I knew the video would be longer than average but not this long 😩 📝Notes: • Also I figured this went without saying, but obviously if you download something malicious and add a rule to allow it, you will be infected. You still must ALWAYS be vigilant. And you should still also use an Antivirus, it’s not a replacement for that. • To get AppLocker policies to actually work, you might have to enable the "Application Identity" service and set it to start automatically if it isn't already. This requires a special command because it is a protect process (as opposed to just opening the services menu). To do this, run the command in command prompt as admin: sc.exe config appidsvc start= auto • Turns out you CAN actually add the Group Policy settings for PowerShell core without having to install PowerShell Core. I've added instructions to the ReadMe file in the resource pack in the description, but basically you download the latest zip release from Microsoft's PowerShell GitHub, and copy the files "PowerShellCoreExecutionPolicy.admx" and "PowerShellCoreExecutionPolicy.adml" into the directories "C:\Windows\PolicyDefinitions" and "C:\Windows\PolicyDefinitions\en-US" respectively.
I don't know why everybody is emphasizing the duration of this video - for me - it was like watching a super interesting, informative and well-written documentary - the time just flew buy! Excellent work, thank you so much for your effort! Greetings from Croatia :)
is it just me or did this 52 minute tutorial feel like a 10 minute tutorial? "Good tutorials feel like they took a fraction of the actual time it took to complete it. Bad tutorials are the same, except the reason is because of leaving early due to how bad it is instead of being due to how good it is."
You know @ThioJoe has a gift for teaching and explaining when the whole 50 minute video felt like 10 and you remember fairly well most of the process! Totally appreciate this video.
I swear this video is so informative and useful it’s something you could probably charge for and make thousands off of but you were nice enough to give it to everyone for free, what a guy
@thiojoe, this was one of the best mapped out videos covering a relatively complex topic and one with lots of settings. We are implementing this, and your video has been shared to the team as the best tutorial about it.
I have no intention to do any of this myself but I watched it all You made it very engaging and informative, I didn't noticed the length until it was almost done I wont mind more "complex" tutorials like this on in the future
Here's what I did for my grandma's PC, very simple: - Require my own password for Administrative privileges so she can't do that - Set up a single browser so she has no access to other browsers, with downloads always dropping into the Downloads folder - Wrote a script to instantly delete any executables that enter the Downloads folder My beloved virus addict is now sober :)
Thank you for think of us and sharing this knowledge! You are the BEST!! I made the changes on my PC and hopefully the random file explorer windows opening will stop.
Hi ThioJoe, I just wanted to say thank you, although I'll never do any of what you've shown here. Just not Tech savvy enough.I do realize how much time you have spent on video. Thanks
I'm really fascinated by this *type* of security. Antiviruses don't exite me, but this idea of reducing attack surface and plugging security holes is suuper amazing to me. I'd love to see more similar stuff
Yes, whitelisting is so muc more powerful than blacklisting, in fact antivirus solutions are not able to defeat the 100.000 of new attacks nowadays. Plus it doesnt slow the machine down anymore like AV solutions :)
Another excellent how to video!! Many thanks. Had to enable “Application Identity” service to get AppLocker to work. However to get it to auto start.. Had to regedit and set its start to 2.
Thank you so much for this detailed guide. I was able to follow all of your instructions easily. I understood each and every step depicted in your video. By the way, I'm a big fan of your TH-cam Channel. You make great videos. It's always a great time whenever I watch any of your videos. 😁
Awesome!! Unfortunately we wouldn't get rid of those pesky refund scammers with this but atleast we'd get away from ransomware and so on. Really great video, thanks!! Since I regularly reinstall my Windows I'm gonna have to delve deeper into how to transfer the settings to another computer, didn't know it was that easy!
Well done, Thio! Another suggestion for a video would be about Azure Information Protection and DLP (Data Loss Prevention). What files are protected, what can be managed, tracking files on disk and in transit etc.
Top tip if you are ever applying AppLocker policy in an AD domain NEVER and i mean NEVER edit a live policy always export the rules edit them locally and then re import. If something goes wrong ( and it can ) you can corrupt the policy and brick machines. I learned that the hard way, bricked about 20 machines . The best way to fix this is to switch to editing rules via configuration manager.
