Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

What does SAC give you over WDAC? They seem to end up the same?

Although SAC uses WDAC-based policies, it cannot be fully replicated by WDAC and vice versa.
For example:
  1. SAC allows by default PE files (EXE, DLL, etc.) that are signed with any valid certificates (the certificate does not have to be specified). WDAC cannot replicate this (you must explicitly include a concrete certificate in the policy).
  2. SAC blocks by default some file types downloaded from the Internet (such as APPREF-MS, BAT, CMD, CHM, CPL, IMG, ISO, JS, JSE, LNK, MSC, MSP, REG, VBE, VBS, VHD, VHDX, and WSF). WDAC does not block scripts but can restrict their content (VBScript, JScript, PowerShell).
In WHHLight, I use SAC + SWH or WDAC light settings + SWH.
SWH can block far more file types than SAC.

WDAC Wizard and Spynetgirl's App Control Manager do not work on Windows Home. Managing WDAC on Windows Home requires another treatment, which I use in WHHLight.
 
While I was using Windows 10, WDAC was actually blocking .cmd files from launching.
However, I do find WHHLight a much easier solution; thank you for your innovations 🤝
 
It is impossible. WDAC can block cmd[.]exe, but cannot block *.cmd or *.bat scripts.
I'm certain; it was just like enforcing script rules with AppLocker.
Once you try to launch the cmd file as admin, it pops up for a fraction of a second and is then terminated.
That is why I always delay using WDAC until I finish using my scripts after installing Windows.
 

This behavior is common without blocking *.cmd scripts. You probably used Windows policy (or reg tweak) to disable CMD.
Similar behavior can be forced by blocking cmd[.]exe via WDAC or Exploit Protection.
The inability to block *.cmd and *.bat scripts (without blocking cmd[.]exe) is also documented by Microsoft:
 
This happens with WDAC when I unselect "disable enforcing script rules"; if selected, the cmd file launches but in constrained language mode.
 
This happens with WDAC when I choose "enforce script rules"; if not selected, the cmd file launches but in constrained language mode.

Can you post the blocked event when the cmd file is restricted by Constrained Language? What is the event ID?
For PowerShell the event ID = 4100, for example:

 
Currently, I'm not able to implement WDAC on Windows 11; WDAC wizard fails to create the policy file at the end.
In addition, multiple cip files in C:\Windows\System32\CodeIntegrity\CIPolicies\Active are undeletable.
 
I have managed to apply WDAC using the wizard by excluding the recommended block rules!
When tested on a cmd file, it was not blocked but launched in constrained language mode.
You are correct; but this was not the case when using WDAC on Windows 10; I'm dead sure.
 

The picture is unrelated to *.cmd scripts. Can you post the script content?
 
Tried twice to paste its copied content from Notepad.
Every time I try to do so, the MalwareTips page hangs!

I know why you thought that the *.cmd script was restricted by WDAC. Your script probably contains the PowerShell CmdLine, which WDAC restricts via PowerShell Constrained Language. The script is not restricted directly, but indirectly via the content related to PowerShell.
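An added example (not from the thread or from WHHLight) of how to tell the two cases apart on the machine in question: it lists WDAC Code Integrity events (3076 = audit, 3077 = enforced block) and PowerShell 4100 events that mention Constrained Language from a recent time window. The $Minutes parameter and the 60-minute default are assumptions; run it in an elevated PowerShell.

```powershell
# Added example: distinguish a real WDAC block of a PE file (Code Integrity 3077)
# from a .cmd script whose embedded PowerShell command line was merely put into
# Constrained Language Mode (PowerShell 4100). The time window is an assumption.
param([int]$Minutes = 60)

$since = (Get-Date).AddMinutes(-$Minutes)

# 1. Is this PowerShell host itself restricted by the active WDAC policy?
"Current language mode: $($ExecutionContext.SessionState.LanguageMode)"

# 2. Genuine WDAC decisions live in the Code Integrity operational log.
#    3077 = file blocked under an enforced policy, 3076 = would be blocked (audit mode).
$ci = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $ci) {
    $mode = if ($e.Id -eq 3077) { 'BLOCKED' } else { 'AUDIT' }
    # First line of the message names the file that did not meet the policy
    "{0} [{1}] CI {2}: {3}" -f $e.TimeCreated, $mode, $e.Id, ($e.Message -split "`n")[0]
}

# 3. PowerShell 4100 is a generic engine error; keep only the Constrained Language ones.
$ps = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4100
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ConstrainedLanguage|language mode' }

foreach ($e in $ps) {
    "{0} [CLM] PowerShell 4100: {1}" -f $e.TimeCreated, ($e.Message -split "`n")[0]
}
```

A 4100 entry alone shows that PowerShell content inside the script was restricted, not that the .cmd file was blocked; a block of the script file itself would appear as a Code Integrity 3077 (for a PE) or an AppLocker 8029 script event, never as a PowerShell engine error.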
 
You mean, if it does not contain the PowerShell CmdLine, WDAC would allow it to run?
 