Me, myself & IT

Chinese Whispers – Lost in Translaition, Implementation, Documentation, Communication, …

Purpose
Trivia
Whisper № 0: Demonstration
Whisper № 1: Background Information; Demonstration
Whisper № 2: Background Information; Demonstration

Purpose

�

Trivia

In some parts of the English speaking world, the children’s game Chinese Whispers is known as Telephone – in German speaking countries it is called Stille Post. Any resemblance to Windows’ development process is purely coincidental.

Whisper № 0

MIME alias media types for file extensions have to be registered since Windows NT 3.1 and Windows 95 with the following pair of Registry entries:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.‹extension›]
"Content Type"="‹MIME type›"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\‹MIME type›]
"Extension"=".‹extension›"

Demonstration

Perform the following 2 simple steps to show the poor state of the MIME type registration.

Start the Command Processor cmd.exe, then display the MIME types registered with the 42 file extensions for which Microsoft has a MIME type assigned by IANA:

FOR %? IN (.doc .dot .rtf .scr .exe .dll .cpl .ocx .mui .drv .sys .cil .asf .cab
           .3mf .xls .xlt .xlam .xlsb .xlsm .xltm .eot .chm .ims .thmx .pps .ppt .ppam
           .pptm .sldm .ppsm .potm .mpp .docm .dotm .wpl .xps .pya .ico .mdi .mpf .pyv) DO @(
REG.EXE QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\%? /V "Content Type") 2>NUL:

Note: the command lines can be copied and pasted as block into a Command Processor window.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe
    Content Type    REG_SZ    application/x-msdownload

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll
    Content Type    REG_SZ    application/x-msdownload

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asf
    Content Type    REG_SZ    video/x-ms-asf

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.wpl
    Content Type    REG_SZ    application/vnd.ms-wpl

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xps
    Content Type    REG_SZ    application/vnd.ms-xpsdocument

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ico
    Content Type    REG_SZ    image/x-icon

OUCH¹: only 6 of these 42 file extensions are registered with their MIME type – the 4 highlighted ones not assigned by IANA!

Display the file extensions registered with the MIME types which Microsoft has assigned by IANA:

REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/msword" /V "Extension"
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/rtf" /V "Extension"
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type" /F "vnd.microsoft" /K /S /V "Extension"
REG.EXE QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type" /F "vnd.ms-" /K /S /V "Extension"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/msword
    Extension    REG_SZ    .doc

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/rtf
    Extension    REG_SZ    .rtf

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-pki.certstore
    Extension    REG_SZ    .sst

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-pki.pko
    Extension    REG_SZ    .pko

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-pki.seccat
    Extension    REG_SZ    .cat

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-wpl
    Extension    REG_SZ    .wpl

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/vnd.ms-dds
    Extension    REG_SZ    .dds

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/vnd.ms-photo
    Extension    REG_SZ    .wdp

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\vnd.ms-pki.certstore
    Extension    REG_SZ    .sst

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\vnd.ms-pki.pko
    Extension    REG_SZ    .pko

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\vnd.ms-pki.seccat
    Extension    REG_SZ    .cat

OUCH²: the MIME type application/vnd.ms-xpsdocument is not registered!

OUCH³: the 5 MIME types application/vnd.ms-pki.* and image/vnd.ms-* are not assigned by IANA!

OUCH⁴: the 3 MIME types vnd.ms-pki.* are invalid – their top-level media type is missing!

Whisper № 1

With Windows 7 Microsoft introduced SRPv2 alias AppLocker, including 5 PowerShell cmdlets to handle its policies: Get-AppLockerFileInformation, Get-AppLockerPolicy, New-AppLockerPolicy, Set-AppLockerPolicy and Test-AppLockerPolicy.

PowerShell.exe /Command "Import-Module AppLocker; Get-AppLockerFileInformation -Directory '%WINDIR%'"
PowerShell.exe /Command "Import-Module AppLocker; Get-AppLockerFileInformation -Path '%COMSPEC%'"
PowerShell.exe /Command "Import-Module AppLocker; Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path '%COMSPEC%'"

Path                    Publisher                                                                                                                Hash                                                                     
----                    ---------                                                                                                                ----                                                                     
%WINDIR%\BFSVC.EXE      O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\BFSVC.EXE,6.1.7601.17514     SHA256 0x6BF48AC00680DA7969B51835B2C823755DCE121834082CDDAE24B4AAE267A92C
%WINDIR%\EXPLORER.EXE   O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\EXPLORER.EXE,6.1.7601.23537  SHA256 0xA186E53413C0A22B6BEE8A8D1BBF09550F1BEC2BF933D5DA3EFE7D42691C9EFD
%WINDIR%\FVEUPDATE.EXE  O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\FVEUPDATE.EXE,6.1.7601.23403 SHA256 0x89CF83AB9D92E3B074EC3A64D091262E4537158C2BDFD47EC16A56863AEA273D
%WINDIR%\HELPPANE.EXE   O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\HELPPANE.EXE,6.1.7601.23834  SHA256 0x9C1C90258267F795B092DBE74EDE34AC96FEF6C64892E0E9425E7D13193586FA
%WINDIR%\HH.EXE         O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\HTML HELP\HH.EXE,6.1.7601.24134                                   SHA256 0x5B6F92A818791679C71EB1249F684285E807CE45FA045162EA7BBF846D7FF167
%WINDIR%\NOTEPAD.EXE    O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NOTEPAD.EXE,6.1.7601.23403   SHA256 0x4FD49DEF42CCF59968520F1A4DD9F136E7D6E3D6CEBC3C1DAC627CC0C8A34152
%WINDIR%\REGEDIT.EXE    O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\REGEDIT.EXE,6.1.7600.16385   SHA256 0x053A6D9C29A8A9C4DB3600CA46F8D4C32ABFFC090C87726DA5CA2EC8E068EAD1
%WINDIR%\SPLWOW64.EXE   O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\SPLWOW64.EXE,6.1.7601.23403  SHA256 0xEC19AE82CFF53F3EC05D231F115DA50BEA81753A2B2E335DEBF41E4560FFEAD5
%WINDIR%\TWUNK_16.EXE   O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\,0.0.0.0                                                         SHA256 0x103035A32E7893D702CED974FAA4434828BC03B0CC54D1B2E1205A2F2575E7C9
%WINDIR%\TWUNK_32.EXE   O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\TWAIN THUNKER\TWUNK_32.EXE,1.7.1.0                                SHA256 0x5E0831E4568A673CB23B955D30132D58669F6BF5FDBBA52693C0AEB9C72B5881
%WINDIR%\WINHLP32.EXE   O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WINHLP32.EXE,50.1.7600.16386 SHA256 0x0C2FD81A6ADBF6B48B18555B1D29192EE3DAB61631EA447714DFCF7FF0F321F1
%WINDIR%\WRITE.EXE      O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WRITE,6.1.7600.16385         SHA256 0xD1635E8EEE2979A4FBA988CAE2BA8FFB700FC78109FC1C38DCE8B4AC9E8FF402
%WINDIR%\TWAIN.DLL      O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\,0.0.0.0                                                         SHA256 0x3D922F8B608401AF4F34F71DBACFA458CEF1F7BFFFEDD7FEBEE0A968E51D6DCE
%WINDIR%\TWAIN_32.DLL   O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\TWAIN_32 SOURCE MANAGER\TWAIN_32.DLL,1.7.1.3                      SHA256 0x7E2FADCA8D0C5A279B2CD058D6C44D0FF2945286FFF7B0EADFF7D9D61314BE29

