SRP Broke MS Edge in Creators Update

Discussion in 'other software & services' started by Zorak, May 13, 2017.

  1. Zorak

    Zorak Registered Member

    Joined:
    Jan 2, 2010
    Posts:
    181
    Location:
    Australian Capital Territory
    Just thought I'd give a heads-up to any other users of Software Restriction Policies out there. I found the recent Windows 10 Creators Update completely broke Microsoft Edge for me. After many hours of troubleshooting and a clean install of Windows, I finally traced the problem to the enforcement of restrictions on DLLs in my Software Restriction Policy.

    Despite having set the default rules to "Unrestricted" early on in my troubleshooting, Edge was still not functioning. It wasn't until I re-installed Windows and re-created my SRP that I found the problem. So I wasted 2 days of my life re-installing Windows when I didn't have to - Doh!!
     
  2. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,366
    You shouldn't blindly enable SRP policies in Windows - if you don't know what you're doing, your system may become unusable.

    I've not activated Applocker for that very reason.
     
  3. guest

    guest Guest

    use Appguard instead :p
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,118
    Location:
    Slovenia
    I've had similar problems with default rules on Windows 7 and some software (when DLL monitoring was enabled). When I replaced default rules with path rules (Windows, Program files and Program files x86 folders) the problem disappeared. Now whenever I use SRP, I remove default rules and add path rules instead and haven't encountered problems since.
     
  5. Zorak

    Zorak Registered Member

    Same here, I've never found the default path rules added when SRP is created to work properly. I've been using SRP with DLL Enforcement for more years than I care to remember and only ever had minor problems (Flash Player - I'm looking at you). Edge had been playing along perfectly well with my SRP before the Creators Update, so something either changed within Edge or SRP as a result of that update.

    What really puzzled me was that setting the global rule to "unrestricted" didn't help when troubleshooting. I'd always assumed that this effectively disabled SRP, but clearly this wasn't the case.
     
  6. Minimalist

    Minimalist Registered Member

    Setting it to unrestricted doesn't disable SRP rules entirely AFAIK. Block rules are still effective. When I want to be sure that SRP won't interfere (let's say when installing things), I set it to unrestricted and to non-admins enforcement only. Then I run installer elevated. It's easier than deleting block rules and then recreating them after install.
    Maybe in your case Edge tries to run something (or load dll) from blacklisted location?
     
  7. NormanF

    NormanF Registered Member

    Could be. I just enforce Smartscreen so I can block anything I think shouldn't run.
     
  8. Zorak

    Zorak Registered Member

    My SRP always applies to non-admins only and there are no other block rules in place, apart from some additional path rules (which I also removed during troubleshooting). I just need to run installers elevated and that is normally sufficient to install new software.

    Event Viewer shows no SRP violation warnings but it does show faulting DLLs, however they are being run from Windows/System Apps - which is an unrestricted location. No matter what I've tried, Edge will only run after Creators Update if there is no SRP set at all, or with SRP and no DLL Enforcement. If I find the time, I'll fire up Process Monitor and see if I can get to the bottom of it.
     
  9. Zorak

    Zorak Registered Member

    I've always relied on SRP as a security measure and to also protect the family computer from "click-happy" teenagers installing anything and everything. They've now left home, so would you consider Smartscreen to be a suitable replacement for SRP purely from a security point of view?
     
  10. NormanF

    NormanF Registered Member


    Smartscreen is an anti-executable like Voodooshield. Microsoft has Applocker as SRP but unfortunately, it's only available on the Enterprise and Education editions.

    Smartscreen is more than sufficient protection on Windows 10. If you're really paranoid, you can lock down Windows with SRP.
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,154
    Location:
    Canada
    I've been using this in Win10 pro and it works when troubleshooting blocked dll's...

    https://technet.microsoft.com/en-us/library/bb457006.aspx#EDAA
     
  12. Zorak

    Zorak Registered Member

    Thanks a lot for that @wat0114 looks very handy, I'll give it a try.

    I did 2 captures with Process Monitor - one with Edge working (no DLL Enforcement) and one with Edge not working (with DLL enforcement) - and neither one showed DLLs being used from restricted locations, so I'm still unable to understand why DLL Enforcement is now breaking Edge. Hopefully your advanced logging tip will reveal more! Thanks again.
     
  13. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    It's likely due to something I qualify as a *bug* in SRP. Some of the default rules use registry keys to get the paths. If you remove those 'reg' keys and add the *actual* file paths instead it should work like you would expect. I found this out while creating rules for my kids' Win10 PC using SRP as I couldn't use AppLocker on the PRO version there alongside SBIE. Those same default 'reg' based rules interfered with Windows Defender updates and AppX packaged apps. So far as I know they still haven't fixed this on newer builds.

    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=5&t=23251&p=122896&hilit=SRP dll#p122892
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=5&t=23251&p=122896&hilit=SRP dll#p122896
     
    Last edited: May 17, 2017
  14. Zorak

    Zorak Registered Member

    Hi @syrinx, thanks for your input. I don't use Registry Path Rules, only discrete Path Rules, however in mechbgon's "classic" SRP set-up guide he also mentions the need to unrestrict the Program Files\Windows Apps path in Windows 8, even when Program Files itself is already an unrestricted path. So I previously tried unrestricting several other likely locations contained within already restricted paths, but this still didn't prevent Edge from crashing :thumbd:
     
  15. Zorak

    Zorak Registered Member

    Using @wat0114's advanced logging tip confirms what Process Monitor reported ie. no DLLs are being restricted by my SRP, yet Edge will still not work with DLL restrictions enforced :confused:

    This is now becoming more of an intellectual exercise however, as I have started to like using Chrome as my browser - thanks MS for ensnaring me further into Google's tentacles! I would still like to get to the bottom of it though.
     
  16. Minimalist

    Minimalist Registered Member

    Did you try to see if logging is working - adding restrict rules that will block dll loading and checking if log entry is actually created?
     
  17. Zorak

    Zorak Registered Member

    Hmmm, you're right. Seems the log is only recording unrestricted events. Tried to record a blocked DLL and a blocked EXE and neither one showed up, even though the blocked EXE threw up an Event Viewer warning. However there were hundreds of unrestricted events recorded in the log.

    So I'm still left with the Process Monitor results, which show that Edge does NOT rely on DLLs from restricted locations. What am I missing here?? :doubt:
     
  18. syrinx

    syrinx Registered Member

    The ones you added might be but what I was saying is that when the default SRP rules are first created they are done so with the use of the Registry Key Paths instead of the File paths. Removing those and adding the others fixed the blocking of dlls from these paths which should not have been blocked to start with.
    eg:
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% should be changed to the file based path C:\Windows
    and
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProgramFilesDir%

    It really does sound the same to me but then I can't inspect your system to be sure. Maybe it's not related at all...
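
Added example (not code from any poster in this thread): a read-only PowerShell audit of the machine SRP policy. It reports the default level, whether DLL enforcement and the administrator exemption are set, and lists every path rule with the registry-path form discussed above flagged. It assumes the standard machine policy location `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers` and covers path rules only.

```powershell
# Added example: read-only audit of the local-machine SRP policy (path rules only).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $base)) { Write-Output 'No machine SRP policy found.'; return }

# Security levels are stored as numeric subkey names.
$levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }
$policy = Get-ItemProperty -Path $base

# TransparentEnabled: 0 = no enforcement, 1 = all files except DLLs, 2 = all files (DLL enforcement)
# PolicyScope:        0 = all users,      1 = all users except local administrators
[pscustomobject]@{
    DefaultLevel   = $levels[[string]$policy.DefaultLevel]
    DllEnforcement = ($policy.TransparentEnabled -eq 2)
    SkipAdmins     = ($policy.PolicyScope -eq 1)
    LogFileName    = $policy.LogFileName   # empty when advanced logging is off
} | Format-List

# Walk <level>\Paths\{GUID} and read each rule's ItemData without expanding it,
# so %HKEY_...% registry-path rules and %VAR% rules are shown as stored.
$rules = foreach ($levelKey in Get-ChildItem -Path $base) {
    $pathsKey = "$($levelKey.PSPath)\Paths"
    if (-not (Test-Path $pathsKey)) { continue }
    foreach ($rule in Get-ChildItem -Path $pathsKey) {
        $item = $rule.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
        [pscustomobject]@{
            Level            = $levels[$levelKey.PSChildName]
            RegistryPathRule = ($item -match '^%HKEY_')
            Path             = $item
            Guid             = $rule.PSChildName
        }
    }
}
$rules | Sort-Object Level, Path | Format-Table -AutoSize
```

Disallowed rules listed here stay in force even when `DefaultLevel` reports Unrestricted, which matches what Minimalist describes earlier in the thread.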
     
  19. Minimalist

    Minimalist Registered Member

    Personally I would try and remove all block rules (if you didn't already). If Edge runs OK, I would compare allowed events in log to allowed events when those rules were present (and Edge didn't run) and try to find difference. If there are no block rules present then I'm out of ideas.
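
The log comparison suggested above, as an added PowerShell example rather than anything posted in the thread. The two captures are constructed, with placeholder file names and GUIDs, and the line shape `process (PID = n) identified path as Level using rule, Guid = {...}` is an assumption about the advanced log format; for real use, pass the output of `Get-Content` on each saved log instead.

```powershell
# Parse SRP advanced-log lines into objects. Assumed line shape:
#   proc.exe (PID = 123) identified C:\path\file.dll as Unrestricted using path rule, Guid = {...}
function Get-SrpLogEntry {
    param([string[]]$Line)
    $pattern = '^(?<proc>.+?) \(PID = \d+\) identified (?<path>.+) as (?<level>\S.*?) using (?<rule>.+?), Guid = '
    foreach ($text in $Line) {
        if ($text -match $pattern) {
            [pscustomobject]@{
                Process = $Matches['proc']
                Path    = $Matches['path'].ToLowerInvariant()
                Level   = $Matches['level']
                Rule    = $Matches['rule']
            }
        }
    }
}

# Constructed captures: placeholder paths and GUID, not real Edge modules.
$dir = 'C:\Windows\SystemApps\ExampleApp'
$g   = '{00000000-0000-0000-0000-000000000001}'
$workingLog = @(
    "explorer.exe (PID = 100) identified $dir\app.exe as Unrestricted using path rule, Guid = $g"
    "app.exe (PID = 200) identified $dir\first.dll as Unrestricted using path rule, Guid = $g"
    "app.exe (PID = 200) identified $dir\second.dll as Unrestricted using path rule, Guid = $g"
)
$failingLog = @(
    "explorer.exe (PID = 300) identified $dir\app.exe as Unrestricted using path rule, Guid = $g"
    "app.exe (PID = 400) identified $dir\first.dll as Unrestricted using path rule, Guid = $g"
)

$working = Get-SrpLogEntry $workingLog
$failing = Get-SrpLogEntry $failingLog

# Entries in the failing run that were evaluated as anything other than Unrestricted.
$failing | Where-Object { $_.Level -ne 'Unrestricted' }

# Files evaluated in only one run: '<=' is working run only, '=>' is failing run only.
Compare-Object ($working.Path | Sort-Object -Unique) ($failing.Path | Sort-Object -Unique)
```

With the constructed data the only difference is `second.dll` on the working side, which marks how far the failing run got before it stopped rather than proving that file was blocked.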
     
  20. NormanF

    NormanF Registered Member


    Why bother? I mean isn't Edge already running sandboxed? Enforcing DLL restriction rules seems like overkill.
     
  21. Zorak

    Zorak Registered Member

    I agree and I did reply when @Minimalist suggested this earlier, that I always change those default entries to Path Rules.

    I have compared with and without block rules, I've even removed all block rules and set the default Security Level to Unrestricted. It's as if Edge sees that DLL Enforcement has been selected and just refuses to run. As far as being out of ideas - I think that makes two of us!

    I'm not trying to apply DLL rules just to Edge - it is a system wide setting that applies to either everything or nothing. If I could identify the "restricted" DLLs that Edge is supposedly tripping up on, then I could just unblock them.


    Thank you all for your input so far, but the weekend is approaching and my wife has a shopping list of tasks for me to perform, but I may re-visit the problem again when I get some time. I have seen on another forum (less knowledgeable than here!) that SRP had caused a similar problem. It would be nice to know whether anyone else here can replicate the problem though.
     
  22. wat0114

    wat0114 Registered Member

    Hi @Zorak,

    normally I don't run Edge but with my SRP enforcement set to all software files, Edge also breaks for me, with no Disallowed entries whatsoever in the log file. Like you, I've no idea what the problem is either :confused:
     
  23. Zorak

    Zorak Registered Member

    Thanks a lot @wat0114 for confirming that I'm not just imagining things :thumb:

    As I mentioned earlier, I'm actually quite liking Chrome now I've started using it. However I wanted Edge for the ability to cast media to our DVR and TV, but wouldn't you know it - that is now broken in Creators Update too! :mad:
     
  24. reldel

    reldel Registered Member

    Joined:
    Aug 14, 2007
    Posts:
    27
    Location:
    Felton, DE, USA
    I don't know what the answer to the problem is either. I do know that I have been a fulltime user of SRP since Windows 7, used it on Windows 8 and 8.1 and now on 10. I never had an issue on Windows 10 with Edge and SRP until I began running Insider versions of Creators Update. If I tried to install pre-released versions of CU insider overtop of the Anniversary Update build (with SRP already built but turned off for Insider install), Edge would not even seem to install properly. Edge would be totally broken, it might open for ten seconds and then crash. During the brief time it would be open, I could see there were no tabs, no favorites bar etc. After perhaps five attempts installing Insider versions over several months with no solution, I tried deleting my Software Restriction Policy BEFORE trying to install CU overtop of the Anniversary Update, bingo, after the install Edge worked as expected. I then built a totally new Software Restriction Policy from the ground up and Edge continued to work.
     
  25. syrinx

    syrinx Registered Member

    I finally got around to trying to reproduce this on a Win10 CU based VM and I can say that from what I've seen there may not be anything we can do in order to fix this on our end when using SRP/wDLL rules. Like you all have already noted before I didn't see anything being disallowed due to rules {even path based ones in place of the default reg based ones}. Edge would just 'sit there' for a bit then close by itself. It really did sound similar before but I would still like to apologize for pressing the Path rule solution as it really did sound similar to me [before I finally tested it].
     