2 blocks from WDAC, on WHH Light

[shmu26]

I got two blocks after enabling WDAC. The first one is wsl, which you already explained to me that it is blocked by design. But I have no idea where the second block is coming from.

`******** WDAC blocked events for EXE and DLL files ********
***********************************************************




Event[0]:
Event Id = 3077
Local Time:  2024/04/08 19:58:55
Attempted Path = C:\Windows\System32\wsl.exe
Parent Process = C:\Program Files\WindowsApps\CanonicalGroupLimited.Ubuntu_2204.3.49.0_x64__79rhkp1fndgsc\ubuntu.exe
PolicyName = UserSpace Lock
UserWriteable = false


***********************************************************
***********************************************************


Event[1]:
Event Id = 3077
Local Time:  2024/04/08 19:56:10
Attempted Path = C:\Windows\System32\wsl.exe
Parent Process = C:\Program Files\WindowsApps\CanonicalGroupLimited.Ubuntu_2204.3.49.0_x64__79rhkp1fndgsc\ubuntu.exe
PolicyName = UserSpace Lock
UserWriteable = false


***********************************************************
***********************************************************


Event[2]:
Event Id = 3077
Local Time:  2024/04/08 19:42:22
Attempted Path = C:\Windows\SysWOW64\wbem\WMIC.exe
Parent Process = C:\Windows\SysWOW64\cmd.exe
PolicyName = UserSpace Lock
UserWriteable = false


***********************************************************
***********************************************************`

[AndyFul]

Yes, two LOLBins (WMIC.exe and wsl.exe) are blocked via WDAC policy by Microsoft's recommended rules.

[shmu26]

Do you have any idea why cmd would spawn WMIC in normal computer usage of Windows 11? The only thing I regularly use cmd for is to shut down wsl, via the command wsl --shutdown

[AndyFul]

This is uncommon behavior. Probably some application tries to run a script. Did you look at the SWH Blocked events?