With admin rights you can unbrick the machines, in the last instance you can boot from windows cd, shift f10, regedit, mount the local registry hives and remove the applocker rules :)
Oh and to prevent this happening: allow wverything for admins, like the default templats suggests. I mean admins can do whatever they want anyway, effectively delete rules, thats why there is little sense in deleting the admincandoall rule :)
Wow, awesome work! This is very technical but also very thorough. One thing I found was my Application Identity service was not running for some reason. Even though I'm logged in as admin I could not set it to run automatically. But found a PS script that was able to set it. :) This whole process seems a little "quirky" though. The audit event log doesn't seem to work for me. But when I change it to Enforce, then the events start showing. Microsoft is also so "fun" to try to figure out. :D
You are logged as root. You are a hackers perfect target man. Linux does it right only when you need root, install a program and punch password you get 15 mins of root running. This is very dangerous having it 24/.
@@Whitemike63 In Windows, it works a bit differently. As far as I can tell, most users have admin-level control of the system by default (without editing group policy settings, of course), which isn't too dangerous because admin accounts, despite the implications in the name, don't actually have full system access, like the Linux root account. In fact, it's supposed to be extremely difficult to scale a user's system-wide authority to root-level in the first place.
You're excellent, Joe! I would love to share with you my motivational presentation about my life with Cerebral Palsy, and how tech has enabled me to lead a normal life online.
Thanks for the long and detailed video, will be testing this out... I'm curious how this is implemented on a domain (as far as scripts go, what has priority.. still local machine?) Keep up the great work!
I’m not as familiar with WDAC, but I have dabbled with it. It is harder to set up but has some advantages over AppLocker. The biggest problem is there is no GUI for WDAC.
@@patricklechner1 You can manage WDAC through either the ConfigCI suite of PowerShell cmdlets, or you can create WDAC policies with the WDAC Wizard (which is a project maintained by Microsoft.) Edit: Despite that, managing WDAC through both of those options is still a pain, and there is not yet a full-automation solution for WDAC on the market.
WDAC can control apps that run in Kernel mode as well as User mode. (AppLocker just deals in User mode.) Also, if you create a signed WDAC policy and put it in the UEFI partition, then it becomes much harder for a hacker--even with admin privileges--to remove (unless they can get ahold of the signing certificate.) WDAC does NOT control .BAT scripts. (There's other minor differences in the file types that they maintain.) WDAC is applied to the whole device regardless of the user account, but AppLocker allows you to vary rule enforcement based on different user accounts. The logs for WDAC events are located in the Event Viewer -> in Applications and Services logs > Microsoft > Windows > CodeIntegrity > Operational. HOWEVER, logs for WDAC enforcement events involving scripts and MSI files are still located in the "AppLocker" location described in this video.
I wasn't so paranoid until my avast antivirus was not protecting me, and the UI was bugged so i couldnt access it but in the ui it said that it was protecting me, but in the tray icon it said i wasnt. aa restart showed that my firewall was disabled and i IMMEDIATELY activated it and did a full virus scan. Now here I am, doing this regardless of the inconvenience of it. A few menu navigation clicks as an inconvenience is nothing compared to trying to remove dangerous malware from your computer and possibly spend hundreds to get it repaired if your not good with tech, and possibly even thousands if it cannot be removed and you have to buy a new pc. "Paranoia is not an inconvenience, it is your body's natural safeguard when it senses danger"
Im really proud lol, I have made a Powershell script which I added to the context menu which allows me to on right clicking the file, instantly whitelisting it.
Love this, suggestion/question for the import files you have (thanks btw), any reason you can't replace all of the WHATEVERUSERNAME placeholders with %USERNAME%
Thanks ThioJoe for this great content. For me the length of the video is very OK, considering the content. However, following this tutorial is a challenge. It's difficult to know how you arrived at certain point by the clicks of the mouse due to the speed and rate of zooming in and out. The movement of the mouse pointer on the screen is almost at the "speed of light". Maybe it's just me seeing it that way
Yea I realized afterwards I wasn’t really explaining everything I was doing so I tried to add on-screen explanations at some point. Some parts might be helped by putting the video on 0.5x speed
Also when checking event viewer events in these custom views that just happened disappear even though other older events in other logs are still there.
