Software Policy: use Software Restriction Policies on any Windows edition (free)

Discussion in 'other anti-malware software' started by MrBrian, Jan 26, 2014.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    In the softwarepolicy.ini config file you would need to add it under [CustomPolicies] section. Ensure that you have =1 after each. You would want to temporarily Unlock the policy for installation.

    Would look something like this:
    Code:
    [CustomPolicies]
    C:\Users\{your-user-name}\Downloads\Notepad2.exe=1 ; change according to where you have it extracted or installed
    *Notepad2.exe=1 ; this would allow Notepad2.exe to run from any location, but less secure as malware could use same file name to get by

    If it's installed within Program Files directories, default policy rules should allow it anyways and no need to add.

    Now as far as what you are saying with regards to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe registry location, I honestly don't believe that Software Policy program utilizes that or changes/deletes that. I assume that you are using the Notepad2 installer which gives the option to change the built-in notepad.exe to use Notepad2.exe instead. Unfortunately I am not very familiar with Notepad2 or replacing system programs with custom programs. So hopefully someone else can assist you in this regard.
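
An added example, not part of the original post and not Software Policy's own code: a Python audit of a [CustomPolicies] section that separates full-path rules from file-name-only rules such as *Notepad2.exe, which the post above notes are less secure, and reports entries missing the "=1". The sample file, the user name alice, C:\Tools\portable.exe and the label names are assumptions made for this illustration.

```python
import configparser
from pathlib import PureWindowsPath

# Constructed sample input; the user name and paths are illustrative.
SAMPLE_INI = r"""
[CustomPolicies]
C:\Users\alice\Downloads\Notepad2.exe=1 ; full-path rule
*Notepad2.exe=1 ; file-name-only rule
C:\Program Files\Notepad2\Notepad2.exe=1
C:\Tools\portable.exe
"""

def load_custom_policies(text):
    """Return {rule: value} for the [CustomPolicies] section."""
    cp = configparser.ConfigParser(
        delimiters=("=",),               # the default also splits on ':' (drive colon)
        inline_comment_prefixes=(";",),  # drop trailing "; comment" text
        interpolation=None,              # keep '%' characters literal
        allow_no_value=True,             # tolerate a rule written without "=1"
        strict=False,                    # tolerate duplicate rules
    )
    cp.optionxform = str                 # keep the original case of paths
    cp.read_string(text)
    if not cp.has_section("CustomPolicies"):
        return {}
    return dict(cp.items("CustomPolicies"))

def classify(rule):
    """Labels are this example's own heuristics, not Software Policy terms."""
    path = PureWindowsPath(rule)
    if not path.is_absolute():
        # "*Name.exe" matches by file name alone, from any folder
        return "name-only" if rule.startswith("*") else "unknown"
    top = path.parts[1].lower() if len(path.parts) > 1 else ""
    if top in ("program files", "program files (x86)"):
        return "redundant"      # default rules already allow these folders
    if top == "users":
        return "user-profile"   # inside a profile, writable by that user
    return "full-path"

def audit(text):
    """Return [(rule, label)]; rules lacking '=1' are reported as such."""
    findings = []
    for rule, value in load_custom_policies(text).items():
        label = classify(rule) if (value or "").strip() == "1" else "missing-=1"
        findings.append((rule, label))
    return findings

if __name__ == "__main__":
    for rule, label in audit(SAMPLE_INI):
        print(f"{label:13} {rule}")
```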
     
  2. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    305
    Location:
    router
    Thank you for the reply.
    Yes, I use the installer; the installer adds this key to the registry:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
    "Debugger"="\"C:\\Program Files\\Notepad2\\Notepad2.exe\" /z"

    So first I installed Notepad2, then I launch Software Policy and this key will be deleted. I go to the registry and I cannot find it. Hope someone has experience with this.
     
  3. iwrconsultancy

    iwrconsultancy Registered Member

    Joined:
    Dec 21, 2014
    Posts:
    1
    Image File Execution is used by SRP when programs are launched as a limited-rights user, and entries are cleared when you unlock if LimitedApps=1 or 0, but not 2. In principle you can still use IFE for debugging but must accept that the debug settings may disappear if you Unlock.

    To clarify one other point, when using v1.2 on Windows 7/8, it is advised to either turn off UAE and use SRP's own limited apps mechanism, or else have UAE on but remove the MLSoftwarePolicyTrayApplet startup shortcut. Either will stop the elevation prompt appearing at each startup. The tray applet need not be running for the policy to apply, but it is necessary for the timed auto-relock function to work, so don't forget to manually relock after installing stuff.

    v2 starts the tray applet as a limited process which asks for elevation when a policy change is requested. This overcomes the UAE compatibility issue. Note that v2 is very new though, whereas v1.2 is well tested and stable. We're not using v2 on any client sites yet.

    HTH.
     
  4. kerykeion

    kerykeion Registered Member

    Joined:
    Jun 30, 2010
    Posts:
    275
    Location:
    Philippines
    Welcome to Wilders @iwrconsultancy! It's nice to see you here.

    Just to give feedback, I'm currently testing V2 on my machine, and it seems to work as intended -- though only within a Standard User Account (I think the limited apps section of the config file needs admin rights?). I'm using the default rules, with some customizations on allowed folders to run .exe on.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Welcome to Wilders :).

    FYI to others: UAE = UAC = User Account Control.

    I use the free version of RunasRob to stop UAC elevation prompts from appearing at startup (works with standard users too).
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    Welcome to Wilders Security Forums, iwrconsultancy. It's always a pleasure when developers come by.

    I think that with v1.2, a lot of users use Scheduled Tasks with the 'Run with highest privileges' option to avoid UAC prompt on startup and still receive tray functionality. I like the way that v2 uses a separate executable for the initial tray that does not request elevation until the user decides to make changes. So far v2 works great (testing on Windows 10 64-bit previews) here. No issues thus far.

    Thank you for embracing open source with your excellent programs.
     
  7. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    305
    Location:
    router
    Thank you for explaining.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    Minor update: http://sourceforge.net/projects/softwarepolicy/files/

     
  9. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    761
    Corrected, Chrome can't open with SRP, anyone else having this problem? I had to delete chrome.exe from the policy for it to work.
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    Are you referring to running Chrome with limited rights? Personally, I have never utilized the integrated DropMyRights functionality of this Software Policy program. I'm not so sure that would be necessary with Chrome anyway since it's quite secure already by design.
     
  11. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    761
    Yes, that's it.
     
  12. Chrome does not run when using drop my rights or similar. It does not have many benefits when using UAC. Drop my rights was nice when on XP running admin.
     
  13. drache

    drache Registered Member

    Joined:
    Dec 10, 2014
    Posts:
    5
    I used to use SRP on my XP-based system years ago and was delighted to be able to do so again on Windows 7 HP (x64). I'm currently using v2.0r1 paired with a standard user account.

    I've got a question, if anyone here can help me out.

    When you click the tray applet icon for the first time you must click on "Open Policy Controls". Then the UAC window shows up and you enter your credentials in order to alter the settings. However, after this is done it seems I have free rein to alter the softwarepolicy.ini file whenever I want through the tray menu. Wouldn't it weaken the SRP if I, as a limited user, can alter the .ini at any moment without further prompt? The only workaround I found was to close the tray applet, unless this is the proper way to proceed - you alter the .ini settings and then close the tray applet. Does anyone know if it is the intended behavior or not?

    Thanks.
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    Quite honestly, this recent version that included the feature enhancements for Standard Users and to deal with UAC accordingly is still quite fresh and so I'm not sure that the majority of us have thoroughly tested it yet. If I had to guess, I would assume that it is expected and they may have not found a better way to deal with that yet. But you're right, it could potentially open up a security risk. My personal suggestion would be to email the developers (http://iwrconsultancy.co.uk/contact) with the contact at the bottom of that page. They have generally been great when it comes to responding to email. Let them know your concern and also even if you have any suggestions on how they can better deal with that situation. I'm trying to think of ways other than closing the tray applet that would still make sense and be user friendly but can't think of anything at the moment.
     
  15. drache

    drache Registered Member

    Joined:
    Dec 10, 2014
    Posts:
    5
    Thank you, I'll mail them later.

    There's the AdminMenuPasswordLevel ("Require a password to unlock the policy or use admin-menu shortcuts") setting which locks the tray applet behind a password prompt, but it's not the usual UAC elevation prompt. I don't know if it's possible to implement another UAC prompt because, theoretically, the user has already been elevated. To be honest, I don't feel very comfortable typing my admin password in a non-UAC window.

    I'll check how version 1.2 operates.
     
  16. drache

    drache Registered Member

    Joined:
    Dec 10, 2014
    Posts:
    5
    Sorry to double-post but I couldn't edit the one above.

    It seems v1.2 operates the same way. The only difference is the UAC screen at start up. Other than that, the tray applet still allows you to freely edit softwarepolicy.ini or lock/unlock the system until you exit it through Power > Exit App or password protect it (more on this later).

    I understand it's a convenience, but what if the user forgets to exit and then needs to leave the computer for a second (e.g. pick up the phone in another room)? In the meantime someone could edit the .ini. Or maybe a roguish program could use the elevated applet to mess around the system or freely edit the .ini found in "C:\Windows\SoftwarePolicy". Which brings me to the next point.

    As I mentioned before, there's an option to password-protect, but it uses the system defined password instead of one unique to Software Policy. I don't know how it treats the authentication process, if it uses Windows built-in mechanisms to authorize access. There could be an option to set a password to be used only with Software Policy. Something like this: AdminMenuPasswordLevel could be set to "1=any password, 2=Admin-level password only, 3=Software Policy password only".

    Or maybe I'm just overthinking this. Still, I don't feel comfortable using the admin password in a non UAC prompt.

    I'll stick with 2.0r1 as it works fine and just close the applet whenever I'm done with lock/unlock, in the rare instances it's needed. Despite my wall of text I think Software Policy is an excellent solution for those of us who don't own a Pro/Ultimate version of Windows, but would like to deploy SRP on our systems.
     
  17. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I disabled auto start and only run it when I need to change settings. But maybe it's not for everyone.
     
  18. themorpethian

    themorpethian Registered Member

    Joined:
    May 6, 2006
    Posts:
    35
    Windows 10 SRP.

    I've been following this post with interest for a while and have done a few virtual tests on Windows 10 myself.

    Here's the thing: I have Windows 10 Pro installed and this has Software Restriction Policies and AppLocker installed.
    I've googled for days for an answer to these questions.

    1. When / if you upgrade, will Windows 10 still have these features enabled?
    2. Will the license I already have default to the Home edition, or will you be given one?

    This seems to be a grey area as seemingly Microsoft is even willing to allow pirated versions to upgrade.
    Anyone else thought about this?

    If you don't get SRP and AppLocker, I've been looking at the Beta version of Cryptoprevent here http://www.foolishit.com/vb6-projects/cryptoprevent/
    Even on the default settings there are hundreds of blocked rules automatically generated. It also has a policy manager and, well, Advanced settings that go way over my head.
    Could some egghead here with more knowledge have a look and give us an honest opinion or review?

    Thanks in advance.
     
    Last edited: Apr 4, 2015
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @themorpethian: I don't know the answers to your questions offhand, but I would think that Software Policy (the software mentioned in this thread) will work on any edition of Windows 10, even if Software Restriction Policies and/or Applocker are not available.
     
  20. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    762
    Is there any way to use this without having to use a "login" password at Windows Startup... last I checked, probably 2 months ago, a password had to be set up for SP to effectively make use of the password prompt.
     
  21. themorpethian

    themorpethian Registered Member

    Joined:
    May 6, 2006
    Posts:
    35
    Thanks for the reply MrBrian.

    UPDATE: Tried Cryptoprevent on Windows 10 with the Maximum Protection + Filtering, locked out of the VM Player machine.
     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  23. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,296
    I had to delete my SRP rules because they blocked a Process Hacker update.

    The file kept getting blocked. After some searching on the Internet, I had to tick the administrator settings box and run it in Windows XP Service Pack 3 compatibility mode to complete the update.

    What a pain!
     
  24. nezic

    nezic Registered Member

    Joined:
    Jul 7, 2013
    Posts:
    8
    Hi all, Simple Software-Restriction Policy (StripMyRight) does not reduce rights. I am using default settings on XP, does anyone know why?
     
  25. pcunite

    pcunite Registered Member

    Joined:
    Oct 22, 2009
    Posts:
    14
    Recently a family member received a new laptop with Windows 8 Home. Could someone post a working PGS.exe (Pretty Good Security) file link? Anyone have the latest 1.1.1.1?
     