AppLocker & SearchProtocolHost.exe

  • Question

  • I have enabled the Default Rule to allow all files for Administrators yet I see events from AppLocker that it blocked access to the file SEARCHPROTOCOLHOST.EXE for the User account SYSTEM which should not be the case.

    I even tried adding a Publisher Rule to allow all files from Microsoft and it still appeared.

    Is this a bug?

    Thursday, May 16, 2019 3:43 PM

All replies

  • Hi,

    Information of event id 8004: <File name> was not allowed to run.

    Access to <file name> is restricted by the administrator. Applied only when the Enforce rules enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.

    Configure an AppLocker policy for enforce rules: 

    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules

    Best regards,

    Yilia 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, May 17, 2019 6:19 AM
    Moderator
  • My rules are being enforced, since I see other rules which are being allowed and others which are blocked. It's only specific EXE files which are being blocked, and only for the SYSTEM account. Running as another Admin solves the problem.
    Sunday, May 19, 2019 5:18 AM
  • Hi,

    The system account and the administrator account (Administrators group) have the same file privileges, but they have different functions. In my opinion, the system account has no privilege because you enabled the Default Rule to allow all files for Administrators group.

    For your reference: https://support.microsoft.com/en-ae/help/120929/how-the-system-account-is-used-in-windows

    Best regards,

    Yilia 



    Thursday, May 23, 2019 5:35 AM
    Moderator
  • Of course I enabled the default rule! That's why I posted the question in the first place.

    Also, if you look at the documentation for AaronLocker, he states there that there is a bug that they are still researching where AppLocker blocks files, even though they are allowed:

    Files are blocked when they shouldn’t be

    On rare occasions, AppLocker blocks a file that it should allow, and the event data incorrectly reports the file as not signed. In addition, AppLocker caches the incorrect result indefinitely and never allows the file to run. This is because of a bug that is still being researched. Two workarounds are described here.

    Workaround 1: One workaround is to copy the file to a new name in the same directory, delete the original file, then rename the copy to the original name. These steps invalidate the cached result for that file, so the next time the file is referenced, AppLocker will reevaluate it and most likely do so correctly.

    Example:

    OneDrive fails to start. AppLocker event log reports an error with TELEMETRY.DLL and shows the file as not signed. Error information captured with Get-AppLockerEvents.ps1:

    GenericPath   : %LOCALAPPDATA%\MICROSOFT\ONEDRIVE\17.3.6816.0313\TELEMETRY.DLL
    GenericDir    : %LOCALAPPDATA%\MICROSOFT\ONEDRIVE\17.3.6816.0313
    OriginalPath  : %OSDRIVE%\USERS\TOBY\APPDATA\LOCAL\MICROSOFT\ONEDRIVE\17.3.6816.0313\TELEMETRY.DLL
    FileName      : TELEMETRY.DLL
    FileType      : DLL
    PublisherName : -
    ProductName   :
    BinaryName    :
    FileVersion   :
    Hash          : 0xB2FD0EC99D98D89CEB30C45D47F5418AA70CCCF78FC22CC3EABEF6F6E67AA17A
    UserSID       : S-1-5-21-3841777977-1772892211-860544140-1002
    UserName      : DESKTOP-L0DMFHV\Toby
    MachineName   : DESKTOP-L0DMFHV
    EventTime     : 2018-06-25T09:46:18.7067597
    PID           : 3476
    EventType     : Error

    However, Test-AppLockerPolicy says that current policy should allow the file:

    PS C:\> Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path "C:\Users\Toby\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\Telemetry.dll" | Format-List *

    FilePath       : C:\Users\Toby\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\Telemetry.dll
    PolicyDecision : Allowed
    MatchingRule   : Microsoft OneDrive (partial): Signer/product rule for O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US/MICROSOFT ONEDRIVE

    Implement the workaround:

    copy .\Telemetry.dll .\Workaround.file
    del .\Telemetry.dll
    ren .\Workaround.file Telemetry.dll

    Workaround 2: The second workaround is to disable AppLocker’s caching of “unsigned” results. Note however that this may cause performance degradation. To disable the result caching, configure the following registry value, and then reboot the computer:

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Appid]
    "IgnoreCacheUnsignedFiles"=dword:00000001

    I tried the above 2nd workaround but it didn't help. The first wasn't practical for the SearchProtocolHost.exe file which is a System file and owned by the Trusted Installer.

    Microsoft - please help!

    Thursday, May 23, 2019 5:46 AM
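As an added example (not code from this thread or from the AaronLocker project), the following PowerShell script surfaces the mismatch the post describes on a single machine: it reads event 8004 denials attributed to the SYSTEM SID from the AppLocker EXE and DLL log and runs Test-AppLockerPolicy for each blocked path against the effective policy. The AppLocker path-variable mapping in Expand-AppLockerPath is an assumption covering the common variables; run it elevated.

```powershell
# Added example: cross-check AppLocker 8004 denials for SYSTEM against the
# decision the effective policy gives for the same file and account.

# AppLocker logs paths with its own variables (%SYSTEM32%, %OSDRIVE%, ...).
# This map back to real paths is an assumption covering the common ones.
function Expand-AppLockerPath {
    param([string]$Path)
    $map = @{
        '%SYSTEM32%'     = "$env:windir\System32"
        '%WINDIR%'       = $env:windir
        '%PROGRAMFILES%' = $env:ProgramFiles
        '%OSDRIVE%'      = $env:SystemDrive
    }
    foreach ($k in $map.Keys) { $Path = $Path -ireplace [regex]::Escape($k), $map[$k] }
    return $Path
}

$systemSid = 'S-1-5-18'   # NT AUTHORITY\SYSTEM
$log = 'Microsoft-Windows-AppLocker/EXE and DLL'

# Event 8004 = "<file> was not allowed to run" (enforce mode). TargetUser is
# the SID of the account that tried to run the file; Fqbn is '-' when
# AppLocker treated the file as unsigned.
$denied = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8004 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $d.TargetUser
            FilePath = $d.FilePath
            Fqbn     = $d.Fqbn
        }
    } | Where-Object { $_.User -eq $systemSid }

$policy = Get-AppLockerPolicy -Effective

foreach ($e in $denied | Sort-Object FilePath -Unique) {
    $real = Expand-AppLockerPath $e.FilePath
    if (-not (Test-Path $real)) { continue }
    $r = Test-AppLockerPolicy -PolicyObject $policy -Path $real -User $systemSid
    # Denied in the log but Allowed by policy is the cached-"unsigned"
    # symptom described above; those rows are the ones to investigate.
    [pscustomobject]@{
        FilePath       = $real
        LoggedFqbn     = $e.Fqbn
        PolicyDecision = $r.PolicyDecision
        MatchingRule   = $r.MatchingRule
        Mismatch       = ($r.PolicyDecision -eq 'Allowed')
    }
}
```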
  • Hi,

    We can use the Windows 10 built-in Feedback Hub (type "feedback hub" in the search box) to give Microsoft valuable feedback, and I am going to submit this case to Microsoft via our channel.

    Thanks for your understanding.

    Best regards,

    Yilia 



    Monday, June 10, 2019 2:37 AM
    Moderator