Serious Discussion WHHLight - simplified application control for Windows Home and Pro.

@Mods, thank you for combining (merging) @Parkinsond's posts, I was going to say something about the 4-5 singular posts in a row. Same with yesterday and about 4-5 separate links posted one after the other that were merged. I'm not attacking you Parkinsond, but it would be nice if at times you waited 15-30 minutes to "let the paint dry" on some of your thoughts, LOL, before posting one-sentence replies, and used multi-quote more often? :)
I am replying to posts on a thread more than 30 pages long; how am I going to combine replies for posts on several pages?
 
> I am replying to posts on a thread more than 30 pages long; how am I going to combine replies for posts on several pages?
Use multi-quote? And they were one after the other, as the Mod evidently thought when combining (merging) your replies above. As was yesterday's case of multiple links posted one after the other to prove your point. You can become defensive and always have a reason and excuse, rather than saying "okay, thanks" or letting it go :) Apologies, but maybe I need to let you go for a while so I don't get myself so worked up about so little (maybe my issue :)) and don't derail this thread any more? Cheers :)
 
> Use multi-quote? And they were one after the other, as the Mod evidently thought when combining (merging) your replies above. As was yesterday's case of multiple links posted one after the other to prove your point. You can become defensive and always have a reason and excuse, rather than saying "okay, thanks" or letting it go :) Apologies, but maybe I need to let you go for a while so I don't get myself so worked up about so little (maybe my issue :)) and don't derail this thread any more? Cheers :)
I start reading a 90+ page thread, post by post; I find a post to reply to, I reply, and I do not know whether I am going to reply again to another post in a very long page or not.
I find another post 2 miles down the page, I reply, and so on.
 
So if the installer was blocked by both an ASR rule and WDAC, turning WDAC off temporarily for installing will bypass WDAC (the installed app will launch as it is located in non-writable space) but not the ASR rule (as this space is not excluded by default, unlike the case with WDAC)?

Yes.

Also this step could be blocked by "Block JavaScript or VBScript from launching downloaded executable content" ASR rule.

Yes, in the case of that concrete attack. But, not if the JScript only downloads the payload but uses PowerShell or another LOLBin to run it. I have seen such examples in the wild.

You mean the user double click the script or right click and run as admin, or just opening (or extracting) the archive will launch the script without user interaction with the script?

In both methods, user interaction is required.
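The gap described in the exchange above is that the "Block JavaScript or VBScript from launching downloaded executable content" ASR rule covers the script host launching a downloaded executable itself, but not a script that only downloads the payload and then hands execution to PowerShell or another LOLBin. The following PowerShell audit is an added example written for this thread, not code from WHHLight or from Andy Ful: it reads the current ASR configuration, reports the mode of that rule and of its sibling rule for obfuscated scripts, and checks whether Windows Script Host is disabled machine-wide, which is the tightening that removes wscript/cscript as the first link regardless of what the script does next. The rule GUIDs are Microsoft's documented identifiers; the report logic and the optional -Fix switch are the example's own, and -Fix assumes nothing on the machine legitimately needs wscript or cscript.

```powershell
# Added example (not WHHLight code): audit the ASR rules discussed in this thread
# and the Windows Script Host switch that backs them up. Run elevated.
# -Fix sets any rule not in Block mode to Block and disables WSH
# (assumption: no legitimate wscript/cscript use on this machine).
param([switch]$Fix)

# GUIDs are Microsoft's documented ASR rule identifiers.
$rules = @{
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
}
# Action values as reported by Get-MpPreference: 0 off, 1 block, 2 audit, 6 warn.
$modes = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref = Get-MpPreference
# Ids and Actions are index-aligned arrays; build a lookup of rule -> action.
$configured = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $configured[$pref.AttackSurfaceReductionRules_Ids[$i].ToLower()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
}

foreach ($id in $rules.Keys) {
    # A rule that is not configured at all behaves as disabled.
    $action = if ($configured.ContainsKey($id)) { $configured[$id] } else { 0 }
    $state = if ($modes.ContainsKey($action)) { $modes[$action] } else { "Unknown($action)" }
    "{0,-8} {1}" -f $state, $rules[$id]
    if ($Fix -and $action -ne 1) {
        # Add-MpPreference appends this rule without touching the others.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
        "         -> set to Block"
    }
}

# The JS/VBS rule only covers the script host launching a downloaded executable
# itself; a script that downloads and then calls PowerShell is outside its scope.
# Disabling WSH machine-wide stops wscript/cscript from running any script.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$wsh = Get-ItemProperty -Path $wshKey -Name Enabled -ErrorAction SilentlyContinue
$wshEnabled = ($null -eq $wsh) -or ([int]$wsh.Enabled -ne 0)   # absent value means enabled
"{0,-8} Windows Script Host (wscript.exe / cscript.exe)" -f $(if ($wshEnabled) { 'Enabled' } else { 'Disabled' })
if ($Fix -and $wshEnabled) {
    New-Item -Path $wshKey -Force | Out-Null
    Set-ItemProperty -Path $wshKey -Name Enabled -Value 0 -Type DWord
    "         -> WSH disabled (applies to new script launches)"
}
```

Run it once without -Fix to see the current state; the output shows each rule's mode and whether WSH is still enabled. Switching WSH off is the broader control of the two, because it does not depend on what the script does after downloading, which is exactly the case the ASR rule leaves open.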
 
> I start reading a 90+ page thread, post by post; I find a post to reply to, I reply, and I do not know whether I am going to reply again to another post in a very long page or not.
> I find another post 2 miles down the page, I reply, and so on.
It's still possible to multi-quote but some trial and error is needed until you get the hang of it.
 
> It's still possible to multi-quote but some trial and error is needed until you get the hang of it.
I will not risk losing focus on the precious content of CD and WHHL threads for multiquoting on replies divided on several pages; you will find too many fragmented replies (not multiquote) for useless posts all around.
 
Has anyone come across this problem which I've been facing recently with ESET and WHHL? If I enable only WDAC and SS, the ESET context menu is displayed, but the moment I toggle SWH to ON, the ESET context menu disappears after a reboot. Any help would be greatly appreciated @Andy Ful
 
> Has anyone come across this problem which I've been facing recently with ESET and WHHL? If I enable only WDAC and SS, the ESET context menu is displayed, but the moment I toggle SWH to ON, the ESET context menu disappears after a reboot. Any help would be greatly appreciated @Andy Ful

Did you look at the SWH events?
 
> Did you look at the SWH events?
Yes, I've looked at both WDAC and SWH events but nothing is blocked. I'm pretty sure that there is some conflict between ESET and the SWH part of WHHL, since the problem shows up on 2 different computers and I've spent more than a week trying to find the solution and whether WHHL and ESET are indeed to blame. It doesn't happen with other AVs like McAfee or Norton or BD or K, only ESET.
 
> It doesn't happen with other AVs like McAfee or Norton or BD or K, only ESET.

The issue is explained here:

Unfortunately, the AppInstaller cannot be tweaked in WHHLight.
Eset uses a separate EsetContextMenu.msix application, which is not signed by Microsoft. WHHLight blocks it.
So this Eset's feature is incompatible with SWH in WHHLight.
 
I have powershell, wscript & cscript blocked by firewall. Is that enough?
"I've noticed that files that are currently located in C:\Windows, can be copied to alternative locations. So if a malicious script needed to utilize, for example, certutil.exe which is normally located at C:\Windows\System32\certutil.exe, they could just perform a "copy C:\Windows\System32\certutil.exe mynewcertutil.exe" and then call the new executable instead of the one in the System32 folder.

Is there a better way to prevent LoLbins from communicating on the network short of installing third party software (that includes sysmon)?"
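The concern in the quoted text is that a Windows Firewall rule identifies a program by its exact path, so the same certutil.exe copied to another location is a different program as far as the rule is concerned. The following PowerShell audit is an added example written for this thread, not code from FirewallHardening or WHHLight: it lists the enabled outbound block rules that are keyed to a program path, reports what each rule pins for the LOLBins named in the thread, and then shows each profile's default outbound action, which is what decides the fate of a program no rule names. The list of LOLBin file names is the example's own choice. A copy also has to live somewhere writable before it can run, which is territory application control (the WDAC part of WHHLight discussed earlier) addresses rather than the firewall.

```powershell
# Added example (not FirewallHardening or WHHLight code): read-only audit of the
# outbound firewall position for the LOLBins named in this thread. Run elevated.

# LOLBins the thread talks about blocking outbound by path (example's own list).
$lolbins = 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'certutil.exe', 'cmd.exe'

# 1. Collect enabled outbound block rules that match on a program path.
$pathBlocks = foreach ($rule in Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True) {
    $app = $rule | Get-NetFirewallApplicationFilter
    if ($app.Program -and $app.Program -ne 'Any') {
        [pscustomobject]@{ Rule = $rule.DisplayName; Program = $app.Program }
    }
}

# 2. Each rule is keyed to one exact path, so it says nothing about the same
#    binary copied elsewhere. Report what each LOLBin's rule actually pins.
foreach ($name in $lolbins) {
    $hits = @($pathBlocks | Where-Object { [IO.Path]::GetFileName($_.Program) -ieq $name })
    if ($hits.Count -eq 0) {
        "{0,-15} no path-based outbound block" -f $name
    } else {
        foreach ($h in $hits) { "{0,-15} blocked only at {1}  (rule: {2})" -f $name, $h.Program, $h.Rule }
    }
}

# 3. A program no rule names gets the profile's default outbound action.
#    'Block' with explicit allow rules means a copied LOLBin has nothing to match
#    and is denied; 'Allow' means the path rules above are the only barrier.
foreach ($p in Get-NetFirewallProfile) {
    "{0,-8} DefaultOutboundAction = {1}" -f $p.Name, $p.DefaultOutboundAction
}
```

If the last three lines all read Allow, the per-path rules are doing all the work and a relocated binary is outside their reach; the check is informational and changes nothing, so it is safe to run on a machine already using FirewallHardening rules.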
 
SWH did not cause any issues with ESET. Is there any difference between SWH and the SRP in WHHL? Also if I use WHHL without the SWH part and only use SS & WDAC, will it provide better protection than SAC?

Not for scripting. FirewallHardening restrictions are OK, but additional restrictions for PowerShell, Windows Script Host, and CMD can be recommended. I am unsure how good Eset's scripting protection is.
 
> Not for scripting. FirewallHardening restrictions are OK, but additional restrictions for PowerShell, Windows Script Host, and CMD can be recommended. I am unsure how good Eset's scripting protection is.
TBH I don't trust the script protection of ANY AV. That's why I used SWH with all my AVs. Since SWH is discontinued, I switched to WHHL. @SeriousHoax since you have access to the ESET forums, can you inform them about the issue? Although I highly doubt Marcos would be of any help at all. It's because of that guy I've decided not to renew ESET after my subscription expires (not to mention the lack of a folder guard in IS). Until ESET can resolve the issue, I'll live without the context menu.
 
> Until ESET can resolve the issue, I'll live without the context menu.

I do not use context menu scans at all. However, such scans can sometimes be important, for example, when sharing files with other people.
I think that most scenarios can be covered via custom scans from the AV application.