@GossiTheDog I guess that's the reason why Spotify isn't working properly right now.
@HonkHase
Unfortunately a lot of vague talk, little substance, and oversimplified 😔
@wdormann @GossiTheDog
Sorry, I should have looked at the script first.
Sami Laiho posted a link on twitter concerning c:\inetpub
(CVE-2025-21204)
https://securityonline.info/cve-2025-21204-system-level-privilege-escalation-in-windows-update-stack-exposed-poc-released/
That page doesn't load in my Firefox. But this does: https://cyberdom.blog/abusing-the-windows-update-stack-to-gain-system-access-cve-2025-21204/
I don't understand why Microsoft doesn't instead enable the process mitigations?
https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-process-mitigation-redirection-trust-policy
@GossiTheDog @wdormann
@wdormann @GossiTheDog
Encountered the same error. I used sysinternals junction to create the directory. The error is logged in c:\windows\logs\cbs\cbs.log
@wdormann @GossiTheDog Could you use a junction instead?
@wdormann
If the driver was blocked by the hvci feature and not the block list the codeintegrity eventlog will contain errors with eventid 3111.
@wdormann Maybe the drivers were blocked by HVCI and not by the block list. This should be easy to verify using the hvciscan tool from MSFT:
https://answers.microsoft.com/en-us/windows/forum/all/check-incompatible-device-system-drivers-for-hvci/d5bd48a6-0953-4dae-85dc-334bddd24e5a
(The reason I reply to your thread today is because I activated HVCI, ran into issues and recalled you posting about it some days ago. Wish me luck 😅)
@wdormann Also I'm not sure if the FilePath attrib can be used to explicitly block (instead of allow) a binary? But more importantly FilePath rules according to the documentation only apply to user mode binaries:
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create#table-2-app-control-for-business-policy---file-rule-levels
However, if this is the reason for MSFT's response, they should have pointed it out.
@wdormann First off, thanks a lot for posting all those insights! I'm trying to figure out how WDAC and HVCI work, and posts like these are great for that.
I think that the FileName attrib doesn't reference the file name in the file system but the "OriginalFilename" of the PE file (part of the header). And changing that shouldn't be possible without breaking the signature.
Fascinating footage of a human white blood cell chasing a bacterium captured through a microscope.
Credit: David Rogers
Source: https://embryology.med.unsw.edu.au/embryology/index.php/Movie_-_Neutrophil_chasing_bacteria
Anthropic (Claude LLM) AI Company doesn’t want people using AI for their resumes or any part of Interview for software developer or IT jobs at their office. How ironic? LOL. The company says AI tools are flooding their system with bogus résumés and too many applicants. They can't find real talent even using their own AI system where candidates lie about their skills when resumes are created by AI.
@0xabad1dea
As someone who has to deal with Microsoft services on a daily basis: I share your pain 😔
@kevinrothrock
I'm missing the Anglophone Russia list already.