Applocker bug, is Windows 10 insecure by design?

Discussion in 'Windows 10' started by revertex, Oct 6, 2015.

  1. revertex

    revertex MDL Member

    May 30, 2010
    118
    45
    10
  2. zenithon

    zenithon MDL Novice

    Mar 31, 2015
    2
    1
    0
    #2 zenithon, Nov 8, 2015
    Last edited by a moderator: Apr 20, 2017
    I simply modified the registry key under HKLM\CurrentControlSet\Services\AppID dword Start value to 2 and it's started automatically ever since. Or in your case AppID and AppIDSvc, and just in case check under the key HKLM\CurrentControlSet01\Services. Also, relying on the Task Scheduler is tricky business because the permissions required aren't inherited by the caller which is usually some NT Service; instead it usually uses your account as the parent and SYSTEM may not have direct access.
    There might be a reason for the changes in startup due to Group Policy Objects and deployment solutions. Usually it's through adml and admx that contain the policies but I've seen other deployment options listed in the MS knowledge-base regarding AppLocker configurations and its limitations.
    Here is some code to import the values you wanted:
    From a shell with elevated privileges:
    Code:
    reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AppIDSvc" /v "Start" /t REG_DWORD /d "2" /f
    Alternatively, paste the following into a .reg file and import it:
    Code:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppIDSvc]
    "Start"=dword:00000002
    There have been some system-wide anomalies I've observed from improper configuration or updates wreaking havoc, but this doesn't mean MS is negligent. It's usually up to the IT crowd to test and sort things out given the number of people affected; MS is probably thinking it is better to fix 20% of major problems affecting end-users in its targeted market. Until AI and cloud computing catch up and run simulations like in Star Trek, the central focus will be on problems to be solved that affect the majority. I sympathize with your dilemma, but try to think of this as an opportunity to come up with different ways to make things work. I strive for a balance between security and convenience to avoid impeding innovation. The design aspect is more about maintaining system integrity and having suitable fallback options. So while some may consider an OS like Windows insecure by design, I see it as a balancing act. Considering trusting trust as an example, it's true that security is as strong as its weakest link. The solution seems to be to encapsulate or sandbox, keep those we want out to stay out, and mitigate leaks.

    I noticed you utilize a whitelisting approach in which case a HIPS or UTM product may alleviate your security concerns. Otherwise, a bit of tweaking with SRP or adding applications to a whitelist via group policy is also viable. Of course, rather than complicating matters I'd suggest you check your logs which can be seen in Event Viewer > AppLocker edb. If your SKU doesn't support AppLocker then I'd consider other options.
     
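    The same check-and-fix as a PowerShell script, added here as an illustration and not part of any post in this thread. It reads the Start value of the AppIDSvc service key (and the AppID driver key the post also mentions), sets it to 2 (Automatic) where it is not, starts the service, and then confirms enforcement is actually in effect by reading the effective AppLocker policy and the most recent entries of the AppLocker EXE and DLL event log. The registry write mirrors the reg.exe command above; Set-Service is not used because AppIDSvc is a protected service on Windows 10 and Set-Service -StartupType may be refused. The log name and the event IDs 8002/8003/8004 are Microsoft's standard AppLocker ones. Run from an elevated PowerShell on a SKU that includes AppLocker.

```powershell
# Added example, not code from the thread. Run elevated.
# Map of the Start DWORD values used by the Service Control Manager.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# AppIDSvc is the user-mode AppLocker service; AppID is its kernel driver.
foreach ($name in @('AppIDSvc', 'AppID')) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) {
        Write-Warning "$name service key not present; AppLocker may not be available on this SKU"
        continue
    }
    $start = [int](Get-ItemProperty -Path $key -Name Start).Start
    Write-Host ("{0}: Start={1} ({2})" -f $name, $start, $startNames[$start])
    if ($start -ne 2) {
        # Same change as: reg.exe add ...\Services\<name> /v Start /t REG_DWORD /d 2 /f
        Set-ItemProperty -Path $key -Name Start -Type DWord -Value 2
        Write-Host "  -> set $name Start to 2 (Automatic)"
    }
}

# Start the service now rather than waiting for a reboot, then confirm its state.
Start-Service -Name AppIDSvc -ErrorAction SilentlyContinue
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

# Rules only matter if the effective policy has an enforcement mode other than NotConfigured.
Get-AppLockerPolicy -Effective |
    Select-Object -ExpandProperty RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode

# Recent AppLocker decisions: 8002 = allowed, 8003 = would block (audit only), 8004 = blocked.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

    If the service starts but the event log stays empty after launching a program that should be blocked, the policy is the problem rather than the service: check that the effective policy lists an Enabled (not AuditOnly or NotConfigured) enforcement mode for the Exe collection.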
  3. revertex

    revertex MDL Member

    May 30, 2010
    118
    45
    10
    Sorry for resurrecting this old post, I don't know why I didn't receive any notification.

    I use AppLocker solely on machines that are not members of a domain, and in that case it seems MS doesn't care much about getting these things working.

    The registry key did the trick as expected, tried in several machines, all working without a hitch.

    I wonder why so few people use applocker.

    Thanks for the tip.