How to enable advanced logging for Software Restriction Policies


Post by ssj100 on 22/7/2010, 14:14

Only just discovered this neat "trick" to enable detailed logging for Software Restriction Policies:
http://technet.microsoft.com/en-us/library/bb457006.aspx#EDAA

When creating rules or troubleshooting a machine displaying problems, an administrator may want a log of every software restriction policy evaluation. This can be done by enabling advanced logging.

To enable advanced logging:

Create the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

String Value: LogFileName, <path to a log file>

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Post by wat0114 on 2/9/2010, 16:17

LoBy wrote: Nice Find SSJ!!

Agreed! Knowing from first-hand experience how valuable a troubleshooting tool logging is with Applocker, this will provide the same for those encountering issues with SRP.


Post by Sully on 2/9/2010, 21:02

ssj, I thought you would have known of this for at least 2 years now. I posted that in one of my many SRP type topics over at WS. (not that you had to know, just surprised you didn't).

btw, it has been a feature of PGS from its inception.
http://mrwoojoo.com/PGS/PGS_index.htm

Sul.


Post by ssj100 on 3/9/2010, 00:15

Thanks guys. Sully, I've only been using SRP for just under 1 year (after discovering it existed a year ago and that it was already built into my system).

I've only been using advanced logging for testing purposes (it's not enabled on my REAL system, only in my VM) - for example, with advanced logging, I was able to confirm that SRP blocked DLL loading in these tests:
http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1303
http://ssj100.fullsubject.com/security-f7/dll-exploit-testing-t257.htm#2012

Yes, PGS is a very neat tool that, like SRP itself, also needs more limelight. I don't personally use it (I try to minimise the number of third party tools/programs on my system), but more "novice" users would greatly benefit from it.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
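
Added example (not from the posts above or from the TechNet article): PowerShell that sets the LogFileName value described in the first post and filters the resulting log for Disallowed decisions, the kind of check described above for confirming that SRP blocked a DLL load. The function names, the log path, the sample lines and the entry layout matched by the regex (caller, PID, target, security level, rule type, rule GUID) are assumptions; adjust the pattern if your log differs.

```powershell
# Added example. Function names, log path and sample lines are hypothetical.
$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Enable-SrpLogging {
    param([Parameter(Mandatory)][string]$LogPath)
    # Needs an elevated session: the key sits under HKLM\SOFTWARE\Policies.
    if (-not (Test-Path -Path $SaferKey)) { New-Item -Path $SaferKey -Force | Out-Null }
    New-ItemProperty -Path $SaferKey -Name 'LogFileName' -Value $LogPath `
        -PropertyType String -Force | Out-Null
}

# Assumed entry layout (one policy evaluation per line):
#   <caller> (PID = <n>) identified <target> as <level> using <type> rule, Guid = {<guid>}
$EntryPattern = '^(?<Caller>.+?) \(PID = (?<ProcId>\d+)\) identified (?<Target>.+) ' +
                'as (?<Level>.+?) using (?<Rule>.+?) rule, Guid = (?<Guid>\{[0-9A-Fa-f-]+\})\s*$'

function Get-SrpLogEntry {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match $EntryPattern) {
            [pscustomobject]@{
                Caller = $Matches.Caller
                ProcId = [int]$Matches.ProcId
                Target = $Matches.Target
                Level  = $Matches.Level
                Rule   = $Matches.Rule
                Guid   = $Matches.Guid
            }
        } elseif ($Line.Trim()) {
            # Surface lines the pattern misses instead of silently dropping them.
            Write-Warning "Unparsed SRP log line: $Line"
        }
    }
}

# Constructed sample lines (GUIDs are placeholders), so the parser runs without a real log.
$sample = @(
    'explorer.exe (PID = 1480) identified C:\Windows\system32\notepad.exe as Unrestricted using path rule, Guid = {11111111-1111-1111-1111-111111111111}'
    'explorer.exe (PID = 1480) identified C:\Users\test\Downloads\setup.exe as Disallowed using default rule, Guid = {22222222-2222-2222-2222-222222222222}'
    'rundll32.exe (PID = 2212) identified C:\Users\test\Desktop\test.dll as Disallowed using path rule, Guid = {33333333-3333-3333-3333-333333333333}'
)
$sample | Get-SrpLogEntry | Where-Object { $_.Level -eq 'Disallowed' } |
    Format-Table Caller, ProcId, Target, Rule -AutoSize

# On a test machine (elevated):
#   Enable-SrpLogging -LogPath 'C:\SrpLogs\srp.log'
#   Get-Content 'C:\SrpLogs\srp.log' | Get-SrpLogEntry | Where-Object { $_.Level -eq 'Disallowed' }
```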