Forum Discussion
Apr 30, 2020
- fredi_wams (Copper Contributor)
Deleted I found the origin of the offending string with the ampersand in German Windows, it's C:\Windows\System32\de-DE\msobjs.dll.mui.
If I disable the localization by taking ownership of the file, adding access rights, renaming it and rebooting, the error message in Policy Analyzer is gone.
You can also see the offending string by running auditpol /backup /file:backup.csv.
Of course it's still a bug in Policy Analyzer that it doesn't properly sanitize/escape the messages.
- fredi_wams (Copper Contributor)
Deleted I've got the same problem on German Windows versions. Luckily, I managed to grab the offending file from the %tmp% directory. The problem is the unescaped ampersand (&) in the following line:
<AuditSubcategory><GUID>{0CCE9248-69AE-11D9-BED3-505054503030}</GUID><Name>Plug & Play-Ereignisse</Name><Setting>0</Setting><SourceFile>C:\Users\Administrator.DOMAIN\AppData\Local\Temp\tmp16F8.tmp</SourceFile><PolicyName>SERVER - auditpol /backup</PolicyName></AuditSubcategory>
This is the "Audit PNP Activity" policy, or "PNP-Überwachungsaktivität" in German.
However, I don't have any idea for a workaround yet. The %tmp% file seems to be created with a random name and exists only for the fraction of a second. And the localized string does not come from the .adml files.
- FLeven (Copper Contributor)
Deleted Good find. Search for hardeningkitty and forget about the clunky old Policy Analyzer.
- AaronMargosis_Tanium (Iron Contributor)
FLeven - FWIW, I looked up hardeningkitty and it is more dependent on US-English than Policy Analyzer is.
Also FWIW, I'd really like to see these bugs fixed as well.
- Tsitan (Copper Contributor)
I have Russian Windows. Policy Analyzer - current version installed: v4.0.2004.13001.
When I load the current state in Policy Analyzer or from LGPO's backup, I get an error in PolicyRulesFileBuilder.exe: "Unexpected format in Audit CSV file".
GUID {0CCE9228-69AE-11D9-BED3-505054503030} and GUID {0CCE9229-69AE-11D9-BED3-505054503030} have a comma in the subcategory column. Parsing is broken.
When I delete these GUIDs from "Audit.CSV", loading is normal.
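The two parsing failures reported in this thread (the unescaped ampersand in the generated XML and the comma inside the subcategory column of the audit CSV), as an added example; it is not Policy Analyzer's code and not any poster's. The CSV column layout, the `AuditPolicy` wrapper element, the function names and the sample rows are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample, not captured from a real system. Assumed column layout:
# machine, target, subcategory name, GUID, inclusion, exclusion, value.
# The second name is a placeholder for a localized string containing a comma.
SAMPLE_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
SERVER,System,Plug & Play-Ereignisse,{0CCE9248-69AE-11D9-BED3-505054503030},No Auditing,,0
SERVER,System,Localized name, with a comma,{0CCE9228-69AE-11D9-BED3-505054503030},Success,,1
"""

def parse_audit_csv(text):
    """Return [(guid, name, setting)], anchoring each row on its GUID
    instead of trusting the comma count, so names may contain commas."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        m = GUID_RE.search(line)
        if not m:
            continue
        # Left of the GUID: machine, target, then the free-text name.
        left = line[:m.start()].rstrip(",").split(",", 2)
        if len(left) != 3:
            raise ValueError("unexpected row: %r" % line)
        # Right of the GUID: the last field is the numeric setting value.
        setting = line[m.end():].rsplit(",", 1)[-1].strip()
        rows.append((m.group(0), left[2], setting))
    return rows

def to_xml(rows, escape_text=True):
    """Serialize rows; escape_text=False reproduces the reported bug."""
    fix = escape if escape_text else (lambda s: s)
    item = ("<AuditSubcategory><GUID>%s</GUID><Name>%s</Name>"
            "<Setting>%s</Setting></AuditSubcategory>")
    body = "".join(item % (g, fix(n), fix(s)) for g, n, s in rows)
    return "<AuditPolicy>" + body + "</AuditPolicy>"   # hypothetical root

def is_well_formed(xml_text):
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False
```
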
- helo86 (Copper Contributor)
Deleted
Dear all,
I still have the same problem with the Policy Analyzer, and I have the current version installed: v4.0.2004.13001.
Is there something planned to fix the issue?
Here is a small overview of what is working and what not:
<AuditSubcategory>: not working, get the error and no results
<Computerconfig>: works
<Userconfig>: works
<SecurityTemplate>: get that error again; the registry values are getting checked but Privilege Rights are not
As read in the other comments I also checked the %TEMP% folder for log files to get more information but could not find any.
- FLeven (Copper Contributor)
Deleted I have exactly the same problem; might it be a non-US language problem? I also run PA 4.0 on DE systems.
The reported line differs between client and server, and I am missing the effective state of all audit policies if I ignore the error message.
- Deleted
FLeven and @bennn2806 : at what point does this happen? What are you doing when the error message appears?
- FLeven (Copper Contributor)
Deleted
It is a problem with the GPOs on the local system. I managed to run "Compare to effective state" on a non-domain-joined machine, but it will not work on a domain-joined machine in the "Computers" OU, where the Default Domain Policy is applied.
Also, it will work if I choose a simple GPO without Sec or Audit policies.
I am using the "MSFT-Win10-WS-v1809-FINAL.PolicyRules" shipped with PA 4.
As you can see, the effective state of the Audit Policy entries is empty, because it failed to compare them for whatever reason.
I did some cleanup of my local auditpols etc. but no dice.