Super helpful video! Thank you very much. One thing I noticed is that some malware use a Microsoft certificate that is used to encrypt. Is AppLocker smart enough to not fall for that? Edit: There is a right-click option to "Automatically generate" also. How well does that work and what does it do?
I have noticed an error at Creating a Shortcut to AppLocker at 3:43. The path you listed is correct, but you forgot to list "Windows Settings" after computer configuration in the red text box path
I am not able to see app locker from the event viewer under custom view. You lost me at 6:35 in your video. Furthermore, I don't see the events under app locker in custom view. My events are found under administrative events.
ever time I try to save the updated directory path for my username i get an error policy could not be saved error unspecified error violates pattern constraint
I noticed there a tons of DLLs that are not signed show they will be blocked. I also noticed that regedit the file you are using as a sample is also not signed? Will this cause a problem?
I see that you can allow only signed executables. But can you block executables signed sha1 only? Sha1 was broken awhile ago and is practically useless.
Is an allow for executable installer or other installer for example make it so a uac prompt doesn't show up when it normally would if no applocker was configured
Doesn't Steam set the permissions on some folders in its install directory to be modifiable without elevation? I imagine it would be difficult to configure rules properly to allow games to run but disallow malware from copying executables into the same directories as the games...
That's what the file hash exceptions are for. That said, very few malwares are going to try the trick of copying themselves into a game's directory to attempt to use that as a staging ground, so the possibility of that happening is pretty remote. Most malware authors are not going to be writing it to tailor to your specific security policies/install setup, but hitting broader targets and going for typically unprotected areas like the Windows directory or Program Files directory etc. since most malware is just trying to find as many vulnerable victims as possible and ignore hardened systems. It's certainly possible malware could be written to do that though. Real dangerous malware, like the kind the NSA or other state sponsored hacking organizations create, and not just script kiddie stuff, are going to use previously unknown zero-day vulnerabilities to get around security policies (such as the Windows AppLocker) rendering all of this useless against them. If you're being targeted specifically by the NSA though you're kinda just screwed at that point.
I have a problem in windows whenever I try to open icon it automatically opens the first icon besides this I can't scroll down it automatically scrolls up please help me this problem I have executed so many commands but can't get of it
Informative However, if the OS itself has no care for your data or privacy in the first place, whatever you'd do on top of it just makes your data more exclusive to Microsoft and the third parties they send your data to
I don't know if you are aware of this but when you set the signed permissions as you did at 13:45, instead of selecting "Use custom settings" you can actually just drag the arrow to the right of "File version" up to "Any publisher" and it will do the exact same thing without you having add a star to each text field manually. This is just a minor detail that saves you a little bit of time, but I just felt like mentioning it. Thanks for a great tutorial! 😀 Edit: Nvm, after looking further into the video I just saw that you mentioned that too. Ignore everything I just said, except for this being a great tutorial. 🫠
Can you help me my new MSI laptop is like powershell admin hacked , can't reset or hardly do anything on it . . . Pretty sure they are using this on me . . .
I am curious. I have been having issues applying specific rules by user group. It seems all of the rules applied to the built-in user group, "everyone" works, but when I apply rules by a User Group based off of the Domain hostnames, the rules are not applied after waiting the 90 minutes or applying gpupdate /force cmdlet. I am only receiving event ID 8003 for the manually created user groups. I would appreciate any help or expertise. Thanks.
Why create 2 MMC files when Event viewer and GPO AppLocker can be added in a single Console. From there just add some windows. I've got a console with a whole bunch of tools even some custom scripts that I can launch from the MMC.
Is it feasible to devise a script that establishes an 'allow' rule for executing a specific application, alongside another script to subsequently revoke this 'allow' rule? This would enable me to proactively enable and disable applock rules for a particular application, both prior to and following its execution. Additionally, I'm interested in maintaining a default state of denying the execution of all applications and scripts.???? I'm just curious 🧐.