Path               Publisher                                                                                                          Hash                                                                     
----               ---------                                                                                                          ----                                                                     
%SYSTEM32%\CMD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\CMD.EXE,6.1.7601.23403 SHA256 0x7B78775AEC2C6D6C74CB7D431097A4018A9C6016E1B02CB0C7B2DD5C00B45267

FilePath                      PolicyDecision MatchingRule
--------                      -------------- ------------
C:\Windows\system32\cmd.exe AllowedByDefault

Their implementation uses methods from the (undocumented) COM interface IAppIdPolicyHandler of the scriptable COM class AppIdPolicyHandler and from the (undocumented) COM interface IAppIdPolicyHelper of the scriptable COM class AppIdPolicyHelper, both provided by %SystemRoot%\System32\AppIdPolicyEngineApi.dll via IID {B6FEA19E-32DD-4367-B5B7-2F5DA140E87D}, CLSID {F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3} and ProgID AppIdPolicyEngineApi.AppIdPolicyHandler respectively IID {D500522D-465B-4C83-8008-00C4EC90A859}, CLSID {0AEA3667-1039-43FF-8D21-B1A162090671} and ProgID AppIdPolicyEngineApi.AppIdPolicyHelper:

REG.EXE QUERY HKCR\Interface\{B6FEA19E-32DD-4367-B5B7-2F5DA140E87D} /S
REG.EXE QUERY HKCR\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3} /S
REG.EXE QUERY HKCR\AppIdPolicyEngineApi.AppIdPolicyHandler /S
REG.EXE QUERY HKCR\AppIdPolicyEngineApi.AppIdPolicyHandler.1 /S
REG.EXE QUERY HKCR\Interface\{D500522D-465B-4C83-8008-00C4EC90A859} /S
REG.EXE QUERY HKCR\CLSID\{0AEA3667-1039-43FF-8D21-B1A162090671} /S
REG.EXE QUERY HKCR\AppIdPolicyEngineApi.AppIdPolicyHelper /S
REG.EXE QUERY HKCR\AppIdPolicyEngineApi.AppIdPolicyHelper.1 /S

HKEY_CLASSES_ROOT\Interface\{B6FEA19E-32DD-4367-B5B7-2F5DA140E87D}
    (Default)    REG_SZ    IAppIdPolicyHandler

HKEY_CLASSES_ROOT\Interface\{B6FEA19E-32DD-4367-B5B7-2F5DA140E87D}\ProxyStubClsid
    (Default)    REG_SZ    {00020424-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{B6FEA19E-32DD-4367-B5B7-2F5DA140E87D}\ProxyStubClsid32
    (Default)    REG_SZ    {00020424-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{B6FEA19E-32DD-4367-B5B7-2F5DA140E87D}\TypeLib
    (Default)    REG_SZ    {85C3F8F7-CFCE-4259-87FF-CAB1F4521F6E}
    Version    REG_SZ    1.0

HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}
    (Default)    REG_SZ    AppIdPolicyHandler Class

HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}\InprocServer32
    (Default)    REG_SZ    C:\Windows\System32\AppIdPolicyEngineApi.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}\ProgID
    (Default)    REG_SZ    AppIdPolicyEngineApi.AppIdPolicyHandler.1

HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}\Programmable

HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}\TypeLib
    (Default)    REG_SZ    {85C3F8F7-CFCE-4259-87FF-CAB1F4521F6E}

HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}\Version
    (Default)    REG_SZ    1.0

HKEY_CLASSES_ROOT\CLSID\{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}\VersionIndependentProgID
    (Default)    REG_SZ    AppIdPolicyEngineApi.AppIdPolicyHandler

ERROR: The specified registry key or value was not found.

ERROR: The specified registry key or value was not found.

