device guard in audit mode blocks dll load?

  • Question

  • I was under the assumption, based on the LOB section of the device guard deployment doc

    https://technet.microsoft.com/en-us/library/mt463091(v=vs.85).aspx

    that device guard in audit mode will not block code execution, but only log violations in the Windows CodeIntegrity section of Events Viewer with text like:

    "{description of code integrity event}...  However, due to code integrity auditing policy, the image was allowed to load."

    Subsequent to the initial policy scan, device guard has allowed me to install 2 apps which generate a number of code integrity events; this was allowed due to device guard being in audit mode.
    However, I attempted to install an audio player named foobar2000, and it appears device guard blocked the app from loading a couple of DLLs - zlib1.dll and shellext64.dll. I have successfully installed this app under Windows 10 not running device guard.

    Event Viewer details:

    Log Name:      Microsoft-Windows-CodeIntegrity/Operational
    Source:        Microsoft-Windows-CodeIntegrity
    Date:          10/3/2015 5:16:24 AM
    Event ID:      3033
    Task Category: (1)
    Level:         Error
    Keywords:     
    User:          DESKTOP-B0VK1BD\username
    Computer:      DESKTOP-B0VK1BD
    Description:
    Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files (x86)\foobar2000\foobar2000.exe) attempted to load \Device\HarddiskVolume3\Program Files (x86)\foobar2000\zlib1.dll that did not meet the Enterprise signing level requirements.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-CodeIntegrity" Guid="{4EE76BD8-3CF4-44A0-A0AC-3937643E37A3}" />
        <EventID>3033</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>1</Task>
        <Opcode>111</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2015-10-03T12:16:24.722040200Z" />
        <EventRecordID>110</EventRecordID>
        <Correlation />
        <Execution ProcessID="7068" ThreadID="5796" />
        <Channel>Microsoft-Windows-CodeIntegrity/Operational</Channel>
        <Computer>DESKTOP-B0VK1BD</Computer>
        <Security UserID="S-1-5-21-2952197959-1199841044-3225321744-1001" />
      </System>
      <EventData>
        <Data Name="FileNameLength">64</Data>
        <Data Name="FileNameBuffer">\Device\HarddiskVolume3\Program Files (x86)\foobar2000\zlib1.dll</Data>
        <Data Name="ProcessNameLength">69</Data>
        <Data Name="ProcessNameBuffer">\Device\HarddiskVolume3\Program Files (x86)\foobar2000\foobar2000.exe</Data>
        <Data Name="RequestedPolicy">2</Data>
        <Data Name="ValidatedPolicy">1</Data>
        <Data Name="Status">3221227013</Data>
      </EventData>
    </Event>
    Saturday, October 3, 2015 12:42 PM
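    As an added example (not from the thread, and not Microsoft's own tooling): a PowerShell script that pulls the Code Integrity events the question refers to and separates entries carrying the audit-mode "the image was allowed to load" wording from entries that lack it, while also extracting the required signing level ("Windows" vs "Enterprise") and the EventData fields shown above. It assumes an elevated local session; event IDs 3076/3077 are the documented WDAC audit/enforce image-load IDs, and 3033 is the ID seen in this thread.

```powershell
# Added example, not from the thread or from Microsoft: triage Code Integrity
# events so that audit-mode entries (logged but allowed) are separated from
# entries that do not carry the "allowed to load" wording. Assumes an elevated
# local run and the log name shown in the thread.
$LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
$Since   = (Get-Date).AddDays(-7)
# 3033 is the ID seen in the thread; 3076/3077 are the WDAC audit/enforce
# image-load IDs. Trim the list if you only care about one of them.
$Ids     = 3033, 3076, 3077

function Get-CiLoadEvents {
    param([string]$Log = $LogName, [int[]]$Id = $Ids, [datetime]$StartTime = $Since)
    $filter = @{ LogName = $Log; Id = $Id; StartTime = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        # EventData is a flat list of <Data Name="..."> nodes, as in the event above.
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # The distinction the question hinges on: audit mode appends this sentence.
        $auditAllowed = $_.Message -match 'the image was allowed to load'
        # Which signing level was required ("Windows" vs "Enterprise" in the thread).
        $level = if ($_.Message -match 'did not meet the (\w+) signing level') { $Matches[1] } else { '' }
        # Status is logged as a decimal NTSTATUS; show it as hex for lookup.
        $status = if ($data.Status) { '0x{0:X8}' -f [uint32]$data.Status } else { '' }
        [pscustomobject]@{
            Time            = $_.TimeCreated
            Id              = $_.Id
            Verdict         = if ($auditAllowed) { 'AuditAllowed' } else { 'NoAuditAllowance' }
            SigningLevel    = $level
            RequestedPolicy = $data.RequestedPolicy
            ValidatedPolicy = $data.ValidatedPolicy
            Status          = $status
            Process         = $data.ProcessNameBuffer
            Image           = $data.FileNameBuffer
        }
    }
}

$events = Get-CiLoadEvents
# Summary: how many of each verdict per required signing level.
$events | Group-Object Verdict, SigningLevel | Select-Object Count, Name | Format-Table -AutoSize
# Detail for anything that was not explicitly allowed by audit mode.
$events | Where-Object Verdict -ne 'AuditAllowed' |
    Sort-Object Time | Format-Table Time, Id, SigningLevel, Status, Image -AutoSize
```

    Events that show up under NoAuditAllowance with SigningLevel "Enterprise" are the ones worth comparing against the active policy, since that is the wording the moderator below singles out.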

Answers

  • Hi skipkrasch,

    I found the error message for a normal symptom of the audit mode should be "did not meet the Windows signing level requirements".
    According to your error messages, it is "do not meet the Enterprise signing level requirements". Have you deployed any related group policy except the device guard?

    Best regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Monday, October 5, 2015 5:52 AM
    Moderator

All replies

  • Hi MeipoXu,

    As far as I know, the only policy I deployed was device guard. Is there a way to audit what group policy might have been deployed?

    Regards, Skip

    Tuesday, October 6, 2015 2:17 PM
  • Hi skipkrasch,

    "Is there a way to audit what group policy might have been deployed?"
    We could open an administrator command line and run "gpresult /r /z >gpresult.txt" to check the gp result.

    Best regards



    Thursday, October 8, 2015 6:41 AM
    Moderator
  • Hello MeipoXu,

    A long delay replying - I had to wait for the threshold release to get audit guard updated due to an issue where it would not go into audit mode once I had added a few apps and scanned.

    Anyway, the issue remains:

    Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files (x86)\foobar2000\foobar2000.exe) attempted to load \Device\HarddiskVolume3\Program Files (x86)\foobar2000\zlib1.dll that did not meet the Enterprise signing level requirements.

    So, below is the output of running "gpresult /r /z >gpresult.txt". I am not seeing what might cause the Enterprise signing requirement, as opposed to Windows.


    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    c 2016 Microsoft Corporation. All rights reserved.
    Created on 12/13/2015 at 8:33:28 AM
    RSOP data for MA-DESKTOP\mandrews on MA-DESKTOP : Logging Mode
    ---------------------------------------------------------------
    OS Configuration:            Standalone Workstation
    OS Version:                  10.0.10586
    Site Name:                   N/A
    Roaming Profile:             N/A
    Local Profile:               C:\Users\mandrews
    Connected over a slow link?: No

    COMPUTER SETTINGS
    ------------------
       
        Last time Group Policy was applied: 12/13/2015 at 8:31:14 AM
        Group Policy was applied from:      N/A
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        MA-DESKTOP
        Domain Type:                        <Local Computer>
        Applied Group Policy Objects
        -----------------------------
            N/A
        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)
        The computer is a part of the following security groups
        -------------------------------------------------------
            System Mandatory Level
            Everyone
            BUILTIN\Users
            NT AUTHORITY\SERVICE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            BDESVC
            BITS
            CertPropSvc
            DcpSvc
            dmwappushservice
            DoSvc
            DsmSvc
            Eaphost
            IKEEXT
            iphlpsvc
            LanmanServer
            lfsvc
            MSiSCSI
            NcaSvc
            NetSetupSvc
            RasAuto
            RasMan
            RemoteAccess
            RetailDemo
            Schedule
            SCPolicySvc
            SENS
            SessionEnv
            SharedAccess
            ShellHWDetection
            UsoSvc
            wercplsupport
            Winmgmt
            wlidsvc
            wuauserv
            XboxNetApiSvc
            LOCAL
            BUILTIN\Administrators
           
        Resultant Set Of Policies for Computer
        ---------------------------------------
            Software Installations
            ----------------------
                N/A
            Startup Scripts
            ---------------
                N/A
            Shutdown Scripts
            ----------------
                N/A
            Account Policies
            ----------------
                N/A
            Audit Policy
            ------------
                N/A
            User Rights
            -----------
                N/A
            Security Options
            ----------------
                N/A
                N/A
            Event Log Settings
            ------------------
                N/A
            Restricted Groups
            -----------------
                N/A
            System Services
            ---------------
                N/A
            Registry Settings
            -----------------
                N/A
            File System Settings
            --------------------
                N/A
            Public Key Policies
            -------------------
                N/A
            Administrative Templates
            ------------------------
                N/A

    USER SETTINGS
    --------------
       
        Last time Group Policy was applied: 12/13/2015 at 8:31:20 AM
        Group Policy was applied from:      N/A
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        MA-DESKTOP
        Domain Type:                        <Local Computer>
       
        Applied Group Policy Objects
        -----------------------------
            N/A
        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)
        The user is a part of the following security groups
        ---------------------------------------------------
            None
            Everyone
            Local account and member of Administrators group
            BUILTIN\Administrators
            Performance Log Users
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            Local account
            LOCAL
            NTLM Authentication
            High Mandatory Level
           
        The user has the following security privileges
        ----------------------------------------------
            Bypass traverse checking
            Manage auditing and security log
            Back up files and directories
            Restore files and directories
            Change the system time
            Shut down the system
            Force shutdown from a remote system
            Take ownership of files or other objects
            Debug programs
            Modify firmware environment values
            Profile system performance
            Profile single process
            Increase scheduling priority
            Load and unload device drivers
            Create a pagefile
            Adjust memory quotas for a process
            Remove computer from docking station
            Perform volume maintenance tasks
            Impersonate a client after authentication
            Create global objects
            Change the time zone
            Create symbolic links
            Increase a process working set
        Resultant Set Of Policies for User
        -----------------------------------
            Software Installations
            ----------------------
                N/A
            Logon Scripts
            -------------
                N/A
            Logoff Scripts
            --------------
                N/A
            Public Key Policies
            -------------------
                N/A
            Administrative Templates
            ------------------------
                N/A
            Folder Redirection
            ------------------
                N/A
            Internet Explorer Browser User Interface
            ----------------------------------------
                N/A
            Internet Explorer Connection
            ----------------------------
                N/A
            Internet Explorer URLs
            ----------------------
                N/A
            Internet Explorer Security
            --------------------------
                N/A
            Internet Explorer Programs
            --------------------------
                N/A

    Sunday, December 13, 2015 4:43 PM