The goal is to control the AppLocker by temporarily stopping the AppIDSvc (Application Identity) Windows service and then resuming its execution. The action is supposed to be performed from within another Windows service with elevated permissions under the SYSTEM user security context.
By default, the AppIDSvc service startup type is Manual (Trigger Start). It means that even if the service is stopped with the ServiceController.Stop method or the sc stop AppIDSvc command, it will be triggered and started again by any AppLocker event, e.g. when an executable is launched.
Since it’s a protected service, calling the ChangeServiceConfig WinAPI function or sc config AppIDSvc start= disabled to disable the service returns an "Access Denied" error.
Attempting to kill the service process, even from within the SYSTEM user security context, also leads to "Access Denied".
The only method that worked for me was to change the registry value Start in HKLM\SYSTEM\CurrentControlSet\Services\AppIDSvc to 4 and then restart the computer. Unfortunately, this method is not suitable because of the computer restart.
There could also be the following solution based on AppLocker PowerShell cmdlets:
1) backup existing AppLocker rules;
2) import “Allow Everything to Everyone” rules with “overwrite existing” option;
3) recover existing ones after the operation.
It has proved to work, but it is also not suitable: it will only substitute local GPO rules; Domain rules will not be overwritten, and the solution needs to work in Domain corporate networks.
Can anyone give advice? Also, the solution mustn't degrade native Windows security. At the same time, we can rely on the fact that customers are aware of it and, moreover, intend to pause AppLocker for a certain amount of time.
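For anyone who has to operate hosts where such a pause is possible, the following audit script (an added example, not part of the question) reports the traces the two approaches above leave behind: the AppIDSvc Start value set to 4, a stopped service, an effective policy containing allow-everything path rules for Everyone, and recent start-type changes logged by the Service Control Manager. It assumes PowerShell 5.1 with the AppLocker module on a Windows host, and event ID 7040 in the System log as the SCM "start type changed" record.

```powershell
# Added audit example (not from the original post): detect the AppLocker "pause"
# techniques described in the question. Assumes PowerShell 5.1 and the AppLocker module.
$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\AppIDSvc'
$findings = @()

# 1. Registry start type: 4 = Disabled, which is what the reboot-based workaround sets.
$start = (Get-ItemProperty -Path $svcKey -Name Start).Start
if ($start -eq 4) {
    $findings += "AppIDSvc Start value is 4 (Disabled); AppLocker will not enforce after a reboot."
}
if (-not (Test-Path -Path "$svcKey\TriggerInfo")) {
    $findings += "AppIDSvc has no TriggerInfo subkey; trigger start has been removed."
}

# 2. Live service state (a stopped AppIDSvc means no enforcement right now).
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') { $findings += "AppIDSvc is currently $($svc.Status)." }

# 3. Effective policy (local + domain): flag Allow rules with path '*' for Everyone (S-1-1-0),
#    i.e. the "Allow Everything to Everyone" pattern from the cmdlet-based approach.
$policy = [xml](Get-AppLockerPolicy -Effective -Xml)
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    if ($rc.EnforcementMode -eq 'AuditOnly') {
        $findings += "Rule collection $($rc.Type) is in AuditOnly mode."
    }
    foreach ($rule in $rc.FilePathRule) {
        $isAllowAll = ($rule.Action -eq 'Allow') -and
                      ($rule.UserOrGroupSid -eq 'S-1-1-0') -and
                      ($rule.Conditions.FilePathCondition.Path -contains '*')
        if ($isAllowAll) {
            $findings += "Collection $($rc.Type): allow-everything path rule '$($rule.Name)' for Everyone."
        }
    }
}

# 4. Service start-type changes recorded by the Service Control Manager in the last 7 days.
$filter  = @{ LogName = 'System'; Id = 7040; StartTime = (Get-Date).AddDays(-7) }
$changes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
           Where-Object { $_.Message -like '*Application Identity*' }
foreach ($e in $changes) {
    $findings += "$($e.TimeCreated): $($e.Message -replace '\s+', ' ')"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output '[ok] AppLocker enforcement looks intact on this host.'
}
```

Run it as an administrator; the registry and event-log reads need elevated rights, and the effective-policy query must run under an account that can read the applied GPOs.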