HKEY_CLASSES_ROOT\Interface\{D500522D-465B-4C83-8008-00C4EC90A859}
    (Default)    REG_SZ    IAppIdPolicyHelper

HKEY_CLASSES_ROOT\Interface\{D500522D-465B-4C83-8008-00C4EC90A859}\ProxyStubClsid
    (Default)    REG_SZ    {00020424-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{D500522D-465B-4C83-8008-00C4EC90A859}\ProxyStubClsid32
    (Default)    REG_SZ    {00020424-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{D500522D-465B-4C83-8008-00C4EC90A859}\TypeLib
    (Default)    REG_SZ    {85C3F8F7-CFCE-4259-87FF-CAB1F4521F6E}
    Version    REG_SZ    1.0

HKEY_CLASSES_ROOT\CLSID\{0AEA3667-1039-43FF-8D21-B1A162090671}
    (Default)    REG_SZ    AppIdPolicyHelper Class

HKEY_CLASSES_ROOT\CLSID\{0AEA3667-1039-43FF-8D21-B1A162090671}\InprocServer32
    (Default)    REG_SZ    C:\Windows\System32\AppIdPolicyEngineApi.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_CLASSES_ROOT\CLSID\{0AEA3667-1039-43FF-8D21-B1A162090671}\ProgID
    (Default)    REG_SZ    AppIdPolicyEngineApi.AppIdPolicyHelper.1

HKEY_CLASSES_ROOT\CLSID\{0AEA3667-1039-43FF-8D21-B1A162090671}\Programmable

HKEY_CLASSES_ROOT\CLSID\{0AEA3667-1039-43FF-8D21-B1A162090671}\TypeLib
    (Default)    REG_SZ    {85C3F8F7-CFCE-4259-87FF-CAB1F4521F6E}

HKEY_CLASSES_ROOT\CLSID\{0AEA3667-1039-43FF-8D21-B1A162090671}\Version
    (Default)    REG_SZ    1.0

HKEY_CLASSES_ROOT\CLSID\{0AEA3667-1039-43FF-8D21-B1A162090671}\VersionIndependentProgID
    (Default)    REG_SZ    AppIdPolicyEngineApi.AppIdPolicyHelper

ERROR: The specified registry key or value was not found.

ERROR: The specified registry key or value was not found.

OOPS: the version-independent as well as the versioned ProgIDs are but not registered!

Demonstration

Perform the following 8 simple steps to use the COM classes AppIdPolicyHandler and AppIdPolicyHelper with Windows Script Host.

Execute the OLE/COM Object Viewer application OLEView.exe shipped with the Windows SDK to generate the interface description:

OLEVIEW.EXE "%SystemRoot%\System32\AppIdPolicyEngineApi.dll"

// Generated .IDL file (by the OLE/COM Object Viewer)
// 
// typelib filename: AppIdPolicyEngineApi.dll

[
  uuid(85C3F8F7-CFCE-4259-87FF-CAB1F4521F6E),
  version(1.0),
  helpstring("AppIdPolicyEngineApi 1.0 Type Library")
]
library AppIdPolicyEngineApiLib
{
    // TLib :     // TLib : OLE Automation : {00020430-0000-0000-C000-000000000046}
    importlib("stdole2.tlb");

    // Forward declare all types defined in this typelib
    interface IAppIdPolicyHandler;
    interface IAppIdMmcPolicyHandler;
    interface IAppIdPolicyHelper;

    [
      uuid(F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3),
      helpstring("AppIdPolicyHandler Class")
    ]
    coclass AppIdPolicyHandler {
        [default] interface IAppIdPolicyHandler;
    };

    [
      odl,
      uuid(B6FEA19E-32DD-4367-B5B7-2F5DA140E87D),
      helpstring("IAppIdPolicyHandler Interface"),
      dual,
      nonextensible,
      oleautomation
    ]
    interface IAppIdPolicyHandler : IDispatch {
        [id(0x00000001), helpstring("method SetPolicy")]
        HRESULT SetPolicy(
                        [in] BSTR bstrLdapPath, 
                        [in] BSTR bstrXmlPolicy);
        [id(0x00000002), helpstring("method GetPolicy")]
        HRESULT GetPolicy(
                        [in] BSTR bstrLdapPath, 
                        [out, retval] BSTR* pbstrXmlPolicy);
        [id(0x00000003), helpstring("method GetEffectivePolicy")]
        HRESULT GetEffectivePolicy([out, retval] BSTR* pbstrXmlPolicy);
        [id(0x00000004), helpstring("method IsFileAllowed")]
        HRESULT IsFileAllowed(
                        [in] BSTR bstrXmlPolicy, 
                        [in] BSTR bstrFilePath, 
                        [in] BSTR bstrUserSid, 
                        [out] GUID* pguidResponsibleRuleId, 
                        [out, retval] long* pbStatus);
    };

    [
      uuid(5971EC44-072A-41B7-8E67-D9E045CC196D),
      helpstring("AppIdMmcPolicyHandler Class")
    ]
    coclass AppIdMmcPolicyHandler {
        [default] interface IAppIdMmcPolicyHandler;
    };

    [
      odl,
      uuid(B780009A-2622-46E4-A23C-33E8D0990B27),
      helpstring("IAppIdMmcPolicyHandler Interface"),
      dual,
      nonextensible,
      oleautomation
    ]
    interface IAppIdMmcPolicyHandler : IDispatch {
        [id(0x00000001), helpstring("method Register")]
        HRESULT Register(
                        [in] IUnknown* pGPEInformation, 
                        [out, retval] GUID* pguidClientId);
        [id(0x00000002), helpstring("method Unregister")]
        HRESULT Unregister([in] GUID guidClientId);
        [id(0x00000003), helpstring("method SetPolicy")]
        HRESULT SetPolicy(
                        [in] GUID guidClientId, 
                        [in] BSTR bstrXmlPolicy);
        [id(0x00000004), helpstring("method GetPolicy")]
        HRESULT GetPolicy(
                        [in] GUID guidClientId, 
                        [out, retval] BSTR* pbstrXmlPolicy);
    };

    [
      uuid(0AEA3667-1039-43FF-8D21-B1A162090671),
      helpstring("AppIdPolicyHelper Class")
    ]
    coclass AppIdPolicyHelper {
        [default] interface IAppIdPolicyHelper;
    };

