
Comments (10)

dennyamarojr commented on May 18, 2024

And when I restart explorer.exe and remove the Use strict CFG setting, it works fine. I will record a video and attach it to the issue.

from harden-windows-security.

dennyamarojr commented on May 18, 2024

https://drive.google.com/file/d/1RUU428EVT-cbJyqmr7Gfj64lwDTm-yWf/view?usp=sharing


dennyamarojr commented on May 18, 2024

Will check it and attach it here.


HotCakeX commented on May 18, 2024

I just created a quick PowerShell script that you can run; it will show you exploit protection event logs in real time.

$LastEventTime = Get-Date

# Comment this region out if you are not using the XML custom view to specify the event sources and the capture logic
#region XML-Loading

# For when the QueryList doesn't need to be extracted (the file contains nothing but the query)
#$FilterXml = Get-Content -Path ".\Exploit Protection Events.xml" -Raw

# Load the custom view XML (imported by the Miscellaneous category) from its file
$xml = [xml](Get-Content -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script\Exploit Protection Events.xml' -Raw)

# Get the QueryList element using XPath; Get-WinEvent -FilterXml expects the QueryList, not the whole ViewerConfig
$queryList = $xml.SelectSingleNode('//QueryList')

# Convert the QueryList element to a string
$queryListString = $queryList.OuterXml

#endregion XML-Loading

while ($true) {
    # Keep ascending order (-Oldest) so older new events are printed first and $LastEventTime
    # ends at the newest one; sorting descending would make every event after the newest fail
    # the -gt check and be skipped. SilentlyContinue suppresses the "No events were found"
    # error that Get-WinEvent raises when nothing matches.
    $Events = Get-WinEvent -FilterXml $queryListString -Oldest -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -gt $LastEventTime } |
        Sort-Object -Property TimeCreated

    <#
    For when you don't use XML to specify the event source:

    $Events = Get-WinEvent -FilterHashtable @{
        'LogName' = 'Microsoft-Windows-CodeIntegrity/Operational'
        'ID'      = 3077
    } -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt $LastEventTime }
    #>

    # foreach over $null runs zero times, so no separate "if ($Events)" guard is needed
    foreach ($Event in $Events) {
        Write-Host "`n##################################################" -ForegroundColor Yellow

        $Time = $Event.TimeCreated
        Write-Host "Found new event at time $Time"
        $LastEventTime = $Time

        Write-Host "Message: $($Event.Message)`n" -ForegroundColor Cyan

        # Convert the event to XML
        $Xml = [xml]$Event.ToXml()

        # Loop over the data elements in the XML and show them as one name = value object
        $Xml.Event.EventData.Data | ForEach-Object -Begin {
            # Create an empty hash table
            $DataHash = @{}
        } -Process {
            # Add a new entry to the hash table with the name and text value of the current data element
            $DataHash[$_.Name] = $_.'#text'
        } -End {
            # Convert the hash table to a custom object and write it straight to the host,
            # so it appears in order with the Write-Host lines around it
            [pscustomobject]$DataHash | Format-List | Out-Host
        }
        Write-Host '##################################################' -ForegroundColor Yellow
    }
    Start-Sleep -Milliseconds 500
}


dennyamarojr commented on May 18, 2024

I tried to run the script, but nothing is happening. I downloaded the custom view and moved it to the folder used in the Get-Content path, but it is not showing anything. Is that normal? I also checked Event Viewer.

I just imported the Microsoft Defender category on the machine with build 22631.2338, but if I need to do another step please tell me and I will do it here.


HotCakeX commented on May 18, 2024

That script assumes you ran the Miscellaneous category because that category automatically imports the custom views.
Those logs look normal.

I removed Strict CFG from process mitigations of explorer.exe
Next time you run the Microsoft Defender category, it will automatically be removed.

related PR: #116

Thanks again for reporting this, closing it as resolved. 🙂

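An added example, not from the issue thread or from the harden-windows-security project, that puts the resolution above into a checkable form: it reads the current Strict CFG state for explorer.exe through the ProcessMitigations module, lists recent exploit protection events that name the process, and clears Strict CFG only when the -RemoveStrictCFG switch is passed. The parameter names are my own, and the two Security-Mitigations log names are assumed to be the logs behind the custom view used earlier in the thread.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the issue thread or the harden-windows-security project.
# Checks the Strict CFG mitigation on one process, lists recent exploit-protection
# events naming it, and clears Strict CFG only when -RemoveStrictCFG is given.
[CmdletBinding()]
param(
    [string]$ProcessName = 'explorer.exe',   # process whose mitigations to inspect
    [int]$Hours = 24,                        # how far back to search the event logs
    [switch]$RemoveStrictCFG                 # hypothetical switch: act only when asked
)

Import-Module ProcessMitigations

# 1. Per-process CFG settings (values are ON, OFF or NOTSET)
$m = Get-ProcessMitigation -Name $ProcessName
Write-Host ("{0}: CFG Enable={1} StrictCFG={2}" -f $ProcessName, $m.CFG.Enable, $m.CFG.StrictCFG)

# 2. Exploit-protection events that mention the process. These two logs are assumed
#    to be the ones the custom view in the thread queries.
$logs  = 'Microsoft-Windows-Security-Mitigations/KernelMode',
         'Microsoft-Windows-Security-Mitigations/UserMode'
$since = (Get-Date).AddHours(-$Hours)
$hits  = foreach ($log in $logs) {
    # SilentlyContinue: an empty result makes Get-WinEvent raise "No events were found"
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($ProcessName) }
}
if ($hits) {
    $hits | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LogName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
} else {
    Write-Host "No Security-Mitigations events for $ProcessName in the last $Hours hours."
}

# 3. Clear Strict CFG for the process (sets it to OFF; base CFG stays as configured).
#    The running explorer.exe must be restarted, or the user signed out, before it applies.
if ($RemoveStrictCFG) {
    Set-ProcessMitigation -Name $ProcessName -Disable StrictCFG
    Write-Host "StrictCFG disabled for $ProcessName; restart the process to apply."
}
```

Run it without the switch first to confirm that StrictCFG reads ON and that the Security-Mitigations logs actually hold events for explorer.exe before changing anything.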

HotCakeX commented on May 18, 2024

Hi,
Thanks for reporting it. When you remove strict CFG and restart explorer.exe, does it work fine?

In the screenshot I see NTLite there... is your OS image modified by any chance?

I take exploit protection settings very seriously to make sure they are fully tested. I'm on the same build on a physical machine and can't reproduce the issue.


dennyamarojr commented on May 18, 2024

The OS on my computer is not modified; it is just a build from uupdump, updated using Windows Update. The build on the VM (Hyper-V) is modified a little, but not by removing important components like Defender and other stuff, just bloatware (apps).

My OS is 22631.2338, not modified or edited using NTLite or other software.
22621.2283: bloatware removed, with a few tweaks like hiding the search button, hiding the task view button, etc.


HotCakeX commented on May 18, 2024

Thank you, I can remove Strict CFG for explorer.exe from process mitigations to fix this issue.
I'd still really like to find out why I can't reproduce the issue in my tests.

Can you please check this log to see if there is anything for explorer.exe?

You'll need to press the "Next page" button until you reach the last page and scroll all the way down to see the newest logs.

You might be able to generate logs when you launch explorer.exe and visit the blank home page.


HotCakeX commented on May 18, 2024

https://drive.google.com/file/d/1RUU428EVT-cbJyqmr7Gfj64lwDTm-yWf/view?usp=sharing

Yup, it's clearly having an issue with Strict CFG, ty.

