portmaster
Portmaster keeps trying to access the registry with different scripts, and with HIPS this is annoying.
Registry key:
HKUS\LongNumberAndAlphabets\Software\Microsoft\SystemCertificates\CA\Certificates
portmaster launches cmd>powershell>bat>powershellscript>cmd
I think Portmaster executes separate commands directly through cmd.exe. Using .bat or .ps1 files may solve the issue, as those files can be whitelisted.
I have added an exception for the registry. Also, some of these may not be from Portmaster:
```powershell
-ExecutionPolicy Bypass -NoProfile -NonInteractive "[System.Console]::OutputEncoding = [System.Text.Encoding]::UTF8
Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Select-Object -First 1 | Get-NetIPConfiguration | Format-List"
-ExecutionPolicy Bypass -NoProfile -NonInteractive "[System.Console]::OutputEncoding = [System.Text.Encoding]::UTF8
Get-DnsClient -InterfaceIndex 17 | ConvertTo-Json -Depth 1"
""Get-AppxPackage | Select Name""
Start-Process -FilePath "'C:\Users\User*\AppData\Local\Temp\6ccbd36109bf7a914f80274bb76efcb9\execute.bat'" -WindowStyle hidden -Verb runAs
-ExecutionPolicy Bypass -NoProfile -NonInteractive "[System.Console]::OutputEncoding = [System.Text.Encoding]::UTF8
Get-DnsClient -InterfaceIndex 19 | ConvertTo-Json -Depth 1"
Start-Process -FilePath "'C:\Users\User*\AppData\Local\Temp\b2a2083c43cf33fe019f9dc693d88f72\execute.bat'" -WindowStyle hidden -Verb runAs
Start-Process -FilePath "'C:\Users\User\AppData\Local\Temp\76aa60852110cc334b3793207cbb4d30\execute.bat'" -WindowStyle hidden -Verb runAs
```
@dhaavi a workaround is to, instead of running commands inline, create .ps1 and .bat files which can then be whitelisted.
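As an added example (not code from this issue or from Portmaster itself), a small Go triage helper that sorts the command lines quoted above the way a HIPS exception list needs to: read-only network queries that can be whitelisted versus an elevated launch of a script from the Temp folder that should still prompt. The regexes and the `NeedsPrompt` heuristic are my own assumptions, not Portmaster's logic, and the sample lines are copied from the report (one shortened).

```go
package main

import (
	"fmt"
	"regexp"
)

// Verdict is the triage result for one captured PowerShell command line.
type Verdict struct {
	Cmdlet       string // first Verb-Noun cmdlet in the command body
	PolicyBypass bool   // launched with -ExecutionPolicy Bypass
	Elevated     bool   // Start-Process ... -Verb runAs (UAC elevation)
	TempScript   bool   // target script lives under AppData\Local\Temp
}

// Patterns are assumptions for this example, not Portmaster or HIPS rules.
var (
	cmdletRe = regexp.MustCompile(`\b(Get|Start|Set|Invoke|Remove)-[A-Za-z]+`)
	bypassRe = regexp.MustCompile(`(?i)-ExecutionPolicy\s+Bypass`)
	runAsRe  = regexp.MustCompile(`(?i)-Verb\s+runAs`)
	tempRe   = regexp.MustCompile(`(?i)\\AppData\\Local\\Temp\\`)
)

// Triage classifies a command line as it appears in a process-creation log.
func Triage(line string) Verdict {
	return Verdict{
		Cmdlet:       cmdletRe.FindString(line),
		PolicyBypass: bypassRe.MatchString(line),
		Elevated:     runAsRe.MatchString(line),
		TempScript:   tempRe.MatchString(line),
	}
}

// NeedsPrompt: plain Get-* queries are candidates for a whitelist entry;
// an elevated run of a script dropped in Temp should keep interrupting.
func NeedsPrompt(v Verdict) bool {
	return v.Elevated || v.TempScript
}

func main() {
	// Sample lines quoted from the issue; the first one is shortened.
	samples := []string{
		`-ExecutionPolicy Bypass -NoProfile -NonInteractive "Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Select-Object -First 1 | Get-NetIPConfiguration | Format-List"`,
		`-ExecutionPolicy Bypass -NoProfile -NonInteractive "Get-DnsClient -InterfaceIndex 17 | ConvertTo-Json -Depth 1"`,
		`Get-AppxPackage | Select Name`,
		`Start-Process -FilePath "'C:\Users\User\AppData\Local\Temp\76aa60852110cc334b3793207cbb4d30\execute.bat'" -WindowStyle hidden -Verb runAs`,
	}
	for _, s := range samples {
		v := Triage(s)
		fmt.Printf("%-16s bypass=%-5v elevated=%-5v temp=%-5v prompt=%v\n",
			v.Cmdlet, v.PolicyBypass, v.Elevated, v.TempScript, NeedsPrompt(v))
	}
}
```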
Hey @Rexadev, thanks for raising this issue!
Can you elaborate on this?
- What exactly is it that you see is accessed?
- Can you pinpoint who accesses it? (we don't directly)
- How does this manifest to you that you feel it is annoying?
Please list all instances (exact PowerShell command, registry entry), so we can investigate.
Auto-closing this issue after waiting for input for a month. If anyone finds the time to provide the requested information, please re-open the issue and we will continue handling it.
@dhaavi please reopen this