    [
      odl,
      uuid(D500522D-465B-4C83-8008-00C4EC90A859),
      helpstring("IAppIdPolicyHelper Interface"),
      dual,
      nonextensible,
      oleautomation
    ]
    interface IAppIdPolicyHelper : IDispatch {
        [id(0x00000001), helpstring("method GetFileType")]
        HRESULT GetFileType(
                        [in] BSTR bstrFilePath, 
                        [out, retval] FILE_TYPE* peFileType);
        [id(0x00000002), helpstring("method GetFileRuleCollection")]
        HRESULT GetFileRuleCollection(
                        [in] FILE_TYPE eFileType, 
                        [out, retval] BSTR* pbstrRuleCollection);
        [id(0x00000003), helpstring("method GetFileExtensions")]
        HRESULT GetFileExtensions(
                        [in] FILE_TYPE eFileType, 
                        [out, retval] BSTR* pbstrFileExtesnions);
        [id(0x00000004), helpstring("method CalculateFileHash")]
        HRESULT CalculateFileHash(
                        [in] BSTR bstrFilePath, 
                        [out, retval] SAFEARRAY(unsigned char)* ppsabHashData);
        [id(0x00000005), helpstring("method CalculateFilePublisher")]
        HRESULT CalculateFilePublisher(
                        [in] BSTR bstrFilePath, 
                        [out] BSTR* pbstrPublisherName, 
                        [out] BSTR* pbstrProductName, 
                        [out] BSTR* pbstrBinaryName, 
                        [out] uint64* pulBinaryVersion);
        [id(0x00000006), helpstring("method NormalizeFilePath")]
        HRESULT NormalizeFilePath(
                        [in] BSTR bstrFilePath, 
                        [out, retval] BSTR* pbstrNormalizedFilePath);
        [id(0x00000007), helpstring("method EncodeFilePublisherInformation")]
        HRESULT EncodeFilePublisherInformation(
                        [in] BSTR bstrInformation, 
                        [in] long bIngoreWildCharacters, 
                        [out, retval] BSTR* pbstrEncodedInformation);
        [id(0x00000008), helpstring("method DecodeFilePublisherInformation")]
        HRESULT DecodeFilePublisherInformation(
                        [in] BSTR bstrInformation, 
                        [out, retval] BSTR* pbstrDecodedInformation);
        [id(0x00000009), helpstring("method CompileRule")]
        HRESULT CompileRule(
                        [in] BSTR bstrXmlRule, 
                        [out, retval] BSTR* pbstrCompiledRule);
    };

    typedef [helpstring("FileType")public]
    __MIDL___MIDL_itf_appidpolicyengineapi_0000_0000_0001 FILE_TYPE;

    typedef [helpstring("FileType")]
    enum {
        FILE_TYPE_NOT_SUPPORTED = 0,
        FILE_TYPE_EXE = 1,
        FILE_TYPE_DLL = 2,
        FILE_TYPE_WINDOWS_INSTALLER = 3,
        FILE_TYPE_SCRIPT = 4
    } __MIDL___MIDL_itf_appidpolicyengineapi_0000_0000_0001;
};

Create the text file whisper.wsf with the following content in an arbitrary, preferable empty directory:

<?xml version='1.0' encoding='US-ASCII' standalone='yes' ?>
<package>
    <comment>Copyright (C) 2009-2025, Stefan Kanthak</comment>
    <job id='Handler'>
        <object id='AppIdPolicyHandler' classid='clsid:F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3' />
        <script language='JScript'>
        <![CDATA[
            WScript.Echo(AppIdPolicyHandler.GetEffectivePolicy())
            WScript.Echo(AppIdPolicyHandler.GetPolicy(""))
        //  WScript.Echo(AppIdPolicyHandler.SetPolicy("", "<AppLockerPolicy Version='1' />"))
            WScript.Quit(0)
        ]]>
        </script>
    </job>
    <job id='Helper'>
        <object id='AppIdPolicyHelper' classid='clsid:0AEA3667-1039-43FF-8D21-B1A162090671' />
        <reference guid='85C3F8F7-CFCE-4259-87FF-CAB1F4521F6E' />
        <script language='VBScript'>
        <![CDATA[
            Option Explicit
            With AppIdPolicyHelper
                WScript.Echo .GetFileType(WScript.ScriptName) & vbTab & WScript.ScriptName
                WScript.Echo .GetFileType(WScript.FullName) & vbTab & WScript.FullName
                WScript.Echo .GetFileType(WScript.Path) & vbTab & WScript.Path
                WScript.Echo
                WScript.Echo .GetFileRuleCollection(FILE_TYPE_EXE) & vbTab & .GetFileExtensions(FILE_TYPE_EXE)
                WScript.Echo .GetFileRuleCollection(FILE_TYPE_DLL) & vbTab & .GetFileExtensions(FILE_TYPE_DLL)
                WScript.Echo .GetFileRuleCollection(FILE_TYPE_WINDOWS_INSTALLER) & vbTab & .GetFileExtensions(FILE_TYPE_WINDOWS_INSTALLER)
                WScript.Echo .GetFileRuleCollection(FILE_TYPE_SCRIPT) & vbTab & .GetFileExtensions(FILE_TYPE_SCRIPT)
                WScript.Echo
                WScript.Echo WScript.ScriptName & " = " & .NormalizeFilePath(WScript.ScriptName)
                WScript.Echo WScript.FullName & " = " & .NormalizeFilePath(WScript.FullName)
                WScript.Echo
                WScript.Echo Hash2Text(.CalculateFileHash(WScript.ScriptName))
                WScript.Echo Hash2Text(.CalculateFileHash(WScript.FullName))
                WScript.Echo
                WScript.Echo .DecodeFilePublisherInformation("CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US")
                WScript.Echo .EncodeFilePublisherInformation("CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", vbTrue)
                WScript.Echo
                WScript.Echo .CompileRule("<FilePathRule Action='Allow' Description='' Id='00000000-0000-0000-0000-000000000000' Name='' UserOrGroupSid='S-1-5-32-544'><Conditions><FilePathCondition Path='*' /></Conditions></FilePathRule>")
                WScript.Echo .CompileRule("<FilePublisherRule Action='Allow' Description='' Id='00000000-0000-0000-0000-000000000000' Name='' UserOrGroupSid='S-1-1-0'><Conditions><FilePublisherCondition BinaryName='*' ProductName='*' PublisherName='CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'><BinaryVersionRange HighSection='65535.65535.65535.65535' LowSection='0.0.0.0' /></FilePublisherCondition></Conditions></FilePublisherRule>")
            End With
            WScript.Quit 0
            Function Hash2Text(Hash)
                Dim int, asc, str
                For int = 1 To LenB(Hash)
                    asc = AscB(MidB(Hash, int, 1))
                    If asc < 16 Then str = str & "0"
                    str = str & Hex(asc)
                Next
                Hash2Text = str
            End Function
        ]]>
        </script>
    </job>
</package>

