Security hole in "Software Restrictions" policy
Back in September, I posted a thread about a security hole in the "Software Restrictions" policy. Through a simple work-around, non-administrators could circumvent policy restrictions created by system administrators.
Juke Chou was very helpful in reproducing this problem and reporting it to the appropriate group at Microsoft. However, I have never heard anything back.
I realize that with today's operating systems, fixes can't happen overnight. But 4+ months seems a long time to spend making a decision about what to do with a security violation/elevation.
Either a "yes we're going to patch this for W7" or a "this will be addressed in W8" or even a "yes we see this security hole but we don't intend to repair it" would be appreciated.
January 26th, 2012 11:40pm
Hi,
I am sorry there is no response after reporting the issue. I have no idea whether the development team will release the hotfix for Windows 7 or just address the issue in Windows 8.
I notice you have a workaround GPO in a previous post; please set the following GPO instead for a test.
User Account Control: Behavior of the elevation prompt for standard users
http://technet.microsoft.com/en-us/library/dd851602.aspx
Niki
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Niki Han
TechNet Community Support
January 27th, 2012 4:46am
Likely a fix will not be made for Windows XP due to its age (i.e. being in extended support) nor Windows 7 (as SRP is replaced with AppLocker, which is superior to SRP).
Blogging about Windows for IT pros at www.theexperienceblog.com
January 27th, 2012 2:46pm
Hey Niki, thanks for the response.
That page specifically states that:
Applies To: Windows Server 2008 R2
Since my clients are running on W7 Pro, I wasn't optimistic. Still, I tried it:
Changed the policy
On the client: GPUpdate /force
On the client: Reboot
Run the test case
As expected, it didn't help. Using RAA still allows the app to run. Good thought though.
January 27th, 2012 9:11pm
Likely a fix will not be made for Windows XP
Not an issue for me as I am currently (almost) all W7. Also, since UAC was a factor, I wouldn't expect to see this behavior in XP.
nor Windows 7 (as SRP is replaced with AppLocker which is superior SRP).
Whether SRP is superior can be debated. However, since it doesn't run on W7 Pro (which is what my client machines run), it's a moot point for me.
Also, consider this:
The fact that just clicking on the app produces the (expected) error message and RAA (for non-admins) does not means that there must be 2 separate code paths when launching EXEs. And clearly, one is deficient. Now, what ELSE uses that second code path? For example, will AppLocker have the exact same issue? Hmm...
January 27th, 2012 10:59pm
Hi,
Please ensure the GPO is set to "Automatically deny elevation requests". After applying the GPO, please check the policy on the Windows 7 client to ensure the policy has been applied.
If this workaround doesn't work, we can do nothing from the forum side but wait for the hotfix or Windows 8 release. Or you can try AppLocker if you would like to.
Thanks for your understanding.
Niki
TechNet Subscriber Support
January 29th, 2012 9:19pm
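The verification step above (confirm the GPO actually landed on the Windows 7 client before re-running the test case), together with the "change policy, gpupdate /force, reboot, run the test" sequence the original poster describes earlier in the thread, can be done from an elevated PowerShell prompt on the client. The script below is an added example, not code from anyone in this thread; it reads the documented registry locations behind the two policies involved (the UAC "Behavior of the elevation prompt for standard users" setting and the Software Restriction Policies default level) and reports them in plain words. The function names and the report layout are my own choices.

```powershell
# Added example (not from the thread): show the effective local values of the
# two policies discussed above so an admin can confirm the GPO was applied on
# the Windows 7 client before repeating the SRP test case.
# Run after "gpupdate /force" and a reboot, from an elevated prompt.

$uacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing,
    # so "not configured" can be reported rather than an error.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Describe-Value {
    param($Value, [hashtable]$Map, [string]$Missing)
    # Translate a numeric policy value into the wording used in the GPO editor.
    if ($null -eq $Value) { return $Missing }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "Unknown value $Value"
}

# UAC: "Behavior of the elevation prompt for standard users"
$consentUser = Get-PolicyValue $uacKey 'ConsentPromptBehaviorUser'
$uacEnabled  = Get-PolicyValue $uacKey 'EnableLUA'
$consentText = Describe-Value $consentUser @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
} 'Not configured (Windows default: prompt for credentials)'

# SRP: default security level, scope and enforcement
$defaultLevel = Get-PolicyValue $saferKey 'DefaultLevel'
$policyScope  = Get-PolicyValue $saferKey 'PolicyScope'
$transparent  = Get-PolicyValue $saferKey 'TransparentEnabled'
$levelText = Describe-Value $defaultLevel @{
    0       = 'Disallowed'
    0x20000 = 'Basic User'
    0x40000 = 'Unrestricted'
} 'SRP not configured'
$scopeText = Describe-Value $policyScope @{
    0 = 'All users'
    1 = 'All users except local administrators'
} 'Not configured'
$enforceText = Describe-Value $transparent @{
    1 = 'All software files except libraries (such as DLLs)'
    2 = 'All software files'
} 'Not configured'

$report = [ordered]@{
    'UAC enabled (EnableLUA)'               = $uacEnabled
    'Elevation prompt for standard users'   = $consentText
    'SRP default security level'            = $levelText
    'SRP applies to'                        = $scopeText
    'SRP enforcement'                       = $enforceText
}
$report.GetEnumerator() | Format-Table -AutoSize

# The thread's suggested workaround is the "Automatically deny" setting (0);
# call it out explicitly if the client is not showing that value yet.
if ($consentUser -ne 0) {
    Write-Warning 'ConsentPromptBehaviorUser is not 0: "Automatically deny elevation requests" is not in effect on this client.'
}
```

If the UAC line still shows the default after gpupdate and a reboot, the GPO has not reached the machine (check `gpresult /r` for the policy's scope and filtering) and the test case result says nothing about the setting itself. The SRP lines are there so the same run also confirms the restriction policy under test is the one you think it is.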
Please ensure the GPO is set to "Automatically deny elevation requests". After applying the GPO, please check the policy on the Windows 7 client to ensure the policy has been applied.
Yes, I've done this. As I stated in my other reply (Saturday, January 28, 2012 1:57 AM), this attribute only appears to apply to Server 2008 R2. However, I did try setting it and it made no difference.
Or you can try AppLocker if you would like to.
Well, *I* can't try it. As I said in my other reply (Saturday, January 28, 2012 3:44 AM), AppLocker only works in W7 Enterprise, which I don't have.
If this workaround doesn't work, we can do nothing from forum side but wait for the hotfix or Windows 8 release.
I understand. Honestly, I never expected that someone would email an updated DLL from a post to this forum. But that said, it seems there are a few things you could do:
1) When these issues get reported to the product team, do they go into a database? Or do you just send an email? Because if this is in a database that you can access, I would be interested in seeing the text of the problem that was reported.
A poor or unclear description could explain the lack of response.
Also, some bug databases show responses/resolutions/status for reported issues. If a decision has been reached, perhaps the information is shown there. (Ok, so it's not too likely they put that info where anyone can see it. Still, thought I'd ask.)
2) As I mentioned in one of my other replies, it would be interesting to see if this issue also affects AppLocker. SR and AL perform similar functions, so it seems possible that they both have the same problem.
As I've said, I don't have W7 Enterprise. That means I don't have what I need to try this. But someone who *does* have W7E could:
Repro the SR problem (to make sure you are testing the right config).
Change the GPO to use AL instead of SR.
See if the problem is still there.
If AppLocker is broken in the same way, it seems possible that a higher priority would be assigned to fixing this.
January 29th, 2012 11:04pm
I fired up a test machine and can state that this issue is not reproducible with AppLocker.
Blogging about Windows for IT pros at www.theexperienceblog.com
January 30th, 2012 11:27am
Darn. That was my best hope for getting this fixed.
You are sure about the repro? Did you try the SR part first to confirm the config?
January 30th, 2012 4:24pm
Yes, I have reproduced your bug using SRP and also verified that AppLocker is working correctly and does not suffer from this bug.
Blogging about Windows for IT pros at www.theexperienceblog.com
January 30th, 2012 4:52pm
Well, that's a good thing. And at the same time: rats.
Thanks for taking the time.
January 30th, 2012 9:25pm