
Me, myself & IT

Chinese Whispers – Functions Microsoft® Sweeps Under The Rug

Purpose

Whisper № 1

With Windows 7 Microsoft introduced SRPv2 alias AppLocker, including 5 PowerShell cmdlets to handle its policies: Get-AppLockerFileInformation, Get-AppLockerPolicy, New-AppLockerPolicy, Set-AppLockerPolicy and Test-AppLockerPolicy.
PowerShell.exe /Command "Import-Module AppLocker; Get-AppLockerFileInformation -Directory '%WINDIR%'"
PowerShell.exe /Command "Import-Module AppLocker; Get-AppLockerFileInformation -Path '%COMSPEC%'"
PowerShell.exe /Command "Import-Module AppLocker; Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path '%COMSPEC%'"
Path                       Publisher                  Hash                     
----                       ---------                  ----
%WINDIR%\BFSVC.EXE         O=MICROSOFT CORPORATION... SHA256 0x6BF48AC00680D...
%WINDIR%\EXPLORER.EXE      O=MICROSOFT CORPORATION... SHA256 0xA186E53413C0A...
%WINDIR%\FVEUPDATE.EXE     O=MICROSOFT CORPORATION... SHA256 0x89CF83AB9D92E...
%WINDIR%\HELPPANE.EXE      O=MICROSOFT CORPORATION... SHA256 0x9C1C90258267F...
%WINDIR%\HH.EXE            O=MICROSOFT CORPORATION... SHA256 0x5B6F92A818791...
%WINDIR%\NOTEPAD.EXE       O=MICROSOFT CORPORATION... SHA256 0x4FD49DEF42CCF...
%WINDIR%\REGEDIT.EXE       O=MICROSOFT CORPORATION... SHA256 0x053A6D9C29A8A...
%WINDIR%\SPLWOW64.EXE      O=MICROSOFT CORPORATION... SHA256 0xEC19AE82CFF53...
%WINDIR%\TWUNK_16.EXE      O=MICROSOFT CORPORATION... SHA256 0x103035A32E789...
%WINDIR%\TWUNK_32.EXE      O=MICROSOFT CORPORATION... SHA256 0x5E0831E4568A6...
%WINDIR%\WINHLP32.EXE      O=MICROSOFT CORPORATION... SHA256 0x0C2FD81A6ADBF...
%WINDIR%\WRITE.EXE         O=MICROSOFT CORPORATION... SHA256 0xD1635E8EEE297...
%WINDIR%\TWAIN.DLL         O=MICROSOFT CORPORATION... SHA256 0x3D922F8B60840...
%WINDIR%\TWAIN_32.DLL      O=MICROSOFT CORPORATION... SHA256 0x7E2FADCA8D0C5...

Path                       Publisher                  Hash
----                       ---------                  ----                     
%SYSTEM32%\CMD.EXE         O=MICROSOFT CORPORATION... SHA256 0x7B78775AEC2C6...

FilePath                               PolicyDecision MatchingRule             
--------                               -------------- ------------             
C:\Windows\system32\cmd...           AllowedByDefault                          
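As an added example (not from the original page), the following PowerShell script uses the cmdlets listed above to report which rule collections the effective policy actually enforces and what verdict files in user-writable directories get. The directories and file extensions are assumptions for the example. It also shows what the verdict AllowedByDefault, returned for CMD.EXE above, means: the rule collection for that file type has no rules, so AppLocker restricts nothing of that type.

```powershell
# Added example, not part of the original page: audit the effective AppLocker
# policy with the documented cmdlets. Directories and extensions below are
# assumptions for the example; adjust them to the system under test.
Import-Module AppLocker

$policy = Get-AppLockerPolicy -Effective          # local policy merged with all GPOs
[xml]$policyXml = Get-AppLockerPolicy -Effective -Xml

# 1. Which rule collections exist, and are they enforced? A collection that is absent
#    or has no rules restricts nothing: every file of that type is AllowedByDefault,
#    which is the verdict shown for CMD.EXE above.
$collections = @($policyXml.AppLockerPolicy.RuleCollection)
foreach ($type in 'Exe', 'Dll', 'Msi', 'Script') {
    $rc = $collections | Where-Object { $_ -and $_.Type -eq $type }
    if ($rc) {
        $rules = @($rc.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
        '{0,-7} EnforcementMode={1,-14} rules={2}' -f $type, $rc.EnforcementMode, $rules.Count
    } else {
        '{0,-7} (no rule collection)' -f $type
    }
}

# 2. Verdicts for files a standard user can write, i.e. what an attacker could drop and run.
$userWritable = @($env:TEMP, $env:LOCALAPPDATA, (Join-Path $env:USERPROFILE 'Downloads'))
$candidates = Get-ChildItem -Path $userWritable -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll|msi|ps1|vbs|js|cmd|bat)$' } |
    ForEach-Object { $_.FullName }

if ($candidates) {
    # Allowed/Denied: an explicit rule matched (MatchingRule names it).
    # AllowedByDefault: the collection has no rules.  DeniedByDefault: rules exist, none matched.
    $verdicts = Test-AppLockerPolicy -PolicyObject $policy -Path $candidates -User $env:USERNAME
    $verdicts | Group-Object PolicyDecision | Sort-Object Name |
        ForEach-Object { '{0,-17} {1,5}' -f $_.Name, $_.Count }
    # The first few files nothing restricts: these run although AppLocker is "on"
    $verdicts | Where-Object { $_.PolicyDecision -eq 'AllowedByDefault' } |
        Select-Object -First 10 | ForEach-Object { '  ' + $_.FilePath }
}

# 3. The attributes the cmdlets derive for one file, i.e. what a publisher or hash rule is built from
Get-AppLockerFileInformation -Path $env:COMSPEC | Format-List Path, Publisher, Hash
```

Run it as the unprivileged user whose verdicts you care about; Test-AppLockerPolicy evaluates the policy object it is given, so the same script can be pointed at a proposed policy (Get-AppLockerPolicy -Xml from a file, or New-AppLockerPolicy) before it is deployed.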
Their implementation uses methods of the (undocumented) COM interface IAppIdPolicyHandler of the scriptable COM class AppIdPolicyHandler provided by %SystemRoot%\System32\AppIdPolicyEngineApi.dll via IID {B6FEA19E-32DD-4367-B5B7-2F5DA140E87D}, CLSID {F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3} and ProgID AppIdPolicyEngineApi.AppIdPolicyHandler:
REG.EXE QUERY HKCR\Interface\{B6FEA19E-32DD-4367-B5B7-2F5DA140E87D}
REG.EXE QUERY HKCR\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3} /S
REG.EXE QUERY HKCR\AppIdPolicyEngineApi.AppIdPolicyHandler /S
REG.EXE QUERY HKCR\AppIdPolicyEngineApi.AppIdPolicyHandler.1 /S
HKEY_CLASSES_ROOT\Interface\{B6FEA19E-32DD-4367-B5B7-2F5DA140E87D}
    (Default)    REG_SZ    IAppIdPolicyHandler

HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}
    (Default)    REG_SZ    AppIdPolicyHandler Class

HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}\InprocServer32
    (Default)    REG_SZ    C:\Windows\System32\AppIdPolicyEngineApi.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}\ProgID
    (Default)    REG_SZ    AppIdPolicyEngineApi.AppIdPolicyHandler.1

HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}\Programmable

HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}\TypeLib
    (Default)    REG_SZ    {85C3F8F7-CFCE-4259-87FF-CAB1F4521F6E}

HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}\Version
    (Default)    REG_SZ    1.0

HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}\VersionIndependentProgID
    (Default)    REG_SZ    AppIdPolicyEngineApi.AppIdPolicyHandler

ERROR: The specified registry key or value was not found.

ERROR: The specified registry key or value was not found.
OOPS: the CLSID key references both the version-independent and the versioned ProgID, but neither is registered!

Demonstration

Perform the following 5 simple steps to show how to use the COM class AppIdPolicyHandler with Windows Script Host:
  1. Execute the OLE/COM Object Viewer application OLEView.exe shipped with the Windows SDK to dump the type library embedded in AppIdPolicyEngineApi.dll as interface description (IDL):

    OLEVIEW.EXE "%SystemRoot%\System32\AppIdPolicyEngineApi.dll"
    // Generated .IDL file (by the OLE/COM Object Viewer)
    // 
    // typelib filename: AppIdPolicyEngineApi.dll
    
    [
      uuid(85C3F8F7-CFCE-4259-87FF-CAB1F4521F6E),
      version(1.0),
      helpstring("AppIdPolicyEngineApi 1.0 Type Library")
    ]
    library AppIdPolicyEngineApiLib
    {
        // TLib :     // TLib : OLE Automation : {00020430-0000-0000-C000-000000000046}
        importlib("stdole2.tlb");
    
        // Forward declare all types defined in this typelib
        interface IAppIdPolicyHandler;
        interface IAppIdMmcPolicyHandler;
        interface IAppIdPolicyHelper;
    
        [
          uuid(F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3),
          helpstring("AppIdPolicyHandler Class")
        ]
        coclass AppIdPolicyHandler {
            [default] interface IAppIdPolicyHandler;
        };
    
        [
          odl,
          uuid(B6FEA19E-32DD-4367-B5B7-2F5DA140E87D),
          helpstring("IAppIdPolicyHandler Interface"),
          dual,
          nonextensible,
          oleautomation
        ]
        interface IAppIdPolicyHandler : IDispatch {
            [id(0x00000001), helpstring("method SetPolicy")]
            HRESULT SetPolicy(
                            [in] BSTR bstrLdapPath, 
                            [in] BSTR bstrXmlPolicy);
            [id(0x00000002), helpstring("method GetPolicy")]
            HRESULT GetPolicy(
                            [in] BSTR bstrLdapPath, 
                            [out, retval] BSTR* pbstrXmlPolicy);
            [id(0x00000003), helpstring("method GetEffectivePolicy")]
            HRESULT GetEffectivePolicy([out, retval] BSTR* pbstrXmlPolicy);
            [id(0x00000004), helpstring("method IsFileAllowed")]
            HRESULT IsFileAllowed(
                            [in] BSTR bstrXmlPolicy, 
                            [in] BSTR bstrFilePath, 
                            [in] BSTR bstrUserSid, 
                            [out] GUID* pguidResponsibleRuleId, 
                            [out, retval] long* pbStatus);
        };
    
        [
          uuid(5971EC44-072A-41B7-8E67-D9E045CC196D),
          helpstring("AppIdMmcPolicyHandler Class")
        ]
        coclass AppIdMmcPolicyHandler {
            [default] interface IAppIdMmcPolicyHandler;
        };
    
        [
          odl,
          uuid(B780009A-2622-46E4-A23C-33E8D0990B27),
          helpstring("IAppIdMmcPolicyHandler Interface"),
          dual,
          nonextensible,
          oleautomation
        ]
        interface IAppIdMmcPolicyHandler : IDispatch {
            [id(0x00000001), helpstring("method Register")]
            HRESULT Register(
                            [in] IUnknown* pGPEInformation, 
                            [out, retval] GUID* pguidClientId);
            [id(0x00000002), helpstring("method Unregister")]
            HRESULT Unregister([in] GUID guidClientId);
            [id(0x00000003), helpstring("method SetPolicy")]
            HRESULT SetPolicy(
                            [in] GUID guidClientId, 
                            [in] BSTR bstrXmlPolicy);
            [id(0x00000004), helpstring("method GetPolicy")]
            HRESULT GetPolicy(
                            [in] GUID guidClientId, 
                            [out, retval] BSTR* pbstrXmlPolicy);
        };
    
        [
          uuid(0AEA3667-1039-43FF-8D21-B1A162090671),
          helpstring("AppIdPolicyHelper Class")
        ]
        coclass AppIdPolicyHelper {
            [default] interface IAppIdPolicyHelper;
        };
    
        [
          odl,
          uuid(D500522D-465B-4C83-8008-00C4EC90A859),
          helpstring("IAppIdPolicyHelper Interface"),
          dual,
          nonextensible,
          oleautomation
        ]
        interface IAppIdPolicyHelper : IDispatch {
            [id(0x00000001), helpstring("method GetFileType")]
            HRESULT GetFileType(
                            [in] BSTR bstrFilePath, 
                            [out, retval] FILE_TYPE* peFileType);
            [id(0x00000002), helpstring("method GetFileRuleCollection")]
            HRESULT GetFileRuleCollection(
                            [in] FILE_TYPE eFileType, 
                            [out, retval] BSTR* pbstrRuleCollection);
            [id(0x00000003), helpstring("method GetFileExtensions")]
            HRESULT GetFileExtensions(
                            [in] FILE_TYPE eFileType, 
                            [out, retval] BSTR* pbstrFileExtesnions);
            [id(0x00000004), helpstring("method CalculateFileHash")]
            HRESULT CalculateFileHash(
                            [in] BSTR bstrFilePath, 
                            [out, retval] SAFEARRAY(unsigned char)* ppsabHashData);
            [id(0x00000005), helpstring("method CalculateFilePublisher")]
            HRESULT CalculateFilePublisher(
                            [in] BSTR bstrFilePath, 
                            [out] BSTR* pbstrPublisherName, 
                            [out] BSTR* pbstrProductName, 
                            [out] BSTR* pbstrBinaryName, 
                            [out] uint64* pulBinaryVersion);
            [id(0x00000006), helpstring("method NormalizeFilePath")]
            HRESULT NormalizeFilePath(
                            [in] BSTR bstrFilePath, 
                            [out, retval] BSTR* pbstrNormalizedFilePath);
            [id(0x00000007), helpstring("method EncodeFilePublisherInformation")]
            HRESULT EncodeFilePublisherInformation(
                            [in] BSTR bstrInformation, 
                            [in] long bIngoreWildCharacters, 
                            [out, retval] BSTR* pbstrEncodedInformation);
            [id(0x00000008), helpstring("method DecodeFilePublisherInformation")]
            HRESULT DecodeFilePublisherInformation(
                            [in] BSTR bstrInformation, 
                            [out, retval] BSTR* pbstrDecodedInformation);
            [id(0x00000009), helpstring("method CompileRule")]
            HRESULT CompileRule(
                            [in] BSTR bstrXmlRule, 
                            [out, retval] BSTR* pbstrCompiledRule);
        };
    
        typedef [helpstring("FileType")public]
        __MIDL___MIDL_itf_appidpolicyengineapi_0000_0000_0001 FILE_TYPE;
    
        typedef [helpstring("FileType")]
        enum {
            FILE_TYPE_NOT_SUPPORTED = 0,
            FILE_TYPE_EXE = 1,
            FILE_TYPE_DLL = 2,
            FILE_TYPE_WINDOWS_INSTALLER = 3,
            FILE_TYPE_SCRIPT = 4
        } __MIDL___MIDL_itf_appidpolicyengineapi_0000_0000_0001;
    };
  2. Create the text file whisper.wsf with the following content in an arbitrary, preferably empty directory:

    <?xml version='1.0' encoding='US-ASCII' standalone='yes' ?>
    <job>
        <!-- the <object> element creates the class by CLSID, so the unregistered ProgIDs don't matter here -->
        <object id='AppIdPolicyHandler' classid='clsid:F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3' />
        <script language='VBScript'>
        <![CDATA[
            Option Explicit
            Const strLDAPPath = ""             ' empty: local policy; otherwise the LDAP path of a GPO, see whisper.vbs below
            Const strXMLPolicy = "whisper.xml"
            With AppIdPolicyHandler
                WScript.Echo .GetEffectivePolicy      ' local policy merged with all GPOs, as XML
                WScript.Echo .GetPolicy(strLDAPPath)  ' the selected policy alone, as XML
            '   .SetPolicy strLDAPPath, strXMLPolicy  ' NOTE: bstrXmlPolicy is the XML text itself, not a file name
            End With
            WScript.Quit 0
        ]]>
        </script>
    </job>
  3. Execute the script file whisper.wsf created in step 2; since its <object> element creates the class by CLSID, the missing ProgIDs don't matter here:

    CSCRIPT.EXE whisper.wsf
    Microsoft (R) Windows Script Host, Version 5.8
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
    
    <AppLockerPolicy Version="1">
    
    <AppLockerPolicy Version="1">
  4. Create the text file whisper.vbs with the following content in the same directory; unlike the WSF above it creates the class by its ProgID, which step 5 therefore has to register first:

    Rem Copyright © 2009-2025, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>
    
    Option Explicit
    
    Const strLDAPPath = "" ' empty: local policy; for a GPO use its LDAP path, for example LDAP://controller.example.org/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Example,DC=Org
    Const strXMLPolicy = "whisper.xml"
    
    ' CreateObject() resolves the ProgID via HKCR, so this fails until step 5 registers it
    With WScript.CreateObject("AppIdPolicyEngineApi.AppIdPolicyHandler")
        WScript.Echo .GetEffectivePolicy      ' local policy merged with all GPOs, as XML
        WScript.Echo .GetPolicy(strLDAPPath)  ' the selected policy alone, as XML
    '   .SetPolicy strLDAPPath, strXMLPolicy  ' NOTE: bstrXmlPolicy is the XML text itself, not a file name
    End With
  5. Register the missing ProgIDs AppIdPolicyEngineApi.AppIdPolicyHandler and AppIdPolicyEngineApi.AppIdPolicyHandler.1, then execute the VBScript whisper.vbs created in step 4:

    REG.EXE ADD HKCR\AppIdPolicyEngineApi.AppIdPolicyHandler\CurVer /VE /T REG_SZ /D AppIdPolicyEngineApi.AppIdPolicyHandler.1
    REG.EXE ADD HKCR\AppIdPolicyEngineApi.AppIdPolicyHandler.1\CLSID /VE /T REG_SZ /D {F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}
    CSCRIPT.EXE whisper.vbs
    Note: REG.EXE ADD under HKCR writes to HKLM\Software\Classes and therefore needs an elevated Command Processor; the command lines can be copied and pasted as a block into its window.
    The operation completed successfully.
    
    The operation completed successfully.
    
    Microsoft (R) Windows Script Host, Version 5.8
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
    
    <AppLockerPolicy Version="1">
    
    <AppLockerPolicy Version="1">
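The same thing from PowerShell, as an added example that is not part of the original page: instead of registering the missing ProgIDs machine-wide, the script creates the class from its CLSID (which is registered, see the REG.EXE output above), reads the effective and the local policy through IAppIdPolicyHandler, and cross-checks the result against Get-AppLockerPolicy. The registry paths and the optional per-user registration at the end are assumptions for the example.

```powershell
# Added example, not part of the original page: use IAppIdPolicyHandler from
# PowerShell without administrator rights, by creating the class from its CLSID
# (registered) instead of its ProgID (not registered).
$clsid  = [Guid]'F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3'     # HKCR\CLSID\{...}, see above
$progId = 'AppIdPolicyEngineApi.AppIdPolicyHandler'          # referenced by that key, but absent

# 1. Reproduce the failure: the ProgID is referenced but not registered
$registered = Test-Path "Registry::HKEY_CLASSES_ROOT\$progId"
"ProgID $progId registered: $registered"
try   { $null = New-Object -ComObject $progId; 'New-Object -ComObject by ProgID: OK' }
catch { 'New-Object -ComObject by ProgID failed: ' + $_.Exception.Message }

# 2. Work around it: COM only needs HKCR\CLSID\{...}\InprocServer32 to load the server
$handler = [Activator]::CreateInstance([Type]::GetTypeFromCLSID($clsid))

# 3. GetEffectivePolicy: local policy merged with all GPOs; GetPolicy(""): the local policy
#    alone (pass a GPO's LDAP path instead to read that GPO). Both return the policy as XML.
[xml]$effectivePolicy = $handler.GetEffectivePolicy()
[xml]$localPolicy     = $handler.GetPolicy('')
foreach ($pair in @(@('effective', $effectivePolicy), @('local', $localPolicy))) {
    $name, $doc = $pair
    $types = @($doc.AppLockerPolicy.RuleCollection) | Where-Object { $_ } | ForEach-Object { $_.Type }
    '{0,-9} policy: Version {1}, rule collections: {2}' -f $name, $doc.AppLockerPolicy.Version,
        $(if ($types) { $types -join ', ' } else { '(none)' })
}

# 4. Cross-check with the documented cmdlet, which the page above says is built on this interface
Import-Module AppLocker
[xml]$viaCmdlet = Get-AppLockerPolicy -Effective -Xml
'Get-AppLockerPolicy -Effective -Xml equals GetEffectivePolicy(): ' + ($viaCmdlet.OuterXml -eq $effectivePolicy.OuterXml)

# 5. Optional: supply the missing ProgIDs per user. HKCU\Software\Classes is merged into HKCR,
#    so no administrator rights are needed; elevated processes ignore per-user COM registrations.
if (-not $registered) {
    $classes = 'HKCU:\Software\Classes'
    $null = New-Item -Path "$classes\$progId\CurVer" -Force
    Set-ItemProperty -Path "$classes\$progId\CurVer" -Name '(default)' -Value "$progId.1"
    $null = New-Item -Path "$classes\$progId.1\CLSID" -Force
    Set-ItemProperty -Path "$classes\$progId.1\CLSID" -Name '(default)' -Value "{$clsid}"
    $viaProgId = New-Object -ComObject $progId
    'New-Object -ComObject by ProgID after per-user registration: Version ' +
        ([xml]$viaProgId.GetEffectivePolicy()).AppLockerPolicy.Version
}
```

Creating the object by CLSID is the same thing the WSF's <object classid='clsid:…'> element does in step 2; the per-user keys in step 5 of the script are the HKCU counterpart of the two REG.EXE ADD commands above and go away with the user profile instead of the machine.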

Contact and Feedback

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tips, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Copyright © 1995–2025 • Stefan Kanthak • <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>