Does PackageInspector.exe Support 32 bit desktop app to create catalog files correctly???

  • Question

  • Hi Expertz,

    I have been working on creating catalog files for desktop apps, both 32-bit & 64-bit, to make them run on Windows 10 10240 and 1511 Device Guard enforced machines.

    steps:

    1> Run powershell ISE as admin

    1> Start PackageInspector.exe

    PackageInspector.exe start C: -path C:\dist4\TeamViewer_Setup_en.exe

    2> Install  the exe file manually.

    3> stop the packageInspector & create cat file & cdf file for the scan done

    PackageInspector.exe stop C: -name C:\dist4\catalogteamvwr.cat -cdfpath c:\dist4\teamvwr.cdf

    4> Sign the catalogteamvwr.cat with my Internal code signing CA cert

    C:\X64\signtool.exe sign /n  "dg" /fd sha256 /v C:\dist4\catalogteamvwr.cat

    5> Place the catalog file on the Device Guard enforced machine whose SIPolicy.p7b does not allow any desktop app to install

    in location

    C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}

    6> The device does not show any warning message, but TeamViewer_Setup_en.exe does not show any sign of an installation prompt.

    7> I tried the above method for 64-bit VLC, vlc-2.2.4-win64.exe, and it worked.

    So I am quite doubtful why the 32-bit app is not installing & the 64-bit app is working with Device Guard UMCI.

    Does PackageInspector.exe have any issue with 32-bit apps, like not being able to create a proper catalog hash?

    Has anyone found this issue while working on it?


     



    Friday, July 8, 2016 12:37 PM

Answers

  • Hi,

    Your post introduces a detailed process of creating a catalog file; no problem, your measure is correct. The following link gives the same process.

    Create a catalog file for unsigned apps

    https://technet.microsoft.com/en-us/itpro/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices

    However, as you can see, when we use the PowerShell PackageInspector.exe command to make it, a 32-bit app can’t be allowed. This behavior is expected: PackageInspector.exe doesn’t support 32-bit apps, regardless of whether it is on a 32-bit or 64-bit machine. Your test also proves this point.

    Regards


    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com


    Monday, July 11, 2016 3:03 AM
    Moderator
  • Hi everyone,

    PackageInspector.exe works correctly only with Audit mode enabled.

    I found that PackageInspector.exe supports both 64-bit & 32-bit.

    While using PackageInspector.exe, it must be kept in mind that the reference machine has to be running a Device Guard Audit mode policy. That way it will create a correct catalog for both 64-bit & 32-bit apps.


    • Marked as answer by Dhanraj B Monday, July 18, 2016 11:41 AM
    • Edited by Dhanraj B Thursday, July 21, 2016 4:55 AM
    Monday, July 18, 2016 11:41 AM
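
The workflow from the question with the audit-mode precondition from the accepted answer put in front of it, as an added example that is not part of the original thread or Microsoft's own script. Paths, file names and the "dg" signer subject are the ones in the question; reading `CodeIntegrityPolicyEnforcementStatus` from `Win32_DeviceGuard` (0 = off, 1 = audit, 2 = enforced) is an assumption about how to confirm the reference machine's state and depends on the build exposing that property.

```powershell
# Added example, not from the thread. Run elevated on the reference machine.
$ErrorActionPreference = 'Stop'

$Installer = 'C:\dist4\TeamViewer_Setup_en.exe'   # values taken from the question
$Catalog   = 'C:\dist4\catalogteamvwr.cat'
$Cdf       = 'C:\dist4\teamvwr.cdf'
$SignTool  = 'C:\X64\signtool.exe'
$CatRoot   = 'C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}'

# Assumption: the build exposes CodeIntegrityPolicyEnforcementStatus
# (0 = off, 1 = audit, 2 = enforced). Refuse to scan unless it reads "audit".
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
$state = $dg.CodeIntegrityPolicyEnforcementStatus
if ($state -ne 1) {
    throw "Code integrity policy state is '$state', expected 1 (audit). Not starting the scan."
}

# Watch the volume, run the installer, and keep the scan open until setup is done.
& PackageInspector.exe start C: -path $Installer
try {
    Start-Process -FilePath $Installer -Wait
    Read-Host 'Finish setup, launch the application once, then press Enter' | Out-Null
}
finally {
    # Always stop the scan, even if the installer was cancelled.
    & PackageInspector.exe stop C: -name $Catalog -cdfpath $Cdf
}
if (-not (Test-Path -LiteralPath $Catalog)) {
    throw "PackageInspector did not write $Catalog"
}

# Sign with the internal code signing certificate, then check the signature
# before the catalog leaves the reference machine.
& $SignTool sign /n 'dg' /fd sha256 /v $Catalog
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

& $SignTool verify /pa /v $Catalog
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

Write-Output "Signed catalog ready: $Catalog"
Write-Output "Copy it to $CatRoot on the Device Guard enforced machine."
```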

All replies

  • Hi Teemo Tang,

    yes

    I followed that link to get things done.

    So it means that I won't be able to run a 32-bit app on Device Guard even after I use the signed catalog method. If that is so, it's a disadvantage of Device Guard.

    Are you sure about that?


    • Edited by Dhanraj B Monday, July 11, 2016 4:29 AM
    Monday, July 11, 2016 4:18 AM
  • Hi Teemo Tang,

    What is the point in cataloging TeamViewer or VLC in audit mode? You can install anything you want if Device Guard is running in audit mode. After the installation, just create a new code integrity policy with information from the logs and it will work in the future. So what is the whole point of PackageInspector?

    Could you please clarify? It would be much appreciated.

    Thursday, February 16, 2017 12:23 PM
  • Hei Kyon,

    When you want to create a catalog for the application to run after the Device guard is enabled, you need to take a reference windows 10 machine, enable device guard in audit mode & before installing the specific application run the packageinspector.exe. 

    Saturday, February 18, 2017 4:29 AM
  • Hei Kyon,

    When you want to create a catalog for the application to run after the Device guard is enabled, you need to take a reference windows 10 machine, enable device guard in audit mode & before installing the specific application run the packageinspector.exe. 

    Hi Dhanraj

    Thank you for your reply. My understanding is that you can achieve the same result if you just take the reference machine, run it in audit mode, install the application, create a new CI Policy using information from the log and then merge that policy with your old policy. Maybe I am not understanding something correctly.  From a technical point of view what does packageinspector do?

    Monday, February 20, 2017 8:30 AM
  • This is how PackageInspector.exe is used for Device Guard, to assist the code integrity policy, in this recent article:

    https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies

    Create catalog files

    The creation of a catalog file is a necessary step for adding an unsigned application to a code integrity policy.

    To create a catalog file, you use a tool called Package Inspector. You must also have a code integrity policy deployed in audit mode on the computer on which you run Package Inspector, because Package Inspector does not always detect installation files that have been removed from the computer during the installation process.

    Kyon, this is what I understand from this article.

    In addition to that, my thought: it takes much more time to create the CI policy than a catalog file, so it's a quick method to run an app in an environment where a CI policy is already enforced & you have cleverly already put the signer rule within that policy.

    So every time you create a catalog for an application, you sign the catalog with that signer cert, & the app will run; you do not need to create the policy again & again.


    • Edited by Dhanraj B Monday, February 27, 2017 12:57 PM
    • Proposed as answer by TestUser-Kyon Tuesday, March 7, 2017 9:50 AM
    Monday, February 27, 2017 12:43 PM