AppLocker w rules for specific users & SBIE 4.x+

Utilities designed for use with Sandboxie
Post Reply
Sandboxie Guru
Sandboxie Guru
Posts: 620
Joined: Fri Nov 13, 2015 4:11 pm

AppLocker w rules for specific users & SBIE 4.x+

Post by Syrinx » Mon Aug 22, 2016 1:59 pm

I remember messing with AppLocker before and not getting far alongside SBIE. I decided to look at it again and after I finally got far enough along to recreate the problems I had before I took a look at the Event Log. It took me a while to figure out what my issues were because at first the exe rules were playing quite well alongside SBIE. It turns out my primary issues were mainly related to DLL rules though I expect there may be occasions to use this workaround with other areas as well.

Specifically, my issues started when I wanted to create rules for a certain user instead of an entire group.

Here's an example of a dll being blocked from the apps install directory once SBIE takes control(path/program name Xx'd Out)

- UserData
- RuleAndFileData
PolicyName DLL
RuleId {00000000-0000-0000-0000-000000000000}
RuleName -
RuleSddl -
TargetUser S-1-5-7
TargetProcessId 2080
Here's another example of a dll being blocked from inside an app already sandboxed. (drive x'd out)
PolicyName DLL
RuleId {00000000-0000-0000-0000-000000000000}
RuleName -
RuleSddl -
TargetUser S-1-5-7
TargetProcessId 3400
Normally you could create a rule for 'everyone' or another group and not run into this issue. However with SBIE in the mix, once the app is under its control, it identifies as ANONYMOUS LOGON so if you have rules for specific users like I did, you end up with blocks like those shown above and normally a program that doesn't function correctly if at all.

When attempting to add NT AUTHORITY\ANONYMOUS LOGON via the GUI in AppLocker I was greeted with an alert
"The following object is not from a domain listed in the Select Location dialog box, and is therefore not valid:

This made it 'impossible' to add rules for ANONYMOUS LOGON via the gui. So I thought we couldn't use DLL rules or add other rules for exes etc when needed and still have rules defined per user so I gave up on using AppLocker alongside SBIE. Well, it turns out there is a way! I found a workaround in my setup though I needed a few duplicates so as to retain the original rules and still have seperate ones for ANONYMOUS LOGON...

1) Create similar rules (I used everyone instead of the specific user and I also suggest naming them so they are easily identifiable when looking through the xml)

2) Use the export function of AppLocker and save the policy someplace.

3) Open up the XML and manually replace the existing User SID with the Universal SID of NT AUTHORITY\ANONYMOUS LOGON: (S-1-5-7) in the xml for needed entries.

4) Save the changes (I suggest a different name in case you mess something up so you still have the original to work from or re-import if needed)

5) Re-import the altered ruleset.

6) Be sure to stop/start the AppID Service (or reboot) after importing the altered xml or it may not apply the new ruleset right away and appear not to make a difference.

7) Re-Test your app and re-check the Event Log for any other needed changes.

AppLocker will now handle NT AUTHORITY\ANONYMOUS LOGON and you can set up whatever rules you want, even for specific users, alongside SBIE. The best part is the altered rules can also be edited without losing the SID info or seeing the error again.

How helpful all this will be in general is questionable but it's something I wanted to play with before and finally can thanks to a little manual editing of the exported AL policy.

Posts: 583
Joined: Sat Jul 13, 2013 9:34 am
Location: Mexico

Re: AppLocker w rules for specific users & SBIE 4.x+

Post by Mr.X » Tue Aug 23, 2016 10:22 am

Thanks a lot for this contribution my friend.
Windows 8.1 x64/x86 EN | Sandboxie latest beta or stable | All software latest versions unless stated otherwise

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest