3. Reading AppLocker Entries
Reading the AppLocker entries means locating the entries in the registry and then parsing them. You have no way of knowing how many entries the registry will contain (if it contains any entries at all). Example 2 parses the entries without assuming that the registry contains any.
Example 2. Reading the AppLocker entries from a known location
using System;
using System.Windows.Forms;
using System.Xml;
using Microsoft.Win32;

private void btnList_Click(object sender, EventArgs e)
{
    // Clear the previous entries.
    lstEntries.Items.Clear();

    // Open the AppLocker registry key.
    RegistryKey AppLock = Registry.LocalMachine.OpenSubKey(
        @"SOFTWARE\Policies\Microsoft\Windows\SrpV2");

    // OpenSubKey() returns null when the key does not exist (no AppLocker
    // policy on this system), so there is nothing to list.
    if (AppLock == null)
        return;

    // Obtain the kinds of entries that the application can create.
    String[] EntryTypes = AppLock.GetSubKeyNames();

    // Process each entry in turn.
    foreach (String EntryType in EntryTypes)
    {
        // Display the entry type.
        lstEntries.Items.Add(EntryType);

        // Open the associated subkey.
        RegistryKey ThisType = AppLock.OpenSubKey(EntryType);

        // Obtain a list of entries within the type.
        String[] AppLockEntries = ThisType.GetSubKeyNames();

        // Process each of the individual entries.
        foreach (String AppLockEntry in AppLockEntries)
        {
            // Display the individual entry GUID.
            lstEntries.Items.Add("\t" + AppLockEntry);

            // Open the individual entry.
            RegistryKey ThisEntry = ThisType.OpenSubKey(AppLockEntry);

            // Obtain the XML value of the entry; skip entries that have none.
            Object RuleXml = ThisEntry.GetValue("Value");
            if (RuleXml == null)
            {
                ThisEntry.Close();
                continue;
            }
            XmlDocument Entry = new XmlDocument();
            Entry.LoadXml(RuleXml.ToString());

            // Obtain the root element (the <FilePublisherRule> or other rule
            // element). DocumentElement skips any XML declaration, which
            // FirstChild would return instead.
            XmlNode TheRule = Entry.DocumentElement;

            // Display the overall rule values.
            lstEntries.Items.Add("\t\tName: " + TheRule.Attributes["Name"].Value);
            lstEntries.Items.Add("\t\tDescription: " + TheRule.Attributes["Description"].Value);
            lstEntries.Items.Add("\t\tGroup or User SID: " + TheRule.Attributes["UserOrGroupSid"].Value);
            lstEntries.Items.Add("\t\tAction: " + TheRule.Attributes["Action"].Value);

            // Obtain the <Conditions> element.
            XmlNode Conditions = TheRule.FirstChild;

            // Examine the conditions.
            foreach (XmlNode Condition in Conditions)
            {
                // Display the attributes for each condition.
                foreach (XmlAttribute Specification in Condition.Attributes)
                {
                    // Show the attribute information.
                    lstEntries.Items.Add("\t\t\t" + Specification.Name + ": " + Specification.Value);
                }
            }

            // Close the individual entry.
            ThisEntry.Close();

            // Add a space.
            lstEntries.Items.Add("");
        }

        // Close the entry type.
        ThisType.Close();

        // Add a space.
        lstEntries.Items.Add("");
    }

    // Close the main key.
    AppLock.Close();
}
The example begins by clearing the previous list box entries. It then opens the one key that you can depend on to find AppLocker entries, assuming the target system supports AppLocker. The AppLock object contains a handle to the registry entry after the code calls OpenSubKey() using the Registry.LocalMachine property. The code calls GetSubKeyNames() to obtain a list of entries and places them in EntryTypes (the array should contain the Dll, Exe, Msi, and Script key names). Because Microsoft could decide to change the format of the registry entries, the code uses a foreach loop to parse through whatever entries appear in the EntryTypes String array.
At this point, the code opens a subkey, such as Dll, for processing by calling OpenSubKey(). The code uses the GetSubKeyNames() call to place a list of GUID entries in AppLockEntries. It uses a second foreach loop to process each of the GUID entries that appear as subkeys of EntryType.
As previously mentioned, each GUID entry contains a value named Value that contains XML describing the rule used to define an exception. The code begins by creating an XmlDocument object, Entry, and placing the XML in it by calling LoadXml(). The code processes the XML as you would any XML document. It begins by accessing the <FilePublisherRule> or other rule element, listing the attributes in this element, and then working through the <Conditions> element. The precise order of processing depends on the rule. Figure 2 shows typical output from this example.
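The same walk of the SrpV2 tree (rule collection, GUID subkey, Value string) and the same rule XML parsing in Python, as an added example that is not the article's code. SAMPLE_SRPV2, its GUIDs and the Example Corp publisher are constructed stand-ins for the registry data so the code runs offline, and wildcard_allow_rules is an added audit helper that the article does not describe.

```python
r"""Parse AppLocker rules as stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2.
Added example, not the article's code; SAMPLE_SRPV2 is a constructed stand-in for the
registry tree (collection -> rule GUID -> REG_SZ 'Value') so the parser runs offline."""
import xml.etree.ElementTree as ET

SAMPLE_SRPV2 = {
    "Exe": {
        "{00000000-0000-0000-0000-000000000001}":
            '<FilePathRule Id="{00000000-0000-0000-0000-000000000001}" Name="(Default Rule) '
            'All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">'
            '<Conditions><FilePathCondition Path="*"/></Conditions></FilePathRule>',
        "{00000000-0000-0000-0000-000000000002}": None,  # GUID subkey with no 'Value' data
    },
    "Msi": {
        "{00000000-0000-0000-0000-000000000003}":
            '<?xml version="1.0"?><FilePublisherRule Id="{00000000-0000-0000-0000-000000000003}" '
            'Name="Block Example Corp installers" Description="" UserOrGroupSid="S-1-1-0" '
            'Action="Deny"><Conditions><FilePublisherCondition PublisherName="O=EXAMPLE CORP, '
            'C=US" ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="*" '
            'HighSection="*"/></FilePublisherCondition></Conditions></FilePublisherRule>',
    },
}

def parse_condition(node):
    """Flatten one condition; a FilePublisherCondition nests a BinaryVersionRange child."""
    return {"type": node.tag, **node.attrib, "children": [parse_condition(c) for c in node]}

def parse_rule(xml_text):
    """Rule attributes and conditions; a leading XML declaration is skipped by fromstring()
    and root.get() yields None for an absent attribute instead of raising."""
    root = ET.fromstring(xml_text)
    rule = {"type": root.tag, "id": root.get("Id")}
    for attr in ("Name", "Description", "UserOrGroupSid", "Action"):
        rule[attr] = root.get(attr)
    conditions = root.find("Conditions")
    rule["conditions"] = [] if conditions is None else [parse_condition(c) for c in conditions]
    return rule

def read_entries(srpv2):
    """Walk collection -> GUID -> Value; srpv2 is None when the SrpV2 key does not exist."""
    rules = []
    for collection, entries in (srpv2 or {}).items():
        for guid, value in entries.items():
            if value:  # a GUID subkey without rule XML has nothing to parse
                rules.append({"collection": collection, "guid": guid, **parse_rule(value)})
    return rules

def wildcard_allow_rules(rules):
    """Audit helper: Allow rules with a FilePathCondition of '*' admit any file for that SID."""
    return [r["guid"] for r in rules if r["Action"] == "Allow" and any(
        c["type"] == "FilePathCondition" and c.get("Path") == "*" for c in r["conditions"])]
```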