I haven't played with SRPs either, but I found this below that may help.
https://docs.microsoft.com/en-us/win...ction-policies
I dug a little bit more into SRPs and unfortunately they are pretty much useless. The best you can do is deny access based on the hash of a file. What good can that do :)
So going back to this suggestion:
This is the only working solution I can do some restrictions with.
So quick question to you. How do I know what was blocked? Otherwise it just shows the message box that something was blocked.
In AppLocker I could go to the Event Viewer and see what process was blocked.
OK, I'll need to re-phrase it. So I added some process names to that list. Stuff like:
mmc.exe
explorer.exe
srvchost.exe
...
etc.
But then, for instance, I was adding a network printer and it gave me a dialog box that that action was blocked by the administrator. So how do I know which process was blocked (that is not yet on my list, so I can add it)?
In other words, how do I run it in an "audit" mode?
I'm not aware of an audit mode for this other than knowing what process runs what you were trying to open.
Most likely, this was for mmc.exe.
mmc.exe is for the snap-in console. It has nothing to do with network printers.
Too bad, Microsoft dropped the ball on this one too. Damn, such a great idea but such a bad implementation. (Typical MSFT.)
BTW, several hours later and I got it. (It was rundll32.exe. They use it to start all kinds of control panel windows.) So now I have 50 other processes to learn this manual way.