Determine AppLocker mode?

clicked

This is tangentially an AutoIt question. AppLocker can run in "Audit only" mode or "Enforce rules" mode. I can't find any scriptable way to determine this setting. The PowerShell AppLockerPolicy cmdlets are for checking files and rules, but not AppLocker mode. Is there a Windows API call or something that can determine this?

Tripredacus

What I would do is get a test system together, using a VM or whatever you want. Install 7 Enterprise. Create an AppLocker rule for something like calc.exe, run ProcMon and enable the Enforce Rules mode. Stop ProcMon and look for any registry entries it may have set for it. Otherwise, you can dig around in WMI to see if the setting is recorded there.


clicked

Thanks, those are good suggestions. It provoked me into a quick "applocker registry" and "applocker wmi" search, which produced nothing. So I guess if there is a way, and there may not be, it will involve digging around the hard way and finding a visible setting that Windows changes for AppLocker enforcement, just like you suggest.

Tripredacus

> Thanks, those are good suggestions. It provoked me into a quick "applocker registry" and "applocker wmi" search, which produced nothing.

Of course! I looked around Google for about 10 minutes before giving up and making my post. :rolleyes:

clicked

> Of course! I looked around Google for about 10 minutes before giving up and making my post. :rolleyes:

My comment didn't come across like I wanted it to. I actually didn't think of googling AppLocker registry settings or WMI, so I am grateful for your suggestion. Thanks again. Edited by clicked

clicked

Solved.

Just export the policy as XML. The XML file contains an indication of audit-only or enforcement for each policy type (exe, dll, script, installer).

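The export-and-parse approach above, worked through as an added example (this is not code from the thread). It uses the real `Get-AppLockerPolicy -Effective -Xml` cmdlet to pull the merged local+domain policy as XML, then reads the `EnforcementMode` attribute that each `<RuleCollection>` element carries. The values AppLocker writes there are `NotConfigured`, `AuditOnly` and `Enabled`; a collection that is missing from the XML altogether is treated as not configured. The optional `-XmlPath` parameter and the function name are my own.

```powershell
# Added example, not from the original post: report the enforcement mode of
# every AppLocker rule collection from the effective policy XML.
# Needs the AppLocker PowerShell module (Windows 7 Enterprise/Ultimate,
# Server 2008 R2 and later) and an elevated session for -Effective.

function Get-AppLockerEnforcementMode {
    [CmdletBinding()]
    param(
        # Optional: a policy file exported from the AppLocker MMC snap-in or
        # produced with "Get-AppLockerPolicy -Effective -Xml | Out-File".
        [string]$XmlPath
    )

    if ($XmlPath) {
        [xml]$policy = Get-Content -LiteralPath $XmlPath -Raw
    } else {
        # -Effective merges local and domain policy; -Xml returns the raw XML string.
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    }

    # Layout: <AppLockerPolicy><RuleCollection Type="Exe" EnforcementMode="Enabled">...
    # The Type attribute is one of Exe, Dll, Msi, Script, Appx (Appx from Windows 8 on).
    foreach ($type in 'Exe', 'Dll', 'Msi', 'Script', 'Appx') {
        $rc = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq $type }

        # A collection absent from the XML, or present without an EnforcementMode
        # attribute, is not configured and therefore neither audited nor enforced.
        $mode = if ($rc -and $rc.EnforcementMode) { $rc.EnforcementMode } else { 'NotConfigured' }

        # Child elements are the rules themselves (FilePathRule, FilePublisherRule, FileHashRule).
        $ruleCount = if ($rc) { @($rc.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count } else { 0 }

        [pscustomobject]@{
            Collection      = $type
            EnforcementMode = $mode       # NotConfigured | AuditOnly | Enabled
            RuleCount       = $ruleCount
        }
    }
}

# Usage: live policy, or a previously exported file.
Get-AppLockerEnforcementMode | Format-Table -AutoSize
# Get-AppLockerEnforcementMode -XmlPath 'C:\temp\applocker.xml' | Format-Table -AutoSize
```

One caveat a practitioner will want: `EnforcementMode="Enabled"` in the policy says what AppLocker is configured to do, not what it is doing. Rules are only evaluated while the Application Identity service (`AppIDSvc`) is running, so a reported "Enabled" collection on a machine where that service is stopped is not being enforced at all. Checking `Get-Service AppIDSvc` alongside the policy is the cheap way to close that gap.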
careca

May I add that all changes you have done in AppLocker will be saved under the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{009EA05A-7976-4BCE-B4ED-1CF105DB5402}Machine\Software\Policies\Microsoft\Windows\SrpV2

There are 3 more keys under this; they correspond to the exe, msi and script rules.

EDIT: FYI, I found this with the nice tool RegFromApp, which traces the changes made by a specific process.

When this doesn't work for some reason I use Process Monitor, AKA ProcMon.

Edited by careca

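The registry route from the post above, as an added example that is not part of the thread. The `Group Policy Objects\{GUID}Machine\...` key the post names is the client-side cache of the local GPO; the copy AppLocker itself reads is the machine policy hive at `HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2`, with one subkey per collection (`Exe`, `Dll`, `Msi`, `Script`, `Appx`). The `EnforcementMode` DWORD under each collection (0 = audit only, 1 = enforce, value absent = not configured) and the rule-per-GUID-subkey layout are taken from my own systems, not from the post; treat them as assumptions and confirm them on a test box with ProcMon or RegFromApp as the post suggests. The function names are mine. The script also checks the `AppIDSvc` service, since policy without that service running enforces nothing.

```powershell
# Added example, not from the original post: determine AppLocker mode from the
# machine policy registry hive and cross-check the enforcing service.
# Assumptions (verify with ProcMon on your build): per-collection key
# HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2\<Exe|Dll|Msi|Script|Appx>,
# DWORD EnforcementMode 0 = AuditOnly, 1 = Enabled, absent = NotConfigured,
# and one GUID-named subkey per rule. Requires PowerShell 3.0 or later.

$SrpV2 = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'

function Get-AppLockerRegistryMode {
    foreach ($type in 'Exe', 'Dll', 'Msi', 'Script', 'Appx') {
        $keyPath   = Join-Path $SrpV2 $type
        $mode      = 'NotConfigured'
        $ruleCount = 0

        if (Test-Path -LiteralPath $keyPath) {
            $key   = Get-Item -LiteralPath $keyPath
            $value = $key.GetValue('EnforcementMode', $null)   # $null when the value is absent
            if ($null -ne $value) {
                $mode = switch ([int]$value) {
                    0       { 'AuditOnly' }
                    1       { 'Enabled' }
                    default { "Unknown($value)" }              # flag anything unexpected rather than guess
                }
            }
            # Each rule lives in its own GUID-named subkey, so the subkey count is the rule count.
            $ruleCount = $key.SubKeyCount
        }

        [pscustomobject]@{
            Collection      = $type
            EnforcementMode = $mode
            RuleCount       = $ruleCount
        }
    }
}

function Test-AppLockerActive {
    # "Enabled" in policy only matters if the Application Identity service is running.
    $svc      = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $enforced = @(Get-AppLockerRegistryMode | Where-Object { $_.EnforcementMode -eq 'Enabled' })

    [pscustomobject]@{
        ServiceStatus        = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        EnforcedCollections  = ($enforced | ForEach-Object { $_.Collection }) -join ','
        EffectivelyEnforcing = [bool]($svc -and $svc.Status -eq 'Running' -and $enforced.Count -gt 0)
    }
}

Get-AppLockerRegistryMode | Format-Table -AutoSize
Test-AppLockerActive | Format-List
```

Reading the hive directly is useful from an AutoIt script or any tool that cannot load the AppLocker module, but it only sees the policy that Group Policy has already written to `HKLM`; a freshly edited local GPO that has not been refreshed (`gpupdate /force`) will still show the old mode here while the `Get-AppLockerPolicy -Local` view already reflects the change.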