Apr 30 2020 02:43 AM - edited Oct 08 2023 01:36 AM
Mar 17 2021 03:20 AM
Any chance someone will take a look into fixing the problems described by multiple individuals in this thread? As the responsibility of the PA is to assist in security compliance reports, it should work in any environment, without flaws. If I have to question any result of this software, I cannot use it at all.
Maybe the security-related tools could be the tools Microsoft will open source and put on GitHub?
Mar 18 2021 07:23 AM
Maybe you can open up a support request here
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-compliance-toolkit-10
I have an English OS but with "German" region. So for analyzing you might install Win10 in English until it is fixed.
Mar 31 2022 05:16 AM
@FLeven I think I have the solution to this problem and it's really trivial. I think the problem is that the software can't read certain characters. I could solve this problem by going into an existing .policyrule file and editing out the unreadable character, which was an '&'. However, I still have problems using the effective state function because I get an error regarding secedit/auditpol and I can't find the 'EntityName' which causes the problem. I searched for files in %SystemRoot%\Security\Templates but there are multiple files and none of them have 'line 168 position 82' as stated in the error report. Even all lines combined don't reach 168, so I don't know which files Policy Analyzer is referring to. Anyone has an idea where auditpol/secedit files on a domain machine are stored and used by Policy Analyzer?
May 20 2022 02:59 AM
@Deleted I've got the same problem on German Windows versions. Luckily, I managed to grab the offending file from the %tmp% directory. The problem is the unescaped ampersand (&) in the following line:
<AuditSubcategory><GUID>{0CCE9248-69AE-11D9-BED3-505054503030}</GUID><Name>Plug & Play-Ereignisse</Name><Setting>0</Setting><SourceFile>C:\Users\Administrator.DOMAIN\AppData\Local\Temp\tmp16F8.tmp</SourceFile><PolicyName>SERVER - auditpol /backup</PolicyName></AuditSubcategory>
This is the "Audit PNP Activity" policy, or "PNP-Überwachungsaktivität" in German.
However, I don't have any idea for a workaround yet. The %tmp% file seems to be created with a random name and exists only for the fraction of a second. And the localized string does not come from the .adml files.
May 20 2022 03:35 AM
@Deleted Good find, search for hardeningkitty and forget about the clunky old Policy Analyzer.
May 20 2022 11:59 AM
@FLeven - FWIW, I looked up hardeningkitty and it is more dependent on US-English than Policy Analyzer is.
Also FWIW, I'd really like to see these bugs fixed as well.
@FLeven Thanks for pointing me to hardeningkitty, didn't know about this before! Do you already have a German account name section you could share?
May 23 2022 12:59 AM - edited May 23 2022 01:00 AM
@Deleted I found the origin of the offending string with the ampersand in German Windows, it's C:\Windows\System32\de-DE\msobjs.dll.mui.
If I disable the localization by taking ownership of the file, adding access rights, renaming it and rebooting, the error message in Policy Analyzer is gone.
You can also see the offending string by running auditpol /backup /file:backup.csv.
Of course it's still a bug in Policy Analyzer that it doesn't properly sanitize/escape the messages.
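The two findings above (the "EntityName ... line 168 position 82" XML reader error and the unescaped ampersand in the localized "Plug & Play-Ereignisse" name) are the same defect seen from two sides: a producer writes a raw `&` into XML, and any conforming XML parser then rejects the document at that line and column. The following Python script is an added illustration, not code from the thread or from Policy Analyzer. It builds a sample fragment modelled on the auditpol backup line quoted above (the GUID is the one from the thread; the temp path is a placeholder), shows where a strict parser fails, and demonstrates both the consumer-side repair (escape bare ampersands before parsing) and the producer-side fix (escape text when generating the XML). The function names are my own.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample modelled on the auditpol backup fragment quoted in the thread.
# The GUID is the one from the thread; the SourceFile path is a placeholder.
SAMPLE_FRAGMENT = (
    "<AuditSubcategory>"
    "<GUID>{0CCE9248-69AE-11D9-BED3-505054503030}</GUID>"
    "<Name>Plug & Play-Ereignisse</Name>"
    "<Setting>0</Setting>"
    "<SourceFile>C:\\PLACEHOLDER\\tmp0000.tmp</SourceFile>"
    "<PolicyName>SERVER - auditpol /backup</PolicyName>"
    "</AuditSubcategory>"
)

# An '&' is only legal in XML text when it starts an entity or character reference
# (&amp; &lt; &gt; &quot; &apos; &#123; &#x1F;). Anything else is a bare ampersand.
_BARE_AMP = re.compile(r"&(?!(?:amp|lt|gt|quot|apos|#\d+|#x[0-9A-Fa-f]+);)")


def escape_bare_ampersands(xml_text: str) -> str:
    """Consumer-side repair: turn bare '&' into '&amp;' without touching valid references."""
    return _BARE_AMP.sub("&amp;", xml_text)


def parse_error_position(xml_text: str):
    """Return (line, column) of the first well-formedness error, or None if the text parses.

    This is the kind of position a tool reports as 'line N position M'."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return exc.position
    return None


def subcategory_names(xml_text: str) -> dict:
    """Parse an auditpol-style fragment (repairing bare '&' first) and map GUID -> localized Name."""
    root = ET.fromstring(escape_bare_ampersands(xml_text))
    result = {}
    for sub in root.iter("AuditSubcategory"):
        result[sub.findtext("GUID")] = sub.findtext("Name")
    return result


def build_subcategory(guid: str, name: str, setting: int) -> str:
    """Producer-side fix: escape every text value when emitting XML, so localized
    strings containing '&', '<' or '>' can never break the consumer."""
    return (
        "<AuditSubcategory>"
        f"<GUID>{escape(guid)}</GUID>"
        f"<Name>{escape(name)}</Name>"
        f"<Setting>{setting}</Setting>"
        "</AuditSubcategory>"
    )


if __name__ == "__main__":
    print("raw fragment error at (line, column):", parse_error_position(SAMPLE_FRAGMENT))
    print("after repair:", subcategory_names(SAMPLE_FRAGMENT))
    print("correctly produced:", build_subcategory(
        "{0CCE9248-69AE-11D9-BED3-505054503030}", "Plug & Play-Ereignisse", 0))
```

The regex deliberately leaves `&amp;` and friends alone, so running the repair twice is harmless; the producer-side `build_subcategory` is the actual fix the last post asks for, since a tool that escapes on output never needs the repair at all.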