PhilReason
I was experimenting on my own system with process hardening for launching files in Windows 10 Pro, under "App & browser control" -> "Exploit protection" -> "Program Settings".
I had added custom settings for svchost.exe, and enabled several rules, specifically the rule "Do not allow child processes" switched to "on", and to override the system setting.
I did this in an attempt to try a simple method to both block the oh-so-many frivolous background processes which clutter my system's resources, while also testing for mitigation methods against USB-exploits by self-executing code (firmware rootkit mitigation).
Unfortunately I can no longer edit administrative settings, as clicking "Apply" or initiating any other system task requiring an unrestrained svchost process no longer works. My system is effectively now a 'very' secure 'dumb Windows client', seemingly without any system-altering process access. UAC is non-invokable, due to the inability to confirm actions; when attempted, a dialog box does come up, but clicking "OK" does nothing, or spawns an exception dialog box: "The process creation has been blocked".
The actual configuration:
Code:
<AppConfig Executable="svchost.exe">
  <DEP Enable="true" EmulateAtlThunks="true" />
  <ASLR ForceRelocateImages="true" RequireInfo="true" BottomUp="true" HighEntropy="true" />
  <StrictHandle Enable="true" />
  <SystemCalls DisableWin32kSystemCalls="false" Audit="true" />
  <ExtensionPoints DisableExtensionPoints="true" />
  <DynamicCode BlockDynamicCode="true" AllowThreadsToOptOut="false" Audit="false" />
  <ControlFlowGuard Enable="true" SuppressExports="false" StrictControlFlowGuard="true" />
  <SignedBinaries MicrosoftSignedOnly="true" AllowStoreSignedBinaries="true" Audit="false" AuditStoreSigned="false" EnforceModuleDependencySigning="true" />
  <Fonts DisableNonSystemFonts="true" AuditOnly="false" Audit="false" />
  <ImageLoad BlockRemoteImageLoads="true" AuditRemoteImageLoads="false" BlockLowLabelImageLoads="true" AuditLowLabelImageLoads="false" />
  <Payload EnableExportAddressFilter="true" AuditEnableExportAddressFilter="false" EnableExportAddressFilterPlus="true" AuditEnableExportAddressFilterPlus="false" EnableImportAddressFilter="true" AuditEnableImportAddressFilter="false" EnableRopStackPivot="true" AuditEnableRopStackPivot="false" EnableRopCallerCheck="true" AuditEnableRopCallerCheck="false" EnableRopSimExec="true" AuditEnableRopSimExec="false" />
  <SEHOP Enable="true" TelemetryOnly="false" />
  <Heap TerminateOnError="true" />
  <ChildProcess DisallowChildProcessCreation="true" Audit="false" />
</AppConfig>
Note that any problems mentioned here began immediately after 'locking-down' svchost.exe.
I would rather not reinstall the OS, nor use a system restore point, but may as a last resort; my goal is to undo this crippling action during runtime.
My Question: Assuming it is possible, how should I be able to mitigate this problem?
Thanks in advance for any advice or solutions! "Complicated" solutions or hints are welcome, if solely to restore workability.
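The following is an added example, not part of PhilReason's post, showing how the per-process Exploit Protection entry for svchost.exe in the configuration above can be inspected and removed with the built-in ProcessMitigations PowerShell module. The reason the lockout is so total is worth stating: every UAC elevation is launched by the AppInfo service, and every scheduled task by the Task Scheduler service, both of which run inside svchost.exe host processes, so "Do not allow child processes" on svchost.exe blocks every new elevated process, including the consent dialog's target. The script therefore assumes an already-elevated shell obtained some other way; the offline fallback at the end assumes the stuck installation appears as drive D: under the Windows Recovery Environment, and the exact property layout of the Get-ProcessMitigation output object is an assumption to verify on the target build.

```powershell
# Added example (not from the original post): inspect and undo the per-process
# Exploit Protection settings applied to svchost.exe.
# Requires an elevated PowerShell. With DisallowChildProcessCreation enforced on
# svchost.exe, UAC elevation itself fails (the AppInfo service, hosted in svchost.exe,
# is what spawns the elevated process), so this only works from a shell that was
# already elevated before the rule took effect. Otherwise use the offline steps below.

$Image = 'svchost.exe'   # image name exactly as shown in the Exploit Protection UI

# 1. Show the per-process overrides currently stored for this image.
Write-Host "Per-process mitigations currently set for $Image:"
Get-ProcessMitigation -Name $Image

# 2. Confirm the rule that causes the lockout is really set before changing anything.
#    Assumption: the ChildProcess.DisallowChildProcessCreation property reports ON/OFF/NOTSET.
$current = Get-ProcessMitigation -Name $Image
if ("$($current.ChildProcess.DisallowChildProcessCreation)" -eq 'ON') {
    Write-Warning "DisallowChildProcessCreation is ON for $Image; UAC elevation and service-started processes are blocked."
}

# 3a. Narrow fix: switch off only the child-process rule and leave the other overrides.
Set-ProcessMitigation -Name $Image -Disable DisallowChildProcessCreation

# 3b. Clean fix: drop every per-process override for this image so the system
#     defaults apply again (the whole AppConfig block above was experimental).
Set-ProcessMitigation -Name $Image -Remove

# 4. Verify; everything should now read NOTSET (inherits the system default).
Get-ProcessMitigation -Name $Image

# 5. Restart so any svchost.exe instances started under the old policy are replaced.
#    Uncomment when ready:
# Restart-Computer

# --- Offline fallback when no elevated shell can be obtained at all ---
# Boot to the Windows Recovery Environment (Shift + Restart -> Troubleshoot ->
# Advanced options -> Command Prompt). Set-ProcessMitigation persists per-image
# settings under that image's Image File Execution Options key as the binary
# values MitigationOptions and MitigationAuditOptions; deleting them removes the
# override. The drive letter D: for the offline Windows installation is an
# assumption: list the drives first and adjust. Query before deleting so you can
# see what is actually stored.
#
#   reg load HKLM\OFFLINE D:\Windows\System32\config\SOFTWARE
#   reg query "HKLM\OFFLINE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe"
#   reg delete "HKLM\OFFLINE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /v MitigationOptions /f
#   reg delete "HKLM\OFFLINE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /v MitigationAuditOptions /f
#   reg unload HKLM\OFFLINE
```

Two practical caveats: per-image mitigation settings for a generic host like svchost.exe apply to every service instance, so the effect is far broader than the handful of background services one might want to suppress, and the Exploit Protection UI offers no audit-only mode for the child-process rule, so test such a rule with `Set-ProcessMitigation -Name <image> -Enable AuditChildProcess` on a disposable VM before enforcing it on a system binary.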