Determine AppLocker mode?


clicked

This is tangentially an AutoIt question. AppLocker can run in "Audit only" mode or "Enforce rules" mode. I can't find any scriptable way to determine this setting. The PowerShell AppLockerPolicy cmdlets are for checking files and rules, but not AppLocker mode. Is there a Windows API call or something that can determine this?


What I would do is get a test system together, using a VM or whatever you want. Install 7 Enterprise. Create an AppLocker rule for something like calc.exe, run ProcMon and enable the Enforce Rules mode. Stop ProcMon and look for any registry entries it may have set for it. Otherwise, you can dig around in WMI to see if the setting is recorded there.


Thanks, those are good suggestions. It provoked me into a quick "applocker registry" and "applocker wmi" search, which produced nothing. So I guess if there is a way, and there may not be, it will involve digging around the hard way and finding a visible setting that Windows changes for AppLocker enforcement, just like you suggest.


Of course! I looked around google for about 10 minutes before giving up and making my post. :rolleyes:

My comment didn't come over like I wanted it to. I actually didn't think of googling AppLocker registry settings or WMI, so I am grateful for your suggestion. Thanks again.

Edited by clicked


May I add that all changes you have done in AppLocker will be saved under the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{009EA05A-7976-4BCE-B4ED-1CF105DB5402}Machine\Software\Policies\Microsoft\Windows\SrpV2

There are 3 more keys under this; they correspond to the exe, msi and script rules.

EDIT: FYI, found this with the nice tool RegFromApp, which traces the changes made by a specific process.

When this doesn't work for some reason, I use Process Monitor, AKA ProcMon.

Edited by careca
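As an added example (not code from any poster in this thread), a PowerShell check that reports the AppLocker enforcement mode per rule collection. It reads the machine-wide policy key under HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2, which is what the AppLocker service consumes, rather than the per-GPO key quoted above; it assumes each collection subkey (Exe, Msi, Script, and on newer systems Dll and Appx) carries an EnforcementMode DWORD (0 = not configured, 1 = enforce rules, 2 = audit only), cross-checks the result against Get-AppLockerPolicy -Effective -Xml, and confirms the Application Identity service is actually running, since a configured mode does nothing without it.

```powershell
# Added example: report AppLocker enforcement mode per rule collection.
# Assumption: the effective machine policy lives under the HKLM SrpV2 key and
# each collection key holds an EnforcementMode DWORD:
#   0 = Not configured, 1 = Enforce rules, 2 = Audit only
$srpV2     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
$modeNames = @{ 0 = 'NotConfigured'; 1 = 'Enforce'; 2 = 'AuditOnly' }

function Get-AppLockerModeFromRegistry {
    if (-not (Test-Path $srpV2)) {
        Write-Warning "No AppLocker policy key at $srpV2 (no policy applied)."
        return
    }
    # One subkey per rule collection; each rule is a GUID-named subkey below it
    Get-ChildItem -Path $srpV2 | ForEach-Object {
        $mode = (Get-ItemProperty -Path $_.PSPath -Name EnforcementMode `
                 -ErrorAction SilentlyContinue).EnforcementMode
        [pscustomobject]@{
            Collection = $_.PSChildName
            ModeValue  = $mode
            Mode       = if ($null -eq $mode) { 'NotConfigured' }
                         else { $modeNames[[int]$mode] }
            RuleCount  = @(Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue).Count
        }
    }
}

function Get-AppLockerModeFromCmdlet {
    # Cross-check: the effective policy XML carries EnforcementMode per RuleCollection
    # (values seen there: NotConfigured, Enabled, AuditOnly)
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        [pscustomobject]@{ Collection = $rc.Type; Mode = $rc.EnforcementMode }
    }
}

function Test-AppLockerServiceRunning {
    # Rules are only evaluated while the Application Identity service runs
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

Get-AppLockerModeFromRegistry | Format-Table -AutoSize
Get-AppLockerModeFromCmdlet   | Format-Table -AutoSize
if (-not (Test-AppLockerServiceRunning)) {
    Write-Warning 'AppIDSvc is not running: no collection is enforced or audited.'
}
```

Run it in an elevated PowerShell session on the target machine; a collection that shows Enforce in the registry but NotConfigured in the cmdlet output (or vice versa) usually means Group Policy has not refreshed since the last change.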