Execute the JScript from the first job of the Windows Script File whisper.wsf created in step 2. to demonstrate the handler methods:

CSCRIPT.EXE //Job:Handler whisper.wsf

Microsoft (R) Windows Script Host, Version 5.8
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

<AppLockerPolicy Version="1"/>

<AppLockerPolicy Version="1"/>

Execute the VBScript from the second job of the Windows Script File whisper.wsf created in step 2. to demonstrate the helper methods:

CSCRIPT.EXE //Job:Helper whisper.wsf

Microsoft (R) Windows Script Host, Version 5.8
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

0	whisper.wsf
1	C:\Windows\System32\cscript.exe
0	C:\Windows\System32

Exe	com,exe
Dll	dll
Msi	msi,msp
Script	bat,cmd,js,ps1,vbs

whisper.wsf = %OSDRIVE%\USERS\STEFAN\DESKTOP\WHISPER.WSF
C:\Windows\System32\cscript.exe = %SYSTEM32%\CSCRIPT.EXE

C7AFE4127307150B2E024FB1EFCFE33C4F2BFCAAFBDA74E5E161233022BA0327
0A242026DA1DF243E88C2D56FC7A77CF04F65513075968F010E213046E64465E

CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

D:(XA;;FX;;;BA;(APPID://PATH Contains "*"))
D:(XA;;FX;;;WD;((Exists APPID://FQBN) && ((APPID://FQBN >= {"CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\*\*", 0}) && (APPID://FQBN <= {"CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\*\*", 18446744073709551615}))))

Create the text file whisper.reg with the following content in the same directory:

REGEDIT4

[HKEY_CLASSES_ROOT\AppIdPolicyEngineApi.AppIdPolicyHandler\CurVer]
@="AppIdPolicyEngineApi.AppIdPolicyHandler.1"

[HKEY_CLASSES_ROOT\AppIdPolicyEngineApi.AppIdPolicyHandler.1\CLSID]
@="{F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}"

[HKEY_CLASSES_ROOT\AppIdPolicyEngineApi.AppIdPolicyHelper\CurVer]
@="AppIdPolicyEngineApi.AppIdPolicyHeloer.1"

[HKEY_CLASSES_ROOT\AppIdPolicyEngineApi.AppIdPolicyHelper.1\CLSID]
@="{0AEA3667-1039-43FF-8D21-B1A162090671}"

�

REG.EXE IMPORT whisper.reg

The operation completed successfully.

Create the text file whisper.vbs with the following content in the same directory:

Rem Copyright © 2009-2025, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

Option Explicit

Const strLDAPPath = "" ' ldap://ad-dc.example.org/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Example,DC=Org
Const strXMLPolicy = "<AppLockerPolicy Version='1' />"

With WScript.CreateObject("AppIdPolicyEngineApi.AppIdPolicyHandler")
    WScript.Echo .GetEffectivePolicy
    WScript.Echo .GetPolicy(strLDAPPath)
'   WScript.Echo .SetPolicy(strLDAPPath, strXMLPolicy)
End With

Register the missing ProgIDs AppIdPolicyEngineApi.AppIdPolicyHandler and AppIdPolicyEngineApi.AppIdPolicyHandler.1, then execute the VBScript whisper.vbs created in step 6. to display the AppLocker policies again:

REG.EXE ADD HKCR\AppIdPolicyEngineApi.AppIdPolicyHandler\CurVer /VE /T REG_SZ /D AppIdPolicyEngineApi.AppIdPolicyHandler.1
REG.EXE ADD HKCR\AppIdPolicyEngineApi.AppIdPolicyHandler.1\CLSID /VE /T REG_SZ /D {F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3}
CSCRIPT.EXE whisper.vbs

Note: the command lines can be copied and pasted as block into a Command Processor window.

The operation completed successfully.

The operation completed successfully.

Microsoft (R) Windows Script Host, Version 5.8
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

<AppLockerPolicy Version="1"/>

<AppLockerPolicy Version="1"/>

Overwrite the text file whisper.vbs created in step 5. with the following content:

Rem Copyright © 2009-2025, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

Option Explicit

Const FILE_TYPE_NOT_SUPPORTED = 0
Const FILE_TYPE_EXE = 1
Const FILE_TYPE_DLL = 2
Const FILE_TYPE_WINDOWS_INSTALLER = 3
Const FILE_TYPE_SCRIPT = 4

