I reverted to a clean system image and installed WHHLight Tools. I remember WDAC blocking/logging "detect.dll" when running Hard Disk Sentinel Portable, but now the logs show:
Attempted Path = Data Name='File Name'>
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,965
All my systems have both Windows 11 Home and Pro digital licenses. I don't use any Pro features except some group policies, which I can perform with registry tweaks. Do you think the Home Edition would be better overall, including security, if I don't use Pro features?

There is no significant difference. Windows PRO has some advantages, like Windows Sandbox.

For example, how would I override a CmdLine block by Constrained Language? Switch off SWH?

Yes, you have to temporarily switch OFF SWH.

I reverted to a clean system image and installed WHHLight Tools. I remember WDAC blocking/logging "detect.dll" when running Hard Disk Sentinel Portable, but now the logs show:
Attempted Path = Data Name='File Name'>

Is something blocked?
 

rashmi

Level 18
Jan 15, 2024
883
Is something blocked?
Here is the log.

Event[0]:
Event Id = 3077
Local Time: 2025/04/30 09:44:02
Attempted Path = Data Name='File Name'>
Parent Process = C:\RashApps\hdsentinel_pro_portable\HDSentinel.exe
PolicyName = UserSpace Lock
UserWriteable = false

In my previous WHHLight tries, the "Attempted Path" always showed the "detect.dll" path.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,965
Here is the log.

Event[0]:
Event Id = 3077
Local Time: 2025/04/30 09:44:02
Attempted Path = Data Name='File Name'>
Parent Process = C:\RashApps\hdsentinel_pro_portable\HDSentinel.exe
PolicyName = UserSpace Lock
UserWriteable = false

In my previous WHHLight tries, the "Attempted Path" always showed the "detect.dll" path.

Can you identify this event in the Windows Event Viewer? It looks like a blocked LOLBin from Microsoft Block List.
 

rashmi

Level 18
Jan 15, 2024
883
Can you identify this event in the Windows Event Viewer? It looks like a blocked LOLBin from Microsoft Block List.
I couldn't find the event in the Windows Event Viewer. I tried removing the portable apps folder from the whitelist and also tried reinstalling WHHLight, but I get the same log for HDSentinel.

The logs show the path for an installer and an installed program.

Event[21]:
Event Id = 3077
Local Time: 2025/04/30 09:33:58
Attempted Path = C:\Users\rashmi\Downloads\AntDM-x64.2.15.4-setup.exe
Parent Process = C:\Windows\explorer.exe
PolicyName = UserSpace Lock
UserWriteable = true

Event[22]:
Event Id = 3077
Local Time: 2025/04/30 09:27:55
Attempted Path = C:\Windows\System32\mshta.exe
Parent Process = C:\Program Files\Wondershare\PDFelement11\FileAssociation.exe
PolicyName = UserSpace Lock
UserWriteable = false

I have to restart the system twice for WHHLight, and it is reproducible on my system. I tried it thrice on a clean system image with the same outcome. After installing WHHLight, I switch on WDAC, add the portable apps folder to the whitelist, click apply and close, and restart the system. After the system restart, I open WHHLight, check the SWH menu, check the WDAC whitelist, and close the whitelist window with "X." Closing WHHLight asks me to restart the system. After the second restart, I perform the same steps, and WHHLight closes with no message.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,965
Event[21]:
Event Id = 3077
Local Time: 2025/04/30 09:33:58
Attempted Path = C:\Users\rashmi\Downloads\AntDM-x64.2.15.4-setup.exe
Parent Process = C:\Windows\explorer.exe
PolicyName = UserSpace Lock
UserWriteable = true

Event[22]:
Event Id = 3077
Local Time: 2025/04/30 09:27:55
Attempted Path = C:\Windows\System32\mshta.exe
Parent Process = C:\Program Files\Wondershare\PDFelement11\FileAssociation.exe
PolicyName = UserSpace Lock
UserWriteable = false

Both blocks are normal.

In the first case, Microsoft ISG does not trust the application installer. To install the application, you can use "Run By SmartScreen."
The Installer tries to add the Firewall rule by using scripts (BAT or VBS) in the user temp folder:

Code:
netsh advfirewall firewall add rule name="AntDM" dir=in action=allow program="C:\Program Files\Ant Download Manager (x64)\AntDM.exe" enable=yes
SWH script restrictions block this action. You can run this CmdLine from the CMD console if needed. I am not sure why Ant Download Manager uses scripts for this.

In the second case, WHHLight blocks the LOLBin Mshta (dangerous) via Microsoft Recommended Block List. I am not sure why PDFelement wants to use it (no HTA files in the installation folder). Blocked LOLBins cannot be whitelisted.

Edit.
The Mshta block can probably be ignored, because the FileAssociation.exe is used to fix the PDF file association (PDFelement will open PDF files by default). You can easily do this via the Explorer right-click context menu.
 
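The entries discussed above are App Control (WDAC) block events, ID 3077 in the Microsoft-Windows-CodeIntegrity/Operational log. The following added example (not from the thread or from WHHLight) reads those events straight from the log and flattens the same fields the WHHLight log shows, reporting an empty "File Name" element explicitly, which is what the HDSentinel entry above looks like after the tool's extraction. It assumes the EventData element names 'File Name', 'Process Name', 'PolicyName' and 'UserWriteable' as used by current Windows 10/11 builds; any element that is absent simply comes back blank. The inline sample event is constructed, not a capture.

```powershell
# Added example (not from the thread or WHHLight): list WDAC block events
# (ID 3077) with the fields the thread's log shows. Assumption: the 3077
# EventData uses the element names 'File Name', 'Process Name', 'PolicyName'
# and 'UserWriteable'; missing elements are returned blank.
$EvtNs = 'http://schemas.microsoft.com/win/2004/08/events/event'

function ConvertFrom-CiBlockEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', $EvtNs)
    $data = @{}
    foreach ($d in $EventXml.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $file = $data['File Name']
    [pscustomobject]@{
        Time          = $EventXml.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        EventId       = $EventXml.SelectSingleNode('//e:System/e:EventID', $ns).InnerText
        # An empty element is reported as such instead of leaking raw XML.
        AttemptedPath = if ([string]::IsNullOrEmpty($file)) { '<empty File Name field>' } else { $file }
        ParentProcess = $data['Process Name']
        PolicyName    = $data['PolicyName']
        UserWriteable = $data['UserWriteable']
    }
}

# Live query; the CodeIntegrity log needs an elevated prompt.
function Get-CiBlockEvents {
    param([int]$Newest = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077 } `
                 -MaxEvents $Newest -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-CiBlockEvent -EventXml ([xml]$_.ToXml()) }
}

# Constructed sample (not a real capture), shaped like the mshta block above.
$sample = @"
<Event xmlns="$EvtNs">
  <System>
    <Provider Name="Microsoft-Windows-CodeIntegrity"/>
    <EventID>3077</EventID>
    <TimeCreated SystemTime="2025-04-30T09:27:55.0000000Z"/>
  </System>
  <EventData>
    <Data Name="File Name">C:\Windows\System32\mshta.exe</Data>
    <Data Name="Process Name">C:\Program Files\Wondershare\PDFelement11\FileAssociation.exe</Data>
    <Data Name="PolicyName">UserSpace Lock</Data>
    <Data Name="UserWriteable">false</Data>
  </EventData>
</Event>
"@
ConvertFrom-CiBlockEvent -EventXml ([xml]$sample) | Format-List

# Real events, newest first; filter on ParentProcess to find entries like the
# HDSentinel one whose File Name element is empty.
Get-CiBlockEvents | Format-Table Time, AttemptedPath, ParentProcess, PolicyName, UserWriteable -AutoSize
```

Filtering the live output with `Where-Object { $_.AttemptedPath -like '<empty*' }` isolates events whose File Name element the provider left empty, which is the case the thread's "Data Name='File Name'>" line corresponds to.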

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,965
I'm unsure why the HDSentinel Portable's log is different now.

That is how Microsoft ISG often works. The same behavior can be seen with Smart App Control. The untrusted executables (like "detect.dll") are analyzed (including Big Data from Microsoft cloud) and can become trusted after some time.
 

Parkinsond

Level 2
Dec 6, 2023
98
I use the fresh updated Windows 11 24H2 (Pro and Home editions) build 26100.3915.
After the Windows restart, the tweak is removed - the registry key is set to 0, and the SAC OFF setting is recovered in the Security Center.
It seems that in Windows 11 IoT Enterprise LTSC, the tweak can work differently.
Update: After reinstalling Windows 11 Ent IoT LTSC yesterday, the tweak did not work.
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
8,058
Isn't it possible to keep it activated? :)
Highly doubtful, unless there's some new tweak, otherwise SAC will be disabled after restart, as you can see from above posts.

You can reset while keeping files and some settings, and then you can enable it. That's what I did and it's the easiest way I know. So no need to do a clean install or a reset that wipes everything unless you really want to.
 

Parkinsond

Level 2
Dec 6, 2023
98
Highly doubtful, unless there's some new tweak, otherwise SAC will be disabled after restart, as you can see from above posts.

You can reset while keeping files and some settings, and then you can enable it. That's what I did and it's the easiest way I know. So no need to do a clean install or a reset that wipes everything unless you really want to.
Reset is a pain; re-install is faster.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,965
@Andy Ful Can't you activate Smart App Control in Windows 11 without reinstalling or formatting? I know you can edit it in the registry and leave it activated, but does it deactivate over time? Isn't it possible to keep it activated? :)

I have just re-tested the extended reg tweak I posted a few years ago, and it works on my fresh updated Windows 24H2. I am not sure if it will work on all machines.

One has to use the CMD from the recovery environment to modify the offline registry. It is easy for people who already know it (takes about one minute), but caution is required because:
  1. The recovery environment has its own Windows system (usually placed on disk X: ).
  2. Regedit in the Recovery environment shows the Registry related to the Windows Recovery system (usually placed on disk X: ) and not the Registry related to the "normal" Windows system.
  3. Recovery environment CMD is totally different from Safe Mode CMD (different Windows systems are used).
  4. If the "normal" Windows system is installed on disk C:, it can be seen in the recovery environment as C:, D:, E:, etc. For example, on my computer, it is E:.
  5. A mistake can brick your system.
I assume that the offline system is visible in the recovery environment as C: (if not, then another letter must be used like D:, E:, F:, etc.).
It is necessary to load the offline System Registry Hive from "C:\Windows\System32\config" to "HKEY_LOCAL_MACHINE\xxxxx" (I used xxxxx as the name of the new key where the offline System Hive is loaded) and set the following keys:

HKEY_LOCAL_MACHINE\xxxxx\SYSTEM\CurrentControlSet001\Control\CI\Policy
VerifiedAndReputablePolicyState = 2


HKEY_LOCAL_MACHINE\xxxxx\SYSTEM\CurrentControlSet001\Control\CI\Protected
VerifiedAndReputablePolicyStateMinValueSeen = 2

After unloading the "xxxxx" Hive and restarting Windows, the SAC is set in Security Center to Evaluation mode and can be changed to ON.

Edit 1.
This tip is only for advanced (and careful) users. Please use it in the virtual machine until you are certain that it is applied as intended. A mistake can spoil your system.

Edit 2.
Post updated (added some more information about Windows Recovery Environment).
 
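The offline-registry edit described above, scripted with the checks a careful administrator would add, as an added example that is not from the thread. It assumes you are booted into a Windows PE/RE that has PowerShell available (if yours only offers cmd.exe, the `reg.exe load` and `reg.exe unload` lines are the same there, with `reg add` in place of Set-ItemProperty), that `$OfflineRoot` is the letter the installed Windows shows under in that environment (point 4 above), and that `OfflineSys` is the temporary mount name, the "xxxxx" of the post. Two details the script handles instead of hard-coding: a loaded offline SYSTEM hive exposes ControlSet001, ControlSet002 and so on rather than a CurrentControlSet link, and the hive's Select\Current value records which of them is the active one. Try it in a virtual machine first.

```powershell
# Added example (not from the thread): perform the offline SYSTEM-hive edit
# from Windows PE/RE with safety checks. Assumptions: PowerShell is available
# in the PE/RE; $OfflineRoot is the installed Windows drive as seen from PE;
# 'OfflineSys' is the temporary mount name. Test in a VM first.
$OfflineRoot = 'C:'          # change to D:, E:, ... as point 4 above describes
$MountName   = 'OfflineSys'
$HiveFile    = Join-Path $OfflineRoot 'Windows\System32\config\SYSTEM'

# The MiniNT key only exists in a PE/RE session; the online hive cannot be loaded this way.
if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\MiniNT')) {
    throw 'Not running in Windows PE/RE. Boot the recovery environment first.'
}
if (-not (Test-Path $HiveFile)) {
    throw "No SYSTEM hive at $HiveFile. Check which letter the offline Windows has here."
}

& reg.exe load "HKLM\$MountName" $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg.exe load failed (wrong path or hive in use).' }

try {
    # Offline hives have no CurrentControlSet; Select\Current names the active ControlSet00N.
    $current   = (Get-ItemProperty -Path "HKLM:\$MountName\Select").Current
    $cs        = 'ControlSet{0:D3}' -f $current
    $policy    = "HKLM:\$MountName\$cs\Control\CI\Policy"
    $protected = "HKLM:\$MountName\$cs\Control\CI\Protected"

    if (-not (Test-Path "HKLM:\$MountName\$cs\Control\CI")) {
        throw "Control\CI key missing under $cs; refusing to guess."
    }
    foreach ($k in $policy, $protected) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }

    Set-ItemProperty -Path $policy    -Name VerifiedAndReputablePolicyState            -Type DWord -Value 2
    Set-ItemProperty -Path $protected -Name VerifiedAndReputablePolicyStateMinValueSeen -Type DWord -Value 2

    "Active control set: $cs"
    Get-ItemProperty -Path $policy    | Select-Object VerifiedAndReputablePolicyState
    Get-ItemProperty -Path $protected | Select-Object VerifiedAndReputablePolicyStateMinValueSeen
}
finally {
    # Drop provider handles so the unload succeeds, then detach the hive.
    [gc]::Collect()
    & reg.exe unload "HKLM\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg.exe unload failed; run: reg unload HKLM\$MountName" }
}
```

If the final unload fails, do not reboot until it succeeds, otherwise the offline hive stays dirty. After a successful unload and a normal boot, Security Center should show Smart App Control in Evaluation mode as the post describes.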

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
8,058
I have just re-tested the extended reg tweak I posted a few years ago, and it works on my fresh updated Windows 24H2. I am not sure if it will work on all machines.

One has to use the CMD from the recovery environment to modify the offline registry. It is easy for people who already know it (takes about one minute), but caution is required because:
Caution required because most users won't know how, or want to risk attempting this method, which means that the tweak essentially no longer works.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,965
Caution required because most users won't know how, or want to risk attempting this method, which means that the tweak essentially no longer works.

Most users should not try it. A better way would be to reset the system.
However, using the recovery environment with offline registry editing is relatively safe and easy for Administrators.
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
8,058
@Victor M You might want to check this.

What Are The Different Ways to Use App Control in Windows?

Windows includes a feature called Smart App Control. It acts as a fully automated Application Control system for your device. Being fully automated means it cannot be manually configured or overridden. Smart App Control leverages the Microsoft Intelligent Security Graph, which utilizes AI and advanced technologies to assess whether a file or program is safe to execute.

For those seeking more granular control, the AppControl Manager offers a highly intuitive graphical interface. It allows you to create detailed policies, specifying which files or programs are permitted to run. Policies can be defined using various criteria within the XML format. For example, you can create rules to block all files from running in a particular folder or allow only files signed with a specific certificate, effectively blocking unsigned or differently signed files. AppControl Manager provides a comprehensive suite of tools to manage and configure App Control on your system. With all functionalities built directly into the app, it eliminates the need to switch between different tools or interfaces, making the process seamless and efficient.

App Control is deeply integrated into Windows core and a component known as Code Integrity is mainly responsible for enforcing App Control policies that we create. It runs very early during the system boot, ensuring tight policy enforcement from the very beginning.
 
