Problem Updating VS Code - Blocked By AppLocker Due To Insufficient Information In Update Executable

[aakash-shah]

Issue Type: Bug

I am seeing an update for Visual Studio Code. In our environment, we have whitelisted the following:

Publisher: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Product Name: VISUAL STUDIO CODE
File name and File Version: *

However, when an update attempts to install, it appears to run a .tmp file as an EXE. However, this file has no product name associated with it and hence cannot run. Note that not all Microsoft signed products are allowed in this environment since there are some products we don't want users to be able to run/execute. Can we get these update files to also include a Product Name in the signature, ideally "VISUAL STUDIO CODE", or something static that doesn't change that we can whitelist?

Here is the error produced when attempting to run this update (I have removed the personal information):

Log Name:      Microsoft-Windows-AppLocker/EXE and DLL
Source:        Microsoft-Windows-AppLocker
Event ID:      8004
Task Category: None
Level:         Error
Keywords:      
Description:
%OSDRIVE%\USERS\USERNAME\APPDATA\LOCAL\TEMP\IS-PUPV1.TMP\CODESETUP-STABLE-51B0B28134D51361CF996D2F0A1C698247AEABD8.TMP was prevented from running.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" />
    <EventID>8004</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <EventRecordID>20593012</EventRecordID>
    <Correlation />
    <Execution ProcessID="22100" ThreadID="23936" />
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyNameLength>3</PolicyNameLength>
      <PolicyName>EXE</PolicyName>
      <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId>
      <RuleNameLength>1</RuleNameLength>
      <RuleName>-</RuleName>
      <RuleSddlLength>1</RuleSddlLength>
      <RuleSddl>-</RuleSddl>
      <TargetProcessId>21196</TargetProcessId>
      <FilePathLength>116</FilePathLength>
      <FilePath>%OSDRIVE%\USERS\USERNAME\APPDATA\LOCAL\TEMP\IS-PUPV1.TMP\CODESETUP-STABLE-51B0B28134D51361CF996D2F0A1C698247AEABD8.TMP</FilePath>
      <FileHashLength>32</FileHashLength>
      <FileHash>5EF92093632A6169A704045D1925E0AC4382B311FDE22FAF8242454A24D7AFCB</FileHash>
      <FqbnLength>69</FqbnLength>
      <Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\\51.1052.0.00</Fqbn>
      <TargetLogonId>0x632748</TargetLogonId>
    </RuleAndFileData>
  </UserData>
</Event>

VS Code version: Code 1.31.1 (1b8e830, 2019-02-12T02:20:54.427Z)
OS version: Windows_NT x64 10.0.17134

System Info

Item	Value
CPUs	Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz (8 x 3600)
GPU Status	2d_canvas: enabled checker_imaging: disabled_off flash_3d: enabled flash_stage3d: enabled flash_stage3d_baseline: enabled gpu_compositing: enabled multiple_raster_threads: enabled_on native_gpu_memory_buffers: disabled_software rasterization: enabled surface_synchronization: enabled_on video_decode: enabled webgl: enabled webgl2: enabled
Memory (System)	31.89GB (17.54GB free)
Process Argv
Screen Reader	no
VM	0%

[aakash-shah]

If I can provide any other information, or if anything I wrote is unclear, please let me know and I'll be happy to provide more information.

Thanks!

[joaomoreno]

Can we get these update files to also include a Product Name in the signature, ideally "VISUAL STUDIO CODE", or something static that doesn't change that we can whitelist?

Can you tell me what values that TMP file has that you could already filter on?

[aakash-shah]

Can we get these update files to also include a Product Name in the signature, ideally "VISUAL STUDIO CODE", or something static that doesn't change that we can whitelist?

Can you tell me what values that TMP file has that you could already filter on?

Hello! Here is more information about the tmp file:

File Path: C:\USERS\USERNAME\APPDATA\LOCAL\TEMP\IS-PUPV1.TMP\CODESETUP-STABLE-51B0B28134D51361CF996D2F0A1C698247AEABD8.TMP

File Hash: 5EF92093632A6169A704045D1925E0AC4382B311FDE22FAF8242454A24D7AFCB

The signature logged by AppLocker shows "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\51.1052.0.00", which implies that it's signed by MS and has a version number, but no product name registered in the signature with this file.

Usually the other VS Code EXE's I have encountered have the Product Name "Product Name: VISUAL STUDIO CODE" associated with it, but this tmp file does not unfortunately have this.

Please let me know if you need any other information that I can help provide.

Thanks!

[joaomoreno]

Unfortunately I'm not sure we can customize the generated tmp file from Inno Setup... The product name is simply empty?

