From d27aeb5ef1783ef8043798e80fe47d08f0ae0309 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 1 Apr 2024 16:21:55 -0700 Subject: [PATCH] Add a little space to help readability, add punctuation --- .../deployment/deploy-catalog-files-to-support-wdac.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-catalog-files-to-support-wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-catalog-files-to-support-wdac.md index afa066fa59..2265945d4e 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-catalog-files-to-support-wdac.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-catalog-files-to-support-wdac.md @@ -336,13 +336,16 @@ Some of the known issues using Package Inspector to build a catalog file are: - Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this USN was the most recent one when you ran PackageInspector start). Then use fsutil.exe to read that starting location. Replace "RegKeyValue" in the following command with the value from the reg key:
`fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt` - The above command should return an error if the older USNs don't exist anymore due to overflow - - You can expand the USN Journal size using: `fsutil usn createjournal` with a new size and allocation delta. `Fsutil usn queryjournal` shows the current size and allocation delta, so using a multiple of that may help + - You can expand the USN Journal size using: `fsutil usn createjournal` with a new size and allocation delta. `Fsutil usn queryjournal` shows the current size and allocation delta, so using a multiple of that may help. + - **CodeIntegrity - Operational event log is too small to track all files created by the installer** - To diagnose whether Eventlog size is the issue, after running through Package Inspector: - Open Event Viewer and expand the **Application and Services//Microsoft//Windows//CodeIntegrity//Operational**. Check for a 3076 audit block event for the initial installer launch. - - To increase the Event log size, in Event Viewer right-click the operational log, select Properties, and then set new values + - To increase the Event log size, in Event Viewer right-click the operational log, select Properties, and then set new values. + - **Installer or app files that change hash each time the app is installed or run** - Some apps generate files at run time whose hash value is different every time. You can diagnose this issue by reviewing the hash values in the 3076 audit block events (or 3077 enforcement events) that are generated. If each time you attempt to run the file you observe a new block event with a different hash, the package doesn't work with Package Inspector. + - **Files with an invalid signature blob or otherwise "unhashable" files** - This issue arises when a signed file was modified in a way that invalidates the file's PE header. A file modified in this way is unable to be hashed according to the Authenticode spec. 
- Although these "unhashable" files can't be included in the catalog file created by PackageInspector, you should be able to allow them by adding a hash ALLOW rule to your policy that uses the file's flat file hash.
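Review bot: the punctuation pass is applied unevenly within this hunk. The sub-bullet "The above command should return an error if the older USNs don't exist anymore due to overflow" is left without a terminal period, while its sibling sub-bullets ("...so using a multiple of that may help." and "...and then set new values.") each gain one in this change; suggest adding the period there too so the list reads consistently. Two small items on the context lines the hunk already touches: `Fsutil usn queryjournal` is capitalized inside backticks while the same tool is written `fsutil usn createjournal` and `fsutil usn readjournal` on the neighbouring lines, and the registry path `HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c:` is written with forward slashes where Windows registry paths use backslashes. Both are cheap to fix in the same readability commit and avoid a reader copying a path or command that does not match the earlier usage on the page.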