With WScript.CreateObject("AppIdPolicyEngineApi.AppIdPolicyHelper")
    WScript.Echo .GetFileType(WScript.ScriptName) & vbTab & WScript.ScriptName
    WScript.Echo .GetFileType(WScript.FullName) & vbTab & WScript.FullName
    WScript.Echo .GetFileType(WScript.Path) & vbTab & WScript.Path
    WScript.Echo
    WScript.Echo .GetFileRuleCollection(FILE_TYPE_EXE) & vbTab & .GetFileExtensions(FILE_TYPE_EXE)
    WScript.Echo .GetFileRuleCollection(FILE_TYPE_DLL) & vbTab & .GetFileExtensions(FILE_TYPE_DLL)
    WScript.Echo .GetFileRuleCollection(FILE_TYPE_WINDOWS_INSTALLER) & vbTab & .GetFileExtensions(FILE_TYPE_WINDOWS_INSTALLER)
    WScript.Echo .GetFileRuleCollection(FILE_TYPE_SCRIPT) & vbTab & .GetFileExtensions(FILE_TYPE_SCRIPT)
    WScript.Echo
    WScript.Echo WScript.ScriptName & " = " & .NormalizeFilePath(WScript.ScriptName)
    WScript.Echo WScript.FullName & " = " & .NormalizeFilePath(WScript.FullName)
    WScript.Echo
    WScript.Echo Hash2Text(.CalculateFileHash(WScript.ScriptName))
    WScript.Echo Hash2Text(.CalculateFileHash(WScript.FullName))
    WScript.Echo
    WScript.Echo .DecodeFilePublisherInformation("CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US")
    WScript.Echo .EncodeFilePublisherInformation("CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", vbTrue)
    WScript.Echo
    WScript.Echo .CompileRule("<FilePathRule Action='Allow' Description='' Id='00000000-0000-0000-0000-000000000000' Name='' UserOrGroupSid='S-1-5-32-544'><Conditions><FilePathCondition Path='*' /></Conditions></FilePathRule>")
    WScript.Echo .CompileRule("<FilePublisherRule Action='Allow' Description='' Id='00000000-0000-0000-0000-000000000000' Name='' UserOrGroupSid='S-1-1-0'><Conditions><FilePublisherCondition BinaryName='*' ProductName='*' PublisherName='CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'><BinaryVersionRange HighSection='65535.65535.65535.65535' LowSection='0.0.0.0' /></FilePublisherCondition></Conditions></FilePublisherRule>")
End With

Function Hash2Text(Hash)
    Dim int, asc, str
    For int = 1 To LenB(Hash)
        asc = AscB(MidB(Hash, int, 1))
        If asc < 16 Then str = str & "0"
        str = str & Hex(asc)
    Next
    Hash2Text = str
End Function

Register the missing ProgIDs AppIdPolicyEngineApi.AppIdPolicyHelper and AppIdPolicyEngineApi.AppIdPolicyHelper.1, then execute the VBScript whisper.vbs overwritten in step 7. to demonstrate the helper methods again:

REG.EXE ADD HKCR\AppIdPolicyEngineApi.AppIdPolicyHelper\CurVer /VE /T REG_SZ /D AppIdPolicyEngineApi.AppIdPolicyHandler.1
REG.EXE ADD HKCR\AppIdPolicyEngineApi.AppIdPolicyHelper.1\CLSID /VE /T REG_SZ /D {0AEA3667-1039-43FF-8D21-B1A162090671}
CSCRIPT.EXE whisper.vbs

The operation completed successfully.

The operation completed successfully.

Microsoft (R) Windows Script Host, Version 5.8
Copyright (C) Microsoft Corporation 1996-2001. Alle Rechte vorbehalten.

4	whisper.vbs
1	C:\Windows\System32\cscript.exe
0	C:\Windows\System32

Exe	com,exe
Dll	dll
Msi	msi,msp
Script	bat,cmd,js,ps1,vbs

whisper.vbs = %OSDRIVE%\USERS\STEFAN\DESKTOP\WHISPER.VBS
C:\Windows\System32\cscript.exe = %SYSTEM32%\CSCRIPT.EXE

60E51D76C652B4DFA204BDCA182818EA42B67F8BC11B344A87C0B6CB9CF919F2
0A242026DA1DF243E88C2D56FC7A77CF04F65513075968F010E213046E64465E

CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

D:(XA;;FX;;;BA;(APPID://PATH Contains "*"))
D:(XA;;FX;;;WD;((Exists APPID://FQBN) && ((APPID://FQBN >= {"CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\*\*", 0}) && (APPID://FQBN <= {"CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\*\*", 18446744073709551615}))))

Whisper № 2

The TechNet article Understanding AppLocker Rule Collections specifies:

An AppLocker rule collection is a set of rules that apply to one of five types:

Executable files: .exe and .com

Windows Installer files: .msi, .mst and .msp

Scripts: .ps1, .bat, .cmd, .vbs, and .js

DLLs: .dll and .ocx

Packaged apps and Packaged app installers: .appx

OUCH¹: this documentation fails to enumerate at least the well-known file extensions .scr for screen saver executables, .msix for Windows Installer files, .vbe, .jse, .wsc, .wsf, .wsh and .sct for scripts, plus .acm, .ax, .drv, .ime, .mui, .tsp, .wll, .xll and .cpl for DLLs!

OUCH²: at least executable files, script files run by Windows Script Host and DLLs may have an arbitrary or no file extension at all!

The documentation for the Test-AppLockerPolicy PowerShell cmdlet specifies:

The Test-AppLockerPolicy cmdlet uses the specified AppLocker policy to test whether a specified list of files are allowed to run on the local computer for a specific user.
Syntax
Test-AppLockerPolicy [-PolicyObject] <AppLockerPolicy> [-Path <String[]>] [-User <String>] [-Filter <PolicyDecision[]>] [<CommonParameters>]

Test-AppLockerPolicy [-XMLPolicy] <String> [-Path <String>] [-User <String>] [-Filter <FilterType>] [<CommonParameters>]
Parameters

Parameter Description

PolicyObject <AppLockerPolicy> Specifies the policy object that contains the AppLocker policy. It can be obtained from the Get-AppLockerPolicy or New-AppLockerPolicy cmdlet.

XMLPolicy <String> The XML file path that contains the AppLocker policy.

Path <String[]> Specifies the list of file paths to test. Supports regular expressions.