It might cause a small hit to responsiveness because everything running must be checked against the rules. But I don’t see why it would have an effect on a program once it runs. That being said I haven’t noticed any slowdowns.
@@ThioJoe wow, Thanks for the Quick response! I will follow this tutorial, try out my system as usual run a few games and report back if i encountered any issues!
@@НААТthe biggest issue you'll probably run into is if you're trying to mod games, as a lot of mod authors don't bother to do things like get their executables signed etc so you'll probably be needing to make exceptions for most mods (though obviously it depends)
Great guide. I'm giving it a whirl, but I expect there'll be some teething issues when I fire up my software development tools, software on other hard drives, and Mod Organizer 2. Btw, I think on my system, AppBlocker didn't start checking rules until I started the "Application Identity" service (e.g. appidsvc ) and restarted. Either that or I just wasn't hitting the refresh button on the event log. It is getting a bit late...
@@bokami3445 Google "Configure the Application Identity service" and go to the link from microsoft. The page notes that "Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service Startup type to Automatic by using the Services snap-in. " They give you a command line to use in powershell. I'd give you the line, but you really shouldn't trust command lines from random youtubers! ;-)
if anyone even doest see that this GPO settings wil working the Service "Application Identity" must be running else the rule changes doest take any effect it look like that it even take effect after using gpupdate /force
can they hack your "digital fingerprint" or URLs that can change your incoming and outgoing data? via router or dns.? and not have the device actually hacked? I'm going crazy with what they did to me and will not stop.
I knew the video would be longer than average but not this long 😩
📝Notes:
• Also I figured this went without saying, but obviously if you download something malicious and add a rule to allow it, you will be infected. You still must ALWAYS be vigilant. And you should still also use an Antivirus, it’s not a replacement for that.
• To get AppLocker policies to actually work, you might have to enable the "Application Identity" service and set it to start automatically if it isn't already. This requires a special command because it is a protect process (as opposed to just opening the services menu). To do this, run the command in command prompt as admin:
sc.exe config appidsvc start= auto
• Turns out you CAN actually add the Group Policy settings for PowerShell core without having to install PowerShell Core. I've added instructions to the ReadMe file in the resource pack in the description, but basically you download the latest zip release from Microsoft's PowerShell GitHub, and copy the files "PowerShellCoreExecutionPolicy.admx" and "PowerShellCoreExecutionPolicy.adml" into the directories "C:\Windows\PolicyDefinitions" and "C:\Windows\PolicyDefinitions\en-US" respectively.
it’s 52 minutes but ok-
Looooonnngggg 😊
🤣🤣
You made a Documentary....😄👏
Woah, I didn't realize how long this video is until I saw this comment.
I don't know why everybody is emphasizing the duration of this video - for me - it was like watching a super interesting, informative and well-written documentary - the time just flew buy! Excellent work, thank you so much for your effort! Greetings from Croatia :)
is it just me or did this 52 minute tutorial feel like a 10 minute tutorial?
"Good tutorials feel like they took a fraction of the actual time it took to complete it. Bad tutorials are the same, except the reason is because of leaving early due to how bad it is instead of being due to how good it is."
Same !
The hero we didn't know we deserved
He used to be the villain, happy he has become the hero.
@@ziphyfyiMe too.
Who says we deserve him?
NGL I use to love the villain side of him back in the day
Yes
Hey ThioJoe! I appreciate you making this more detailed and longer! 🎉
You know @ThioJoe has a gift for teaching and explaining when the whole 50 minute video felt like 10 and you remember fairly well most of the process!
Totally appreciate this video.
Congrats on 3M subscribers! Well deserved!
