ssj100 Security Forums

How to enable advanced logging for Software Restriction Policies


Post by ssj100 22/7/2010, 14:14

Only just discovered this neat "trick" to enable detailed logging for Software Restriction Policies:
http://technet.microsoft.com/en-us/library/bb457006.aspx#EDAA

When creating rules or troubleshooting a machine displaying problems, an administrator may want a log of every software restriction policy evaluation. This can be done by enabling advanced logging.

To enable advanced logging:

Create the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

String Value: LogFileName, <path to a log file>
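The registry change from the post above, followed by a filter for the resulting log, as an added example that is not part of the original post. The log location, the function names and the assumed log line layout (caller, PID, evaluated path, level, rule, GUID) are assumptions, and the sample lines are constructed.

```powershell
# Added example, not from the original post. The functions that touch the
# registry need an elevated prompt; they are defined here but not called.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LogPath = 'C:\SRPLogs\srp.log'   # assumed location; pick any path you like

function Enable-SrpLogging {
    param([string]$Path = $LogPath)
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir))     { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # LogFileName is the String Value (REG_SZ) named in the post
    New-ItemProperty -Path $KeyPath -Name LogFileName -Value $Path `
        -PropertyType String -Force | Out-Null
}

function Disable-SrpLogging {
    # Removing the value turns advanced logging off again
    Remove-ItemProperty -Path $KeyPath -Name LogFileName -ErrorAction SilentlyContinue
}

# Assumed layout: <caller> (PID = n) identified <path> as <level> using <rule>, Guid = {...}
$SrpLine = '^(?<caller>.+?) \(PID = (?<id>\d+)\) identified (?<target>.+) ' +
           'as (?<level>.+?) using (?<rule>.+?), Guid = (?<guid>\{[0-9A-Fa-f-]+\})\s*$'

function ConvertFrom-SrpLog {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        if ($Line -match $SrpLine) {
            [pscustomobject]@{
                Caller = $Matches['caller']; ProcessId = [int]$Matches['id']
                Target = $Matches['target']; Level     = $Matches['level']
                Rule   = $Matches['rule'];   RuleGuid  = $Matches['guid']
            }
        }
    }
}

# Constructed sample lines (paths, PIDs and GUIDs are made up)
$sample = @'
explorer.exe (PID = 2044) identified C:\Windows\system32\notepad.exe as Unrestricted using path rule, Guid = {11111111-1111-1111-1111-111111111111}
explorer.exe (PID = 2044) identified C:\Users\test\Desktop\setup.exe as Disallowed using default rule, Guid = {22222222-2222-2222-2222-222222222222}
rundll32.exe (PID = 3120) identified C:\Users\test\Downloads\sample.dll as Disallowed using default rule, Guid = {22222222-2222-2222-2222-222222222222}
'@

# Show only the evaluations that were blocked, DLL loads included
$sample -split "`r?`n" | ConvertFrom-SrpLog |
    Where-Object { $_.Level -eq 'Disallowed' } |
    Format-Table Caller, ProcessId, Target, Rule -AutoSize
```

On a test machine, call Enable-SrpLogging, reproduce the launch, then pipe Get-Content $LogPath into ConvertFrom-SrpLog. Call Disable-SrpLogging when finished.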

Re: How to enable advanced logging for Software Restriction Policies

Post by wat0114 2/9/2010, 16:17

LoBy wrote: Nice Find SSJ!!

Agreed! Knowing from first-hand experience how valuable a troubleshooting tool logging is with AppLocker, this will provide the same for those encountering issues with SRP.


Re: How to enable advanced logging for Software Restriction Policies

Post by Sully 2/9/2010, 21:02

ssj, I thought you would have known of this for at least 2 years now. I posted that in one of my many SRP type topics over at WS. (not that you had to know, just surprised you didn't).

btw, it has been a feature of PGS from its inception.
http://mrwoojoo.com/PGS/PGS_index.htm

Sul.


Re: How to enable advanced logging for Software Restriction Policies

Post by ssj100 3/9/2010, 00:15

Thanks guys. Sully, I've only been using SRP for just under 1 year (after discovering it existed a year ago and that it was already built into my system).

I've only been using advanced logging for testing purposes (it's not enabled on my REAL system, only in my VM) - for example, with advanced logging, I was able to confirm that SRP blocked DLL loading in these tests:
https://ssj100.forumotion.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1303
https://ssj100.forumotion.com/security-f7/dll-exploit-testing-t257.htm#2012

Yes, PGS is a very neat tool that, like SRP itself, also needs more limelight. I don't personally use it (I try to minimise the number of third party tools/programs on my system), but more "novice" users would greatly benefit from it.
