
We have an issue with dynamic creation of AppLocker rules at startup. We are using local GPO on Windows 7. Domain GPO is not an option in the project.

In our case we use a PowerShell script to import AppLocker rules at system startup.

The problem is that the rules don't take effect before the system has been live for approximately 2 minutes. After that, we can lock/unlock as we want to on the fly.

I have checked that the AppIDSvc service is set to autostart, and I can see that it is running. I have also checked the services it depends on. They autostart too (not auto delayed). I don't see any errors in the event log.

Can anyone tell me if there is a command to use to force an update? I have tried gpupdate without any luck... Have also tried to restart the AppLocker service.

Hope to hear from someone soon.

Here is a code sample to lock down Calculator for the local user "abc" - just as an example.

Lock:

Import-Module AppLocker

$id          = [guid]::NewGuid()
$tmpFileName = "c:\temp\temp.xml"
$appPath     = "C:\Windows\system32\calc.exe"
$identity    = "abc"

# Resolve the local account name to its SID; AppLocker rules are keyed on SIDs, not names.
$objUser     = New-Object System.Security.Principal.NTAccount($identity)
$strSID      = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$identitySid = $strSID.Value

# Make sure the temp directory exists; Out-File does not create it.
$tmpDir = Split-Path -Parent $tmpFileName
if (-not (Test-Path $tmpDir)) { New-Item -ItemType Directory -Path $tmpDir | Out-Null }

# A one-rule policy: an explicit Deny path rule for calc.exe scoped to the user's SID.
# The rule name "temp-<path>" is what the Unlock script searches for later.
@"
<AppLockerPolicy Version="1">
    <RuleCollection Type="Exe" EnforcementMode="Enabled">
        <FilePathRule Id="$id" Name="temp-$appPath" Description="Denies access to $appPath" UserOrGroupSid="$identitySid" Action="Deny">
            <Conditions>
                <FilePathCondition Path="$appPath" />
            </Conditions>
        </FilePathRule>
    </RuleCollection>
</AppLockerPolicy>
"@ | Out-File $tmpFileName

# -Merge adds the rule to the existing local policy instead of replacing it.
Set-AppLockerPolicy -XMLPolicy $tmpFileName -Merge
Remove-Item $tmpFileName

Unlock:

Import-Module AppLocker

$tmpFileName = "c:\temp\temp.xml"
$appPath     = "C:\Windows\system32\calc.exe"

# Make sure the temp directory exists before saving the edited policy.
$tmpDir = Split-Path -Parent $tmpFileName
if (-not (Test-Path $tmpDir)) { New-Item -ItemType Directory -Path $tmpDir | Out-Null }

# Export the current local policy and locate the rule by the name the Lock script gave it.
[xml]$ruleXml = Get-AppLockerPolicy -Local -XML
$ruleNode = $ruleXml.SelectSingleNode("//FilePathRule[@Name='temp-$appPath']")

if ($ruleNode -ne $null)
{
    # Drop the rule and write the whole policy back. No -Merge here: the edited
    # document is the complete policy, so it replaces the current one.
    [void]$ruleNode.ParentNode.RemoveChild($ruleNode)
    $ruleXml.Save($tmpFileName)
    Set-AppLockerPolicy -XMLPolicy $tmpFileName
    Remove-Item $tmpFileName
}

Kind regards, Morten
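As an added check (this is editor-supplied example code, not part of the original post), the following script waits for the moment an imported rule is actually in force, so a startup script can block on it instead of assuming the import was immediate. It assumes the Lock script above has just run (within the last minute) for the local account "abc", that it runs elevated, and that the 180 s timeout and 5 s poll interval are acceptable; those values are my choices. Note that Test-AppLockerPolicy only evaluates the stored policy object in PowerShell, so a "Denied" result there does not prove the driver is enforcing the rule yet; the stronger signal is event ID 8001 in the "Microsoft-Windows-AppLocker/EXE and DLL" log, which AppIDSvc writes when it has applied a policy, and that is what the loop waits for.

```powershell
# Added example, not code from the original post. Waits until a freshly
# imported AppLocker rule is really in force, then reports what it found.
# Assumptions: the Lock script above ran within the last minute, the local
# account "abc" exists, and this runs elevated (to read the AppLocker log).
Import-Module AppLocker

$appPath        = "C:\Windows\system32\calc.exe"
$identity       = "abc"
$timeoutSeconds = 180      # comfortably above the ~2 minute delay in the post
$pollSeconds    = 5
$since          = (Get-Date).AddMinutes(-1)   # assumed: the import happened after this

$account = New-Object System.Security.Principal.NTAccount($identity)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

function Write-Status([string]$msg) { "{0:HH:mm:ss} {1}" -f (Get-Date), $msg }

# 1. The service that feeds policy to the AppLocker driver must be running.
$svc = Get-Service -Name AppIDSvc
Write-Status "AppIDSvc status: $($svc.Status)"

# 2. What the stored effective policy (local merged with any domain policy)
#    says about calc.exe for this user. This evaluates the policy object in
#    PowerShell; it does not prove the driver is enforcing it yet.
$effective = Get-AppLockerPolicy -Effective
$decision  = (Test-AppLockerPolicy -PolicyObject $effective -Path $appPath -User $sid).PolicyDecision
Write-Status "Effective policy decision for $appPath as ${identity}: $decision"

# 3. Wait for AppIDSvc to log that it applied a policy (event 8001 in the
#    EXE and DLL channel). That is the signal that the rule is now enforced.
$deadline = (Get-Date).AddSeconds($timeoutSeconds)
$applied  = $null
do {
    $applied = Get-WinEvent -FilterHashtable @{
                   LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
                   Id        = 8001
                   StartTime = $since
               } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($applied) { break }
    Write-Status "No policy-applied event yet; retrying in $pollSeconds s"
    Start-Sleep -Seconds $pollSeconds
} while ((Get-Date) -lt $deadline)

if ($applied) {
    Write-Status "Policy applied at $($applied.TimeCreated): $($applied.Message)"
} else {
    Write-Status "Timed out after $timeoutSeconds s without a policy-applied event"
    exit 1
}
```

Run it immediately after the Lock script; the timestamps it prints show how long the gap between Set-AppLockerPolicy and the 8001 event actually is on a given boot, which is the number you need when deciding how long a startup script must wait.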

  • You are sure that the script doesn't generate any errors on execution? Have you tried piping its output to some file? - both `STDERR` and `STDOUT`. – Davor Josipovic Jun 16 '13 at 07:41
  • Yes. I was trying to run it in the PowerShell ISE, and it doesn't report any errors. Also, when the two minutes have passed, the rules are applied. It smells like a service configured to start auto delayed - but I think I went through all the relevant ones... – Morten Louw Nielsen Jun 16 '13 at 15:37
  • @MortenLouwNielsen Did you ever find a solution to this? – Lasse Christiansen Oct 21 '20 at 06:30
