App Control Tray & Policy Manager (App Control for Business)

[WildByDesign]

App Control Tray & Policy Manager (WildByDesign/WDACTrayTool: System Tray Tool for WDAC)

This is likely my most powerful and featured creation with AutoIt. As always, I want to share and give back anything that I create in case it may benefit others.

Features:

• system tray tool for managing App Control for Business (WDAC) policies
• GUI for managing App Control for Business (WDAC) policies
• scheduled tasks
• notifications
• auto dark-light mode for GUI and system tray
• built on GitHub Actions

Screenshots:

 

Includes:

• DarkMode UDF originally by @NoNameCode, updated by @argumentum
• libNotif by @matwachich
• ExtMsgBox by @Melba23
• GUIListViewEx by @Melba23
• TaskScheduler by @water
• XML by mLipok, Eltorro, Weaponx, drlava, Lukasz Suleja, oblique, Mike Rerick, Tom Hohmann, guinness, GMK
• Ownerdrawn status bar by @pixelsearch , including @Kafu, @Andreik, @argumentum
• _GUICtrlListView_SaveCSV by @guinness
• ModernMenuRaw by Holger Kotsch, @ProgAndy, @LarsJ

Edited 12 hours ago by WildByDesign
Added includes for version 6

[WildByDesign]

So I just had my very first “Aha!” moment is my AutoIt journey and it proved to be extremely beneficial. Beginner Level 2 unlocked! 😄

App Control Policy Manager was my first AutoIt GUI app. The underlying functionality and logic is extremely powerful and I am proud of that. However, the UI/UX is not its strong point.

Problems:

• too many buttons and controls visible
• harder for me to resize and DPI scaling

Goals:

• ensure policy ListView is main focal point as it should be
• move all button functions into menu bar
• move info from status label into status bar

This would make sure that the policy ListView is the star of the show and with less distractions. It would also make it so much easier to deal with resizing and DPI scaling changes.

Challenges:

• dark mode menu bar (success)
• dark mode status bar

There was absolutely no way I was going to do this GUI transformation if I could not achieve a dark mode menu bar.
 

Last night and this morning I was able to achieve a fully dark mode, beautiful menu bar. It was quick and easy to add my already existing functions to the menu items and everything is working.

I am going to try to tackle the dark mode status bar later today.

I am posting from my phone right now so I can’t share a current screenshot or code at the moment but I will later in the day.

[WildByDesign]

Current working screenshot:

When comparing the screenshot from the OP to this one, it is much less cluttered with buttons everywhere. The giant Current Policy Information label was able to be reduced into the status bar.

• dark mode menu bar complete
• dark mode status bar complete

I realized that there were no perfect solutions to dark mode menu bar after searching the forums for a few days. The sub-classing methods looked pretty good but still left the "gripper" or "resizer" part in the buttom right corner as a different color which was no good.

I ended up using the _GUICtrlSimpleStatusBar_* functions from MrCreatoR. I was able to fix it so that it resizes perfectly and I can also update the status content easily.

[WildByDesign]

Thank you @pixelsearch and @argumentum for your recent help in getting me past my struggle with the ownerdrawn status bar. That was the last piece needed for my complete GUI rewrite and I was able to release version 6 this morning, compiled on GitHub Actions. If you have any desire to view the code or play with the compiled binaries (mainly AppControlPolicy.exe) to see how well the custom status bar functions in the running program, feel free. I am thankful and appreciative for your time and help.

An interesting side effect: Everything got way faster, somehow. Rewriting the entire GUI somehow made everything a lot faster. Yay!

The program does require Windows 11 though because App Control for Business (WDAC aka Windows Defender Application Control) requires Windows 11 and is on all SKUs.

Link: Release App Control Tray and Policy Manager 6.0 · WildByDesign/WDACTrayTool

By the way, the system tray tool component got a lot of improvements recently as well.

