Applocker Issues Creating Rule for Screensaver File

    Question

  • Currently our organization has a batch file that runs at login; it copies a SCR file and all images (JPEG) into the computer's C:\System32 folder.  We then have a group policy that forces the specified screensaver.  We are converting over to using AppLocker and are currently running in Audit mode to ensure we have as seamless a transition as possible when we switch to enforce.  That being said, the one event that keeps popping up as "was allowed to run but would have been prevented from running if the AppLocker Policy were enforced" is the screensaver.scr file that is located in the computer's system32 folder.  Please note this is showing in the AppLocker "EXE and DLL" Audit logs.  I tried creating a new rule (both manual and automatic) to add the specified file (by file hash or publisher), but it will only allow me to add EXE or COM file types.  Short of creating a rule that allows everything in the System32 directory to run (which I am not going to do for security vulnerability reasons), how do I get my screensaver SCR file to be allowed to run using AppLocker?
    Tuesday, September 22, 2015 4:20 PM

Answers

  • Hi novaman,

    You are right. This thread has been moved three times, it will spend so much time. We suggest you re-post this case to Windows server forum.

    Thank you for your understanding.

    Best regards,

    Jim

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Jim Xu
    TechNet Community Support

    Monday, September 28, 2015 6:59 AM

All replies

  • Hi novaman,

    Thank you for your question.

    For this issue, we suggest you redirect this case to the following forum:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?category=Windowsserver

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.

    Best regards,

    Jim

    Jim Xu
    TechNet Community Support

    Friday, September 25, 2015 5:54 AM
  • Can this thread be moved?  The moderators have already moved it around 3 times....
    Friday, September 25, 2015 4:11 PM
  • I encountered this issue as well:

    Get-AppLockerFileInformation C:\Windows\System32\scrnsave.scr | New-AppLockerPolicy

    "WARNING: Rules cannot be created for the following files: %SYSTEM32%\SCRNSAVE.SCR"

    I found someone else was having the same trouble: http://blog.cluris.com/2012/07/inconsistent-identification-of.html

    This KB states the files will be blocked, and that you should make explicit path rules if the files are needed. You don't, however, need to white-list the whole system32 directory, though even if you did, that's protected by admin rights anyway. With admin rights, you could simply turn off AppLocker. Also worth noting: AppLocker offers to create "default rules" for you, and one of those white-lists the whole Windows directory (including system32, of course).

    What did you end up doing with your deployment?


    Mike Crowley | MVP
    My Blog -- Baseline Technologies




    • Proposed as answer by Mike Crowley Monday, October 19, 2015 7:22 PM
    • Edited by Mike Crowley Monday, October 19, 2015 8:27 PM
    Monday, October 19, 2015 7:15 PM
  • Moved the screen saver files to their own directory and white listed it.  Then used a GP to point the machines to look to the new location of the SCR file...

    -Jimmy Senior IT Analyst II

    Monday, October 19, 2015 8:27 PM
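
The approach the thread settles on (a dedicated screensaver folder allowed by an explicit path rule) is sketched below as an added example; it is not code from any of the posters. The folder path, rule name and output file are assumptions. It checks that the folder is not writable by ordinary users before allowing it, writes the path rule as AppLocker policy XML, and then looks for remaining audit warnings for .scr files.

```powershell
# Added example; the folder, rule name and output file below are assumptions.
$dir = 'C:\ProgramData\CorpScreensaver'          # hypothetical dedicated folder
$xml = Join-Path $env:TEMP 'screensaver-applocker.xml'

# 1. A path rule is only as strong as the folder ACL. New folders under
#    C:\ProgramData can inherit create/write rights for ordinary users, so list
#    every Allow ACE that lets a non-administrative principal write here.
$rights  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask    = [int]$rights -bor 0x50000000          # also GENERIC_WRITE / GENERIC_ALL
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
$risky = (Get-Acl -Path $dir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band $mask) -and
    $trusted -notcontains $_.IdentityReference.Value
}
if ($risky) {
    $risky | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    throw "Users can write to $dir; fix the ACL before allowing it in AppLocker."
}

# 2. Path rule in the Exe collection (the thread reports .scr events in the
#    "EXE and DLL" log). S-1-1-0 is Everyone. EnforcementMode is left
#    NotConfigured in this fragment; the mode is set in the main policy.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow corporate screensaver folder"
                  Description="Added example rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$dir\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $xml -Encoding UTF8

# On a test machine the fragment can be merged into the local policy:
# Set-AppLockerPolicy -XmlPolicy $xml -Merge

# 3. After the next logon, look for remaining audit warnings (event 8003:
#    "was allowed to run but would have been prevented") that mention .scr files.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object Message -like '*.scr*' |
    Select-Object TimeCreated, Message
```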