
[Bug]: Use Strict CFG causing an issue in explorer.exe #115

Closed
1 task done
dennyamarojr opened this issue Sep 15, 2023 · 10 comments
Assignees
Labels
Bug 🐛 Something isn't working

Comments

@dennyamarojr
Copy link
Contributor

Tools category

Harden Windows Security Script

Does your system meet the requirements?

  • Yes, my system meets the requirements 👍

Please explain the bug

Hi @HotCakeX ,

In the exploit protection settings I found an issue with explorer.exe and decided to share this information, just in case other users decide to use the exploit protection settings. Use strict CFG is causing a little bug in the UI of explorer.exe on Windows 11 23H2 22631.2338.
[screenshot]

In this installation I only have Windows tools and didn't install any third-party software. Because of this issue I decided to test in a VM (Hyper-V) using Windows 11 22H2 22621.2283, and there explorer.exe with the exploit protection settings is working fine.
[screenshot]

Not sure why this is happening, but anyone facing this issue like me has a workaround now. I didn't test on a fully clean installation of Windows; at the moment I only updated to build 22631.2338 using Windows Update.

@dennyamarojr dennyamarojr added the Bug 🐛 Something isn't working label Sep 15, 2023
@HotCakeX
Copy link
Owner

Hi,
Thanks for reporting it. When you remove strict CFG and restart explorer.exe, does it work fine?

In the screenshot I see NTLite there... is your OS image modified by any chance?

I take exploit protection settings very seriously to make sure they are fully tested. I'm on the same build on a physical machine and can't reproduce the issue.

[screenshot]

@dennyamarojr
Copy link
Contributor Author

dennyamarojr commented Sep 15, 2023

The OS on my computer is not modified; it is just a build from uupdump, updated using Windows Update. The build in the VM (Hyper-V) is modified a little, but without removing important components like Defender and other stuff, just bloatware (apps).

My OS is 22631.2338, not modified or edited with NTLite or any other software.
22621.2283 has bloatware removed with a few tweaks like hiding the search button, hiding the task view button, etc.

@dennyamarojr
Copy link
Contributor Author

And when I restart explorer.exe and remove Use strict CFG, it works fine. I will record a video and attach it to the issue.

@dennyamarojr
Copy link
Contributor Author

https://drive.google.com/file/d/1RUU428EVT-cbJyqmr7Gfj64lwDTm-yWf/view?usp=sharing

@HotCakeX
Copy link
Owner

Thank you, I can remove Strict CFG for explorer.exe from the process mitigations to fix this issue.
I'd still really like to find out why I can't reproduce the issue in my tests.

Can you please check this log to see if there is anything for explorer.exe?

[screenshot]

You'll need to press the "Next page" button till you reach the last page and scroll down all the way to see the newest logs.

[screenshot]

You might be able to generate logs when you launch explorer.exe and visit the blank home page.

@dennyamarojr
Copy link
Contributor Author

Will check it and attach here

@HotCakeX
Copy link
Owner

https://drive.google.com/file/d/1RUU428EVT-cbJyqmr7Gfj64lwDTm-yWf/view?usp=sharing

Yup, it's clearly having an issue with Strict CFG, ty.

@HotCakeX
Copy link
Owner

I just created a quick PowerShell script that you can run and it will show you exploit protection event logs in real time.

```powershell
$LastEventTime = Get-Date

# Comment this region out if not using XML to specify the event source and capture logic
#region XML-Loading

# For when the QueryList doesn't need to be extracted
#$FilterXml = Get-Content -Path ".\Exploit Protection Events.xml" -Raw

# Load the XML content of the custom view (the Miscellaneous category imports it to this path)
$xml = [xml](Get-Content -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script\Exploit Protection Events.xml' -Raw)

# Get the QueryList element using XPath
$queryList = $xml.SelectSingleNode('//QueryList')

# Convert the QueryList element to a string that Get-WinEvent -FilterXml accepts
$queryListString = $queryList.OuterXml

#endregion XML-Loading

while ($true) {
    # Oldest first, so that $LastEventTime advances through every new event instead of
    # jumping to the newest one and skipping the rest of the batch.
    # SilentlyContinue: Get-WinEvent raises an error when no event matches the filter.
    $Events = Get-WinEvent -FilterXml $queryListString -Oldest -ErrorAction SilentlyContinue |
        Sort-Object -Property TimeCreated

    <#
    For when you don't use XML to specify the event source

    $Events = Get-WinEvent -FilterHashtable @{
        'LogName' = 'Microsoft-Windows-CodeIntegrity/Operational'
        'ID'      = 3077
    } -ErrorAction SilentlyContinue | Sort-Object -Property TimeCreated
    #>

    if ($Events) {
        foreach ($Event in $Events) {
            if ($Event.TimeCreated -gt $LastEventTime) {

                Write-Host "`n##################################################" -ForegroundColor Yellow

                $Time = $Event.TimeCreated
                Write-Host "Found new event at time $Time"
                $LastEventTime = $Time

                Write-Host "Message: $($Event.Message)`n" -ForegroundColor Cyan

                # Convert the event to XML so the EventData fields can be read by name
                $Xml = [xml]$Event.ToXml()

                # Loop over the data elements in the XML
                $Xml.Event.EventData.Data | ForEach-Object -Begin {
                    # Create an empty hash table
                    $DataHash = @{}
                } -Process {
                    # Add a new entry to the hash table with the name and text value of the current data element
                    $DataHash[$_.Name] = $_.'#text'
                } -End {
                    # Convert the hash table to a custom object and output it
                    [pscustomobject]$DataHash
                }
                Write-Host '##################################################' -ForegroundColor Yellow
            }
        }
    }
    Start-Sleep -Milliseconds 500
}
```

@dennyamarojr
Copy link
Contributor Author

I tried to run the script, but nothing is happening. I downloaded the custom view and moved it to the folder used in the Get-Content path, but it is not showing anything. Is that normal? I also checked Event Viewer.
[screenshot]
[screenshot]

I just imported the Microsoft Defender category on the machine with build 22631.2338, but if another step is needed please tell me and I will do it here.

@HotCakeX
Copy link
Owner

HotCakeX commented Sep 16, 2023

That script assumes you ran the Miscellaneous category because that category automatically imports the custom views.
Those logs look normal.

I removed Strict CFG from process mitigations of explorer.exe
Next time you run the Microsoft Defender category, it will automatically be removed.

related PR: #116

Thanks again for reporting this, closing it as resolved. 🙂
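As an added example that is not code from this issue or from the Harden Windows Security project: the PowerShell below uses the built-in ProcessMitigations module to check whether explorer.exe currently has Strict CFG applied (Strict CFG makes the loader refuse images that were not compiled with Control Flow Guard, which is why non-CFG shell components can break the UI), reverts only that one setting, and then lists entries from the Security-Mitigations event logs that mention explorer.exe, the same kind of evidence asked for earlier in the thread. It assumes the module is present (it ships with Windows 10/11), that `Get-ProcessMitigation` exposes the flag as `.CFG.StrictCFG` with the values ON, OFF or NOTSET, and an elevated session; the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the issue or the Harden Windows Security project.
# ASSUMPTIONS: the ProcessMitigations module is available and
# Get-ProcessMitigation exposes the flag as .CFG.StrictCFG (ON / OFF / NOTSET).

function Get-StrictCfgState {
    param([string]$ProcessName = 'explorer.exe')

    # Per-process exploit protection settings live under
    # HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<exe>
    $mitigation = Get-ProcessMitigation -Name $ProcessName -ErrorAction Stop
    [string]$mitigation.CFG.StrictCFG   # ASSUMED property path
}

function Remove-StrictCfg {
    param([string]$ProcessName = 'explorer.exe')

    if ((Get-StrictCfgState -ProcessName $ProcessName) -eq 'ON') {
        # Only StrictCFG is touched; regular CFG and all other mitigations stay as they are.
        Set-ProcessMitigation -Name $ProcessName -Disable StrictCFG
        Write-Host "Strict CFG disabled for $ProcessName; restart the process for it to take effect."
    }
    else {
        Write-Host "Strict CFG is not enabled for $ProcessName; nothing to change."
    }
}

function Get-MitigationEvents {
    param(
        [string]$ProcessName = 'explorer.exe',
        [int]$MaxEvents = 50
    )

    # Exploit protection writes to these two operational logs.
    $logs = 'Microsoft-Windows-Security-Mitigations/UserMode',
            'Microsoft-Windows-Security-Mitigations/KernelMode'

    foreach ($log in $logs) {
        # SilentlyContinue: Get-WinEvent raises an error when a log has no matching events.
        Get-WinEvent -LogName $log -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match [regex]::Escape($ProcessName) } |
            Select-Object TimeCreated, Id, LogName, Message
    }
}

# Usage: show the current state, revert Strict CFG for explorer.exe if it is set,
# then list related mitigation events to correlate with the UI problem.
"Strict CFG for explorer.exe: $(Get-StrictCfgState)"
Remove-StrictCfg
Get-MitigationEvents | Format-Table -AutoSize -Wrap
```

Note that `-Disable StrictCFG` writes an explicit OFF for explorer.exe rather than leaving the value unset; if you want explorer.exe back on the system defaults entirely, `Set-ProcessMitigation -Name explorer.exe -Remove` clears every per-process override for that executable, not just this one.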
