S_Tobias
Hi,
I'm working with Windows Device Guard (WDAC) to create a Code Integrity Policy.
To create a policy I use the New-CIPolicy Cmdlet.
In the documentation it says:
>To create a policy that includes user mode executables (applications), when you run New-CIPolicy, include the -UserPEs option.
(Understanding WDAC policy rules and file rules (Windows 10) - Windows security)
I'm now wondering, what is defined as a "user mode executable"?
From an OS perspective I know there is something like the user mode and the kernel mode.
Is the -UserPEs option related to that?
As far as I can see, "kernel" files are added as "SIGNINGSCENARIO_DRIVERS" and "user" files to the "SIGNINGSCENARIO_WINDOWS" section in the CI Policy.
Example from a C:\Windows\system32 policy:
SIGNINGSCENARIO_DRIVERS:
* C:\Windows\System32\aadjcsp.dll
* C:\Windows\System32\AdaptiveCards.dll
* C:\Windows\System32\win32k.sys
SIGNINGSCENARIO_WINDOWS:
* C:\Windows\System32\aadauthhelper.dll
* C:\Windows\System32\aadcloudap.dll
* C:\Windows\System32\AgentService.exe
I know there is an IMAGE_FILE_SYSTEM flag in the PE characteristics, but I could not find the flag in any of the listed files.
(PE Format - Win32 apps)
I could also not find any obvious difference in the PE header.
Can anyone explain what exactly is defined as a "kernel" and what as a "user" application, and how this is determined based on the given PE file?
Best regards,
Tobias
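An added example, not part of Tobias's post: a minimal PE header reader that extracts the two fields a practitioner would inspect when chasing this question, the COFF Characteristics word (where IMAGE_FILE_SYSTEM lives) and the optional-header Subsystem field. Mapping Subsystem == IMAGE_SUBSYSTEM_NATIVE to the drivers scenario and everything else to the Windows scenario is a heuristic assumed here; the post and the New-CIPolicy documentation do not confirm that the cmdlet works this way. The PE images are constructed in code so the example runs offline.

```python
import struct

IMAGE_FILE_SYSTEM = 0x1000          # COFF Characteristics bit the post looked for
IMAGE_SUBSYSTEM_NATIVE = 1          # Subsystem used by drivers and other non-Win32 images
SUBSYSTEM_NAMES = {0: "UNKNOWN", 1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}


def pe_headers(data: bytes) -> dict:
    """Return Magic, COFF Characteristics and optional-header Subsystem of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # 20-byte COFF file header
    size_opt, characteristics = struct.unpack_from("<HH", data, coff + 16)
    if size_opt < 70:
        raise ValueError("optional header too short to carry a Subsystem field")
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]       # 0x10B = PE32, 0x20B = PE32+
    # Subsystem sits at offset 68 in both the PE32 and PE32+ optional header layouts
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {"magic": magic, "characteristics": characteristics, "subsystem": subsystem,
            "subsystem_name": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
            "image_file_system": bool(characteristics & IMAGE_FILE_SYSTEM)}


def classify(data: bytes) -> str:
    """Assumed heuristic: NATIVE subsystem -> drivers scenario, anything else -> Windows scenario."""
    if pe_headers(data)["subsystem"] == IMAGE_SUBSYSTEM_NATIVE:
        return "SIGNINGSCENARIO_DRIVERS"
    return "SIGNINGSCENARIO_WINDOWS"


def build_pe(subsystem: int, characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed headers-only PE image (no sections) for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> PE signature
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Run `pe_headers()` over a real file's bytes to compare the Subsystem and Characteristics of the DLLs listed in each scenario section.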