1

We have an application which uses an internal update mechanism by downloading our latest setup.exe to %TEMP% and executing it afterwards. We use this ShellExecuteW function:

 

ShellExecuteW(NULL, "open", filePath, parameters, NULL, SW_SHOWNORMAL);

 

When using this command on a machine without AppLocker configured, and without administrator rights, the setup.exe will be executed as intended.

 

With the following settings in AppLocker and trying to do the same when running without administrator rights, the AppLocker blocks the setup.exe, which is fine. The problem is that nothing happens - it doesn't display a dialog, and there is no information whatsoever for the user, even though the Event Viewer shows that the app was prevented from running.

AppLocker executable Rules

Event Viewer AppLocker

How can I achieve that at least the error message comes up? Is it even possible to directly start the setup.exe as administrator, so that the UAC prompt comes up instead?

Alex Sergeenko
  • 642
  • 5
  • 22
n0sk
  • 21
  • 6

1 Answers1

1

I came to the conclusion that ShellExecute() does not really behave reliably when AppLocker is being used on the system. In one case it would return value 42, which would indicate a successful execution of the setup.exe and the log said it was not prevented from running, but still the setup.exe would not open. In another case it would be prevented but return value 42.

So I switched to CreateProcess() instead, because it always reliably returns false, if somehow the executing of the setup.exe doesn't work and always true if it works. Here is my code:

STARTUPINFO info={sizeof(info)};
PROCESS_INFORMATION processInfo;

if (CreateProcessW(NULL, "filepath + /paremeters", NULL, NULL, true, CREATE_NEW_CONSOLE, NULL, NULL, &info, &processInfo)) {
    //Do something
    CloseHandle(processInfo.hProcess);
    CloseHandle(processInfo.hThread);
} else {
    //Do something
}
n0sk
  • 21
  • 6