Re: What program is used to write events to the event log??????
BillMadison_at_nospam.com
Date: 02/24/04
- Next message: Kevin: "Critical Update (KB828026)"
- Previous message: daryla: "shareing XP Pro folders in a workgroup problem"
- In reply to: Roger Abell [MVP]: "Re: What program is used to write events to the event log??????"
- Next in thread: Roger Abell: "Re: What program is used to write events to the event log??????"
- Reply: Roger Abell: "Re: What program is used to write events to the event log??????"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 24 Feb 2004 18:22:55 +0000
Roger,
I have done some further testing and have come up empty. The result when importing the exported
registry files is that while apparently the restrictions are aplied...you can't see them in the mmc
editor.
That to me is not acceptable since I have to be able to see the settings in future when I have to
make adjustments.
The thing is...when making new path rules these settings get written to a temporary branch in the
registry in two locations ( the "GROUP POLICY OBJECTS")
[HKEY_USERS\***insert ADMIN SID here***\Software\Microsoft\Windows\CurrentVersion\Group Policy
Objects\LocalMachine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy
Objects\LocalMachine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
These directories disappear when you do a logoff and log back on. The only reference to these
settings that remains are the ones in the HKEY local Machine.
I have also tried exporting the entire group policy objects directory from both these registry
locations without duplicate entries and importing them in a new install, logging of and logging back
on and still I dont see these entries.
If MS didn't include or can provide some way in which admins can exported "path rules" then that
means that which each new install you have to manually add them and that is ....YAWN....a very
tedious affair.
So if you or anyone else knows some MS programmers or such and contact them about this issue I will
have to let this slip for a while.
They can hardly expect me to install file/registry watchers and such to monitor dll access, file
creation, file deletion, registry key creation, accessing stamps and GOD knows whatever action is
taken from the moment you click apply when creating a new path rule.
Kind Regards,
J
On Tue, 24 Feb 2004 01:26:06 -0700, "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote:
>Hi J,
>
>I believe that the event logging functionality is implemented as
>a part of services.exe
>It may be that part of one of the mechanisms that may be used
>to get an event message into the logs is what is actually blocked.
>
>You have gone about as far in trying to decipher how Safer is
>persisting its settings as have I to date. I have seen as of yet
>no references that detail how to export Safer settings so that
>they are transportable, but I have searched, and have seen this
>asked a few times (in NGs frequented by MS staff) with no answer.
>I would be interested in your further experiments, as it has been
>on my to-do (but not of urgent need) list.
>
>Regards,
>Roger
>
>
><BillMadison@nospam.com> wrote in message
>news:bagl30hqcsuvhu73n0s7qd2gimjp3ttqtq@4ax.com...
>> Hi All,
>>
>> Been testing software restriction policies on virtual PC for the last
>couple a days and have
>> encountered a minor problem.
>>
>> I have now created a deny all exe policy with certain "allow only exe's"
>that windows needs in
>> normal operation.
>> The problem however is that in a normal user account everything works ok
>but for one
>> issue....whenever there is an exe being started it normally writes this
>event to the event log so as
>> admin you can see what program or exe it was that was about to get
>started.
>> After applying my restrictions I now don't see these events in my log
>anymore so that means that one
>> exe is being denied from writing to the log.
>>
>> Now my question ofcourse,...what exe or program is used to write these
>events to the event log?
>>
>> Also, a few days ago I posted a question about wether these policies could
>be exported...the
>> question remained unanswered then but I have now found a way to do it
>(maybe....)
>>
>> The thing is, these policies get written to three different parts of the
>registry
>>
>> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy
>>
>Objects\LocalMachine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifie
>rs]
>>
>>
>[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifier
>s]
>>
>> [HKEY_USERS\***insert ADMIN SID
>here***\Software\Microsoft\Windows\CurrentVersion\Group Policy
>>
>Objects\LocalMachine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifie
>rs]
>>
>> So, normally you would think that by exporting these and reimporting them
>in a default install would
>> be sufficient for these policies to be applied on a new installation.
>Would I be correct in that
>> assumption????
>>
>> I noticed that each path rule I created has an unique GUID associated with
>it but when using the
>> search function it can only be found in the registry at the three above
>mentioned registry branches.
>> Does this then mean that they will work on a new machine when importing
>them since no other
>> reference of these GUIDs can be found on the system.
>> I even searched my harddrive to all files with a text containing one of
>these gui's to see if there
>> would be a place where windows stores these GUID's as a reference and also
>came up empty. Maybe they
>> are just created as GUIDS for the sole purpose of creating a unique string
>each time under these
>> registry keys but thats only my logical conclusion to this and I could
>ofcourse be wrong.
>>
>> Anyway, thats about all I wanted to ask for now,...and as always I hope
>someone who has read this
>> till the end and can provide some more details then I would be much
>obliged.
>>
>> Kind Regards,
>> J
>>
>
- Next message: Kevin: "Critical Update (KB828026)"
- Previous message: daryla: "shareing XP Pro folders in a workgroup problem"
- In reply to: Roger Abell [MVP]: "Re: What program is used to write events to the event log??????"
- Next in thread: Roger Abell: "Re: What program is used to write events to the event log??????"
- Reply: Roger Abell: "Re: What program is used to write events to the event log??????"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
