Crapplocker screw up ??

So I had applocker enabled for a while but then decided to disable it for a while to try out other security options. I just tried to install an app I wanted to try (desktop notes program, clean on VT). I am not allowed to install the program. I have tried various ways to get applocker to allow this install this app but am not able.

I was just able to install a different program recently. It appears the main difference between the two programs is that applocker will not allow a program without a digital signature to be installed. The program allowed to be installed had a digital signature while the one applocker denied did not have a DS.

How do I get my system back to where I can install this app which does not have a digital signature?

Please do not remind me a million times about it not being wise to install an app that lacks a valid digital signature. I realize what I am doing is not the smartest install ever. But for now I just need my computer back to the pre-applocker status.

Thanks in advance for any help.

 

Did you keep the default rules that allow Administrators to run anything? If you kept them, you should be able to install by right-click and choose 'Run as administrator'.

 

MrBrian, I'm thinking acr has deleted or possibly altered those administrator Path rules. acr, you've never really made it clear how you're AppLocker config is set up and whether or not you decided to run as administrator, so it's hard to help. You haven't posted any screenshots of your rules, nor of your AppLocker log results when problems occur. AppLocker works exactly as it should based on the way the user has configured the rules. There's no buggy behavior whatsoever that I've ever noticed, not once.

Possibly what's currently happening to you is the application you're trying to install is already installed with a version that is digitally signed and has a Publisher rule assigned to it, so it is not allowing the current version because of its lack of a digital signature. Just my guess, but as MrBrian points out the default allow all path rule for admins should allow it to install.

 

When I right click there is no "run as admin". With some installers I have there is a "run as admin" but not this one.

 

It's a .MSI file then I assume? I have one specific folder where a limited user can both execute from and write to, for such purposes as this. Make such a rule, then run your .MSI from there.

 

I'm running as admin and always have. I have now tried applocker with rules enforced and as audit only. But I am unable to install this app no matter how I try to configure applocker. I'd like to just disable applocker. Actually I thought before that if I just deleted off all the rules and had none enforced that applocker would essentially not be enabled.

 

You may need an msi rule for your "Admin" named administrator account. I have found that the default rules for the "Built-in" administrator account is not enough.

 

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Msi.Package\shell\runas\command]
@=hex(2):22,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,\
73,00,69,00,65,00,78,00,65,00,63,00,2e,00,65,00,78,00,65,00,22,00,20,00,2f,\
00,69,00,20,00,22,00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00


Put the above in a .reg file and merge and that will enable the right click "Run as Admin" option for .msi files.

 

"By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced."

Temporarily disable the Application Identity Service or add the user account (Admin-PC\Admin) to AppLocker Allow.

 

forgot about just disabling the service- thanks for pointing that out. I decided to go with another sticky note program.

FWIW- I tried creating a rule by path and hash but after doing so I was still unable to install the program. Could there be a "higher" rule in applocker that does not allow non-digitally signed installs nomatter what I set up for installer rules?

I guess I kinda like the applocker as admin set up, better than most other things I have tried. It just takes a bit getting used to.