[vscodebot]

This issue has been closed automatically because it needs more information and has not had recent activity. See also our issue reporting guidelines.

Happy Coding!

[aakash-shah]

Unfortunately I'm not sure we can customize the generated tmp file from Inno Setup... The product name is simply empty?

Correct. Here are the file details of the file being blocked when attempting to run the update (it shows no Product Name:

PS C:\> (Get-Item 'C:\Users\username\AppData\Local\Temp\is-A07A3.tmp\CodeSetup-stable-a622c65b2c713c890fcf4fbf07cf34049d5fe758.tmp').VersionInfo | Format-List *

FileVersionRaw     : 51.1052.0.0
ProductVersionRaw  : 0.0.0.0
Comments           : 
CompanyName        : 
FileBuildPart      : 0
FileDescription    : Setup/Uninstall
FileMajorPart      : 51
FileMinorPart      : 1052
FileName           : C:\Users\username\AppData\Local\Temp\is-A07A3.tmp\CodeSetup-stable-a622c65b2c713c890fcf4fbf07cf34049d5fe758.tmp
FilePrivatePart    : 0
FileVersion        : 51.1052.0.0
InternalName       : 
IsDebug            : False
IsPatched          : False
IsPrivateBuild     : False
IsPreRelease       : False
IsSpecialBuild     : False
Language           : Language Neutral
LegalCopyright     : 
LegalTrademarks    : 
OriginalFilename   : 
PrivateBuild       : 
ProductBuildPart   : 0
ProductMajorPart   : 0
ProductMinorPart   : 0
ProductName        : 
ProductPrivatePart : 0
ProductVersion     : 
SpecialBuild       : 

Compare this to for instance to code.exe of VS Code that has a Product Name:

PS C:\> (Get-Item "C:\Program Files\Microsoft VS Code\Code.exe").VersionInfo | fl *

FileVersionRaw     : 1.31.1.0
ProductVersionRaw  : 1.31.1.0
Comments           : 
CompanyName        : Microsoft Corporation
FileBuildPart      : 1
FileDescription    : Visual Studio Code
FileMajorPart      : 1
FileMinorPart      : 31
FileName           : C:\Program Files\Microsoft VS Code\Code.exe
FilePrivatePart    : 0
FileVersion        : 1.31.1
InternalName       : electron.exe
IsDebug            : False
IsPatched          : False
IsPrivateBuild     : False
IsPreRelease       : False
IsSpecialBuild     : False
Language           : English (United States)
LegalCopyright     : Copyright (C) 2019 Microsoft. All rights reserved
LegalTrademarks    : 
OriginalFilename   : electron.exe
PrivateBuild       : 
ProductBuildPart   : 1
ProductMajorPart   : 1
ProductMinorPart   : 31
ProductName        : Visual Studio Code
ProductPrivatePart : 0
ProductVersion     : 1.31.1
SpecialBuild       : 

Here is the AppLocker information that is being read by the system for the failing .tmp file being read as a EXE:

PS C:\> (Get-AppLockerFileInformation 'C:\Users\username\AppData\Local\Temp\is-A07A3.tmp\CodeSetup-stable-a622c65b2c713c890fcf4fbf07cf34049d5fe758.tmp') | fl *

Path      : %OSDRIVE%\USERS\USERNAME\APPDATA\LOCAL\TEMP\IS-A07A3.TMP\CODESETUP-STABLE-A622C65B2C713C890FCF4FBF07CF34049D5FE758.TMP
Publisher : O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\,51.1052.0.0
Hash      : SHA256 0x5EF92093632A6169A704045D1925E0AC4382B311FDE22FAF8242454A24D7AFCB
AppX      : False

The text "\\" in the Publisher shows the lack of a product name (the product name would have been between the 2 slashes). For instance here is how code.exe that has a product name looks:

PS C:\> Get-AppLockerFileInformation 'C:\Program Files\Microsoft VS Code\Code.exe' | fl *

Path      : %PROGRAMFILES%\MICROSOFT VS CODE\CODE.EXE
Publisher : O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\VISUAL STUDIO CODE\ELECTRON.EXE,1.31.1.0
Hash      : SHA256 0x488A7C781B6E4BF11D45E4EC063CE6AFC81106FD7ACB0A41D3DCD2D440A7596B
AppX      : False

Note that whatever mechanism is producing this file, it is producing a digitally signed file. Hence, if it's able to sign the file, I would imagine it should be possible to add a product name to these setup EXE file.

I have attached the file in question as a Zip file (since .tmp files were not permitted) in case it helps troubleshoot this.
CodeSetup-stable-a622c65b2c713c890fcf4fbf07cf34049d5fe758.zip

Please let me know if I can provide any other information.

Thanks!