[argumentum]

I  know that I don't have the proper setup but AppControlPolicy.au3 :

"C:\Users\Administrator\Downloads\WDACTrayTool-6.0\WDACTrayTool-6.0\AppControlPolicy.au3" (1087) : ==> Array variable has incorrect number of subscripts or subscript dimension range exceeded.:
Global $CurrentPolicyStatus = $sVDriverStatus & "   |   " & $sSACStatus & "   |   " & $aPolicyStatus[1] & "   |   " & $aPolicyStatus[2]
Global $CurrentPolicyStatus = $sVDriverStatus & "   |   " & $sSACStatus & "   |   " & $aPolicyStatus[1] & "   |   " & ^ ERROR

and AppControlTray.au3 did not show while insisting with : 

Get-CimInstance : Provider load failure 
At line:1 char:1
+ Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsof ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (root\Microsoft\...n32_DeviceGuard:String) [Get-CimInstance], CimException
    + FullyQualifiedErrorId : HRESULT 0x80041013,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand

Much of coding is "how would all this work if the user ... " better known as beta testing
So yes, the first thing to do is to announce your program is running and that it can be closed or, some quick review to make sure it can run before any announcement, or something that will not produce either a crash and/or hanging of the program.

Will it run with Win11 home, or Win Seven, or god knows.
Is the service that makes all this work loaded and should I quit or offer to enable it ?, should I make a watchdog in the tray to make sure that is reenabled ?, should I ... it's a head scratcher, I know. But you are writing this to help users and those can be clueless, very clueless

Ok, I'll see if I find the prerequisites and install it in the test PC. 

Edited 11 hours ago by argumentum

[argumentum]

1 hour ago, WildByDesign said:

The program does require Windows 11 though because App Control for Business (WDAC aka Windows Defender Application Control) requires Windows 11 and is on all SKUs.

Where do I get that from ?, How do I install it in my "Win 11 argumentum edition" ?

[WildByDesign]

17 minutes ago, argumentum said:

Much of coding is "how would all this work if the user ... " better known as beta testing
So yes, the first thing to do is to announce your program is running and that it can be closed or, some quick review to make sure it can run before any announcement, or something that will not produce either a crash and/or hanging of the program.

Will it run with Win11 home, or Win Seven, or god knows.
Is the service that makes all this work loaded and should I quit or offer to enable it ?, should I make a watchdog in the tray to make sure that is reenabled ?, should I ... it's a head scratcher, I know. But you are writing this to help users and those can be clueless, very clueless

This is all valuable feedback that you've provided and I really appreciate it. Clearly, this shows to me that I need to have more error control in certain scenarios and, of course, provide some indication of these failures.

I suppose first I should ensure that the using is running the right OSBuild or higher. I will also need to try to expect other situations. I've got a lot to do with this and definitely will proceed carefully.

[WildByDesign]

2 minutes ago, argumentum said:

Where do I get that from ?, How do I install it in my "Win 11 argumentum edition" ?

As long as you have one of the newer versions of Windows 11 within the last 2 years or so, it will automatically come with policies already installed by default.

It does require lots of PowerShell and will detect and use either PowerShell 7.x but if not, it will default to Windows PowerShell which is already installed by default in all Windows versions. So you do not need to install newer PowerShell.

[argumentum]

15 minutes ago, WildByDesign said:

I suppose first I should ensure that the using is running the right OSBuild or higher.

I'd go for the AppBlocker service. Is it installed, and is it running.
If is not installed then advise on how to install and a link to somewhere to read up about it. I'd use GitHub and either write a simple guide or have a set of links to read more about it.
The reason for going after the components and not the OS, being that a gamer ( for example ), may have "Win 11 gamer edition" and the OS is the right one but the installation is stripped of core components, giving you ( the coder ), the notion that it should all work, but the fact is that it couldn't.

21 minutes ago, WildByDesign said:

As long as you have one of the newer versions of Windows 11 within the last 2 years or so, it will automatically come with policies already installed by default.

Ok, I know that AppBlocker comes with it but, is "App Control for Business" there too ?, How do I know/run it ?
Am not with a standard windows account login. All my PCs are domain/screw it/UserName, type of setup.

[argumentum]

oops do happen from time to time. Do use OnDebugMsgBox ( or a version of it ) to handle said 

[argumentum]

1 hour ago, argumentum said:

Global $CurrentPolicyStatus = $sVDriverStatus & "   |   " & $sSACStatus & "   |   " & $aPolicyStatus[1] & "   |   " & ^ ERROR

quick and dirty fix:

Global $topstatus9 = StringStripWS($topstatus8, $STR_STRIPLEADING + $STR_STRIPTRAILING + $STR_STRIPSPACES) & @CR & @CR & @CR & @CR & @CR & @CR & @CR & @CR & @CR & @CR & @CR & @CR

[WildByDesign]

5 minutes ago, argumentum said:

may have "Win 11 gamer edition" and the OS is the right one but the installation is stripped of core components, giving you ( the coder ), the notion that it should all work, but the fact is that it couldn't

This is a very good point, people do love to strip stuff out and break things. I will code with this in mind from now on. Expect the unexpected, basically.

