Tutorial Windows Pro owner? Use Software Restriction Policies!

Andy Ful

Have you tried to remove all files in "CiPolicies\Active" folder?
Yes.
It seems that also WDAC does not work after the SAC is turned off (from Evaluation or ON mode).
I removed all SAC policies from the "Active" folder (Trusted Installer privileges are required) and applied my own policy. The WDAC policy that works well on Windows 10, does not work at all on clean installed Windows 11 with 2020 update and SAC turned OFF.
The same WDAC policy and SRP work well on Windows 11 with 2020 update, when upgrading from Windows 10.
 

oldschool

Thanks for posting your SRP test results. (y)

@Furyo Yes, I read the entire docs. But of course M$ doesn't document any changes, breakages, etc. to SRP in light of the introduction of SAC, other than adding it to the Deprecated list years ago. So now we have broken SRP, complex WAC and experimental SAC. I'll continue to use Defender along with the rest of the plebes.

Andy Ful

So now we have broken SRP, complex WAC and experimental SAC.
We have now broken SRP and WDAC. For now, both do not work on clean installed Windows 11 with 2020 update. When SAC is On or set to Evaluate mode, one cannot replace SAC policies with custom WDAC policies. After turning OFF the SAC, WDAC does not work just like SRP (tested on Windows Pro).

WhiteMouse

Yes.
It seems that also WDAC does not work after the SAC is turned off (from Evaluation or ON mode).
I removed all SAC policies from the "Active" folder (Trusted Installer privileges are required) and applied my own policy. The WDAC policy that works well on Windows 10, does not work at all on clean installed Windows 11 with 2020 update and SAC turned OFF.
The same WDAC policy and SRP work well on Windows 11 with 2020 update, when upgrading from Windows 10.
Do you use .cip or .bin with Group Policy? When I used .bin with GPO, it didn't work but then I switched to .cip and just copied that file to \Active and it works properly.

Andy Ful

Do you use .cip or .bin with Group Policy? When I used .bin with GPO, it didn't work but then I switched to .cip and just copied that file to \Active and it works properly.
I use .cip policy in \Active directory.

Do you use a clean installation of Windows 11 with the latest update and SAC set to Evaluate or OFF?

If SAC is ON then it runs on WDAC, but you cannot change the policies. If I correctly recall, even if you will use your own WDAC policy file - the SAC policies in EFI should override your WDAC policies.

WhiteMouse

I use .cip policy in \Active directory.

Do you use a clean installation of Windows 11 with the latest update and SAC set to Evaluate or OFF?

If SAC is ON then it runs on WDAC, but you cannot change the policies. If I correctly recall, even if you will use your own WDAC policy file - the SAC policies in EFI should override your WDAC policies.
Yes, I use a clean installation of Windows 11, SAC is Evaluation -> Off.
I haven't tested this (will do it later), but if SAC is on and you put another base policy inside that folder, both can co-exist. A file must be allowed by both policies to be able to run. That's how multiple WDAC policies work.

Andy Ful

Yes, I use a clean installation of Windows 11, SAC is Evaluation -> Off.
I haven't tested this (will do it later), but if SAC is on and you put another base policy inside that folder, both can co-exist. A file must be allowed by both policies to be able to run. That's how multiple WDAC policies work.
If I correctly recall, in my tests this did not work. Adding custom multiple policies did not change anything.
Of course, that worked on Windows 10.

WhiteMouse

If I correctly recall, in my tests this did not work. Adding custom multiple policies did not change anything.
Of course, that worked on Windows 10.
It works on my computer. The funny thing is IVPN was blocked by my custom policy, but Windows thought it was blocked by SAC. After I removed my custom policy, IVPN launched with no issues.

ForgottenSeer 95367

But of course M$ doesn't document any changes, breakages, etc. to SRP in light of the introduction of SAC
Microsoft could have broken it deliberately or might not even know that it broke it. With these builds it is hard to know. A quick look online about 22H2 and it is evident that it is a troublesome release with multiple problems.

The Big M is keenly aware that if it tampers with legacy, those that use legacy will be alienated from adopting W11. WDAC remains in a wonky state of usability and functionality, and is not close to being a proper replacement for SRP. Far too many organizations use the legacy SRP for M$ to abruptly cast SRP down the disposal pipe.

ForgottenSeer 95367

It works on my computer. The funny thing is IVPN was blocked by my custom policy, but Windows thought it was blocked by SAC. After I removed my custom policy, IVPN launched with no issues.
It would be nice if you translated what the notification says. The only other person here at MT that can read it is @show-Zi.

Andy Ful

It works on my computer. The funny thing is IVPN was blocked by my custom policy, but Windows thought it was blocked by SAC. After I removed my custom policy, IVPN launched with no issues.
Interesting. Could you post here the XML file of your custom policy?
Do you use Windows Home or Pro?
I assume that you use a clean installation of Windows 11 with the 2022 update and SAC is turned ON.
From your post, it follows that your .cip policy is in the \Active folder together with 6 policy files of SAC.

WhiteMouse

Interesting. Could you post here the XML file of your custom policy?
Do you use Windows Home or Pro?
I assume that you use a clean installation of Windows 11 with the 2022 update and SAC is turned ON.
From your post, it follows that your .cip policy is in the \Active folder together with 6 policy files of SAC.
I use Windows 11 Education, converted WindowsDefault_Enforced.xml to .cip and my answer is yes for everything below the second question.

Andy Ful

I use Windows 11 Education, converted WindowsDefault_Enforced.xml to .cip and my answer is yes for everything below the second question.
After some experiments, I managed to spoil the SAC protection. Windows Security Center shows that SAC is ON, but I can run anything I want. The files are checked by SAC and violate code integrity, but SAC does not block them. It thinks that policies are in auditing mode. I deleted all SAC policies and applied my custom policy very similar to the base policy of SAC, but with a different GUID.
To skirt around SAC, the Trusted Installer privileges are required. The binary policy file was not configured to audit mode and normally blocks executables.
A similar effect can be forced by removing SAC policies (no WDAC/SAC policies at all). In this case, Event Log does not log CodeIntegrity events.

WhiteMouse

I didn't trust the On/Off button in Windows Security. I had a file that's guaranteed to be blocked by SAC to test it, and confirmed SAC was On before applying DefaultWindows_Enforced.

And did you restart the computer after turning SAC on, btw?

ForgottenSeer 95367

After some experiments, I managed to spoil the SAC protection. Windows Security Center shows that SAC is ON, but I can run anything I want. The files are checked by SAC and violate code integrity, but SAC does not block them. It thinks that policies are in auditing mode. I deleted all SAC policies and applied my custom policy very similar to the base policy of SAC, but with a different GUID.
To skirt around SAC, the Trusted Installer privileges are required. The binary policy file was not configured to audit mode and normally blocks executables.
A similar effect can be forced by removing SAC policies (no WDAC/SAC policies at all). In this case, Event Log does not log CodeIntegrity events.
@Andy Ful doing the testing that Microsoft should be doing itself.
Andy Ful

Today I have repeated my tests (Windows 11 Home ver 22H2 Insider OS build 25201.1000):
  1. Turn Off the Internet connection.
  2. Start from the snapshot SAC ON.
  3. Run suspicious application = blocked with SAC alert. Check Event Log, blocked events logged (Id=3033 and 3077). Event Log also logs that the 4 policies were refreshed and activated (Id=3099). One of these policies is {d2bda982-...}.cip (Windows Driver Policy) which is absent in the "\Active" directory.
  4. Rename all policies in the "\Active" directory (reboot).
  5. Run suspicious application = allowed. Check Event Log, events not logged (reboot).
  6. Restore the names of original policies in the "\Active" directory (reboot).
  7. Run suspicious application = blocked with SAC alert. Check Event Log, blocked events logged.
So it is possible to enable/disable SAC without turning it OFF in the Security Center. I tested this with a disabled Internet connection. So some more tests are required.
I do not recommend this method on the real system, because it is not documented by anyone. (y)

Post updated.
When making a backup and restoring the policies (by copying them from the backup) the file permissions can be changed (lowered), so one has to do it by preserving NTFS file permissions. It is easier to rename the policies without removing them. In my test, I added the "B" letter at the front of the policy name.
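The test above shows that the Windows Security toggle can say "SAC is ON" while nothing is actually enforced. The following PowerShell check, added here as an example and not code from the thread or from Hard_Configurator, reads the real enforcement state instead: it lists the .cip files in \Active, reads the Device Guard enforcement status, reads the SAC registry value, and looks for the Code Integrity events (3033, 3077, 3099) that the thread uses as evidence. The registry value name and the Win32_DeviceGuard property names are assumed from Microsoft's documentation; run it in an elevated PowerShell.

```powershell
# Added example: verify what Code Integrity is really enforcing on this machine
# rather than trusting the Windows Security "Smart App Control" toggle.
$activeDir = "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active"
$ciLog     = 'Microsoft-Windows-CodeIntegrity/Operational'

# 1. Policy files currently in \Active (SAC ships several .cip files here; a renamed
#    or missing set is exactly the condition the thread describes).
Write-Host "Policies in ${activeDir}:"
Get-ChildItem -Path $activeDir -Filter '*.cip' -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize

# 2. Enforcement state as reported by Device Guard: 0 = off, 1 = audit, 2 = enforced.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
[pscustomobject]@{
    KernelModeCI = $dg.CodeIntegrityPolicyEnforcementStatus
    UserModeCI   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
} | Format-List

# 3. SAC state recorded in the registry (assumed value name; 0 = off, 1 = on, 2 = evaluation).
$sacKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
$sac = (Get-ItemProperty -Path $sacKey -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
Write-Host "VerifiedAndReputablePolicyState = $(if ($null -eq $sac) { '<not set>' } else { $sac })"

# 4. Code Integrity events from the last 24 hours. 3099 = policy refreshed/activated,
#    3033 and 3077 = file violated policy / blocked. Policies that load (3099) but never
#    produce 3077 when a known-bad test file runs are not enforcing, whatever the toggle says.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = $ciLog; Id = 3033, 3077, 3099; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No CodeIntegrity events (3033/3077/3099) in the last 24h: policies may not be active.'
} else {
    $events | Group-Object Id | Select-Object @{n = 'EventId'; e = { $_.Name }}, Count | Format-Table -AutoSize
    $events | Where-Object Id -eq 3077 | Select-Object -First 5 TimeCreated, Message | Format-List
}
```

Compare the output across the states in the thread (SAC ON, policies renamed, names restored): the toggle stays the same while the event counts and the policy list change.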

ForgottenSeer 95367

Today I have repeated my tests (Windows 11 Home ver 22H2 Insider OS build 25201.1000):
  1. Turn Off the Internet connection.
  2. Start from the snapshot SAC ON.
  3. Run suspicious application = blocked with SAC alert. Check Event Log, blocked events logged (Id=3033 and 3077). Event Log also logs that the 4 policies were refreshed and activated (Id=3099). One of these policies is {d2bda982-...}.cip (Windows Driver Policy) which is absent in the "\Active" directory.
  4. Rename all policies in the "\Active" directory (reboot).
  5. Run suspicious application = allowed. Check Event Log, events not logged (reboot).
  6. Restore the names of original policies in the "\Active" directory (reboot).
  7. Run suspicious application = blocked with SAC alert. Check Event Log, blocked events logged.
So it is possible to enable/disable SAC without turning it OFF in the Security Center. I tested this with a disabled Internet connection. So some more tests are required.
I do not recommend this method on the real system, because it is not documented by anyone. (y)

Post updated.
When making a backup and restoring the policies (by copying them from the backup) the file permissions can be changed (lowered), so one has to do it by preserving NTFS file permissions. It is easier to rename the policies without removing them. In my test, I added the "B" letter at the front of the policy name.
Put in "\Active" directory both:
1. Original.cip
2. Re-named.cip
:ROFLMAO:
