Applocker and scripts

I am quite a long time applocker users.
After some time I was noticing some scripts being blocked, like:

%OSDRIVE%\USERS\****\APPDATA\LOCAL\TEMP\SDIAG_107AD2D3-69E3-4250-BFA7-FCD61273BD08\TS_UNUSEDDESKTOPICONS.PS1

%OSDRIVE%\USERS\****\APPDATA\LOCAL\TEMP\SDIAG_107AD2D3-69E3-4250-BFA7-FCD61273BD08\TS_BROKENSHORTCUTS.PS1

I didn't really paid too much attention at that time.
I was just wondering did anyone applocker users have seen those errors?

I couldn't find those files as they don't exist anymore. (obvious with temp files...)

after some research I only found one site mentioning them and fixed it:

http://oostdam.info/index.php/faq/4...hell-for-repairs?tmpl=component&print=1&page=

google translate:
http://translate.google.co.uk/trans...hell-for-repairs?tmpl=component&print=1&page=


It appears to be maintenance scripts located in:
C: \ Windows \ Diagnostics

I auto generated script rules to that folder. They don't have publisher, so I had to make hash rules. (18 rules for more than 200 scipts )

After it I navigated to Task scheduler\Microsoft\Windows\Digastostics and manually run task.
Now I can see those scripts being allowed.
For some strange reason Windows copies them to temp folder and executes them there with Standard user privileges. (rule was hash rules, so I am sure they were the same files)
Obviously it gets blocked.

Anyone experienced it?

 

Hi Jav, I don't or can't use AppLocker since I'm on Pro but the diagnostics you mention are a scheduled task that runs every Sunday at 1:00 AM. Malware Defender halts them every Sunday morning until I manually allow them to run. I could set them to allow permanently but as you've pointed out, they get run as temp files from user space for some reason. I've researched at one time what the diagnostics do but can't remember now what I found. I've almost at one time disabled/deleted the task in scheduler but to this point I haven't.

 

Thank you.
So from my understanding you ate still manually allowing them?

 

Yes, I have to accept maybe 4 prompts from MD for completion of the diagnostics which last for about 20 seconds. I want to say the diagnostics are for future troubleshooting. I'm sorry that I can't remember for sure what it does and can't find a decent MS link for it at the moment. I'll keep looking for the one I found some time back.

 

Anyway, Thank you

 

I've experienced this also. Reference: http://www.zhacks.com/2010/03/31/wi...sing-or-disappeared-after-system-maintenance/.

Since I don't want Windows fixing these things anyway, I let AppLocker continue to block them.

 

How do you feel about just disabling the scheduled task?


Or would it be better to turn this off from within the Action Center?

 

If you want to stop just those two scripts from executing (which is what I want), just leave the AppLocker rules in place, or follow the instructions at the link in my last post about deleting, modifying, or moving TS_UnusedDesktopIcons.ps1 and TS_BrokenShortcuts.ps1. Doing either of what you suggested would also disable other checks.

 

Is there a list of what these other checks might be? More than likely, I probably wouldn't miss them but would like to know what they are checking/diagnosing

 

Look at the contents of C:\Windows\diagnostics\scheduled\Maintenance.

 

Thanks MB. I now can see that there are some that would need to be left available. With that in mind, I assume that we could do as the link you posted suggested for any of these within that folder?

 

Thank you guys.
After reading about them, I just left them allowed.

I don't like having icons on my desktop, so no harm from maintenance trying to clean up it

 

I think so yes, and you're welcome.