I swear this video is so informative and useful it’s something you could probably charge for and make thousands off of but you were nice enough to give it to everyone for free, what a guy
@thiojoe, this was one of the best mapped out videos covering a relatively complex topic and one with lots of settings. We are implementing this, and your video has been shared to the team as the best tutorial about it.
one of the best tutorials for applocker, even one of the most in-depth well explained tutorial in general
I know
I have no intention to do any of this myself but I watched it all
You made it very engaging and informative, I didn't noticed the length until it was almost done
I wont mind more "complex" tutorials like this on in the future
that's why you blush the whole time
Here's what I did for my grandma's PC, very simple:
- Require my own password for Administrative privileges so she can't do that
- Set up a single browser so she has no access to other browsers, with downloads always dropping into the Downloads folder
- Wrote a script to instantly delete any executables that enter the Downloads folder
My beloved virus addict is now sober :)
This is amazing, thanks so much for taking the time and putting so much effort into this. You're a legend!
I think this is your second longest video. Nothing beats that 2 hour one
This is one of those videos that I've saved up to watch, as you were asking in a recent poll. Thanks for the detailed explanation!
Best 50 minute of my time, thanks a lot TJ, definitely learned a lot.
Thank you for think of us and sharing this knowledge! You are the BEST!! I made the changes on my PC and hopefully the random file explorer windows opening will stop.
We've been waiting! Thank you Thio!! 🎉🎉🎉
THANK YOU SO MUCH! I've been waiting for a tutorial on how to set this up.
Great video as always!
This might be the best video on your channel! I wanted to thank you for your effort doing this!
Wow, this has played fully through! 😳 Was fixing a speaker bar while this played in the background 😅
Hi ThioJoe, I just wanted to say thank you, although I'll never do any of what you've shown here. Just not Tech savvy enough.I do realize how much time you have spent on video. Thanks
I'm really fascinated by this *type* of security. Antiviruses don't exite me, but this idea of reducing attack surface and plugging security holes is suuper amazing to me. I'd love to see more similar stuff
Yes, whitelisting is so muc more powerful than blacklisting, in fact antivirus solutions are not able to defeat the 100.000 of new attacks nowadays. Plus it doesnt slow the machine down anymore like AV solutions :)
52 minute ThioJoe video?
Yes please! 🙂
yes
@doubleWmemesYes, a few hours ago
wait what it’s published since 3 minutes but it says you posted this comment 12 hours ago
@@_SJ how did you even watch it before it was posted
paid member @@CanDoesGames
Awesome video ThioJoe! Structured well like a course. 👍
Exactly what I was waiting for 🎉 Many, many thanks Thio ✌️
Thank you for this very comprehensive tutorial, ThioJoe. It is much appreciated.
Holy moly this guy is insane! Take so much time and effort to make us safer
Another excellent how to video!! Many thanks. Had to enable “Application Identity” service to get AppLocker to work. However to get it to auto start.. Had to regedit and set its start to 2.
This video seems excalty what I was looking for. You saved me a lot of reading and studying time! Thank you very much!!!
"Comprehensive tutorial" is an understatement!
This video structure is great and you explain it very well.
Thanks for taking the time
My favorite tech channel ❤️ was with you during the joke videos, and still with you now learning new stuff
Thank you so much for this detailed guide. I was able to follow all of your instructions easily. I understood each and every step depicted in your video.
By the way, I'm a big fan of your TH-cam Channel. You make great videos. It's always a great time whenever I watch any of your videos. 😁
Awesome!! Unfortunately we wouldn't get rid of those pesky refund scammers with this but atleast we'd get away from ransomware and so on. Really great video, thanks!! Since I regularly reinstall my Windows I'm gonna have to delve deeper into how to transfer the settings to another computer, didn't know it was that easy!
Thank you for putting so much time into this
Love the content you have been putting out, really made me understand this underused feature!
Well done, Thio! Another suggestion for a video would be about Azure Information Protection and DLP (Data Loss Prevention). What files are protected, what can be managed, tracking files on disk and in transit etc.
I finished. Thank you for the great video and the detailed guide.
Just did it ! Enjoyed the entire video.
best time spent on windows security, thank you for sharing!
Just what I was looking for! Great vid
An hour video... thanks man!
Top tip if you are ever applying AppLocker policy in an AD domain NEVER and i mean NEVER edit a live policy always export the rules edit them locally and then re import. If something goes wrong ( and it can ) you can corrupt the policy and brick machines. I learned that the hard way, bricked about 20 machines . The best way to fix this is to switch to editing rules via configuration manager.
