Comments (10)
And when I restart explorer.exe and remove the Use strict CFG setting, it works fine; I will record a video and attach it to the issue.
from harden-windows-security.
https://drive.google.com/file/d/1RUU428EVT-cbJyqmr7Gfj64lwDTm-yWf/view?usp=sharing
Thank you, I can remove Strict CFG for explorer.exe from process mitigations to fix this issue. I'd still really like to find out why I can't reproduce the issue in my tests.
Can you please check this log to see if there is anything for explorer.exe?
You'll need to press the "Next page" button till you reach the last page and scroll down all the way to see the newest logs.
You might be able to generate logs when you launch explorer.exe and visit the blank home page.
Will check it and attach here.
I just created a quick PowerShell script that you can run and it will show you exploit protection event logs in real-time:
```powershell
$LastEventTime = Get-Date

# Comment this region out if not using XML to specify the event source and capture logic
#region XML-Loading
# For when the QueryList doesn't need to be extracted
#$FilterXml = Get-Content -Path ".\Exploit Protection Events.xml" -Raw

# Load the XML content of the custom view that the script imports
$xml = [xml](Get-Content -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script\Exploit Protection Events.xml')

# Get the QueryList element using XPath
$queryList = $xml.SelectSingleNode('//QueryList')

# Convert the QueryList element to a string
$queryListString = $queryList.OuterXml
#endregion XML-Loading

while ($true) {
    # Get-WinEvent writes an error and returns nothing when no event matches the filter,
    # so silence that case. Sort oldest-first so that every new event is printed and
    # $LastEventTime ends up at the newest one (newest-first would skip the older new events).
    $Events = Get-WinEvent -FilterXml $queryListString -Oldest -ErrorAction SilentlyContinue |
        Sort-Object -Property TimeCreated

    <#
    For when you don't use XML to specify the event source
    $Events = Get-WinEvent -FilterHashtable @{
        'LogName' = 'Microsoft-Windows-CodeIntegrity/Operational'
        'ID'      = 3077
    } -ErrorAction SilentlyContinue | Sort-Object -Property TimeCreated
    #>

    if ($Events) {
        foreach ($Event in $Events) {
            if ($Event.TimeCreated -gt $LastEventTime) {
                Write-Host "`n##################################################" -ForegroundColor Yellow
                $Time = $Event.TimeCreated
                Write-Host "Found new event at time $Time"
                $LastEventTime = $Time
                Write-Host "Message: $($Event.Message)`n" -ForegroundColor Cyan

                # Convert the event to XML
                $Xml = [xml]$Event.ToXml()

                # Loop over the data elements in the XML
                $Xml.Event.EventData.Data | ForEach-Object -Begin {
                    # Create an empty hash table
                    $DataHash = @{}
                } -Process {
                    # Add a new entry to the hash table with the name and text value of the current data element
                    $DataHash[$_.Name] = $_.'#text'
                } -End {
                    # Convert the hash table to a custom object and output it
                    [pscustomobject]$DataHash
                }

                Write-Host '##################################################' -ForegroundColor Yellow
            }
        }
    }
    Start-Sleep -Milliseconds 500
}
```
I tried to run the script, but nothing is happening. I downloaded the custom view and moved it to the folder specified in the Get-Content path, but it is not showing anything. Is that normal? I also checked Event Viewer.
I just imported the Microsoft Defender category on the machine with build 22631.2338, but if I need to do another step please tell me and I will do it here.
That script assumes you ran the Miscellaneous category because that category automatically imports the custom views.
Those logs look normal.
I removed Strict CFG from process mitigations of explorer.exe.
Next time you run the Microsoft Defender category, it will automatically be removed.
Related PR: #116
Thanks again for reporting this, closing it as resolved. 🙂
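An added example, not part of the original thread or the harden-windows-security project, showing how to verify and clear only the Strict CFG mitigation for explorer.exe from an elevated PowerShell session. It assumes the built-in ProcessMitigations module and that the `Cfg.StrictCFG` property of `Get-ProcessMitigation` reports ON/OFF/NOTSET; the backup path is constructed.

```powershell
# Added example, not code from the original thread or the harden-windows-security project.
# Run from an elevated PowerShell session; uses the built-in ProcessMitigations module.
$ProcessName = 'explorer.exe'

# Show the current Control Flow Guard settings for the process.
# StrictCFG is assumed to report ON/OFF/NOTSET; NOTSET means the system default applies.
$Before = Get-ProcessMitigation -Name $ProcessName
Write-Host "Before - CFG: $($Before.Cfg.Enable)  StrictCFG: $($Before.Cfg.StrictCFG)"

# Back up the full per-process mitigation table before changing anything, so the
# original hardening can be restored later with Set-ProcessMitigation -PolicyFilePath.
$Backup = Join-Path $env:TEMP 'ProcessMitigations-backup.xml'   # constructed path
Get-ProcessMitigation -RegistryConfigFilePath $Backup
Write-Host "Saved current mitigation table to $Backup"

# Turn off only Strict CFG; regular CFG and every other mitigation stay as configured.
Set-ProcessMitigation -Name $ProcessName -Disable StrictCFG

# Verify the change took effect.
$After = Get-ProcessMitigation -Name $ProcessName
Write-Host "After  - CFG: $($After.Cfg.Enable)  StrictCFG: $($After.Cfg.StrictCFG)"

# Process mitigations are applied at process start, so restart the shell for the
# change to take effect. Explorer normally relaunches itself; start it if it does not.
Stop-Process -Name explorer -Force
Start-Sleep -Seconds 2
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    Start-Process explorer.exe
}
```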
Hi,
Thanks for reporting it. When you remove Strict CFG and restart explorer.exe, does it work fine?
In the screenshot I see NTLite there... is your OS image modified by any chance?
I take exploit protection settings very seriously to make sure they are fully tested. I'm on the same build on a physical machine and can't reproduce the issue.
The OS on my computer is not modified; it's just a build from uupdump, updated using Windows Update. The build in the VM (Hyper-V) is modified a little, but without removing important components like Defender and other stuff, just bloatware (apps).
My OS is 22631.2338, not modified or edited using NTLite or other software.
22621.2283 has bloatware removed, with a few tweaks like hiding the search button, hiding the task view button, etc.
Yup, it's clearly having an issue with Strict CFG, ty.