 

7 minutes ago, argumentum said:

I know that AppBlocker comes with it but, is "App Control for Business" there too ?, How do I know/run it ?

You know how Microsoft is famous for renaming their products over and over and over with silly names for no reason? This is the same WDAC (Windows Defender Application Control) which had a cool name and they simply renamed it to App Control for Business.

This is not the same as AppLocker and does not specifically have a service. It uses a kernel-mode driver for enforcement. It is already installed on all Win11 machines to protect many things from EFI partition and so on.

You can run System Information. (msinfo32 I believe) and near bottom of Summary should show App Control for Business status for kernel and for user mode. If your Win11 is a bit older it may show under another name but in same area of Summary. If it is not there in Summary at all, then it may very well be missing.

[WildByDesign]

By the way, I don’t recommend adding or removing App Control policies without prior knowledge because the wrong policies can very easily brick Windows. If you get to a stage of wanting to try adding or removing policies, I can provide some safe policies that will not brick Windows.

That is why, in the app, I prevent the user from removing built-in system policies. I put various safety mechanisms in place. 

[WildByDesign]

Also, if any .CIP files are in the following location: C:\Windows\System32\CodeIntegrity\CIPolicies\Active

(Sorry iPhone has no Paste unformatted text option)

That would mean for sure it is enabled.

[argumentum]

21 minutes ago, WildByDesign said:

This is not the same as AppLocker and does not specifically have a service. It uses a kernel-mode driver for enforcement. It is already installed on all Win11 machines to protect many things from EFI partition and so on.

hmm, thanks for the wake up call. AppLocker uses/used a service that needed to be running ( as far as I remember ).
I don't have any antivirus or protection anywhere ( hence my many child humans windows  )

3 minutes ago, WildByDesign said:

Also, if any .CIP files are in the following location: C:\Windows\System32\CodeIntegrity\CIPolicies\Active That would mean for sure it is enabled.

They have "TrustedInstaller only" full access. Yes and no. Not sure. If they are kernel needed they ( the files ) are going to be there but not sure that ... anything.

I'll install a Win11 pro and try there  
I am one of those gamers I was referring to  

[pixelsearch]

@WildByDesign imho, in AppControlPolicy.au3, you could replace 633 lines with 13 lines

Original 633 lines...

If $policycount = 0 Then ; line 378
    ...
EndIf ; line 1010

...could be replaced with these 13 lines :

Select
    Case $policycount = 0
        Global $aWords[1][11]
    Case IsInt($policycount) And $policycount >= 1 And $policycount <= 32
        Global $aWords[$policycount][11]
        For $i = 0 To $policycount - 1
            For $j = 1 To 10
                $aWords[$i][$j] = $arpol[$i*10 + $j]
            Next
        Next
    Case Else
        Global $aWords[1][11] = [["", "Error:", "Error " & $policycorrect & " &" & " Error " & $policycount, "", "", "", "", "", "", "", ""]]
EndSelect

For what it's worth, these 4 tests display what they should (if not mistaken), fingers crossed

Edit: the 3rd test should probably be done like the following, still showing correctly an error, as $policycount is not an integer (in the script, its value = $policycorrect / 10)

 

Edited 8 hours ago by pixelsearch

[WildByDesign]

7 hours ago, pixelsearch said:

imho, in AppControlPolicy.au3, you could replace 633 lines with 13 lines

This is fantastic. Thank you. I remember writing those 633 lines out about a year ago when I first started with AutoIt. I was thinking "there must be a better way to do this".

I didn't even know how to do any kind of For loops at the time. But the great thing is now I can easily expand with this to support more than 32 policies. I haven't tested it yet but I will try it later tonight and run it through so real policy setups. This is incredible.

EDIT: After some solid testing, this seems perfect. I haven't ran into any issues with it. I'm assuming that I can increase the number 32 if I need to support more policies, is that correct?

Edited 1 hour ago by WildByDesign

[pixelsearch]

2 hours ago, WildByDesign said:

I'm assuming that I can increase the number 32 if I need to support more policies, is that correct?

It sure is, 13 lines will remain 13 lines, no matter the number of policies.
One line could even be shorter (the Case Else line)

Global $aWords[1][11] = [["", "Error:", "Error " & $policycorrect & " &" & " Error " & $policycount]]