
Exploit Guard Process Mitigations (Windows)

A list of Microsoft Exploit Guard-related software and configurations, along with other notes. Primarily process mitigation configuration.

You can apply these settings to your Windows system by running the following commands, or by running the install.ps1 script. Note that both require Administrator privileges.

(New-Object System.Net.WebClient).DownloadFile("https://github.com/gwillgues/Exploit-Guard-Config/raw/main/win_proc_mitigations.xml", "C:\Windows\Temp\win_proc_mitigations.xml")

Set-ProcessMitigation -PolicyFilePath "C:\Windows\Temp\win_proc_mitigations.xml"

Location of Process Mitigation settings in Registry

The Process Mitigation settings can be found under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\. Under that key there is a list of sub-keys named after the executables that have mitigations applied. The actual mitigation settings are stored in a binary format. I still need to find what each component of the binary format actually signifies.
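The install steps above download the policy and apply it without checking what was fetched or what actually landed on the system. The following is an added example, not part of the original README or the repository's install.ps1: it downloads the same policy file, refuses to apply it unless its SHA-256 matches a value you recorded when reviewing it (the placeholder hash is an assumption to be replaced), applies it, and then confirms the result two ways, via Get-ProcessMitigation for each executable named in the XML and via the Image File Execution Options sub-keys described above. It assumes the policy uses the standard MitigationPolicy/AppConfig layout that Set-ProcessMitigation consumes and that the registry value names are MitigationOptions and MitigationAuditOptions. Run it from an elevated PowerShell session.

```powershell
# Added example (not the README's or the repo's own code). Requires elevation.
# ASSUMPTION: $Expected is a placeholder; replace it with the SHA-256 of the
# policy revision you reviewed.
$Url      = 'https://github.com/gwillgues/Exploit-Guard-Config/raw/main/win_proc_mitigations.xml'
$Path     = Join-Path $env:SystemRoot 'Temp\win_proc_mitigations.xml'
$Expected = 'REPLACE_WITH_SHA256_OF_REVIEWED_POLICY'

Invoke-WebRequest -Uri $Url -OutFile $Path -UseBasicParsing

# Refuse to apply anything other than the reviewed revision.
$actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
if ($actual -ne $Expected) {
    throw "Policy hash mismatch: got $actual, expected $Expected. Not applying."
}

# Collect the executables the policy targets so each can be verified afterwards.
# ASSUMPTION: standard <MitigationPolicy><AppConfig Executable="..."> layout.
[xml]$policy = Get-Content -Path $Path -Raw
$targets = @($policy.MitigationPolicy.AppConfig | ForEach-Object { $_.Executable })

Set-ProcessMitigation -PolicyFilePath $Path

# Check 1: what the cmdlet now reports per executable (child-process node shown).
foreach ($exe in $targets) {
    $m = Get-ProcessMitigation -Name $exe
    [pscustomobject]@{
        Executable                   = $exe
        DisallowChildProcessCreation = $m.ChildProcess.DisallowChildProcessCreation
        ChildProcessAudit            = $m.ChildProcess.Audit
    }
}

# Check 2: which IFEO sub-keys now carry mitigation values (raw hex, undecoded).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    if ($null -ne $props.MitigationOptions) {
        [pscustomobject]@{
            Executable        = $_.PSChildName
            MitigationOptions = ($props.MitigationOptions | ForEach-Object { $_.ToString('x2') }) -join ''
            AuditOptions      = if ($null -ne $props.MitigationAuditOptions) {
                                    ($props.MitigationAuditOptions | ForEach-Object { $_.ToString('x2') }) -join ''
                                } else { '' }
        }
    }
}
```

The second check only lists the raw bytes; it does not attempt to decode them, since the README has not yet established what each field means.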

Process Mitigation Auditing in Windows Event Log

Actions blocked by Exploit Guard Process Mitigations, or actions blocked only in audit mode (logs but doesn't actually block), can be found in the Windows Event Log.

The logs are in the Event Log under Applications and Services Logs -> Microsoft -> Windows -> Security-Mitigations -> Kernel.

You can get the list of events from PowerShell with the following command:

Get-WinEvent -ProviderName Microsoft-Windows-Security-Mitigations

An example of a process action being blocked:

Process '\Device\HarddiskVolume1\Program Files\Microsoft Office\root\Office16\EXCEL.EXE' (PID 7000) was blocked from creating a child process 'C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe' with command line '"C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe" 7500 7496 55fa64db-5ed7-48e2-abe7-922d863949ad 1 --logfile "C:\Users\rootuser\AppData\Local\Temp\PowerQuery\ContainerLogs\3245bbd1-f910-4d5c-9f82-b039c8f41324.log" '. 

An example of a setting in audit mode that would have caused an action to be blocked:

Process '\Device\HarddiskVolume1\Windows\System32\svchost.exe' (PID 3668) would have been blocked from generating dynamic code.

Note that the actual block log says "was blocked from", while the audit mode log says "would have been blocked".
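Telling enforced blocks apart from audit-only hits by hand gets tedious once the log fills up. The following is an added example, not code from the README, that wraps the Get-WinEvent command above: it parses each Security-Mitigations message for the process path, PID and the action phrase, labels it Block or Audit by the exact wording the README points out ("was blocked from" versus "would have been blocked"), and summarises the counts per process and action. The two sample messages at the bottom are constructed from the README's examples (paths shortened) so the parser can be exercised on a machine without these events; the live query is commented out.

```powershell
# Added example (not the README's own code). Run on the host where the
# mitigations are applied to query its own event log.

# Block vs. audit, decided purely by the message wording the README describes.
function Get-MitigationVerdict {
    param([Parameter(Mandatory)][string]$Message)
    if ($Message -match 'would have been blocked') { return 'Audit' }
    if ($Message -match 'was blocked from')        { return 'Block' }
    return 'Other'
}

# Pull the process path, PID and action phrase out of a Security-Mitigations message.
function ConvertFrom-MitigationMessage {
    param([Parameter(Mandatory)][string]$Message)
    $m = [regex]::Match($Message,
        "^Process '(?<path>[^']+)' \(PID (?<pid>\d+)\) (?:was|would have been) blocked from (?<action>[^.']+)")
    [pscustomobject]@{
        Verdict = Get-MitigationVerdict -Message $Message
        Process = if ($m.Success) { Split-Path -Leaf $m.Groups['path'].Value } else { $null }
        PID     = if ($m.Success) { [int]$m.Groups['pid'].Value } else { $null }
        Action  = if ($m.Success) { $m.Groups['action'].Value.Trim() } else { $Message }
    }
}

# Live summary: how often each process hit each mitigation, and whether it was enforced.
function Get-MitigationSummary {
    param([int]$MaxEvents = 500)
    Get-WinEvent -ProviderName Microsoft-Windows-Security-Mitigations -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-MitigationMessage -Message $_.Message } |
        Group-Object Verdict, Process, Action |
        Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'Verdict'; e = { $_.Group[0].Verdict } },
                      @{ n = 'Process'; e = { $_.Group[0].Process } },
                      @{ n = 'Action';  e = { $_.Group[0].Action } }
}

# Constructed samples based on the README's two example messages (paths shortened).
$samples = @(
    "Process '\Device\HarddiskVolume1\Program Files\Microsoft Office\root\Office16\EXCEL.EXE' (PID 7000) was blocked from creating a child process 'C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft.Mashup.Container.Loader.exe' with command line 'constructed'.",
    "Process '\Device\HarddiskVolume1\Windows\System32\svchost.exe' (PID 3668) would have been blocked from generating dynamic code."
)
$samples | ForEach-Object { ConvertFrom-MitigationMessage -Message $_ } | Format-Table -AutoSize
# Expected: EXCEL.EXE / 7000 / Block / "creating a child process", then
#           svchost.exe / 3668 / Audit / "generating dynamic code".

# Live query against the local event log:
# Get-MitigationSummary | Format-Table -AutoSize
```

A steady stream of Audit entries for one process and action is the signal that flipping that mitigation to enforce mode will break something; zero Audit entries over a representative period is the evidence you want before enforcing.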

Disable Child Process Creation

If Disable Child Process Creation is enabled for a process, the process may still run but some functionality may be missing. For example, with excel.exe you will be unable to load exceedingly large Excel spreadsheets, because Excel is unable to launch a child process of itself. For some reason it wants to launch a new instance of itself with the command line "excel.exe -embedding". You also may be unable to export or import data to/from other formats using Excel, due to the lack of child process creation capabilities.

With Microsoft Word the same applies: you will be unable to export data if the child process setting is enabled.

With Outlook, Disable Child Process Creation also works, but certain functionality will simply not work. For example, you will be unable to create new signatures in Outlook if this setting is enabled (and probably more).

A very nice addition that Microsoft should make is the ability to allow child process creation only when the child process name matches known-good binary names that are expected for that parent process.
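Until that per-child allow list exists, the practical way to find out which children Excel, Word and Outlook actually spawn is to run the child-process mitigation in audit mode for a while and read the answer out of the event log. The following is an added example, not code from the README or the repository: it switches the three Office binaries from block to audit for child process creation, then builds an inventory of observed parent/child pairs from the "blocked from creating a child process" messages, which is exactly the known-good list you would want before enforcing. It assumes the mitigation names AuditChildProcess and DisallowChildProcessCreation as accepted by Set-ProcessMitigation's -Enable and -Disable parameters; run it from an elevated session.

```powershell
# Added example (not the README's or the repo's own code). Requires elevation.
# ASSUMPTION: mitigation names AuditChildProcess / DisallowChildProcessCreation
# as listed for Set-ProcessMitigation -Enable / -Disable.

$apps = 'excel.exe', 'winword.exe', 'outlook.exe'

# Put the child-process mitigation into audit mode: events are logged, nothing is blocked.
function Enable-ChildProcessAudit {
    param([string[]]$Executable)
    foreach ($exe in $Executable) {
        Set-ProcessMitigation -Name $exe -Disable DisallowChildProcessCreation
        Set-ProcessMitigation -Name $exe -Enable  AuditChildProcess
    }
}

# Inventory of parent -> child pairs seen in Security-Mitigations events since $Since.
function Get-ObservedChildren {
    param([string[]]$Executable, [datetime]$Since = (Get-Date).AddDays(-7))
    $pattern = "^Process '(?<parent>[^']+)' \(PID \d+\) (?:was|would have been) blocked from creating a child process '(?<child>[^']+)'"
    Get-WinEvent -FilterHashtable @{ ProviderName = 'Microsoft-Windows-Security-Mitigations'; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = [regex]::Match($_.Message, $pattern)
            if ($m.Success) {
                [pscustomobject]@{
                    Parent = (Split-Path -Leaf $m.Groups['parent'].Value).ToLower()
                    Child  = $m.Groups['child'].Value
                    Mode   = if ($_.Message -match 'would have been') { 'Audit' } else { 'Block' }
                }
            }
        } |
        Where-Object { $Executable -contains $_.Parent } |
        Group-Object Parent, Child |
        Select-Object Count,
                      @{ n = 'Parent'; e = { $_.Group[0].Parent } },
                      @{ n = 'Child';  e = { $_.Group[0].Child } },
                      @{ n = 'Mode';   e = { $_.Group[0].Mode } } |
        Sort-Object Count -Descending
}

Enable-ChildProcessAudit -Executable $apps
# Use Office normally for a representative period (large workbooks, import/export,
# Outlook signatures), then review what each application actually launched:
Get-ObservedChildren -Executable $apps | Format-Table -AutoSize
```

Rows with Mode = Block come from any period where enforcement was already on; rows with Mode = Audit are the ones collected by this run. If the inventory is nothing but Office's own binaries under the Office install path, enforcing DisallowChildProcessCreation will cost exactly the functionality listed above and nothing else; an unexpected child is worth investigating before deciding either way.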
