Welcome to the Privilege Authority Community

PrivilegeAuthority is a product from ScriptLogic that allows administrators to elevate privileges for specific programs, windows features or ActiveX controls, without running every user as an administrator.

Privilege Authority provides a powerful, flexible way to tighten overall security on a workstation, without preventing people from doing their jobs. It is available from scriptlogic.com and other popular download sites as a Professional edition and a free community edition.

Professional edition includes additional security capabilities and technical support from ScriptLogic. This community is for all Privilege Authority users to collaborate, brainstorm new elevation rules, share rules with other users, and provide bug reports and enhancement requests back to ScriptLogic.

Unable to elevate .exe from a shared folder
Last Post 20 Feb 2012 01:53 PM by frenchyyy. 7 Replies.
frenchyyy (New Member, Posts: 5)
18 Jan 2012 03:44 PM
I am completing some testing with Privilege Authority in a lab environment before I propose it as a solution for our network.

I have configured the following computers on a domain named, 'spicy.net':

Domain Controller | SPICY-DC01 | Windows Server 2008 R2
Application Server | SPICY-AS01 | Windows Server 2008 R2
Client | SPICY-CL01 | Windows 7 Enterprise x64

I've installed PA on the application server and the PA client on the Win 7 client.

In PA, I've configured a GPO named, 'Allow standard user to install approved applications'. I linked the GPO to the OU which contains the user logged in to the Win 7 client. In PA, I created a rule in the GPO, which is configured as follows:

Apply rule 'By Folder Path'.
Folder: \\SPICY-DC01\Approved software packages
'Apply settings to sub folders' is enabled.
'Apply settings to child processes' is enabled.
The built-in Administrator security group has been added to the rule.

The above folder on the DC is shared, and the Win 7 client can access the share or map it as a network drive.

I've confirmed in the registry that the rule has been applied to the client. If I copy the .exe to a folder on the client, and change the folder path in the above rule to the client's local folder path, the elevation works without any problems.

Does anyone have any advice on how I can get this rule to work? Is the folder path, '\\SPICY-DC01\Approved software packages', the correct way to write the folder path for the shared folder?

Any help would be much appreciated.
Don Reynolds (ScriptLogic) (Posts: 61)
20 Jan 2012 06:18 PM
How are the apps launched on the client: are they launched using a mapped drive letter, or are they launched using the UNC path to the folder?
frenchyyy (New Member, Posts: 5)
27 Jan 2012 02:24 PM
Hi Don,

The apps are launched via the mapped drive letter. If I delete the mapped drive and launch the apps via the UNC path, it works.

Regards,

David
Don Reynolds (ScriptLogic) (Posts: 61)
27 Jan 2012 02:37 PM
Hello David,

Since the end users are launching the app via mapped drive, modify the rule to specify the mapped drive letter instead of the UNC path. Let me know if that works.

~Don
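David's observation (the rule works when the installer is launched by UNC path but not from a mapped drive) and Don's advice (put the drive letter in the rule instead) both come down to how a "By Folder Path" rule is compared with the path of the new process. The following Python model is an added illustration, not ScriptLogic code; it assumes the matching behaviour visible in the CSEHostEngine log later in this thread (case-insensitive comparison of the process's folder against the rule folder, with "Recursive" meaning any subfolder), and the Z: drive mapping in DRIVE_MAP is a constructed stand-in for the lab's mapped drive, which the thread does not name.

```python
import ntpath  # Windows path semantics regardless of the host OS

# Constructed assumption: the client maps Z: to the approved-software share.
DRIVE_MAP = {"Z:": r"\\SPICY-DC01\Approved software packages"}

# The rule folder from the first post, written as a UNC path.
RULE_FOLDER = r"\\SPICY-DC01\Approved software packages"


def normalize(folder):
    """Lower-case, fix separators and force one trailing backslash so two
    spellings of the same folder compare equal (the log shows lower-case
    comparison of '\\spicy-dc01\software packages\')."""
    return ntpath.normcase(folder).rstrip("\\") + "\\"


def resolve_mapped_drive(path, drive_map=DRIVE_MAP):
    """Rewrite a drive-letter path to the UNC path it is mapped to.
    UNC paths and unmapped drives are returned unchanged."""
    drive, rest = ntpath.splitdrive(path)
    target = drive_map.get(drive.upper())
    return path if target is None else target + rest


def folder_rule_matches(exe_path, rule_folder, recursive=True, resolve=False):
    """Model of a 'By Folder Path' rule: does the folder containing exe_path
    fall under rule_folder? With resolve=False a mapped-drive launch is
    compared literally, so 'Z:\...' never matches a '\\server\share\...' rule;
    with resolve=True the drive letter is first translated to its UNC target."""
    if resolve:
        exe_path = resolve_mapped_drive(exe_path)
    exe_dir = normalize(ntpath.dirname(exe_path))
    rule = normalize(rule_folder)
    return exe_dir.startswith(rule) if recursive else exe_dir == rule


if __name__ == "__main__":
    unc_launch = r"\\SPICY-DC01\Approved software packages\Reader\setup.exe"
    mapped_launch = r"Z:\Reader\setup.exe"
    print("UNC launch vs UNC rule:       ", folder_rule_matches(unc_launch, RULE_FOLDER))
    print("Mapped launch vs UNC rule:    ", folder_rule_matches(mapped_launch, RULE_FOLDER))
    print("Mapped launch, drive resolved:", folder_rule_matches(mapped_launch, RULE_FOLDER, resolve=True))
    print("Mapped launch vs Z:\\ rule:    ", folder_rule_matches(mapped_launch, "Z:\\"))
```

The two options that work in this model are the two that came up in the thread: launch by UNC (so the process path and the rule spell the folder the same way), or write the rule with the drive letter the users actually launch from. Resolving the drive mapping inside the matcher is only shown to make the gap visible; whether the real engine does any such translation is not established by this thread.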
frenchyyy (New Member, Posts: 5)
16 Feb 2012 02:21 PM
I have decided to use UNC paths only for my PA rules, and abandon the mapped drive route.

I created a GPO using PA. I created a folder path rule in the GPO so that files in a UNC path are elevated. I applied the built-in administrator security token to the rule.

The UNC path specifies a shared folder location.

I linked the GPO to an OU, which contains a test user. I executed the 'gpresult /h gpresult.html' command on the client to generate a report. I can see that the PA GPO has been applied to the client.

All was working well for a day or so, and suddenly the elevation is no longer being provided. I can see that the GPO is still being applied to the client, and the PA client is running. What should I check next?
frenchyyy (New Member, Posts: 5)
16 Feb 2012 03:58 PM
Here is the CSEHostEngine log to assist troubleshooting:

16/02 15:48:41.254 | SENSLogonSink.cpp(54) | 364 | NONE | OnUserLogon SPICY\toby.lerone - starting
16/02 15:48:41.254 | LogonMonitor.cpp(287) | 1560 | NONE | User logon detected: sessionid=2 UserSID=S-1-5-21-2043219864-3882970144-2193913019-1106
16/02 15:48:41.254 | PolicyManager.cpp(214) | 1560 | NONE | CPolicyManager::OnLogonEvent - starting
16/02 15:48:41.254 | PolicyManager.cpp(231) | 1560 | NONE | Activating policies for user: sessionid=2 sid=S-1-5-21-2043219864-3882970144-2193913019-1106
16/02 15:48:41.254 | PolicyManager.cpp(270) | 1560 | NONE | ActivatePolicies: policySid='S-1-5-21-2043219864-3882970144-2193913019-1106' - starting
16/02 15:48:41.254 | PolicyManager.cpp(320) | 1560 | NONE | ActivateAction: policySid=S-1-5-21-2043219864-3882970144-2193913019-1106; policyId=F9F0D031-4123-4EDF-8FB3-6164DFDCF68E; actionId=0 - starting
16/02 15:48:41.254 | ProcessMonitor.cpp(181) | 1560 | NONE | CProcessMonitor::Initialize - starting
16/02 15:48:41.254 | SENSLogonSink.cpp(54) | 364 | NONE | OnUserLogon SPICY\toby.lerone - succeeded (0 ms)
16/02 15:48:41.519 | ProcessMonitor.cpp(157) | 1560 | NONE | Registering GPEProcessMonitor singleton in GIT - starting
16/02 15:48:41.519 | ProcessMonitor.cpp(157) | 1560 | NONE | Registering GPEProcessMonitor singleton in GIT - succeeded (0 ms)
16/02 15:48:41.582 | DeferredAction.h(206) | 1560 | DBG | Thread 2188 is created for deferred action servicing
16/02 15:48:41.582 | ProcessMonitor.cpp(181) | 1560 | NONE | CProcessMonitor::Initialize - succeeded (328 ms)
16/02 15:48:41.582 | StringExpander.cpp(557) | 1560 | NONE | Adding environment strings to string expander - starting
16/02 15:48:41.597 | StringExpander.cpp(557) | 1560 | NONE | Adding environment strings to string expander - succeeded (15 ms)
16/02 15:48:41.597 | StringExpander.cpp(678) | 1560 | DBG | <<Expanded: '\\spicy-dc01\software packages\' -> '\\spicy-dc01\software packages\' by NT AUTHORITY\SYSTEM
16/02 15:48:41.597 | StringExpander.cpp(557) | 1560 | NONE | Adding environment strings to string expander - starting
16/02 15:48:41.597 | StringExpander.cpp(557) | 1560 | NONE | Adding environment strings to string expander - succeeded (0 ms)
16/02 15:48:41.597 | StringExpander.cpp(557) | 1560 | NONE | Adding environment strings to string expander - starting
16/02 15:48:41.597 | StringExpander.cpp(557) | 1560 | NONE | Adding environment strings to string expander - succeeded (0 ms)
16/02 15:48:41.597 | StringExpander.cpp(557) | 1560 | NONE | Adding environment strings to string expander - starting
16/02 15:48:41.597 | StringExpander.cpp(557) | 1560 | NONE | Adding environment strings to string expander - succeeded (0 ms)
16/02 15:48:41.597 | ActiveAction.cpp(65) | 1560 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
16/02 15:48:41.597 | PolicyManager.cpp(320) | 1560 | NONE | ActivateAction: policySid=S-1-5-21-2043219864-3882970144-2193913019-1106; policyId=F9F0D031-4123-4EDF-8FB3-6164DFDCF68E; actionId=0 - succeeded (343 ms)
16/02 15:48:41.597 | PolicyManager.cpp(270) | 1560 | NONE | ActivatePolicies: policySid='S-1-5-21-2043219864-3882970144-2193913019-1106' - succeeded (343 ms)
16/02 15:48:41.597 | PolicyManager.cpp(270) | 1560 | NONE | ActivatePolicies: policySid='S-1-1-0' - starting
16/02 15:48:41.597 | PolicyManager.cpp(270) | 1560 | NONE | ActivatePolicies: policySid='S-1-1-0' - succeeded (0 ms)
16/02 15:48:41.597 | PolicyManager.cpp(214) | 1560 | NONE | CPolicyManager::OnLogonEvent - succeeded (343 ms)
16/02 15:48:41.597 | ProcessMonitor.cpp(229) | 1560 | DBG | CProcessMonitor::OnLogonEvent 2
16/02 15:48:41.613 | DeferredAction.h(164) | 2188 | DBG | Started DoWork thread 2188
16/02 15:48:43.175 | GPUpdateMonitor.cpp(197) | 1572 | DBG | firing GPUpdate event for sid=S-1-5-21-2043219864-3882970144-2193913019-1106
16/02 15:48:43.175 | PolicyManager.cpp(167) | 1572 | NONE | CPolicyManager::Refresh - starting
16/02 15:48:43.175 | ActiveAction.cpp(81) | 1572 | NONE | Deactivated: Action: <FS Filter Loader> On events from: <GPUpdate Monitor> Filter: <<none>>.
16/02 15:48:43.175 | ActiveAction.cpp(81) | 1572 | NONE | Deactivated: Action: <FS Filter Loader> On events from: <Start-stop Monitor> Filter: <<none>>.
16/02 15:48:43.175 | ActiveAction.cpp(81) | 1572 | NONE | Deactivated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
16/02 15:48:43.175 | PolicyManager.cpp(183) | 1572 | NONE | Activating the local machine policies
16/02 15:48:43.175 | PolicyManager.cpp(270) | 1572 | NONE | ActivatePolicies: policySid='' - starting
16/02 15:48:43.175 | PolicyManager.cpp(320) | 1572 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=CSEStart - starting
16/02 15:48:43.175 | ActiveAction.cpp(65) | 1572 | NONE | Activated: Action: <FS Filter Loader> On events from: <Start-stop Monitor> Filter: <<none>>.
16/02 15:48:43.175 | PolicyManager.cpp(320) | 1572 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=CSEStart - succeeded (0 ms)
16/02 15:48:43.175 | PolicyManager.cpp(320) | 1572 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=GPUpdate - starting
16/02 15:48:43.175 | ActiveAction.cpp(65) | 1572 | NONE | Activated: Action: <FS Filter Loader> On events from: <GPUpdate Monitor> Filter: <<none>>.
16/02 15:48:43.175 | PolicyManager.cpp(320) | 1572 | NONE | ActivateAction: policySid=; policyId={3B280287-F4AB-4270-ACD7-5E6ABE0C4BBE}; actionId=GPUpdate - succeeded (0 ms)
16/02 15:48:43.175 | PolicyManager.cpp(270) | 1572 | NONE | ActivatePolicies: policySid='' - succeeded (0 ms)
16/02 15:48:43.175 | LogonMonitor.cpp(293) | 1572 | DBG | Firing logon event: sessionid=2 UserSID=S-1-5-21-2043219864-3882970144-2193913019-1106 subscriber cookie=2
16/02 15:48:43.175 | PolicyManager.cpp(214) | 1572 | NONE | CPolicyManager::OnLogonEvent - starting
16/02 15:48:43.175 | PolicyManager.cpp(231) | 1572 | NONE | Activating policies for user: sessionid=2 sid=S-1-5-21-2043219864-3882970144-2193913019-1106
16/02 15:48:43.175 | PolicyManager.cpp(270) | 1572 | NONE | ActivatePolicies: policySid='S-1-5-21-2043219864-3882970144-2193913019-1106' - starting
16/02 15:48:43.175 | PolicyManager.cpp(320) | 1572 | NONE | ActivateAction: policySid=S-1-5-21-2043219864-3882970144-2193913019-1106; policyId=F9F0D031-4123-4EDF-8FB3-6164DFDCF68E; actionId=0 - starting
16/02 15:48:43.175 | StringExpander.cpp(557) | 1572 | NONE | Adding environment strings to string expander - starting
16/02 15:48:43.175 | StringExpander.cpp(557) | 1572 | NONE | Adding environment strings to string expander - succeeded (0 ms)
16/02 15:48:43.175 | StringExpander.cpp(678) | 1572 | DBG | <<Expanded: '\\spicy-dc01\software packages\' -> '\\spicy-dc01\software packages\' by NT AUTHORITY\SYSTEM
16/02 15:48:43.175 | StringExpander.cpp(557) | 1572 | NONE | Adding environment strings to string expander - starting
16/02 15:48:43.175 | StringExpander.cpp(557) | 1572 | NONE | Adding environment strings to string expander - succeeded (0 ms)
16/02 15:48:43.191 | StringExpander.cpp(557) | 1572 | NONE | Adding environment strings to string expander - starting
16/02 15:48:43.191 | StringExpander.cpp(557) | 1572 | NONE | Adding environment strings to string expander - succeeded (0 ms)
16/02 15:48:43.191 | StringExpander.cpp(557) | 1572 | NONE | Adding environment strings to string expander - starting
16/02 15:48:43.191 | StringExpander.cpp(557) | 1572 | NONE | Adding environment strings to string expander - succeeded (0 ms)
16/02 15:48:43.191 | ActiveAction.cpp(65) | 1572 | NONE | Activated: Action: <New Process Action> On events from: <Process Monitor> Filter: <New Process Event Filter>.
16/02 15:48:43.191 | PolicyManager.cpp(320) | 1572 | NONE | ActivateAction: policySid=S-1-5-21-2043219864-3882970144-2193913019-1106; policyId=F9F0D031-4123-4EDF-8FB3-6164DFDCF68E; actionId=0 - succeeded (15 ms)
16/02 15:48:43.191 | PolicyManager.cpp(270) | 1572 | NONE | ActivatePolicies: policySid='S-1-5-21-2043219864-3882970144-2193913019-1106' - succeeded (15 ms)
16/02 15:48:43.191 | PolicyManager.cpp(270) | 1572 | NONE | ActivatePolicies: policySid='S-1-1-0' - starting
16/02 15:48:43.191 | PolicyManager.cpp(270) | 1572 | NONE | ActivatePolicies: policySid='S-1-1-0' - succeeded (0 ms)
16/02 15:48:43.191 | PolicyManager.cpp(214) | 1572 | NONE | CPolicyManager::OnLogonEvent - succeeded (15 ms)
16/02 15:48:43.191 | PolicyManager.cpp(167) | 1572 | NONE | CPolicyManager::Refresh - succeeded (15 ms)
16/02 15:48:43.191 | FsFilterLoader.cpp(96) | 1572 | NONE | OnEvent - starting
16/02 15:48:43.191 | FltDevRestrictionsManager.(51) | 1572 | DBG | driver has default config - skip driver load
16/02 15:48:43.191 | FsFilterLoader.cpp(96) | 1572 | NONE | OnEvent - succeeded (0 ms)
16/02 15:48:44.878 | ProcessingStageEvent.h(117) | 364 | DBG | New process event created (PID: 2360; Parent: 1852; Path: C:\Windows\System32\userinit.exe; Params: <>
16/02 15:48:44.878 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:48:44.878 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match C:\Windows\System32\userinit.exe 1 0
16/02 15:48:44.878 | LUAFilterRules.cpp(165) | 364 | DBG | AppSec: Matching process SID: 'S-1-5-21-2043219864-3882970144-2193913019-1106' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': MATCH
16/02 15:48:44.878 | LUAFilterRules.cpp(428) | 364 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and '\\spicy-dc01\software packages\*' (Recursive): NO MATCH
16/02 15:48:44.878 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:48:44.878 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:48:44.878 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match C:\Windows\System32\userinit.exe 1 0
16/02 15:48:44.878 | LUAFilterRules.cpp(165) | 364 | DBG | AppSec: Matching process SID: 'S-1-5-21-2043219864-3882970144-2193913019-1106' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': MATCH
16/02 15:48:44.878 | LUAFilterRules.cpp(428) | 364 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and '\\spicy-dc01\software packages\*' (Recursive): NO MATCH
16/02 15:48:44.878 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:48:44.940 | ProcessingStageEvent.h(117) | 364 | DBG | New process event created (PID: 2368; Parent: 792; Path: C:\Windows\System32\dwm.exe; Params: <>
16/02 15:48:44.956 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:48:44.956 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match C:\Windows\System32\dwm.exe 1 0
16/02 15:48:44.956 | LUAFilterRules.cpp(165) | 364 | DBG | AppSec: Matching process SID: 'S-1-5-21-2043219864-3882970144-2193913019-1106' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': MATCH
16/02 15:48:44.956 | LUAFilterRules.cpp(428) | 364 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and '\\spicy-dc01\software packages\*' (Recursive): NO MATCH
16/02 15:48:44.956 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:48:44.956 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:48:44.956 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match C:\Windows\System32\dwm.exe 1 0
16/02 15:48:44.956 | LUAFilterRules.cpp(165) | 364 | DBG | AppSec: Matching process SID: 'S-1-5-21-2043219864-3882970144-2193913019-1106' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': MATCH
16/02 15:48:44.956 | LUAFilterRules.cpp(428) | 364 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and '\\spicy-dc01\software packages\*' (Recursive): NO MATCH
16/02 15:48:44.956 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:48:45.065 | ProcessingStageEvent.h(117) | 364 | DBG | New process event created (PID: 2392; Parent: 2360; Path: C:\Windows\explorer.exe; Params: <>
16/02 15:48:45.065 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:48:45.065 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match C:\Windows\explorer.exe 1 0
16/02 15:48:45.065 | LUAFilterRules.cpp(165) | 364 | DBG | AppSec: Matching process SID: 'S-1-5-21-2043219864-3882970144-2193913019-1106' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': MATCH
16/02 15:48:45.065 | LUAFilterRules.cpp(428) | 364 | DBG | AppSec: Matching process folder: 'C:\Windows\' and '\\spicy-dc01\software packages\*' (Recursive): NO MATCH
16/02 15:48:45.065 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:48:45.065 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:48:45.065 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match C:\Windows\explorer.exe 1 0
16/02 15:48:45.065 | LUAFilterRules.cpp(165) | 364 | DBG | AppSec: Matching process SID: 'S-1-5-21-2043219864-3882970144-2193913019-1106' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': MATCH
16/02 15:48:45.065 | LUAFilterRules.cpp(428) | 364 | DBG | AppSec: Matching process folder: 'C:\Windows\' and '\\spicy-dc01\software packages\*' (Recursive): NO MATCH
16/02 15:48:45.065 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:48:45.737 | ProcessingStageEvent.h(117) | 364 | DBG | New process event created (PID: 2476; Parent: 2392; Path: C:\Program Files\Windows Sidebar\sidebar.exe; Params: </autoRun>
16/02 15:48:45.737 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:48:45.737 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match C:\Program Files\Windows Sidebar\sidebar.exe 1 0
16/02 15:48:45.737 | LUAFilterRules.cpp(165) | 364 | DBG | AppSec: Matching process SID: 'S-1-5-21-2043219864-3882970144-2193913019-1106' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': MATCH
16/02 15:48:45.737 | LUAFilterRules.cpp(428) | 364 | DBG | AppSec: Matching process folder: 'C:\Program Files\Windows Sidebar\' and '\\spicy-dc01\software packages\*' (Recursive): NO MATCH
16/02 15:48:45.737 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:48:45.737 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:48:45.737 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match C:\Program Files\Windows Sidebar\sidebar.exe 1 0
16/02 15:48:45.737 | LUAFilterRules.cpp(165) | 364 | DBG | AppSec: Matching process SID: 'S-1-5-21-2043219864-3882970144-2193913019-1106' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': MATCH
16/02 15:48:45.737 | LUAFilterRules.cpp(428) | 364 | DBG | AppSec: Matching process folder: 'C:\Program Files\Windows Sidebar\' and '\\spicy-dc01\software packages\*' (Recursive): NO MATCH
16/02 15:48:45.737 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:48:45.800 | ProcessingStageEvent.h(117) | 364 | DBG | New process event created (PID: 2496; Parent: 2392; Path: C:\Program Files (x86)\Skype\Phone\Skype.exe; Params: </nosplash /minimized>
16/02 15:48:45.800 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:48:45.800 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match C:\Program Files (x86)\Skype\Phone\Skype.exe 1 0
16/02 15:48:45.800 | LUAFilterRules.cpp(165) | 364 | DBG | AppSec: Matching process SID: 'S-1-5-21-2043219864-3882970144-2193913019-1106' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': MATCH
16/02 15:48:45.800 | LUAFilterRules.cpp(428) | 364 | DBG | AppSec: Matching process folder: 'C:\Program Files (x86)\Skype\Phone\' and '\\spicy-dc01\software packages\*' (Recursive): NO MATCH
16/02 15:48:45.800 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:48:45.800 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:48:45.800 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match C:\Program Files (x86)\Skype\Phone\Skype.exe 1 0
16/02 15:48:45.800 | LUAFilterRules.cpp(165) | 364 | DBG | AppSec: Matching process SID: 'S-1-5-21-2043219864-3882970144-2193913019-1106' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': MATCH
16/02 15:48:45.800 | LUAFilterRules.cpp(428) | 364 | DBG | AppSec: Matching process folder: 'C:\Program Files (x86)\Skype\Phone\' and '\\spicy-dc01\software packages\*' (Recursive): NO MATCH
16/02 15:48:45.800 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:48:45.831 | ReportErrorStub.h(47) | 364 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:48:52.049 | ProcessingStageEvent.h(117) | 364 | DBG | New process event created (PID: 2840; Parent: 1168; Path: C:\Windows\System32\SearchProtocolHost.exe; Params: <Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2043219864-3882970144-2193913019-11061_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2043219864-3882970144-2193913019-11061 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1">
16/02 15:48:52.049 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:48:52.049 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match C:\Windows\System32\SearchProtocolHost.exe 1 0
16/02 15:48:52.049 | LUAFilterRules.cpp(165) | 364 | DBG | AppSec: Matching process SID: 'S-1-5-21-2043219864-3882970144-2193913019-1106' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': MATCH
16/02 15:48:52.049 | LUAFilterRules.cpp(428) | 364 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and '\\spicy-dc01\software packages\*' (Recursive): NO MATCH
16/02 15:48:52.049 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:48:52.049 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:48:52.049 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match C:\Windows\System32\SearchProtocolHost.exe 1 0
16/02 15:48:52.049 | LUAFilterRules.cpp(165) | 364 | DBG | AppSec: Matching process SID: 'S-1-5-21-2043219864-3882970144-2193913019-1106' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': MATCH
16/02 15:48:52.049 | LUAFilterRules.cpp(428) | 364 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and '\\spicy-dc01\software packages\*' (Recursive): NO MATCH
16/02 15:48:52.049 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:48:52.174 | ProcessingStageEvent.h(117) | 364 | DBG | New process event created (PID: 2860; Parent: 1168; Path: C:\Windows\System32\SearchFilterHost.exe; Params: <0 504 508 516 65536 512 >
16/02 15:48:52.174 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:48:52.174 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match C:\Windows\System32\SearchFilterHost.exe 1 0
16/02 15:48:52.174 | LUAFilterRules.cpp(165) | 364 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': NO MATCH
16/02 15:48:52.174 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:48:52.174 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:48:52.174 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match C:\Windows\System32\SearchFilterHost.exe 1 0
16/02 15:48:52.174 | LUAFilterRules.cpp(165) | 364 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': NO MATCH
16/02 15:48:52.174 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:48:56.604 | ProcessingStageEvent.h(121) | 364 | DBG | Stop process event created (PID: 2516)
16/02 15:48:56.604 | ProcessingStageEvent.h(121) | 364 | DBG | Stop process event created (PID: 2476)
16/02 15:49:11.731 | ProcessingStageEvent.h(121) | 364 | DBG | Stop process event created (PID: 2360)
16/02 15:49:40.736 | ReportErrorStub.h(47) | 364 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:49:41.477 | ProcessingStageEvent.h(117) | 364 | DBG | New process event created (PID: 2212; Parent: 2392; Path: \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe; Params: <>
16/02 15:49:41.477 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:49:41.479 | ValidationLogic.cpp(120) | 364 | DBG | *** Transform path from: \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe failed...........
16/02 15:49:41.479 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe 0 -2147024894
16/02 15:49:41.479 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:49:41.479 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:49:41.480 | ValidationLogic.cpp(120) | 364 | DBG | *** Transform path from: \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe failed...........
16/02 15:49:41.480 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe 0 -2147024894
16/02 15:49:41.480 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:49:41.949 | ProcessingStageEvent.h(117) | 364 | DBG | New process event created (PID: 2120; Parent: 864; Path: C:\Windows\System32\consent.exe; Params: <864 756 0000000003B5D6B0>
16/02 15:49:41.950 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:49:41.950 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match C:\Windows\System32\consent.exe 1 0
16/02 15:49:41.950 | LUAFilterRules.cpp(165) | 364 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': NO MATCH
16/02 15:49:41.950 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:49:41.950 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:49:41.950 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match C:\Windows\System32\consent.exe 1 0
16/02 15:49:41.951 | LUAFilterRules.cpp(165) | 364 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': NO MATCH
16/02 15:49:41.951 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:49:42.031 | ProcessingStageEvent.h(121) | 364 | DBG | Stop process event created (PID: 2496)
16/02 15:49:51.267 | ReportErrorStub.h(47) | 364 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:49:55.199 | ProcessingStageEvent.h(117) | 364 | DBG | New process event created (PID: 2984; Parent: 2392; Path: C:\Windows\System32\notepad.exe; Params: <C:\ProgramData\Privilege Authority\Logs\CSEHostEngine.log>
16/02 15:49:55.199 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:49:55.200 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match C:\Windows\System32\notepad.exe 1 0
16/02 15:49:55.200 | LUAFilterRules.cpp(165) | 364 | DBG | AppSec: Matching process SID: 'S-1-5-21-2043219864-3882970144-2193913019-1106' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': MATCH
16/02 15:49:55.200 | LUAFilterRules.cpp(428) | 364 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and '\\spicy-dc01\software packages\*' (Recursive): NO MATCH
16/02 15:49:55.200 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:49:55.200 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:49:55.200 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match C:\Windows\System32\notepad.exe 1 0
16/02 15:49:55.201 | LUAFilterRules.cpp(165) | 364 | DBG | AppSec: Matching process SID: 'S-1-5-21-2043219864-3882970144-2193913019-1106' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': MATCH
16/02 15:49:55.201 | LUAFilterRules.cpp(428) | 364 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and '\\spicy-dc01\software packages\*' (Recursive): NO MATCH
16/02 15:49:55.201 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:49:57.180 | ProcessingStageEvent.h(121) | 364 | DBG | Stop process event created (PID: 2840)
16/02 15:49:57.183 | ProcessingStageEvent.h(121) | 364 | DBG | Stop process event created (PID: 2212)
16/02 15:49:57.186 | ProcessingStageEvent.h(121) | 364 | DBG | Stop process event created (PID: 2860)
16/02 15:49:57.190 | ProcessingStageEvent.h(121) | 364 | DBG | Stop process event created (PID: 2120)
16/02 15:49:57.192 | ProcessingStageEvent.h(121) | 364 | DBG | Stop process event created (PID: 1832)
16/02 15:50:12.343 | ProcessingStageEvent.h(121) | 364 | DBG | Stop process event created (PID: 2708)
16/02 15:50:12.345 | ProcessingStageEvent.h(121) | 364 | DBG | Stop process event created (PID: 2984)
16/02 15:50:13.423 | ReportErrorStub.h(47) | 364 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:50:15.828 | ProcessingStageEvent.h(117) | 364 | DBG | New process event created (PID: 2648; Parent: 2392; Path: \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe; Params: <>
16/02 15:50:15.829 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:50:15.829 | ValidationLogic.cpp(120) | 364 | DBG | *** Transform path from: \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe failed...........
16/02 15:50:15.829 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe 0 -2147024894
16/02 15:50:15.829 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:50:15.829 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:50:15.830 | ValidationLogic.cpp(120) | 364 | DBG | *** Transform path from: \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe failed...........
16/02 15:50:15.830 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe 0 -2147024894
16/02 15:50:15.830 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:50:20.292 | ProcessingStageEvent.h(117) | 364 | DBG | New process event created (PID: 2632; Parent: 2392; Path: \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe; Params: <>
16/02 15:50:20.293 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:50:20.293 | ValidationLogic.cpp(120) | 364 | DBG | *** Transform path from: \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe failed...........
16/02 15:50:20.294 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe 0 -2147024894
16/02 15:50:20.294 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:50:20.294 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:50:20.295 | ValidationLogic.cpp(120) | 364 | DBG | *** Transform path from: \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe failed...........
16/02 15:50:20.295 | LUAFilterRules.cpp(134) | 364 | DBG | FileAccessRule::Match \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe 0 -2147024894
16/02 15:50:20.295 | NewProcessEvtFilter.cpp(121) | 364 | DBG | Filter matching result 0
16/02 15:50:27.496 | ProcessingStageEvent.h(121) | 364 | DBG | Stop process event created (PID: 2400)
16/02 15:50:27.503 | ProcessingStageEvent.h(121) | 364 | DBG | Stop process event created (PID: 2648)
16/02 15:50:27.506 | ProcessingStageEvent.h(121) | 364 | DBG | Stop process event created (PID: 2632)
16/02 15:50:28.572 | ReportErrorStub.h(47) | 364 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:50:42.655 | ProcessingStageEvent.h(121) | 364 | DBG | Stop process event created (PID: 2436)
16/02 15:50:43.733 | ReportErrorStub.h(47) | 364 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:50:57.805 | ProcessingStageEvent.h(121) | 364 | DBG | Stop process event created (PID: 2452)
16/02 15:50:58.881 | ReportErrorStub.h(47) | 364 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:51:12.955 | ProcessingStageEvent.h(121) | 1284 | DBG | Stop process event created (PID: 1728)
16/02 15:51:14.041 | ReportErrorStub.h(47) | 1284 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:51:28.107 | ProcessingStageEvent.h(121) | 1284 | DBG | Stop process event created (PID: 1256)
16/02 15:51:29.183 | ReportErrorStub.h(47) | 1284 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:51:43.257 | ProcessingStageEvent.h(121) | 1284 | DBG | Stop process event created (PID: 1684)
16/02 15:51:44.332 | ReportErrorStub.h(47) | 1284 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:51:58.408 | ProcessingStageEvent.h(121) | 1284 | DBG | Stop process event created (PID: 2544)
16/02 15:51:59.485 | ReportErrorStub.h(47) | 1284 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:52:13.558 | ProcessingStageEvent.h(121) | 1284 | DBG | Stop process event created (PID: 1936)
16/02 15:52:14.651 | ReportErrorStub.h(47) | 1284 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:52:28.710 | ProcessingStageEvent.h(121) | 1284 | DBG | Stop process event created (PID: 1948)
16/02 15:52:29.794 | ReportErrorStub.h(47) | 1284 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:52:43.861 | ProcessingStageEvent.h(121) | 1284 | DBG | Stop process event created (PID: 2888)
16/02 15:52:44.941 | ReportErrorStub.h(47) | 1284 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:52:59.012 | ProcessingStageEvent.h(121) | 1284 | DBG | Stop process event created (PID: 2560)
16/02 15:53:00.097 | ReportErrorStub.h(47) | 1284 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:53:14.164 | ProcessingStageEvent.h(121) | 1284 | DBG | Stop process event created (PID: 2796)
16/02 15:53:15.256 | ReportErrorStub.h(47) | 1284 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:53:29.315 | ProcessingStageEvent.h(121) | 1284 | DBG | Stop process event created (PID: 2128)
16/02 15:53:30.382 | ReportErrorStub.h(47) | 1284 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:53:44.466 | ProcessingStageEvent.h(121) | 2680 | DBG | Stop process event created (PID: 2984)
16/02 15:53:45.560 | ReportErrorStub.h(47) | 2680 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:53:59.616 | ProcessingStageEvent.h(121) | 2680 | DBG | Stop process event created (PID: 2684)
16/02 15:54:00.701 | ReportErrorStub.h(47) | 2680 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:54:14.686 | ProcessingStageEvent.h(121) | 2680 | DBG | Stop process event created (PID: 1532)
16/02 15:54:15.745 | ReportErrorStub.h(47) | 2680 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:54:29.751 | ProcessingStageEvent.h(121) | 2680 | DBG | Stop process event created (PID: 3068)
16/02 15:54:30.807 | ReportErrorStub.h(47) | 2680 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:54:38.460 | ReportErrorStub.h(47) | 2680 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:54:41.563 | ProcessingStageEvent.h(117) | 2680 | DBG | New process event created (PID: 2068; Parent: 2392; Path: \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe; Params: <>
16/02 15:54:41.563 | LUAFilterRules.cpp(185) | 2680 | DBG | NotInternalProcessRule::Match result:1
16/02 15:54:41.565 | ValidationLogic.cpp(120) | 2680 | DBG | *** Transform path from: \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe failed...........
16/02 15:54:41.565 | LUAFilterRules.cpp(134) | 2680 | DBG | FileAccessRule::Match \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe 0 -2147024894
16/02 15:54:41.565 | NewProcessEvtFilter.cpp(121) | 2680 | DBG | Filter matching result 0
16/02 15:54:41.565 | LUAFilterRules.cpp(185) | 2680 | DBG | NotInternalProcessRule::Match result:1
16/02 15:54:41.565 | ValidationLogic.cpp(120) | 2680 | DBG | *** Transform path from: \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe failed...........
16/02 15:54:41.565 | LUAFilterRules.cpp(134) | 2680 | DBG | FileAccessRule::Match \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe 0 -2147024894
16/02 15:54:41.565 | NewProcessEvtFilter.cpp(121) | 2680 | DBG | Filter matching result 0
16/02 15:54:41.969 | ProcessingStageEvent.h(117) | 2680 | DBG | New process event created (PID: 576; Parent: 864; Path: C:\Windows\System32\consent.exe; Params: <864 756 00000000022E1630>
16/02 15:54:41.969 | LUAFilterRules.cpp(185) | 2680 | DBG | NotInternalProcessRule::Match result:1
16/02 15:54:41.970 | LUAFilterRules.cpp(134) | 2680 | DBG | FileAccessRule::Match C:\Windows\System32\consent.exe 1 0
16/02 15:54:41.970 | LUAFilterRules.cpp(165) | 2680 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': NO MATCH
16/02 15:54:41.970 | NewProcessEvtFilter.cpp(121) | 2680 | DBG | Filter matching result 0
16/02 15:54:41.970 | LUAFilterRules.cpp(185) | 2680 | DBG | NotInternalProcessRule::Match result:1
16/02 15:54:41.970 | LUAFilterRules.cpp(134) | 2680 | DBG | FileAccessRule::Match C:\Windows\System32\consent.exe 1 0
16/02 15:54:41.971 | LUAFilterRules.cpp(165) | 2680 | DBG | AppSec: Matching process SID: 'S-1-5-18' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': NO MATCH
16/02 15:54:41.971 | NewProcessEvtFilter.cpp(121) | 2680 | DBG | Filter matching result 0
16/02 15:54:44.817 | ProcessingStageEvent.h(121) | 2680 | DBG | Stop process event created (PID: 544)
16/02 15:54:44.820 | ProcessingStageEvent.h(121) | 2680 | DBG | Stop process event created (PID: 2068)
16/02 15:54:44.822 | ProcessingStageEvent.h(121) | 2680 | DBG | Stop process event created (PID: 576)
16/02 15:54:44.824 | ProcessingStageEvent.h(121) | 2680 | DBG | Stop process event created (PID: 1460)
16/02 15:54:57.805 | ReportErrorStub.h(47) | 2680 | ERROR | Access is denied.
[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005
16/02 15:54:57.914 | ProcessingStageEvent.h(117) | 2680 | DBG | New process event created (PID: 2844; Parent: 2392; Path: C:\Windows\System32\notepad.exe; Params: <C:\ProgramData\Privilege Authority\Logs\CSEHostEngine.log>
16/02 15:54:57.914 | LUAFilterRules.cpp(185) | 2680 | DBG | NotInternalProcessRule::Match result:1
16/02 15:54:57.914 | LUAFilterRules.cpp(134) | 2680 | DBG | FileAccessRule::Match C:\Windows\System32\notepad.exe 1 0
16/02 15:54:57.914 | LUAFilterRules.cpp(165) | 2680 | DBG | AppSec: Matching process SID: 'S-1-5-21-2043219864-3882970144-2193913019-1106' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': MATCH
16/02 15:54:57.914 | LUAFilterRules.cpp(428) | 2680 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and '\\spicy-dc01\software packages\*' (Recursive): NO MATCH
16/02 15:54:57.914 | NewProcessEvtFilter.cpp(121) | 2680 | DBG | Filter matching result 0
16/02 15:54:57.914 | LUAFilterRules.cpp(185) | 2680 | DBG | NotInternalProcessRule::Match result:1
16/02 15:54:57.915 | LUAFilterRules.cpp(134) | 2680 | DBG | FileAccessRule::Match C:\Windows\System32\notepad.exe 1 0
16/02 15:54:57.915 | LUAFilterRules.cpp(165) | 2680 | DBG | AppSec: Matching process SID: 'S-1-5-21-2043219864-3882970144-2193913019-1106' and 'S-1-5-21-2043219864-3882970144-2193913019-1106': MATCH
16/02 15:54:57.916 | LUAFilterRules.cpp(428) | 2680 | DBG | AppSec: Matching process folder: 'C:\Windows\System32\' and '\\spicy-dc01\software packages\*' (Recursive): NO MATCH
16/02 15:54:57.916 | NewProcessEvtFilter.cpp(121) | 2680 | DBG | Filter matching result 0
Don Reynolds (ScriptLogic)
ScriptLogic
Posts:61

20 Feb 2012 01:01 PM

Hello David,

Looking at the log I see that the client is logging an error as it is trying to process the path of the process "\\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe":

16/02 15:49:41.477 | ProcessingStageEvent.h(117) | 364 | DBG | New process event created (PID: 2212; Parent: 2392; Path: \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe; Params: <>
16/02 15:49:41.477 | LUAFilterRules.cpp(185) | 364 | DBG | NotInternalProcessRule::Match result:1
16/02 15:49:41.479 | ValidationLogic.cpp(120) | 364 | DBG | *** Transform path from: \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe failed...........

I am not sure specifically what might be causing this, but I know that in the latest release several items dealing with processes running from UNC and mapped drives were corrected.

(One other thing you might verify is that the client "computer" account has at least read permission on that network share, and not just the "user" account running on the client.)

Have you had a chance to try out the latest version, v2.7? If not, I would suggest deploying the PA 2.7 Client to a test machine to verify if it corrects this issue for you. To try that, you could download the latest release and install the console to a test machine in order to get access to the client installer.

If that corrects the problem, then I would recommend that you begin using the 2.7 console and client for all of your computers.

Let me know if that helps.
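
Reading a CSEHostEngine.log excerpt like the one above by hand is slow, so here is an added Python triage script (mine, not part of Privilege Authority or of either post) that parses the "timestamp | source | thread | level | message" line format shown, collects the launched processes, the failed path transforms and the ERROR entries, and decodes the signed HRESULT that FileAccessRule::Match prints: -2147024894 is 0x80070002, the Win32 "file not found" result, which fits the suggestion above to confirm that the client computer account can read the share. The sample lines are copied from the thread; reading the two trailing numbers on the FileAccessRule::Match line as a "file opened" flag followed by an HRESULT is an assumption drawn from the excerpt, as is the short table of known codes.

```python
import re
from collections import Counter

# Line shape used by CSEHostEngine.log in the thread: "timestamp | source | thread | level | message".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \| (?P<src>[^|]+?) \| "
    r"(?P<tid>\d+) \| (?P<level>[A-Z]+) \| (?P<msg>.*)$"
)
NEW_PROC_RE = re.compile(
    r"New process event created \(PID: (?P<pid>\d+); Parent: (?P<ppid>\d+); "
    r"Path: (?P<path>[^;]+); Params:"
)
TRANSFORM_FAIL_RE = re.compile(r"Transform path from: (?P<path>.+?) failed")
# Trailing "<flag> <signed hresult>": the flag is 1 with HRESULT 0 for local files and
# 0 with a failure HRESULT for the UNC path, so it is read here as "file opened" (assumption).
FILE_RULE_RE = re.compile(r"FileAccessRule::Match (?P<path>.+?) (?P<ok>[01]) (?P<hr>-?\d+)$")
# ERROR entries spill their EIP and HRESULT onto a second, unprefixed line.
EIP_RE = re.compile(r"^\[EIP: [^\]]+\] (?P<hr>0x[0-9A-Fa-f]{8})$")

# The two codes present in the excerpt; both are standard Win32-derived HRESULTs.
KNOWN_HRESULTS = {
    0x80070002: "ERROR_FILE_NOT_FOUND (the file could not be opened)",
    0x80070005: "E_ACCESSDENIED (access is denied)",
}


def hresult_unsigned(signed):
    """The log prints HRESULTs as signed 32-bit ints; map them to the usual 0x8007xxxx form."""
    return signed & 0xFFFFFFFF


def describe_hresult(value):
    return KNOWN_HRESULTS.get(value, "unknown HRESULT 0x%08X" % value)


def is_unc(path):
    return path.startswith("\\\\")


def triage(lines):
    """Reduce a log excerpt to the facts that matter when a rule did not apply."""
    processes = {}                # pid -> executable path of each 'New process event'
    transform_failed = Counter()  # path -> number of failed path transforms
    rule_results = {}             # path -> (file_ok, hresult) from the last FileAccessRule::Match
    error_codes = Counter()       # HRESULT printed under each ERROR entry
    error_count = 0
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = LINE_RE.match(line)
        if not m:
            e = EIP_RE.match(line)
            if e:
                error_codes[int(e.group("hr"), 16)] += 1
            continue
        if m.group("level") == "ERROR":
            error_count += 1
            continue
        msg = m.group("msg")
        p = NEW_PROC_RE.search(msg)
        if p:
            processes[int(p.group("pid"))] = p.group("path")
            continue
        t = TRANSFORM_FAIL_RE.search(msg)
        if t:
            transform_failed[t.group("path")] += 1
            continue
        f = FILE_RULE_RE.search(msg)
        if f:
            rule_results[f.group("path")] = (f.group("ok") == "1",
                                             hresult_unsigned(int(f.group("hr"))))
    return {
        "processes": processes,
        "transform_failed": transform_failed,
        "rule_results": rule_results,
        "error_count": error_count,
        "error_codes": error_codes,
        "unc_processes": sorted({p for p in processes.values() if is_unc(p)}),
    }


def explain(summary):
    """One line per executable the engine could not open, with the decoded HRESULT."""
    out = []
    for path, (ok, hr) in sorted(summary["rule_results"].items()):
        if ok:
            continue
        fails = summary["transform_failed"][path]
        note = " (path transform failed %d time(s))" % fails if fails else ""
        out.append("%s: 0x%08X %s%s" % (path, hr, describe_hresult(hr), note))
    return out


# Constructed sample: the lines are copied from the log excerpt in the thread above.
SAMPLE = [
    r"16/02 15:54:41.563 | ProcessingStageEvent.h(117) | 2680 | DBG | New process event created (PID: 2068; Parent: 2392; Path: \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe; Params: <>",
    r"16/02 15:54:41.565 | ValidationLogic.cpp(120) | 2680 | DBG | *** Transform path from: \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe failed...........",
    r"16/02 15:54:41.565 | LUAFilterRules.cpp(134) | 2680 | DBG | FileAccessRule::Match \\spicy-dc01\Software Packages\install_reader10_uk_air_gtbd_aih.exe 0 -2147024894",
    r"16/02 15:54:41.565 | NewProcessEvtFilter.cpp(121) | 2680 | DBG | Filter matching result 0",
    r"16/02 15:54:41.969 | ProcessingStageEvent.h(117) | 2680 | DBG | New process event created (PID: 576; Parent: 864; Path: C:\Windows\System32\consent.exe; Params: <864 756 00000000022E1630>",
    r"16/02 15:54:41.970 | LUAFilterRules.cpp(134) | 2680 | DBG | FileAccessRule::Match C:\Windows\System32\consent.exe 1 0",
    r"16/02 15:54:57.805 | ReportErrorStub.h(47) | 2680 | ERROR | Access is denied.",
    r"[EIP: 0x1F8BBD6,0x1F8B8E8] 0x80070005",
]

if __name__ == "__main__":
    for line in explain(triage(SAMPLE)):
        print(line)
```

Run it against the full CSEHostEngine.log (for example `triage(open(path).readlines())`) and `explain` lists only the executables the engine failed to open, which in this thread is exactly the UNC installer, while local binaries such as consent.exe and notepad.exe report 0 and fall through to the SID and folder checks seen later in the log.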

frenchyyy
New Member
Posts:5

20 Feb 2012 01:53 PM
I upgraded the console and client to version 2.7. This resolved the issue. Thanks for your help.