Russian accont\group names

[Dees7]

Hello.
I use Windows10 (ltsb) and if I generate reports I see "??" instead of groups

<dir name="C:\Windows\Tasks">
<Grantee>NT AUTHORITY\????????? ????????</Grantee>
</dir>
<dir name="C:\Windows\Temp">
<Grantee>BUILTIN\????????????</Grantee>
</dir>

[rmoreas]

Hi,
Did you run the Set-OutputEncodingToUnicode.ps1 script in the Support folder before scanning the directories?

See also notes on pages 16 and 17 in the documentation.

[AaronMargosis]

Sorry for getting to this so late - I wasn't getting notifications - hopefully I've got that straightened out. Dees7 does rmoreas' suggestion fix your issue?

[Dees7]

Hello.
No. Set-OutputEncodingToUnicode.ps1 did not help. I see "???" in xml.

[AaronMargosis]

What does the output of this command look like by itself:

AccessChk.exe /accepteula -nobanner -w -d -s c:\windows\tasks

[Dees7]

 C:\Users\user\Documents\AaronLocker\AaronLocker>AccessChk.exe /accepteula -nobanner -w -d -s c:\windows\tasks
 c:\windows\Tasks
   RW NT AUTHORITY\????????? ????????
   RW BUILTIN\??????????????
   RW NT AUTHORITY\???????

[AaronMargosis]

OK. Confirmed that it's a bug in AccessChk.exe that doesn't handle Unicode properly. Bug filed and hopefully resolved soon. Thanks for the alert.

[AaronMargosis]

Does the "AaronLocker" rule generation still work correctly in spite of this bug? The design intent is to rely on SIDs and not have to depend on successful SID-to-name conversion. The bug here makes it harder for a human to review the results of the scans of the Windows and Program Files subdirectories, but it shouldn't otherwise block generation of correct rules. Is that what you're seeing?

[Dees7]

Hello.
Yes AaronLocker rule generation works and applies correctly.

[AaronMargosis]

OK. Sysinternals team has fixing the Unicode issue in their backlog now.