SOLVED Windows 10 & Hook Scripts

Joined
Jan 10, 2020
Messages
4
Reaction score
0
I'm a Linux guy who is having a difficult time solving a permissions issue (at least that's what I think it is). My cmd scripts used to work in Windows but now they have stopped. OpenVPN has no problem assigning the pushed IPs and routes for the Tap device, however it will no longer execute scripts on Windows 10 clients. The scripts work fine from the user and administrator command prompts (currently I am only writing to a file), but when OpenVPN calls the scripts I get errors in the log and the scripts have not written to the file. This is the feedback from the OpenVPN log:

Code:
Thu Jan 09 19:41:47 2020 us=896429 C:\Users\user\OpenVPN\config\user\scripts\client-tap.cmd Tap 1500 1584 192.168.XXX.XXX 255.255.255.XXX init
Thu Jan 09 19:41:47 2020 us=896429 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem

Looking in the Event Viewer I see no 'Error' or 'Warning' events coinciding with the starting and stopping of the OpenVPN Tap connection. However, there are four events coinciding with the reboot of the computer:

ERROR #1
Code:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user DESKTOP-FP9UVBJ\david SID (S-1-5-21-772083243-123503260-1006230852-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

ERROR #2
Code:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscDataProtection and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

ERROR #3
Code:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscBrokerManager and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

WARNING
Code:
Windows Hello for Business provisioning will not be launched. 
Device is AAD joined ( AADJ or DJ++ ): Not Tested 
User has logged on with AAD credentials: No 
Windows Hello for Business policy is enabled: Not Tested 
Windows Hello for Business post-logon provisioning is enabled: Not Tested 
Local computer meets Windows hello for business hardware requirements: Not Tested 
User is not connected to the machine via Remote Desktop: Yes 
User certificate for on premise auth policy is enabled: Not Tested 
Machine is governed by none policy. 
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

All applications and scripts have been given 'Run this program as an administrator' on the 'Compatibility' tab of the properties pop-up or 'Run as administrator' on the 'Advanced Properties' pop-up of links.

So far, I have tried the following:
- starting the AppLocker service, then adding the script folder to AppLocker with Administrator\Local Service\Network Service\Everyone as user.
- Adding an OpenVPN service trigger as a task when connected to a particular SSID with elevated privileges.
- Editing and adding 'Local Service', 'Network Service' and 'DESKTOP-FP9UVBJ\david' as groups to the tagged CLSID/APPID in the log.

Nothing seems to work. I have been working on this for too long now! Any help would be greatly appreciated.

Thanks, Dave
 

Regedit32

Moderator
Joined
Mar 4, 2016
Messages
3,609
Reaction score
1,140
Editing and adding 'Local Service', 'Network Service' and 'DESKTOP-FP9UVBJ\david' as groups to the tagged CLSID/APPID in the log

I'm not sure what you meant here.

However, Error #1 is telling you the User DESKTOP-FP9UVBJ\david SID (S-1-5-21-772083243-123503260-1006230852-1001) does not have adequate permissions set for the COM Server application RuntimeBroker.

You set those via Component Services:
  • Press WinKey + R to open the Run dialog
  • Type comexp.msc and click OK to open the Component Services dialog
  • In the left pane expand Component Services > Computers > My Computer > DCOM Config
  • In the left pane locate and right-click on RuntimeBroker then select Properties
  • In the RuntimeBroker Properties dialog select the Security tab
  • In the first pane titled Launch and Activation Permissions check the radio button next to Customize then click Edit
  • Add the User mentioned in your error message and give it Launch and Activation permissions
  • Apply changes
  • Restart the computer for the settings to take effect

Regards,

Regedit32
 
Joined
Jan 10, 2020
Messages
4
Reaction score
0
Thank you for your prompt response Regedit32. I followed your recommendations. As the keys to edit in the Component Services pop-up were grayed out, I followed another post found on Google recommending that I change ownership of the APPID from 'trusted installer' to 'administrators' in the registry under 'HKEY_CLASSES_ROOT\appid'. Once this was done I followed the error messages (including after reboot) and set the following:

- RuntimeBroker - Added administrators, myself and 'local services' as users with full privileges (local and remote) for both 'Launch and Activation' and 'Access Permission'
- ShellServiceHost - same as RuntimeBroker; the error didn't ask for 'local services', but since it seems to control scripts I added it anyway.

This was to no avail; I still see the OpenVPN error message, and the script doesn't write to a file. The following errors appear in "administrative events" coinciding with reboots:

ERROR #1
Code:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user DESKTOP-FP9UVBJ\david SID (S-1-5-21-772083243-123503260-1006230852-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

ERROR #2
Code:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscDataProtection and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

ERROR #3
Code:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID Windows.SecurityCenter.WscBrokerManager and APPID Unavailable to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

I took a deep dive into the Event Viewer and found the following error coinciding with reboots under 'App and Service logs -> Microsoft -> Windows -> Security-LessPrivilegedAppContainer':

ERROR #4
Code:
Access to the a resource has been denied for a less privileged app container at 2020-01-10T22:58:57.994821800Z (StackHash: 0x842199D).

There are no errors coinciding with starting and stopping the OpenVPN connection. In regards to error #1, I checked the RuntimeBroker in 'Component Services' and 'DESKTOP-FP9UVBJ\david' still has full permissions as set. There is a related warning under "administrative events" coinciding with reboots from e1iexpress that the H/W ethernet port is down, but the OpenVPN connection is through WiFi anyway. I should have mentioned before, the OpenVPN-GUI is a running service (or daemon to me). This service is shown in 'Component Services' as 'OpenVPN Interactive Service' and as running.

I have a question for you; since scripts controlled by a remote server are potentially very dangerous are there special permissions required? Where should I look for this?

Your guidance is greatly appreciated. Thank you, Dave
 

Regedit32

Moderator
Joined
Mar 4, 2016
Messages
3,609
Reaction score
1,140
The AppContainer environment is a form of sandboxing an application to prevent malicious execution of scripts or other code.

If your OpenVPN is set up within an AppContainer, then you'll need to authorize the associated SIDs you intend to access your application.

There is documentation on this on Microsoft's site:

 
Joined
Jan 10, 2020
Messages
4
Reaction score
0
Thank you for your help. I have put this aside for the time being. I will let you know if I have success.
 
Joined
Jan 10, 2020
Messages
4
Reaction score
0
Well it turned out to be much simpler than the trail I was on! OpenVPN does not inherit the user environment and I was using %user% and %homedrive% to develop paths. Once hardcoded everything went fine. Thanks for your help Regedit32.
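The cause Dave found above, illustrated by an added example hook that is not from this thread: an OpenVPN "up" script for Windows that hard-codes its paths instead of building them from the interactive user's environment, reads the values OpenVPN hands it, and logs which account and PATH it actually ran under. The log directory is an assumption; change it to suit.

```batch
@echo off
REM Added example, not from the thread. An OpenVPN "up" hook for Windows that
REM avoids the trap described above: when the OpenVPN service runs a script,
REM %USERNAME%, %HOMEDRIVE% and %USERPROFILE% belong to the service account (or
REM are absent) and PATH is trimmed to System32, Windows and Wbem as the
REM env_block log line shows, so nothing here depends on them.

REM Assumed location for the hook's own log; adjust to suit.
set "LOGDIR=C:\ProgramData\OpenVPN\log"
set "LOGFILE=%LOGDIR%\client-tap-hook.log"
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

REM OpenVPN passes the up-script values positionally, matching the log line
REM "client-tap.cmd Tap 1500 1584 <ip> <mask> init" in the first post:
REM   %1 device  %2 tun_mtu  %3 link_mtu  %4 local IP  %5 netmask  %6 init|restart
set "DEV=%~1"
set "TUN_MTU=%~2"
set "LINK_MTU=%~3"
set "LOCAL_IP=%~4"
set "NETMASK=%~5"
set "PHASE=%~6"

>>"%LOGFILE%" echo [%DATE% %TIME%] %script_type%: dev=%DEV% mtu=%TUN_MTU%/%LINK_MTU% ip=%LOCAL_IP% mask=%NETMASK% phase=%PHASE%

REM Record the account and environment the hook really ran under. This is the
REM first thing to compare when a script works from a prompt but not from the
REM service. System tools are called by full path so a trimmed PATH cannot break them.
>>"%LOGFILE%" C:\Windows\System32\whoami.exe
>>"%LOGFILE%" echo PATH=%PATH%
>>"%LOGFILE%" echo USERPROFILE=%USERPROFILE% HOMEDRIVE=%HOMEDRIVE%

if /i "%PHASE%"=="init" (
    REM Fixed destination rather than a path built from %USERPROFILE% or %HOMEDRIVE%
    >>"%LOGDIR%\last-ip.txt" echo %LOCAL_IP% %NETMASK%
)
exit /b 0
```

Reference the hook from the client config with `up "C:\\path\\to\\client-tap.cmd"` (doubled backslashes) together with `script-security 2`, then compare the whoami and PATH lines in the log against what the same script prints from an interactive prompt.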
 
