Note to path-based anti-exe program users: recent Windows update adds another path to blacklist

One or more of the January 13, 2015 Windows updates on Windows 7 x64 resulted in a path within folder \Windows that is writable by everyone: C:\Windows\SysWOW64\Microsoft\Crypto\RSA\MachineKeys. Other operating systems might also be affected.

Member Minimalist noticed the same thing back in 2014 on Windows 8.1.

 

Thank you for the heads up, MrBrian. Windows 10 builds did not receive this update. However, I will run the audit when the new build comes out on the 21st and see if it has been affected. I will post here at the time if Windows 10 is affected.

 

It is taken care by AppGuard with no settings needed to be add/change. That system space folder is write protected from user space programs as well as from installed guarded apps.

 

You're welcome .

Also, here is the script that I use for auditing.

Auditing permissions of an admin account protected with UAC.

 

I run something similar. I run a check for groups Users, Authenticated users, Everyone and Interactive.

 

That can miss some cases though, for example ACLs with specific user accounts.

 

Which parameters do you use? I use administrator account (with UAC on max) and if I run that check for my account I get almost all folders listed. All of them are writable for my account sure, but only when I elevate my privileges.

 

Should be run/tested under a Standard (LUA) account for proper audit with this method. The reason why I know is because I have followed MrBrian's technique for quite some time now. Hopefully he will chime in here as well and confirm as well as suggest why that is necessary.

 

Setting up Standard account is too much just to check it up. I found out that I can use icacls.exe to get a list of objects with rules for my username.

 

WildByDesign is right that the method that I use works only for a standard account. A thread in post #4 lists a workaround for UAC-protected admin accounts (i.e. temporarily demote it to a standard account). The reason it doesn't work for a UAC-protected admin account is because of "split tokens."

 

Thanks, I thought it was something like that For now I settled down with this solution: check the drive to identify files and folders with permissions for my username and then check permissions for my account on identified files and folders.

 

None of the Win 7 x64 machines I have checked have that folder. I did install the latest updates. Do you know which update could be creating it?

 

I'm not sure. It's also possible that uninstallation and reinstallation of Avast Free Antivirus caused it.

 

Uninstalling Avast Free Antivirus creates this path. Sorry for the wrongful assumption.