Windows 10: Need to Repair svchost.exe Security: Resending Rule Blocking Child Processes

I was experimenting on my own system with process hardening for launching files in Windows 10 Pro, under "App & browser control" -> "Exploit protection" -> "Program Settings".


I had added custom settings for svchost.exe, and enabled several rules, specifically the rule "Do not allow child processes" switched to "on", and to override the system setting.


I did this in an attempt to try a simple method to both block the oh-so-many frivolous background processes which clutter my system's resources, while also testing for mitigation methods against USB-exploits by self-executing code (firmware rootkit mitigation).


Unfortunately I can no longer edit administrative settings, as clicking "apply" or initializing any other system task requiring an unrestrained svchost process no longer works. My system is effectively now a 'very' secure 'dumb windows client' seemingly without any system-altering process access. UAC is non-invokable, do to inability to confirm actions; when attempted a dialog box does come up, but clicking "OK" does nothing, or spawns an Exception dialog box: "The process creation has been blocked".


The actual configuration ():

Code:

<AppConfig Executable="svchost.exe">
    <DEP Enable="true" EmulateAtlThunks="true" />
    <ASLR ForceRelocateImages="true" RequireInfo="true" BottomUp="true" HighEntropy="true" />
    <StrictHandle Enable="true" />
    <SystemCalls DisableWin32kSystemCalls="false" Audit="true" />
    <ExtensionPoints DisableExtensionPoints="true" />
    <DynamicCode BlockDynamicCode="true" AllowThreadsToOptOut="false" Audit="false" />
    <ControlFlowGuard Enable="true" SuppressExports="false" StrictControlFlowGuard="true" />
    <SignedBinaries MicrosoftSignedOnly="true" AllowStoreSignedBinaries="true" Audit="false" AuditStoreSigned="false" EnforceModuleDependencySigning="true" />
    <Fonts DisableNonSystemFonts="true" AuditOnly="false" Audit="false" />
    <ImageLoad BlockRemoteImageLoads="true" AuditRemoteImageLoads="false" BlockLowLabelImageLoads="true" AuditLowLabelImageLoads="false" />
    <Payload EnableExportAddressFilter="true" AuditEnableExportAddressFilter="false" EnableExportAddressFilterPlus="true" AuditEnableExportAddressFilterPlus="false" EnableImportAddressFilter="true" AuditEnableImportAddressFilter="false" EnableRopStackPivot="true" AuditEnableRopStackPivot="false" EnableRopCallerCheck="true" AuditEnableRopCallerCheck="false" EnableRopSimExec="true" AuditEnableRopSimExec="false" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
    <ChildProcess DisallowChildProcessCreation="true" Audit="false" />
  </AppConfig>

Note that any problems mentioned here began immediately after 'locking-down' svchost.exe.


I would rather not reinstall the OS, nor use a system restore point, but may as a last resort; my goal is to undo this crippling action during runtime.


My Question: Assuming it is possible, how should I be able to mitigate this problem?


Thanks in advance for any advice or solutions! "Complicated" solutions or hints are welcome, if solely to restore workability.

:)

 

Analyzing Svchost processes in Windows

Here's how to track down detailed information about any Svchost.exe process running in Windows 7/8.

a) You can use the Tasklist command-line tool to learn which services are running in a Svchost.exe. Just run cmd (command prompt) and hit

Tasklist /svc /fo list

Scroll through the list and find what you need. It's not quite intuitive so you can use third party programs with gui. See below:

b) You can use svchost viewer. Best utility. Note: to run this under XP you need .Net framework 2.0





c) Svchost Process Analyzer is another app for that.





d) And another app called Svchost lookup tool





e) And it won't hurt if you use Process Explorer and System Explorer.


It's never bad to keep your system under control, plus all these apps are portable no installation is required.

kthbai

 

Block Google Chrome for Child

I have 5 kids to setup content restrictions for. Though I love that Microsoft gives the power to have the safety features it does, the process is RIDICULOUS if you are doing it for more than 1 child!!!

I attempted to setup my 3 younger kids to only have access to a couple of specific websites, but no other sites. During that process I removed Google Chrome from the blocked apps list. What I did not know was that I had to use Microsoft Edge (one of the
worst browsers ever) to use the feature that only allows certain sites. So now Google Chrome is no longer a blocked app, but yet the site has no way to just add it back.

I looked up how to block an app and was SHOCKED by the official info from Microsoft. See Below. Basically your kid has to use an app before you can add it to the blocked list. Doesn't that defy the purpose of having safety features for a child?

Besides... I used my child's account and opened Chrome, yet it still DID NOT show up in their activity list in order to block it. NOW WHAT?

FROM MICROSOFT

Blocking specific apps is possible with the Microsoft Account's Family Safety Feature. To block a specific application on your child's account, it is a requirement that the app must be used by your child, so that it will appear in under the Recent Activity
list. For your child's security, you can log in as the child and launch the app to satisfy this requirement.

Follow these steps to successfully block specific applications:

1. Visit the Microsoft Family website and then sign in your Microsoft Account.
2. Click the account of the child that you want to block from using an app.
3. Select Recent Activity.
4. Click to ensure that Activity Reporting is turned on.
5. Scroll down and look for Apps & Games.
6. Choose the apps that you want to block on your child's account.
7. Click Block to block usage of the app.

 

child in ms family - resend the invitation

Hi Sudibar,



Thank you for posting your query on Microsoft Community.



I understand that you are facing issues with Windows 10. Sorry for the inconvenience caused to you.

The issue could occur if there is issue while resending the child invitation.

In order to help you better, please provide the information:

1. Are you able to see the child account on family list in the family safety website?

2. Are you getting any error message when you try to resend the invitation to child's email address?



Refer to the below methods and check if it helps.



I suggest you to run the family safety troubleshooter and check if it helps.

http://go.microsoft.com/?linkid=9836307

Reply to us with the information, so that we can assist you better.

Get back to us if you need any further assistance on Windows related issues and we will be glad to help.