Get applocker status of .exe file

Question

I have developed a launcher that updates/run our software in other companies enviroment. Most of the time the company approves the launcher but forgets about the actual application.

Currently im using Process.Start(procStart) to start the application, but that silently fails if applocker blocks the application.

So i was wondering if someone reliable way of detecting if applocker is active, and when it blocks my application( So i can provide a proper error message).

When the error happens my application seems idle to the user, a memory dump shows this:

Code note: There is no exception handling or suppression of exceptions. If the launcher crashes i would expect to see it in the eventlog.

Added code:

private void StartzzzDesktop(int value)
{            
       var rel = Settings.zzzDesktopStore.GetReleaseInfo(Settings.ConnectionDetails.zzzDesktopID);
        var proc = CreateProccess(rel);
        if (proc == null)
        {
            Settings.LastError = zzzLauncherError.FatelErrorStartzzz;
            Settings.EventManager.TriggerEvent(zzzDesktopStatus.FatalError);
            return;
        }

        Logger.Log(EventLogEntryType.Information, $"Started zzz desktop and got PID {proc.Id} from {rel.GenerateExtrationPath()}");
        Settings.EventManager.TriggerEventSync(zzzDesktopStatus.DeleteOldReleases);
        Settings.EventManager.TriggerEvent(zzzDesktopStatus.ReleaseBackgroundWorkers);
        GC.Collect();

        var remoteStatus = new GetRemotezzzWebStatus();
        while (!proc.HasExited)
        {
            Thread.Sleep(1000);

            if(!remoteStatus.IsRemoteVersionCompatible())
            {
                proc.Kill();
                Logger.Log(EventLogEntryType.Information, $"Detected that the remote website is no longer compatible with current runnign version, and we are killing desktop.");
            }
        }            

        if(proc.ExitCode != 0)
        {
            Settings.zzzDesktopStore.Delete(rel);
            Logger.Log(EventLogEntryType.Warning, $"zzz exited with a none zero exit code ({proc.ExitCode}), the local cached installation will be deleted");
        }
        else
            Logger.Log(EventLogEntryType.Information, $"zzz exited in a normal way with exitcode {proc.ExitCode}, running for {(DateTime.Now - proc.StartTime).ToString()} ");

        CloseDown();
} 

internal Process CreateProccess(zzzDesktopInfo release)
{
        release = GetReleaseInfo(release.ID);
        string pathzzzExe = Path.Combine(release.GenerateExtrationPath(), "zzz.exe");
        var verifyStatus = UtilsVerifyFile.Verify(pathzzzExe);
        if ( !File.Exists(pathzzzExe) || !verifyStatus.Verified)
        {
            Logger.Log(EventLogEntryType.Error, "Found zzz.exe in temp folder, but the certificate did not pass verification");

            foreach (var logentry in verifyStatus.Logs)
                Logger.Log(EventLogEntryType.Error, "Certificate verification log: " + logentry);
            MarkDatabaseForPurge();
            return null;
        }           
    // Removed enterprise spesific code.

        var procStart = new ProcessStartInfo();
        procStart.FileName = pathzzzExe;

        if (Settings.ConnectionDetails.zzzLoginToken != Guid.Empty )
        {
            procStart.Arguments = "/RefreshToken:" + Settings.ConnectionDetails.zzzLoginToken.ToString();
        }

        var process = Process.Start(procStart);
        return process;
}

If something goes wrong during start, it should not silently fail. Could you show us your code please? It is likely that you got some faulty exception handling. — Christopher, Nov 12 '19 at 14:55
Also, what app-blocker are we talkling about? Firewall exceptions not set? Rights on a mobile device missing? Some over-agressive security system that looks at process names and just kills stuff? — Christopher, Nov 12 '19 at 15:00
applocker is a microsoft product @Christopher . I updated with code sample, basicly any none 0 return code would be threated like a error, and to my understanding is the expected result. — EKS, Nov 12 '19 at 15:10
I am unsure the Error Code will help you here. It is a really old thing we used way back in the DOS days, to control BATCH files. It is set by giving the main function a int return type and retuning that number. The issue is that with any security, the programm will propably not even *start* so it will never get to write anything. So unless some other programm wraps around your call and gives you a Error Code. — Christopher, Nov 12 '19 at 15:27
What would fix it (and generally help with the use of a Updater Service) if the two processes would talk with one another. look at the IPC approaches to find one you like. https://learn.microsoft.com/en-us/windows/win32/ipc/interprocess-communications | If the service does not call you back, something blocked it - what that is and fixing it is the Adminsitrators job. — Christopher, Nov 12 '19 at 15:28
Most likely it never starts, the OS simply blocks it. And error code would provide feedback so i could inform the user what is wrong. So they can contact their local IT department. But i have to assume there is some method of detecting that this happend, so it can inform the user — EKS, Nov 12 '19 at 15:29
Yea im leaning towards IPC or a simple "imrunning.txt" but thats so dirty it makes me shives. There has to be a better way :( — EKS, Nov 12 '19 at 15:31
Windows Update is a Service. Services are barred from displaying any UI Since vista. Every time you look at the Windows Update Interface? Every time something updates there? That is a IPC operation happening. And if the service does not work, it even tells you "I could not reach it". IPC is the *least* dirty solution — Christopher, Nov 12 '19 at 15:36
The launcher is not a service, its a WPF application. And starts a c++ application :) Least dirty in my mind would be Get-ApplockerStatus(myExeFile); — EKS, Nov 12 '19 at 15:38
If you moved the UI to the proper application and used only IPC, you could make it a Windows Service. But one way or the other it s a reliable way to test if it started. — Christopher, Nov 12 '19 at 15:51

Get applocker status of .exe file

0 Answers0