Applocker, Windows 10, audit warning PS1 script

    Question

  • Hi

    I have Windows 10 computers with the default AppLocker script rules in a GPO in AUDIT mode.

    I see several warnings in the AppLocker event log from all computers that look like this:

    %OSDRIVE%\USERS\USERNAME\APPDATA\LOCAL\TEMP\WHDU3YAH.DXA.PS1 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

    The actual script files change all the time and are not in the folder anymore when I check. Has anybody else seen this before?

    Wednesday, November 2, 2016 12:58 PM
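    The messages quoted in this question (and the "was prevented from running" variant that appears later in the thread) can be triaged automatically so that the expected 8-character.3-character temp-script noise is separated from script executions that actually need review. The following Python is an added example, not code from the original thread; the sample messages are constructed to match the shape quoted above, and the names `parse_message`, `classify` and `triage` are assumptions of this example.

```python
import re

# Constructed sample messages in the shape the thread quotes (not real log exports).
SAMPLE_MESSAGES = [
    r"%OSDRIVE%\USERS\USERNAME\APPDATA\LOCAL\TEMP\WHDU3YAH.DXA.PS1 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.",
    r"%OSDRIVE%\USERS\USERNAME\APPDATA\LOCAL\TEMP\__PSSCRIPTPOLICYTEST_EUPMCRDD.HL2.PSM1 was prevented from running.",
    r"%OSDRIVE%\USERS\USERNAME\DOWNLOADS\INVOICE.PS1 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.",
    r"%PROGRAMFILES%\VENDOR\TOOL.EXE was allowed to run but would have been prevented from running if the AppLocker policy were enforced.",
]

# The two message bodies AppLocker writes: audit-only ("would have been prevented")
# and enforced ("was prevented").
MESSAGE_RE = re.compile(
    r"^(?P<path>.+?) was "
    r"(?P<outcome>allowed to run but would have been prevented from running if the AppLocker policy were enforced"
    r"|prevented from running)\.$"
)

# The temp-script naming pattern described in the thread: 8 random characters,
# a dot, 3 random characters, then .PS1 or .PSM1, optionally prefixed with
# __PSSCRIPTPOLICYTEST_ (the prefix added in later Windows 10 builds), living
# directly under \APPDATA\LOCAL\TEMP.
TEMP_PROBE_RE = re.compile(
    r"\\APPDATA\\LOCAL\\TEMP\\(__PSSCRIPTPOLICYTEST_)?[A-Z0-9]{8}\.[A-Z0-9]{3}\.PSM?1$",
    re.IGNORECASE,
)


def parse_message(msg: str):
    """Split an AppLocker script message into its path and outcome ('audit' or 'blocked')."""
    m = MESSAGE_RE.match(msg.strip())
    if not m:
        return None
    outcome = "audit" if m.group("outcome").startswith("allowed") else "blocked"
    return {"path": m.group("path"), "outcome": outcome}


def classify(msg: str) -> str:
    """Label a message: 'ps-policy-probe' for the known temp-script pattern,
    'review' for any other script/executable decision, 'unparsed' otherwise."""
    parsed = parse_message(msg)
    if parsed is None:
        return "unparsed"
    if TEMP_PROBE_RE.search(parsed["path"]):
        return "ps-policy-probe"
    return "review"


def triage(messages) -> dict:
    """Count messages per label so the noise volume is visible at a glance."""
    counts: dict = {}
    for msg in messages:
        label = classify(msg)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f"{classify(msg):16s} {parse_message(msg)}")
    print(triage(SAMPLE_MESSAGES))
```

    A 'ps-policy-probe' message with outcome 'blocked' (rather than 'audit') is the case to watch for in enforce mode: it means the probe was denied and PowerShell on that host will be running in Constrained Language mode, which is the situation the later replies in this thread address with a hash rule.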

All replies

  • > %OSDRIVE%\USERS\USERNAME\APPDATA\LOCAL\TEMP\WHDU3YAH.DXA.PS1 was

    I'd suggest running Process Monitor with a filter for %temp% and check
    who creates/executes these scripts...

    • Proposed as answer by Todd Heron Wednesday, November 2, 2016 8:37 PM
    Wednesday, November 2, 2016 1:38 PM
  • I am just noticing this as well. Did you ever figure this out? I am thinking it is part of AppLocker but would like to be positive.
    Thursday, February 2, 2017 1:29 AM
  • The appdata\local\temp\randomstring.ps1 files I see in my environment are created by App-V when syncing published apps on login, and are deleted when the process completes.
    Tuesday, April 11, 2017 2:24 AM
  • We are in the same boat. I have the same .ps1 files being picked up by AppLocker running in Audit Mode in %OSDRIVE%\USERS\UserName\APPDATA\LOCAL\TEMP\xxxxxxxxxx.PS1 and each relates to App-V - generally Sync-PublishingServer but not solely. SURELY this has to be something wrong with our setup and App-V shouldn't be running these scripts from the Local Temp folder.

    I removed the App-V client from PC just to be certain and the scripts stop.

    I am going to log a new question under the App-V forum as I anticipate someone there may know a little more. Will post back here if I get any satisfactory answers.

    Wednesday, May 3, 2017 10:27 AM
  • Answer from the other thread: "That's by design with PowerShell version 5.0. We had the same issue and opened a support case for this some months ago.

    MS created a "fix" in Win 10 Creators Update. The behavior for the PS script generated on the fly has been adapted. They added a prefix to the PS script, so that we can add an AppLocker exclusion. We hoped for a better fix, but we need to live with it."

    Not ideal but it is what it is.

    Wednesday, May 3, 2017 1:14 PM
  • Nothing wrong with your setup. If you are set to refresh App-V applications on login, the App-V client runs a VBS script that launches a signed PowerShell script. Both are located in the installation folder of the App-V client. The signed PowerShell script generates a unique .ps1 file in the user's appdata\local\temp folder for each assigned App-V application that is needed on the system, and those files pull down the applications from the shared store.
    Wednesday, May 3, 2017 1:15 PM
  • > Answer from the other thread: "That's by design with PowerShell version 5.0. We had the same issue and opened a support case for this some months ago.

    Yes, they create a file containing "1" and try to run it. If it succeeds, they assume AppLocker is NOT enabled. If it is blocked, PS5 switches to Constrained Language mode.

    Instead of creating a path rule, you could simply create a file containing just the number 1, then create a hash rule for it.

    Tuesday, May 9, 2017 8:39 AM
  • Thank you for this information.

    I created a .ps1 file that contained '1' as the only text. I then saved this and generated the hash (through AppLocker rule creation, under Scripts) from that file; however, I still get the random string .ps1 being denied.

    The random files are always named in the following format XXXXXXXX.XXX.psm1

    So always 8 characters then 3 then file format.

    Have I done something wrong?

    Wednesday, June 14, 2017 5:36 AM
  • > I created a .ps1 file that contained '1' as the only text.

    Encoding ASCII :-) File size when viewed with "dir" must be 1 Byte, no Cr/Lf afterwards.

    Wednesday, June 14, 2017 1:27 PM
  • It works for me.

    More info here: https://deploymentresearch.com/Research/Post/641/PSScriptPolicyTest-script-gets-blocked-by-AppLocker-in-the-event-log-Why-and-what-are-those-files

    Thanks for the info

    Wednesday, June 28, 2017 3:19 PM
  • I created a file in Notepad containing only the character "1" (without the quote) and saved it in the default ANSI format (ASCII is not available). I positively verified in the file property that the file length is 1 byte.

    I denied my account "Delete files" in its temp directory and directly grabbed the file from there :-)

    Type="SHA256"
    Data="0x6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"

    Correct:
         <FileHashRule Id="a05dd722-59bb-4945-9120-b51c70b4d075" Name="Powershell Constrained Language AppLocker Testfile" Description="https://community.spiceworks.com/topic/1451109-srp-whitelist-causing-odd-behavior-in-powershell-v5" UserOrGroupSid="S-1-1-0" Action="Allow">
          <Conditions>
            <FileHashCondition>
              <FileHash Type="SHA256" Data="0x6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B" SourceFileName="cutiyvz2.ykt.ps1" SourceFileLength="1" />
            </FileHashCondition>
          </Conditions>
        </FileHashRule>

    BUT when launching PowerShell, I'm still in "Constrained" language mode and I can see an AppLocker event saying "... \APPDATA\LOCAL\TEMP\__PSSCRIPTPOLICYTEST_EUPMCRDD.HL2.PSM1 was prevented from running."

    Changing rules AFAIK requires a reboot.

    Thursday, June 29, 2017 8:13 AM