Forum Discussion

Deleted
Apr 30, 2020

Deleted

  • fredi_wams
    Copper Contributor

    Deleted I found the origin of the offending string with the ampersand in German Windows, it's C:\Windows\System32\de-DE\msobjs.dll.mui.

    If I disable the localization by taking ownership of the file, adding access rights, renaming it and rebooting, the error message in Policy Analyzer is gone.

    You can also see the offending string by running auditpol /backup /file:backup.csv.

    Of course it's still a bug in Policy Analyzer that it doesn't properly sanitize/escape the messages.

  • fredi_wams
    Copper Contributor

    Deleted I've got the same problem on German Windows versions. Luckily, I managed to grab the offending file from the %tmp% directory. The problem is the unescaped ampersand (&) in the following line:

    <AuditSubcategory><GUID>{0CCE9248-69AE-11D9-BED3-505054503030}</GUID><Name>Plug & Play-Ereignisse</Name><Setting>0</Setting><SourceFile>C:\Users\Administrator.DOMAIN\AppData\Local\Temp\tmp16F8.tmp</SourceFile><PolicyName>SERVER - auditpol /backup</PolicyName></AuditSubcategory>

    This is the "Audit PNP Activity" policy, or "PNP-Überwachungsaktivität" in German. 

    However, I don't have any idea for a workaround yet. The %tmp% file seems to be created with a random name and exists only for a fraction of a second. And the localized string does not come from the .adml files.

    • FLeven
      Copper Contributor

      Deleted Good find, search for hardeningkitty and forget about the clunky old Policy Analyzer.

      • AaronMargosis_Tanium
        Iron Contributor

        FLeven - FWIW, I looked up hardeningkitty and it is more dependent on US-English than Policy Analyzer is.

        Also FWIW, I'd really like to see these bugs fixed as well.

  • Tsitan
    Copper Contributor

    I have Russian Windows. Policy Analyzer - current version installed: v4.0.2004.13001.

    When I load current state in Policy Analyzer or from LGPO's backup I have an error in PolicyRulesFileBuilder.exe "Unexpected format in Audit CSV file".

    GUID {0CCE9228-69AE-11D9-BED3-505054503030} and GUID {0CCE9229-69AE-11D9-BED3-505054503030} have a comma in the subcategory column. Parsing is broken.

    When I delete these GUIDs from "Audit.CSV" loading is normal.
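
Added example, not part of any post above and not Policy Analyzer's own code: a tolerant way to read audit backup rows and emit the AuditSubcategory element, covering both failures reported in this thread (the unescaped ampersand and the unquoted comma in a localized subcategory name). The CSV column order, the function names and the placeholder subcategory name are assumptions; the GUIDs are the ones quoted in the posts, and the SourceFile/PolicyName elements are left out.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample. Column order is assumed to match `auditpol /backup` output;
# the second subcategory name is a placeholder, not the real localized string.
SAMPLE_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
SERVER,System,Plug & Play-Ereignisse,{0CCE9248-69AE-11D9-BED3-505054503030},No Auditing,,0
SERVER,System,Placeholder name, with comma,{0CCE9228-69AE-11D9-BED3-505054503030},Success,,1
"""

def parse_rows(text):
    """Yield (guid, name, setting) per subcategory row, anchoring on the GUID
    so that unquoted commas in the localized name do not shift the columns."""
    for line in text.splitlines():
        m = GUID_RE.search(line)
        if not m:
            continue  # header line, or a row without a subcategory GUID
        head = line[:m.start()].rstrip(",")
        _machine, _target, name = head.split(",", 2)  # name keeps its commas
        setting = line[m.end():].rsplit(",", 1)[1].strip()  # last column
        yield m.group(0), name, setting

def to_xml(guid, name, setting, escape_text=True):
    """Build one AuditSubcategory element; escape_text=False reproduces the bug."""
    text = escape(name) if escape_text else name
    return (f"<AuditSubcategory><GUID>{guid}</GUID><Name>{text}</Name>"
            f"<Setting>{escape(setting)}</Setting></AuditSubcategory>")

def is_well_formed(xml):
    """True if a standard XML parser accepts the fragment."""
    try:
        ET.fromstring(xml)
        return True
    except ET.ParseError:
        return False

def round_trip(text):
    """Names an XML parser reads back from the escaped output."""
    return [ET.fromstring(to_xml(*row)).findtext("Name") for row in parse_rows(text)]

if __name__ == "__main__":
    for row in parse_rows(SAMPLE_CSV):
        print(is_well_formed(to_xml(*row, escape_text=False)), to_xml(*row))
```
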

    • Deleted

      Tsitan - could you please send an audit.csv that triggers the problem?

      auditpol.exe /backup /file:pathtofile

      Thanks.

  • helo86
    Copper Contributor

    Deleted

    Dear all,

    I still have the same problem with the Policy Analyzer and I have the current version installed: v4.0.2004.13001.

    Is there something planned to fix the issue?

    Here is a small overview of what is working and what is not:

    <AuditSubcategory>: not working, get the error and no results

    <Computerconfig>: works

    <Userconfig>: works

    <SecurityTemplate>: get again that error, the registry values are getting checked but Privilege Rights are not

    As read in the other comments I also checked the %TEMP% folder for log files to get more information but could not find any.

  • FLeven
    Copper Contributor

    Deleted I have exactly the same problem, might be a non-US language problem? I also run PA 4.0 on DE systems.

    The reported line differs between client and server and I am missing the effective state of all audit policies if I ignore the error message.

    • Deleted

      FLeven and @bennn2806: at what point does this happen? What are you doing when the error message appears?

      • FLeven
        Copper Contributor

        Deleted

        It is a problem with the GPOs on the local system, I managed to run "Compare to effective state" on a non-domain-joined machine, but it will not work on a domain-joined machine in the "Computers" OU, where the Default Domain Policy is applied.

        Also it will work if I choose a simple GPO without Sec or Audit policies.

        I am using the "MSFT-Win10-WS-v1809-FINAL.PolicyRules" shipped with PA 4.

        As you can see the effective state of the Audit Policy entries is empty, because it failed to compare them for whatever reason.

        I did some cleanup of my local auditpols etc. but no dice.