With admin rights you can unbrick the machines, in the last instance you can boot from windows cd, shift f10, regedit, mount the local registry hives and remove the applocker rules :)
Oh and to prevent this happening: allow wverything for admins, like the default templats suggests. I mean admins can do whatever they want anyway, effectively delete rules, thats why there is little sense in deleting the admincandoall rule :)
I appreciate the effort for this. Thank you Joe.
Great section on allow and deny rules also 👍
Wow, awesome work! This is very technical but also very thorough. One thing I found was my Application Identity service was not running for some reason. Even though I'm logged in as admin I could not set it to run automatically. But found a PS script that was able to set it. :) This whole process seems a little "quirky" though. The audit event log doesn't seem to work for me. But when I change it to Enforce, then the events start showing. Microsoft is also so "fun" to try to figure out. :D
Do you mind sharing that PS script? I'm having the same issue. I can get it to run on Windows 11 Pro, but not Windows 10 Pro. Very strange...
You are logged as root. You are a hackers perfect target man. Linux does it right only when you need root, install a program and punch password
you get 15 mins of root running. This is very dangerous having it 24/.
@@Whitemike63 In Windows, it works a bit differently. As far as I can tell, most users have admin-level control of the system by default (without editing group policy settings, of course), which isn't too dangerous because admin accounts, despite the implications in the name, don't actually have full system access, like the Linux root account. In fact, it's supposed to be extremely difficult to scale a user's system-wide authority to root-level in the first place.
Excellent!
Very informative. Great job! Much appreciated.
You're excellent, Joe! I would love to share with you my motivational presentation about my life with Cerebral Palsy, and how tech has enabled me to lead a normal life online.
Thanks for the super paranoid virus guide, will be installing in my pc
May god bless you thio. Have a great day
Thanks for the long and detailed video, will be testing this out... I'm curious how this is implemented on a domain (as far as scripts go, what has priority.. still local machine?) Keep up the great work!
Thanks so much! Glad I was patient :)
Can you do a comparison between Applocker and Windows Application Control? And how to set up WDAC?
I’m not as familiar with WDAC, but I have dabbled with it. It is harder to set up but has some advantages over AppLocker. The biggest problem is there is no GUI for WDAC.
@@ThioJoe isn't it set through a program where you can create a customized script that enforces what it runs?
@@patricklechner1 You can manage WDAC through either the ConfigCI suite of PowerShell cmdlets, or you can create WDAC policies with the WDAC Wizard (which is a project maintained by Microsoft.)
Edit: Despite that, managing WDAC through both of those options is still a pain, and there is not yet a full-automation solution for WDAC on the market.
WDAC can control apps that run in Kernel mode as well as User mode. (AppLocker just deals in User mode.) Also, if you create a signed WDAC policy and put it in the UEFI partition, then it becomes much harder for a hacker--even with admin privileges--to remove (unless they can get ahold of the signing certificate.)
WDAC does NOT control .BAT scripts. (There's other minor differences in the file types that they maintain.)
WDAC is applied to the whole device regardless of the user account, but AppLocker allows you to vary rule enforcement based on different user accounts.
The logs for WDAC events are located in the Event Viewer -> in Applications and Services logs > Microsoft > Windows > CodeIntegrity > Operational. HOWEVER, logs for WDAC enforcement events involving scripts and MSI files are still located in the "AppLocker" location described in this video.
@kennethhusayn9354 thank you so much
thank you for this been wanting to know how this is set up
One of my favorite youtubers
I heard if you say your favorite youtuber 3 times you will get a hearted comment
ThioJoe
ThioJoe
ThioJoe
👌
Ok, I watched every second and did that all. Now Im affraid to restart pc :D
"28 second" old, never been this early for a TJ video before, and a very interesting and informative video too! =D
Did you watch it
ago*
@@yashprogamer647I have now, it was very interesting and informative
Awsome Video😀
perfect video thanks a lot
i didn't even know what this tool do even after using windows for 15 years already 🤣
Thank you for your hard work. Much appreciated.
