WildByDesign Posted April 17 (edited)

App Control Tray & Policy Manager (WildByDesign/WDACTrayTool: System Tray Tool for WDAC)

This is likely my most powerful and featured creation with AutoIt. As always, I want to share and give back anything that I create in case it may benefit others.

Features:
- system tray tool for managing App Control for Business (WDAC) policies
- GUI for managing App Control for Business (WDAC) policies
- scheduled tasks
- notifications
- auto dark-light mode for GUI and system tray
- built on GitHub Actions

Screenshots:

Includes:
- DarkMode UDF originally by @NoNameCode, updated by @argumentum
- libNotif by @matwachich
- ExtMsgBox by @Melba23
- GUIListViewEx by @Melba23
- TaskScheduler by @water
- XML by mLipok, Eltorro, Weaponx, drlava, Lukasz Suleja, oblique, Mike Rerick, Tom Hohmann, guinness, GMK
- Ownerdrawn status bar by @pixelsearch, including @Kafu, @Andreik, @argumentum
- _GUICtrlListView_SaveCSV by @guinness
- ModernMenuRaw by Holger Kotsch, @ProgAndy, @LarsJ

Edited April 27 by WildByDesign: Added includes for version 6

WildByDesign Posted April 19 (Author, Solution)

So I just had my very first "Aha!" moment in my AutoIt journey and it proved to be extremely beneficial. Beginner Level 2 unlocked!

App Control Policy Manager was my first AutoIt GUI app. The underlying functionality and logic is extremely powerful and I am proud of that. However, the UI/UX is not its strong point.

Problems:
- too many buttons and controls visible
- harder for me to resize and DPI scaling

Goals:
- ensure policy ListView is main focal point as it should be
- move all button functions into menu bar
- move info from status label into status bar

This would make sure that the policy ListView is the star of the show and with less distractions. It would also make it so much easier to deal with resizing and DPI scaling changes.

Challenges:
- dark mode menu bar (success)
- dark mode status bar

There was absolutely no way I was going to do this GUI transformation if I could not achieve a dark mode menu bar. Last night and this morning I was able to achieve a fully dark mode, beautiful menu bar. It was quick and easy to add my already existing functions to the menu items and everything is working. I am going to try to tackle the dark mode status bar later today.

I am posting from my phone right now so I can't share a current screenshot or code at the moment but I will later in the day.

WildByDesign Posted April 20 (Author)

Current working screenshot:

When comparing the screenshot from the OP to this one, it is much less cluttered with buttons everywhere. The giant Current Policy Information label was able to be reduced into the status bar.

- dark mode menu bar complete
- dark mode status bar complete

I realized that there were no perfect solutions to dark mode menu bar after searching the forums for a few days. The sub-classing methods looked pretty good but still left the "gripper" or "resizer" part in the bottom right corner as a different color which was no good.

I ended up using the _GUICtrlSimpleStatusBar_* functions from MrCreatoR. I was able to fix it so that it resizes perfectly and I can also update the status content easily.

WildByDesign Posted April 27 (Author)

Thank you @pixelsearch and @argumentum for your recent help in getting me past my struggle with the ownerdrawn status bar. That was the last piece needed for my complete GUI rewrite and I was able to release version 6 this morning, compiled on GitHub Actions.

If you have any desire to view the code or play with the compiled binaries (mainly AppControlPolicy.exe) to see how well the custom status bar functions in the running program, feel free. I am thankful and appreciative for your time and help.

An interesting side effect: Everything got way faster, somehow. Rewriting the entire GUI somehow made everything a lot faster. Yay!

The program does require Windows 11 though because App Control for Business (WDAC aka Windows Defender Application Control) requires Windows 11 and is on all SKUs.

Link: Release App Control Tray and Policy Manager 6.0 · WildByDesign/WDACTrayTool

By the way, the system tray tool component got a lot of improvements recently as well.

argumentum Posted April 27 (edited)

I know that I don't have the proper setup but AppControlPolicy.au3 :

    "C:\Users\Administrator\Downloads\WDACTrayTool-6.0\WDACTrayTool-6.0\AppControlPolicy.au3" (1087) : ==> Array variable has incorrect number of subscripts or subscript dimension range exceeded.:
    Global $CurrentPolicyStatus = $sVDriverStatus & " | " & $sSACStatus & " | " & $aPolicyStatus[1] & " | " & $aPolicyStatus[2]
    Global $CurrentPolicyStatus = $sVDriverStatus & " | " & $sSACStatus & " | " & $aPolicyStatus[1] & " | " & ^ ERROR

and AppControlTray.au3 did not show while insisting with :

    Get-CimInstance : Provider load failure
    At line:1 char:1
    + Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsof ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (root\Microsoft\...n32_DeviceGuard:String) [Get-CimInstance], CimException
        + FullyQualifiedErrorId : HRESULT 0x80041013,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand

Much of coding is "how would all this work if the user ... " better known as beta testing

So yes, the first thing to do is to announce your program is running and that it can be closed or, some quick review to make sure it can run before any announcement, or something that will not produce either a crash and/or hanging of the program.

Will it run with Win11 home, or Win Seven, or god knows. Is the service that makes all this work loaded and should I quit or offer to enable it ?, should I make a watchdog in the tray to make sure that is reenabled ?, should I ... it's a head scratcher, I know. But you are writing this to help users and those can be clueless, very clueless

Ok, I'll see if I find the prerequisites and install it in the test PC.

Edited April 27 by argumentum

Follow the link to my code contribution ( and other things too ). FAQ - Please Read Before Posting.

argumentum Posted April 27

> On 4/27/2025 at 11:48 AM, WildByDesign said:
> The program does require Windows 11 though because App Control for Business (WDAC aka Windows Defender Application Control) requires Windows 11 and is on all SKUs.

Where do I get that from ?, How do I install it in my "Win 11 argumentum edition" ?

WildByDesign Posted April 27 (Author)

> On 4/27/2025 at 12:59 PM, argumentum said:
> Much of coding is "how would all this work if the user ... " better known as beta testing
> So yes, the first thing to do is to announce your program is running and that it can be closed or, some quick review to make sure it can run before any announcement, or something that will not produce either a crash and/or hanging of the program.
> Will it run with Win11 home, or Win Seven, or god knows. Is the service that makes all this work loaded and should I quit or offer to enable it ?, should I make a watchdog in the tray to make sure that is reenabled ?, should I ... it's a head scratcher, I know. But you are writing this to help users and those can be clueless, very clueless

This is all valuable feedback that you've provided and I really appreciate it. Clearly, this shows to me that I need to have more error control in certain scenarios and, of course, provide some indication of these failures.

I suppose first I should ensure that the user is running the right OSBuild or higher. I will also need to try to expect other situations. I've got a lot to do with this and definitely will proceed carefully.

WildByDesign Posted April 27 (Author)

> On 4/27/2025 at 1:19 PM, argumentum said:
> Where do I get that from ?, How do I install it in my "Win 11 argumentum edition" ?

As long as you have one of the newer versions of Windows 11 within the last 2 years or so, it will automatically come with policies already installed by default.

It does require lots of PowerShell and will detect and use either PowerShell 7.x but if not, it will default to Windows PowerShell which is already installed by default in all Windows versions. So you do not need to install newer PowerShell.

argumentum Posted April 27

> On 4/27/2025 at 1:21 PM, WildByDesign said:
> I suppose first I should ensure that the user is running the right OSBuild or higher.

I'd go for the AppBlocker service. Is it installed, and is it running. If is not installed then advise on how to install and a link to somewhere to read up about it. I'd use GitHub and either write a simple guide or have a set of links to read more about it.

The reason for going after the components and not the OS, being that a gamer ( for example ), may have "Win 11 gamer edition" and the OS is the right one but the installation is stripped of core components, giving you ( the coder ), the notion that it should all work, but the fact is that it couldn't.

> On 4/27/2025 at 1:23 PM, WildByDesign said:
> As long as you have one of the newer versions of Windows 11 within the last 2 years or so, it will automatically come with policies already installed by default.

Ok, I know that AppBlocker comes with it but, is "App Control for Business" there too ?, How do I know/run it ?

Am not with a standard windows account login. All my PCs are domain/screw it/UserName, type of setup.

argumentum Posted April 27

oops do happen from time to time. Do use OnDebugMsgBox ( or a version of it ) to handle said

argumentum Posted April 27

> On 4/27/2025 at 12:59 PM, argumentum said:
> Global $CurrentPolicyStatus = $sVDriverStatus & " | " & $sSACStatus & " | " & $aPolicyStatus[1] & " | " & ^ ERROR

quick and dirty fix:

    Global $topstatus9 = StringStripWS($topstatus8, $STR_STRIPLEADING + $STR_STRIPTRAILING + $STR_STRIPSPACES) & @CR & @CR & @CR & @CR & @CR & @CR & @CR & @CR & @CR & @CR & @CR & @CR

WildByDesign Posted April 27 (Author)

> On 4/27/2025 at 1:48 PM, argumentum said:
> may have "Win 11 gamer edition" and the OS is the right one but the installation is stripped of core components, giving you ( the coder ), the notion that it should all work, but the fact is that it couldn't

This is a very good point, people do love to strip stuff out and break things. I will code with this in mind from now on. Expect the unexpected, basically.

> On 4/27/2025 at 1:48 PM, argumentum said:
> I know that AppBlocker comes with it but, is "App Control for Business" there too ?, How do I know/run it ?

You know how Microsoft is famous for renaming their products over and over and over with silly names for no reason? This is the same WDAC (Windows Defender Application Control) which had a cool name and they simply renamed it to App Control for Business.

This is not the same as AppLocker and does not specifically have a service. It uses a kernel-mode driver for enforcement. It is already installed on all Win11 machines to protect many things from EFI partition and so on.

You can run System Information (msinfo32 I believe) and near bottom of Summary should show App Control for Business status for kernel and for user mode. If your Win11 is a bit older it may show under another name but in same area of Summary. If it is not there in Summary at all, then it may very well be missing.

WildByDesign Posted April 27 (Author)

By the way, I don't recommend adding or removing App Control policies without prior knowledge because the wrong policies can very easily brick Windows. If you get to a stage of wanting to try adding or removing policies, I can provide some safe policies that will not brick Windows.

That is why, in the app, I prevent the user from removing built-in system policies. I put various safety mechanisms in place.

WildByDesign Posted April 27 (Author)

Also, if any .CIP files are in the following location:

    C:\Windows\System32\CodeIntegrity\CIPolicies\Active

(Sorry iPhone has no Paste unformatted text option)

That would mean for sure it is enabled.

argumentum Posted April 27

> On 4/27/2025 at 2:02 PM, WildByDesign said:
> This is not the same as AppLocker and does not specifically have a service. It uses a kernel-mode driver for enforcement. It is already installed on all Win11 machines to protect many things from EFI partition and so on.

hmm, thanks for the wake up call. AppLocker uses/used a service that needed to be running ( as far as I remember ). I don't have any antivirus or protection anywhere ( hence my many child humans windows )

> On 4/27/2025 at 2:28 PM, WildByDesign said:
> Also, if any .CIP files are in the following location: C:\Windows\System32\CodeIntegrity\CIPolicies\Active That would mean for sure it is enabled.

They have "TrustedInstaller only" full access. Yes and no. Not sure. If they are kernel needed they ( the files ) are going to be there but not sure that ... anything.

I'll install a Win11 pro and try there

I am one of those gamers I was referring to

pixelsearch Posted April 27 (edited)

@WildByDesign imho, in AppControlPolicy.au3, you could replace 633 lines with 13 lines

Original 633 lines...

    If $policycount = 0 Then ; line 378
    ...
    EndIf ; line 1010

...could be replaced with these 13 lines :

    Select
        Case $policycount = 0
            Global $aWords[1][11]
        Case IsInt($policycount) And $policycount >= 1 And $policycount <= 32
            Global $aWords[$policycount][11]
            For $i = 0 To $policycount - 1
                For $j = 1 To 10
                    $aWords[$i][$j] = $arpol[$i*10 + $j]
                Next
            Next
        Case Else
            Global $aWords[1][11] = [["", "Error:", "Error " & $policycorrect & " &" & " Error " & $policycount, "", "", "", "", "", "", "", ""]]
    EndSelect

For what it's worth, these 4 tests display what they should (if not mistaken), fingers crossed

Edit: the 3rd test should probably be done like the following, still showing correctly an error, as $policycount is not an integer (in the script, its value = $policycorrect / 10)

Edited April 27 by pixelsearch

"I think you are searching a bug where there is no bug... don't listen to bad advice."

WildByDesign Posted April 27 (Author, edited)

> On 4/27/2025 at 3:54 PM, pixelsearch said:
> imho, in AppControlPolicy.au3, you could replace 633 lines with 13 lines

This is fantastic. Thank you. I remember writing those 633 lines out about a year ago when I first started with AutoIt. I was thinking "there must be a better way to do this". I didn't even know how to do any kind of For loops at the time.

But the great thing is now I can easily expand with this to support more than 32 policies. I haven't tested it yet but I will try it later tonight and run it through some real policy setups. This is incredible.

EDIT: After some solid testing, this seems perfect. I haven't run into any issues with it. I'm assuming that I can increase the number 32 if I need to support more policies, is that correct?

Edited April 27 by WildByDesign

pixelsearch Posted April 27

> On 4/27/2025 at 8:57 PM, WildByDesign said:
> I'm assuming that I can increase the number 32 if I need to support more policies, is that correct?

It sure is, 13 lines will remain 13 lines, no matter the number of policies. One line could even be shorter (the Case Else line)

    Global $aWords[1][11] = [["", "Error:", "Error " & $policycorrect & " &" & " Error " & $policycount]]

WildByDesign Posted April 28 (Author)

> On 4/27/2025 at 12:59 PM, argumentum said:
> and AppControlTray.au3 did not show while insisting with :
>
>     Get-CimInstance : Provider load failure
>     At line:1 char:1
>     + Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsof ...
>     + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         + CategoryInfo : NotSpecified: (root\Microsoft\...n32_DeviceGuard:String) [Get-CimInstance], CimException
>         + FullyQualifiedErrorId : HRESULT 0x80041013,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand

If you don't mind me asking, what version of Windows and what edition? e.g. Windows 11 24H2 Pro, Home Edition, etc.

I'm trying to get an understanding as to why that would fail completely. It's possible that it requires Pro or higher but that is why I am asking.

Also, is that error contained in the STDOUT output? If yes, then I can certainly handle that part better based on the output.

argumentum Posted April 28

> On 4/28/2025 at 11:20 AM, WildByDesign said:
> ...if you don't mind me asking, what version of Windows and what ...

..and WTF !!! ?, ok

Say you have 160 processes at boot time but you remember is supposed to be 60 or less, so..., you tweak it ( or get it tweaked by someone that spends all their free time making it a science ) and you end up with a PC that boots and, that's it. Then you can have a PC that is the closest to a WinPE you could ever have, and that's what I use in some places.

Back to coding. A coder ( you or me or anyone ) should code with the expectation that a service or process or framework is there or not by checking said service or process or framework. Not by "oh is 24H2 and it comes with ..." because, surprise !!!, it ain't there. Or, is there but !, that's not the way it should be.

So yes, it sucks. Then you learn the hard way that you can not trust the return of anything and start checking on every return for errors that as unexpected as they may be, could happen

Let it be a lesson to you young boy !, and code as if nothing works and your code survives anyway because, @WildByDesign is the best is ever been !

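The component check discussed in this thread (probe Win32_DeviceGuard and the CIPolicies\Active folder instead of trusting the OS build), as an added PowerShell example that is not part of the original posts or of WDACTrayTool. The function name Test-AppControlPrerequisite and the result field names are hypothetical; the class, namespace and folder are the ones quoted in the thread.

```powershell
# Added example: probe for App Control components before relying on them.
# Test-AppControlPrerequisite is a hypothetical name, not WDACTrayTool code.
function Test-AppControlPrerequisite {
    [CmdletBinding()]
    param(
        # Folder named in the thread; a parameter so the check can be pointed elsewhere.
        [string]$PolicyDir = (Join-Path $env:windir 'System32\CodeIntegrity\CIPolicies\Active')
    )

    $result = [ordered]@{
        DeviceGuardQueryOk = $false
        DeviceGuardError   = $null
        KernelModeStatus   = $null   # 0 = off, 1 = audit, 2 = enforced
        UserModeStatus     = $null   # same scale, user-mode code integrity
        PolicyDirReadable  = $false
        ActivePolicyFiles  = 0
    }

    try {
        # -ErrorAction Stop turns "Provider load failure" into a catchable
        # exception instead of error-stream text the caller has to scrape.
        $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                  -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop
        $result.DeviceGuardQueryOk = $true
        $result.KernelModeStatus   = $dg.CodeIntegrityPolicyEnforcementStatus
        $result.UserModeStatus     = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
    catch {
        # Carries the HRESULT text, e.g. "HRESULT 0x80041013,..." as seen in the thread.
        $result.DeviceGuardError = $_.FullyQualifiedErrorId
    }

    try {
        $files = @(Get-ChildItem -LiteralPath $PolicyDir -Filter '*.cip' -File -ErrorAction Stop)
        $result.PolicyDirReadable = $true
        $result.ActivePolicyFiles = $files.Count
    }
    catch {
        # Missing folder or access denied: keep the defaults and do not throw.
    }

    [pscustomobject]$result
}

# One JSON line on STDOUT is easy for a calling script (AutoIt or other) to parse.
Test-AppControlPrerequisite | ConvertTo-Json -Compress
```

A caller can show a clear "component missing" message when DeviceGuardQueryOk is false, rather than indexing into an array that was never filled.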