User <String> Defines the user or group that the rules are applied to. You must provide one of the following property values:

DNS user name (domain\username)

User principal name (username@domain.com)

Security identifier (S-1-5-21-3165297888-301567370-576410423-1103)

SAM user name (username)

Filter <PolicyDecision[]> Filters the output by the policy decision for each input file. The policy decision options include: All, Allowed, Denied, DeniedByDefault, and AllowedByDefault. By default, all policy decisions are displayed.

Parameter	Description
PolicyObject <AppLockerPolicy>	Specifies the policy object that contains the AppLocker policy. It can be obtained from the Get-AppLockerPolicy or New-AppLockerPolicy cmdlet.
XMLPolicy <String>	The XML file path that contains the AppLocker policy.
Path <String[]>	Specifies the list of file paths to test. Supports regular expressions.
User <String>	Defines the user or group that the rules are applied to. You must provide one of the following property values: DNS user name (domain\username) User principal name (username@domain.com) Security identifier (S-1-5-21-3165297888-301567370-576410423-1103) SAM user name (username)
Filter <PolicyDecision[]>	Filters the output by the policy decision for each input file. The policy decision options include: All, Allowed, Denied, DeniedByDefault, and AllowedByDefault. By default, all policy decisions are displayed.

CAVEAT: this documentation specifies neither preconditions nor restrictions for the file paths to test!

Demonstration

Perform the following 6 simple steps to show the (mis)behaviour of the Test-AppLockerPolicy cmdlet and its cause.

Create the text file whisper.xml with the following content in an arbitrary, preferable empty directory:
```
<?xml version='1.0' encoding='US-ASCII' standalone='yes' ?>
<AppLockerPolicy Version='1' />
```

Test file paths with the 12 file extensions specified in the first documentation cited above against the empty allow all AppLocker policy whisper.xml created in step 1.:

PowerShell.exe /Command "Import-Module AppLocker; Test-AppLockerPolicy -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx"

Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.exe" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<<  -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
    + CategoryInfo          : InvalidArgument: (whisper.exe:String) [Test-AppLockerPolicy], ItemNotFoundException
    + FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
 
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.com" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<<  -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
    + CategoryInfo          : InvalidArgument: (whisper.com:String) [Test-AppLockerPolicy], ItemNotFoundException
    + FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
 
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.msi" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<<  -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
    + CategoryInfo          : InvalidArgument: (whisper.msi:String) [Test-AppLockerPolicy], ItemNotFoundException
    + FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
 
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.mst" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<<  -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
    + CategoryInfo          : InvalidArgument: (whisper.mst:String) [Test-AppLockerPolicy], ItemNotFoundException
    + FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
 
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.msp" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<<  -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
    + CategoryInfo          : InvalidArgument: (whisper.msp:String) [Test-AppLockerPolicy], ItemNotFoundException
    + FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
 
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.ps1" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<<  -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
    + CategoryInfo          : InvalidArgument: (whisper.ps1:String) [Test-AppLockerPolicy], ItemNotFoundException
    + FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
 
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.bat" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<<  -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
    + CategoryInfo          : InvalidArgument: (whisper.bat:String) [Test-AppLockerPolicy], ItemNotFoundException
    + FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
 
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.cmd" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<<  -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
    + CategoryInfo          : InvalidArgument: (whisper.cmd:String) [Test-AppLockerPolicy], ItemNotFoundException
    + FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
 
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.vbs" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<<  -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
    + CategoryInfo          : InvalidArgument: (whisper.vbs:String) [Test-AppLockerPolicy], ItemNotFoundException
    + FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
 
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.js" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<<  -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
    + CategoryInfo          : InvalidArgument: (whisper.js:String) [Test-AppLockerPolicy], ItemNotFoundException
    + FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
 
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.dll" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<<  -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
    + CategoryInfo          : InvalidArgument: (whisper.dll:String) [Test-AppLockerPolicy], ItemNotFoundException
    + FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
 
Test-AppLockerPolicy : The path "C:\Users\Stefan\Desktop\whisper.ocx" can not be found, it does not exist.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<<  -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
    + CategoryInfo          : InvalidArgument: (whisper.ocx:String) [Test-AppLockerPolicy], ItemNotFoundException
    + FullyQualifiedErrorId : CmdletHelper-FailedResolvingPSPath,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet

OUCH¹: the Test-AppLockerPolicy cmdlet requires the files to exist unconditionally, even for an (empty) AppLocker policy without file hash or publisher rules!

Create the files to test with arbitrary content, then repeat the command from step 2.:

FOR %? IN (whisper.exe whisper.com whisper.msi whisper.mst whisper.msp whisper.ps1 whisper.bat whisper.cmd whisper.vbs whisper.js whisper.dll whisper.ocx) DO @(1>%? ECHO %?)
PowerShell.exe /Command "Import-Module AppLocker; Test-AppLockerPolicy -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx"

FilePath                              PolicyDecision MatchingRule
--------                              -------------- ------------
C:\Users\Stefan\Desktop\whisper.exe AllowedByDefault             
C:\Users\Stefan\Desktop\whisper.com AllowedByDefault             
C:\Users\Stefan\Desktop\whisper.msi AllowedByDefault             
Test-AppLockerPolicy : The file C:\Users\Stefan\Desktop\whisper.mst is not supported by AppLocker. The supported file types are Exe, Dll, Windows Installer, and Script.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<<  -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
    + CategoryInfo          : NotSpecified: (:) [Test-AppLockerPolicy], UnsupportedFileTypeException
    + FullyQualifiedErrorId : TestAppLockerPolicyCmdlet-FailedProcessingFile,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
 