I wasn't so paranoid until my avast antivirus was not protecting me, and the UI was bugged so i couldnt access it but in the ui it said that it was protecting me, but in the tray icon it said i wasnt. aa restart showed that my firewall was disabled and i IMMEDIATELY activated it and did a full virus scan. Now here I am, doing this regardless of the inconvenience of it. A few menu navigation clicks as an inconvenience is nothing compared to trying to remove dangerous malware from your computer and possibly spend hundreds to get it repaired if your not good with tech, and possibly even thousands if it cannot be removed and you have to buy a new pc.
"Paranoia is not an inconvenience, it is your body's natural safeguard when it senses danger"
Im really proud lol, I have made a Powershell script which I added to the context menu which allows me to on right clicking the file, instantly whitelisting it.
Love this, suggestion/question for the import files you have (thanks btw), any reason you can't replace all of the WHATEVERUSERNAME placeholders with %USERNAME%
Thanks ThioJoe for this great content. For me the length of the video is very OK, considering the content. However, following this tutorial is a challenge. It's difficult to know how you arrived at certain point by the clicks of the mouse due to the speed and rate of zooming in and out. The movement of the mouse pointer on the screen is almost at the "speed of light". Maybe it's just me seeing it that way
Yea I realized afterwards I wasn’t really explaining everything I was doing so I tried to add on-screen explanations at some point. Some parts might be helped by putting the video on 0.5x speed
Also when checking event viewer events in these custom views that just happened disappear even though other older events in other logs are still there.
Super helpful. The only problem is my Event Viewer isn't showing the audit logs at all. It's as if nothing is run.
Super helpful video! Thank you very much.
One thing I noticed is that some malware use a Microsoft certificate that is used to encrypt. Is AppLocker smart enough to not fall for that?
Edit: There is a right-click option to "Automatically generate" also. How well does that work and what does it do?
lol in recommended videos i get "how to bypass applocker"
Who else remembers when ThioJoe used to just troll people with his videos?
I have noticed an error at Creating a Shortcut to AppLocker at 3:43. The path you listed is correct, but you forgot to list "Windows Settings" after computer configuration in the red text box path
I am not able to see app locker from the event viewer under custom view. You lost me at 6:35 in your video. Furthermore, I don't see the events under app locker in custom view. My events are found under administrative events.
Only tech creator as an indian i see from us❤❤❤ . Love you bro from India.
Great job, thanks!
YO ALMOST ONE HOUR OF CONTENT???? I CANT WAIT
ever time I try to save the updated directory path for my username i get an error policy could not be saved error unspecified error violates pattern constraint
I noticed there a tons of DLLs that are not signed show they will be blocked. I also noticed that regedit the file you are using as a sample is also not signed? Will this cause a problem?
I see that you can allow only signed executables. But can you block executables signed sha1 only? Sha1 was broken awhile ago and is practically useless.
Is an allow for executable installer or other installer for example make it so a uac prompt doesn't show up when it normally would if no applocker was configured
Doesn't Steam set the permissions on some folders in its install directory to be modifiable without elevation? I imagine it would be difficult to configure rules properly to allow games to run but disallow malware from copying executables into the same directories as the games...
That's what the file hash exceptions are for. That said, very few malwares are going to try the trick of copying themselves into a game's directory to attempt to use that as a staging ground, so the possibility of that happening is pretty remote. Most malware authors are not going to be writing it to tailor to your specific security policies/install setup, but hitting broader targets and going for typically unprotected areas like the Windows directory or Program Files directory etc. since most malware is just trying to find as many vulnerable victims as possible and ignore hardened systems. It's certainly possible malware could be written to do that though. Real dangerous malware, like the kind the NSA or other state sponsored hacking organizations create, and not just script kiddie stuff, are going to use previously unknown zero-day vulnerabilities to get around security policies (such as the Windows AppLocker) rendering all of this useless against them. If you're being targeted specifically by the NSA though you're kinda just screwed at that point.
