
Hard Coded Path and AppLocker

Posted: 11.08.2017, 09:43
by romanf
Hi everyone,

Did I notice correctly that WSUSOffline will ONLY run if

- it is executed from C:\WSUSOFFLINE *and*
- AppLocker is not active?

Would it be possible to change WSUSOffline in a way to get rid of these two restrictions? :)

Thanks
Roman

Re: Hard Coded Path and AppLocker

Posted: 11.08.2017, 12:08
by aker
You may store wsusou where you want.
But remember that there are no special characters such as "!" or similar in the path. Also the path must not be longer than 192 characters.

I never worked with AppLocker before, but wsusou has to be able to run all binaries and scripts inside its "bin" and "cmd" directories.
Also, wsusou will create some executable scripts (%temp%\SetSystemEnvVars.cmd, %temp%\SetFileVersion.cmd, ...) that it needs to execute.

Re: Hard Coded Path and AppLocker

Posted: 11.08.2017, 12:16
by romanf
Hi aker,

Thanks for your reply!

Does "no special characters in path" also include spaces? I tried to put it under c:\program files\ ... and there it didn't work. :(

AppLocker prevents execution of binaries and scripts outside of configured directories. It's one measure for in-depth security. Would it be possible to change WSUSOU so that the generated scripts are dropped in a subdir of its working dir and only in %temp% if it doesn't have the permissions to write in its working dir?

Rgds
Roman

Re: Hard Coded Path and AppLocker

Posted: 11.08.2017, 15:41
by Dalai
romanf wrote: Does "no special characters in path" also include spaces?

No, it doesn't. I've been having WSUS Offline in a path with spaces for years and it works just fine.

romanf wrote: I tried to put it under c:\program files\ ... and there it didn't work. :(

"Didn't work" means what exactly? Which error messages did you get (if any)? Do you have write permissions in this directory (i.e. did you run WSUS Offline as admin)?

Regards
Dalai

Re: Hard Coded Path and AppLocker

Posted: 13.08.2017, 23:23
by boco
Using protected OS directories for such purposes (writing files into them) isn't recommended. Windows will prevent any write access to the directories unless the application is started as Administrator (also not recommended as it's a potential attack vector).

Re: Hard Coded Path and AppLocker

Posted: 14.08.2017, 22:09
by aker
You may try this to redirect your TEMP-path:
- create a folder named "tmp" in your wsusou-dir
- rename .\cmd\custom\InitializationHook.cmdt to InitializationHook.cmd (just remove the "t" from the extension)
- open the file in an editor and put this content inside:
Code:
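rem Resolve the wsusou root directory (two levels above cmd\custom)
cd /d "%~dp0..\.."
set "WSUSOU_DIR=%cd%"
cd /d "%~dp0"
rem Stop if the "tmp" folder has not been created
if not exist "%WSUSOU_DIR%\tmp" (
   exit /b 1
)
rem Redirect TEMP so the generated scripts land inside the wsusou directory
set "TEMP=%WSUSOU_DIR%\tmp"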


For UpdateInstaller do the same with .\client\cmd\custom\InitializationHook.cmdt
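
A pre-flight check for the setup discussed in this thread, as an added example that is not part of the original posts or of WSUS Offline: it verifies the path constraints aker mentions, the presence of the "tmp" folder, and whether the effective AppLocker policy allows the files under "bin", "cmd" and the redirected "tmp". The install path C:\Tools\wsusoffline and the probe file name are assumptions.

```powershell
# Added example, not part of WSUS Offline. The default path is a placeholder.
param([string]$WsusouDir = 'C:\Tools\wsusoffline')
$problems = @()

# Path constraints stated in the thread: no "!" and at most 192 characters.
if ($WsusouDir.Contains('!'))  { $problems += 'Path contains "!"' }
if ($WsusouDir.Length -gt 192) { $problems += "Path has $($WsusouDir.Length) characters (limit 192)" }

# The InitializationHook.cmd from the thread exits with code 1 when "tmp" is missing.
$tmpDir = Join-Path $WsusouDir 'tmp'
$tmpOk  = Test-Path -LiteralPath $tmpDir -PathType Container
if (-not $tmpOk) { $problems += "Missing folder: $tmpDir" }

# Files AppLocker must allow: binaries and scripts under bin and cmd.
# The extension list is the set covered by AppLocker executable and script rules.
$extensions = '.exe', '.com', '.cmd', '.bat', '.vbs', '.js', '.ps1'
$targets = @()
foreach ($sub in 'bin', 'cmd') {
    $dir = Join-Path $WsusouDir $sub
    if (Test-Path -LiteralPath $dir -PathType Container) {
        $targets += @(Get-ChildItem -LiteralPath $dir -Recurse -File |
            Where-Object { $_.Extension -in $extensions } |
            ForEach-Object { $_.FullName })
    } else { $problems += "Missing folder: $dir" }
}

# A probe script (hypothetical name) stands in for the .cmd files that wsusou
# generates in TEMP at run time, which do not exist yet.
$probe = $null
if ($tmpOk) {
    $probe = Join-Path $tmpDir 'applocker-probe.cmd'
    Set-Content -LiteralPath $probe -Value 'rem AppLocker probe'
    $targets += $probe
}

# Evaluate the effective policy for the account that will run wsusou.
if ($targets) {
    $user = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $denied = Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $targets -User $user |
        Where-Object { $_.PolicyDecision -ne 'Allowed' }
    foreach ($d in $denied) { $problems += "$($d.PolicyDecision): $($d.FilePath)" }
}
if ($probe) { Remove-Item -LiteralPath $probe }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Path constraints met; AppLocker allows all checked files.'
```

If the AppLocker path rule is extended to cover the wsusou folder, keep that folder and its "tmp" subfolder writable only by the account that runs wsusou, because a path rule that allows execution from a location other users can write to weakens the policy.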