C:\Users\Stefan\Desktop\whisper.msp AllowedByDefault             
C:\Users\Stefan\Desktop\whisper.ps1 AllowedByDefault             
C:\Users\Stefan\Desktop\whisper.bat AllowedByDefault             
C:\Users\Stefan\Desktop\whisper.cmd AllowedByDefault             
C:\Users\Stefan\Desktop\whisper.vbs AllowedByDefault             
C:\Users\Stefan\Desktop\whisper.js  AllowedByDefault             
C:\Users\Stefan\Desktop\whisper.dll AllowedByDefault             
Test-AppLockerPolicy : The file C:\Users\Stefan\Desktop\whisper.ocx is not supported by AppLocker. The supported file types are Exe, Dll, Windows Installer, and Script.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<<  -XMLPolicy whisper.xml -Path whisper.exe, whisper.com, whisper.msi, whisper.mst, whisper.msp, whisper.ps1, whisper.bat, whisper.cmd, whisper.vbs, whisper.js, whisper.dll, whisper.ocx
    + CategoryInfo          : NotSpecified: (:) [Test-AppLockerPolicy], UnsupportedFileTypeException
    + FullyQualifiedErrorId : TestAppLockerPolicyCmdlet-FailedProcessingFile,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet

OUCH²: the Test-AppLockerPolicy cmdlet fails to support the file extensions .mst and .ocx specified in the first documentation cited above!

Repeat the previous step 3. with (arbitrary) other file extensions, for example .scr, .vbe and .cpl mentioned above:

FOR %? IN (whisper.scr whisper.vbe whisper.cpl) DO @(1>%? ECHO %?)
PowerShell.exe /Command "Import-Module AppLocker; Test-AppLockerPolicy -XMLPolicy whisper.xml -Path whisper.scr, whisper.vbe, whisper.cpl"

Test-AppLockerPolicy : The file C:\Users\Stefan\Desktop\whisper.scr is not supported by AppLocker. The supported file types are Exe, Dll, Windows Installer, and Script.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<<  -XMLPolicy whisper.xml -Path whisper.src, whisper.vbe, whisper.cpl
    + CategoryInfo          : NotSpecified: (:) [Test-AppLockerPolicy], UnsupportedFileTypeException
    + FullyQualifiedErrorId : TestAppLockerPolicyCmdlet-FailedProcessingFile,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
 
Test-AppLockerPolicy : The file C:\Users\Stefan\Desktop\whisper.vbe is not supported by AppLocker. The supported file types are Exe, Dll, Windows Installer, and Script.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<<  -XMLPolicy whisper.xml -Path whisper.scr, whisper.vbe, whisper.cpl
    + CategoryInfo          : NotSpecified: (:) [Test-AppLockerPolicy], UnsupportedFileTypeException
    + FullyQualifiedErrorId : TestAppLockerPolicyCmdlet-FailedProcessingFile,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
 
Test-AppLockerPolicy : The file C:\Users\Stefan\Desktop\whisper.cpl is not supported by AppLocker. The supported file types are Exe, Dll, Windows Installer, and Script.
At line:1 char:46
+ Import-Module AppLocker; Test-AppLockerPolicy <<<<  -XMLPolicy whisper.xml -Path whisper.scr, whisper.vbe, whisper.cpl
    + CategoryInfo          : NotSpecified: (:) [Test-AppLockerPolicy], UnsupportedFileTypeException
    + FullyQualifiedErrorId : TestAppLockerPolicyCmdlet-FailedProcessingFile,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet

Create the text file whisper.wsf with the following content in the same directory:

<?xml version='1.0' encoding='US-ASCII' standalone='yes' ?>
<job>
    <object id='AppIdPolicyHelper' classid='clsid:0AEA3667-1039-43FF-8D21-B1A162090671' />
    <script language='VBScript'>
    <![CDATA[
        Option Explicit
        Dim strExtension
        For Each strExtension In Array(".scr", _
                                       ".vbe", ".jse", ".wsc", ".wsf", ".wsh", ".sct", _
                                       ".acm", ".ax", ".drv", ".ime", ".mui", ".tsp", ".wll", ".xll", ".cpl", _
                                       ".")
            WScript.Echo AppIdPolicyHelper.GetFileType(strExtension) & vbTab & strExtension
        Next
        WScript.Quit 0
    ]]>
    </script>
</job>

Execute the Windows Script File whisper.wsf created in step 5. to show the culprit responsible for the misbehaviour:
```
CSCRIPT.EXE whisper.wsf
```
```
Microsoft (R) Windows Script Host, Version 5.8
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

0	.scr
0	.vbe
0	.jse
0	.wsc
0	.wsf
0	.wsh
0	.sct
0	.acm
0	.ax
0	.drv
0	.ime
0	.mui
0	.tsp
0	.wll
0	.xll
0	.cpl
0	.
```
OUCH³: the GetFileType() helper method, used by the Test-AppLockerPolicy cmdlet to determine which rule collection to evaluate, returns 0 alias FILE_TYPE_NOT_SUPPORTED for any file extension except .exe, .com, .msi, .msp, .ps1, .bat, .cmd, .vbs, .js and .dll!

Contact and Feedback

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tipps, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

The software and the documentation on this site are provided as is without any warranty, neither express nor implied.
In no event will the author be held liable for any damage(s) arising from the use of the software or the documentation.
Permission is granted to use the current version of the software and the current version of the documentation solely for personal private and non-commercial purposes.
An individuals use of the software or the documentation in his or her capacity or function as an agent, (independent) contractor, employee, member or officer of a business, corporation or organisation (commercial or non-commercial) does not qualify as personal private and non-commercial purpose.
Without written approval from the author the software or the documentation must not be used for a business, for commercial, corporate, governmental, military or organisational purposes of any kind, or in a commercial, corporate, governmental, military or organisational environment of any kind.
Redistribution of the software and the documentation is allowed only in unmodified form of its current version and free of charge.

Data Protection Declaration

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
Germany
<‍hosting‍@‍telekom‍.‍de‍>
+49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):

the (pseudonymised) IP address;
the date and time of the request;
the URL of the requested web page or file;
the Referer and User-Agent HTTP headers sent by the web browser;
the result (success or failure) of the request;
the amount of data received and sent.