I have a problem in windows whenever I try to open icon it automatically opens the first icon besides this I can't scroll down it automatically scrolls up please help me this problem I have executed so many commands but can't get of it
If someone got trouble running a program, just take a look into event viewer to see which sub-program for example is getting blocked
Informative
However, if the OS itself has no care for your data or privacy in the first place, whatever you'd do on top of it just makes your data more exclusive to Microsoft and the third parties they send your data to
I don't know if you are aware of this but when you set the signed permissions as you did at 13:45, instead of selecting "Use custom settings" you can actually just drag the arrow to the right of "File version" up to "Any publisher" and it will do the exact same thing without you having add a star to each text field manually. This is just a minor detail that saves you a little bit of time, but I just felt like mentioning it. Thanks for a great tutorial! 😀
Edit: Nvm, after looking further into the video I just saw that you mentioned that too. Ignore everything I just said, except for this being a great tutorial. 🫠
Yea I forgot that was a thing and realized later in the video 😂. I do mention it though when I realized
Can you help me my new MSI laptop is like powershell admin hacked , can't reset or hardly do anything on it . . . Pretty sure they are using this on me . . .
1 thing before you begin create a retore point in case you mess something up I did and had to re install windows
I am curious. I have been having issues applying specific rules by user group. It seems all of the rules applied to the built-in user group, "everyone" works, but when I apply rules by a User Group based off of the Domain hostnames, the rules are not applied after waiting the 90 minutes or applying gpupdate /force cmdlet. I am only receiving event ID 8003 for the manually created user groups. I would appreciate any help or expertise. Thanks.
Why create 2 MMC files when Event viewer and GPO AppLocker can be added in a single Console. From there just add some windows. I've got a console with a whole bunch of tools even some custom scripts that I can launch from the MMC.
Adding more application those can be use pro-actively: Simplewall or Portmaster
Excellent firewall application
Thank you for once again scratching my cybersecurity paranoia itch
Hi, I don't have new window option when I right click on applocker. Is there a reason why or did I do something wrong in the steps? thanks.
Is it feasible to devise a script that establishes an 'allow' rule for executing a specific application, alongside another script to subsequently revoke this 'allow' rule? This would enable me to proactively enable and disable applock rules for a particular application, both prior to and following its execution. Additionally, I'm interested in maintaining a default state of denying the execution of all applications and scripts.????
I'm just curious 🧐.
How to apply File hash rule to some applications through GPO to systems. Which is not installed on server
Hey thio, does this affect gaming performance in anyway?
It might cause a small hit to responsiveness because everything running must be checked against the rules. But I don’t see why it would have an effect on a program once it runs. That being said I haven’t noticed any slowdowns.
@@ThioJoe wow, Thanks for the Quick response! I will follow this tutorial, try out my system as usual run a few games and report back if i encountered any issues!
@@НААТthe biggest issue you'll probably run into is if you're trying to mod games, as a lot of mod authors don't bother to do things like get their executables signed etc so you'll probably be needing to make exceptions for most mods (though obviously it depends)
Great guide. I'm giving it a whirl, but I expect there'll be some teething issues when I fire up my software development tools, software on other hard drives, and Mod Organizer 2.
Btw, I think on my system, AppBlocker didn't start checking rules until I started the "Application Identity" service (e.g. appidsvc ) and restarted. Either that or I just wasn't hitting the refresh button on the event log. It is getting a bit late...
I'm having a problem, the Application ID Service won't let me set to automatic? How did you accomplish it? Thanks
@@bokami3445 Google "Configure the Application Identity service" and go to the link from microsoft. The page notes that "Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service Startup type to Automatic by using the Services snap-in. " They give you a command line to use in powershell. I'd give you the line, but you really shouldn't trust command lines from random youtubers! ;-)
Thank you so much!!!
if anyone even doest see that this GPO settings wil working the Service "Application Identity" must be running else the rule changes doest take any effect
it look like that it even take effect after using gpupdate /force
If i want only Google Chrome access the Chrome's cookie foler what rule should i make?
can they hack your "digital fingerprint" or URLs that can change your incoming and outgoing data? via router or dns.? and not have the device actually hacked? I'm going crazy with what they did to me and will not stop.