Ask Questions Here - ReHIPS Features & Unexpected Behaviors

Started by HJLBX, April 11, 2016, 01:56:50 AM


HJLBX

Quote from: fixer on August 24, 2016, 12:42:59 PM
Actually, command lines in shortcuts are a bit more complicated than just ordinary program paths with arguments. Some Control Panel items can be called through hardcoded GUIDs; more on these GUIDs can be found here: https://msdn.microsoft.com/en-us/library/ee330741(v=vs.85).aspx . So for example (don't remember exactly, it's just a sample) something like
::{26EE0668-A00A-44D7-9371-BEB064C98683}\8\::{17CD9488-1228-4B2F-88CE-4298E93E0966}\pageDefaultProgram
is equivalent to
control.exe /name Microsoft.DefaultPrograms /page pageDefaultProgram
for ShellExecuteEx API.

I see most Control Panel applets are executed via rundll32.exe using Shell32.dll, CONTROL_RUN -- including tray icons.

It's kinda funky, since the tray icon (as a shortcut) isn't exposed in the Windows file system.

I was wondering if this is the reason why tray icons cannot be exposed in the isolated environment.

fixer

The biggest problem for isolated desktops is the shell (explorer.exe by default). The shell is responsible for the desktop, start menu and tray, and other programs usually communicate with the shell via COM. So mostly it's not about icons, but about running another instance of the shell or emulating the shell, and doing it in a secure and compatible way.

shmu26

The Windows process "wevtutil.exe" is always blocked.
See log file.
I clicked on one of the relevant entries in the log, and I found that this process was indeed set by default to be blocked, so I set it to allow (hope that is the right thing to do...) because Windows tries again and again to run this process.
I am on Windows 10 Pro x64 AU.

aDVll

Quote from: shmu26 on August 28, 2016, 03:44:35 PM
The Windows process "wevtutil.exe" is always blocked.
See log file.
I clicked on one of the relevant entries in the log, and I found that this process was indeed set by default to be blocked, so I set it to allow (hope that is the right thing to do...) because Windows tries again and again to run this process.
I am on Windows 10 Pro x64 AU.
Yeah, you are right, wevtutil is not allowed by default to launch other programs, so Fixer will have to check it out.
What exactly are you trying to do with Office when this happens, print? I also use Office but never had such an alert.

shmu26

I was not even trying to do anything, it just pops up out of the blue.
Maybe it is related to "officeclicktorun", it does weird things.
I have Office 2016.

aDVll

Quote from: shmu26 on August 28, 2016, 04:15:46 PM
I was not even trying to do anything, it just pops up out of the blue.
Maybe it is related to "officeclicktorun", it does weird things.
I have Office 2016.
Maybe it's Click-to-Run then, but I don't have one around to test. I have the normal Office 2016.

fixer

Thanks for your report, fixed, allowed it to create child processes.

shmu26

How do I make that change in my ReHIPS settings?
Sometimes I find the same Windows processes listed in two or three places...

aDVll

Quote from: shmu26 on August 28, 2016, 05:43:02 PM
How do I make that change in my ReHIPS settings?
Sometimes I find the same Windows processes listed in two or three places...
It's listed as many times as the number of users you have, plus 1 for System. To change it, go into the ReHIPS settings, find wevtutil and change the setting to allow it to execute programs. That should fix it.

shmu26

Just to clarify, it is the instance in SysWOW64 that needs to be allowed.
That's how it is on my system, at least.

aDVll

Quote from: shmu26 on August 28, 2016, 06:45:15 PM
Just to clarify, it is the instance in SysWOW64 that needs to be allowed.
That's how it is on my system, at least.
Yeah, that's what your logs are saying. ;)
C:\Windows\SysWOW64\wevtutil.exe

Umbra

Quote from: shmu26 on August 28, 2016, 05:43:02 PM
How do I make that change in my ReHIPS settings?
Sometimes I find the same Windows processes listed in two or three places...

If you see a blocked process that shouldn't be (because you know and are sure it is legit), just open the log panel and click on the culprit process; it will open the rule so you can change it from "Block" to "Inspect children" or "Allow".

shmu26

I rebooted, and as soon as desktop appeared, I started up a process that should have been blocked by ReHIPS.
Not only was it not blocked, but it was not even terminated when ReHIPS loaded.
(After ReHIPS finished loading, I tried again to start up the process, and it was successfully blocked)
Is this expected behavior?

aDVll

Quote from: shmu26 on August 30, 2016, 11:45:27 AM
I rebooted, and as soon as desktop appeared, I started up a process that should have been blocked by ReHIPS.
Not only was it not blocked, but it was not even terminated when ReHIPS loaded.
(After ReHIPS finished loading, I tried again to start up the process, and it was successfully blocked)
Is this expected behavior?
When you don't have lockdown mode enabled, protection starts as soon as the ReHIPS GUI loads. If you want it to always be on, even during PC boot, enable lockdown mode. In future versions this is improved and you have another option: lockdown mode when the GUI is not started, and out of lockdown mode when the GUI is running (to get alerts).

shmu26