KloinerFeigling83

My feedback

  1. 1 vote
    0 comments  ·  General Feedback » Interoperability & Integration
    KloinerFeigling83 shared this idea  · 
  2. 3 votes
    5 comments  ·  General Feedback » Bug
    KloinerFeigling83 shared this idea  · 
    KloinerFeigling83 commented  · 

    The file was visible in Explorer, but empty except for the header. Rebooting and reapplying the policy didn't work.

    Now I did something I usually wouldn't do. I added "Authenticated Users" with Full Permissions.

    And then it instantly started logging:

    21:21:16,7661387 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 2.831, Length: 114, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:16,7663507 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 2.945, Length: 722, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:18,2505349 System 4 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 0, Length: 4.096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal NT AUTHORITY\SYSTEM
    21:21:18,2515695 System 4 SetEndOfFileInformationFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS EndOfFile: 3.667 NT AUTHORITY\SYSTEM
    21:21:26,5941882 System 4 FASTIO_ACQUIRE_FOR_CC_FLUSH C:\Windows\System32\LogFiles\Firewall SUCCESS NT AUTHORITY\SYSTEM
    21:21:26,5942149 System 4 WriteFile C:\Windows\System32\LogFiles\Firewall SUCCESS Offset: 0, Length: 4.096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal NT AUTHORITY\SYSTEM
    21:21:26,5951630 System 4 FASTIO_RELEASE_FOR_CC_FLUSH C:\Windows\System32\LogFiles\Firewall SUCCESS NT AUTHORITY\SYSTEM
    21:21:29,8911002 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 3.667, Length: 69, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:29,8913203 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 3.736, Length: 913, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:29,8916986 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 4.649, Length: 81, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:29,8919285 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 4.730, Length: 612, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:29,8921255 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 5.342, Length: 84, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:29,8923141 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 5.426, Length: 963, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:29,8927561 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 6.389, Length: 72, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:29,8928512 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 6.461, Length: 222, Priority: Normal NT AUTHORITY\LOCAL SERVICE
    21:21:29,8930073 svchost.exe 1640 WriteFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Offset: 6.683, Length: 84, Priority: Normal NT AUTHORITY\LOCAL SERVICE

    And yeah, I reproduced it 3 times.
    I wonder if that's a bug...

    KloinerFeigling83 commented  · 

    So I took a look with Procmon.
    svchost.exe tries to CreateFile, but throws no error:

    21:19:57,9985237 svchost.exe 1640 QueryOpen C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log FAST IO DISALLOWED NT AUTHORITY\LOCAL SERVICE
    21:19:57,9986597 svchost.exe 1640 CreateFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS Desired Access: Read Attributes, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened NT AUTHORITY\LOCAL SERVICE
    21:19:57,9987095 svchost.exe 1640 QueryBasicInformationFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS CreationTime: 19.06.2019 20:50:30, LastAccessTime: 19.06.2019 20:50:30, LastWriteTime: 19.06.2019 20:50:30, ChangeTime: 19.06.2019 21:05:59, FileAttributes: A NT AUTHORITY\LOCAL SERVICE
    21:19:57,9987315 svchost.exe 1640 CloseFile C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS NT AUTHORITY\LOCAL SERVICE
    21:19:57,9987626 svchost.exe 1640 IRP_MJ_CLOSE C:\Windows\System32\LogFiles\Firewall\pfirewall-domain.log SUCCESS NT AUTHORITY\LOCAL SERVICE
    21:19:57,9989181 svchost.exe 1640 QueryOpen C:\Windows\System32\LogFiles\Firewall FAST IO DISALLOWED NT AUTHORITY\LOCAL SERVICE
    21:19:57,9990346 svchost.exe 1640 CreateFile C:\Windows\System32\LogFiles\Firewall SUCCESS Desired Access: Read Attributes, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened NT AUTHORITY\LOCAL SERVICE
    21:19:57,9990746 svchost.exe 1640 QueryBasicInformationFile C:\Windows\System32\LogFiles\Firewall SUCCESS CreationTime: 16.07.2016 15:23:22, LastAccessTime: 19.06.2019 20:50:30, LastWriteTime: 19.06.2019 20:50:30, ChangeTime: 19.06.2019 21:18:38, FileAttributes: D NT AUTHORITY\LOCAL SERVICE
    21:19:57,9992285 svchost.exe 1640 CloseFile C:\Windows\System32\LogFiles\Firewall SUCCESS NT AUTHORITY\LOCAL SERVICE
    21:19:57,9992520 svchost.exe 1640 IRP_MJ_CLOSE C:\Windows\System32\LogFiles\Firewall SUCCESS NT AUTHORITY\LOCAL SERVICE

    KloinerFeigling83 commented  · 

    Created the GPO and applied it, even rebooted. No log file was created, so I opened the Firewall and took a look. And right when I opened it, the log file showed up, but only the header was written. Nothing more.

    The ACLs on the pfirewall-domain.log file:

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\SYSTEM
    IsInherited : False
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Administrators
    IsInherited : False
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Network Configuration Operators
    IsInherited : False
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : NT SERVICE\MpsSvc
    IsInherited : False
    InheritanceFlags : None
    PropagationFlags : None

    KloinerFeigling83 commented  · 

    After configuring the domain controller:
    c:\Windows\System32\LogFiles\Firewall

    FileSystemRights : ReadAndExecute, Synchronize
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\Authenticated Users
    IsInherited : True
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : -1610612736
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\Authenticated Users
    IsInherited : True
    InheritanceFlags : ContainerInherit, ObjectInherit
    PropagationFlags : InheritOnly

    FileSystemRights : ReadAndExecute, Synchronize
    AccessControlType : Allow
    IdentityReference : BUILTIN\Server Operators
    IsInherited : True
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : -1610612736
    AccessControlType : Allow
    IdentityReference : BUILTIN\Server Operators
    IsInherited : True
    InheritanceFlags : ContainerInherit, ObjectInherit
    PropagationFlags : InheritOnly

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Administrators
    IsInherited : True
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : 268435456
    AccessControlType : Allow
    IdentityReference : BUILTIN\Administrators
    IsInherited : True
    InheritanceFlags : ContainerInherit, ObjectInherit
    PropagationFlags : InheritOnly

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\SYSTEM
    IsInherited : True
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : 268435456
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\SYSTEM
    IsInherited : True
    InheritanceFlags : ContainerInherit, ObjectInherit
    PropagationFlags : InheritOnly

    FileSystemRights : 268435456
    AccessControlType : Allow
    IdentityReference : CREATOR OWNER
    IsInherited : True
    InheritanceFlags : ContainerInherit, ObjectInherit
    PropagationFlags : InheritOnly

    KloinerFeigling83 commented  · 

    What do the permissions on the filesystem look like?

    Get-ACL after plain OS installation and also after CU installation:

    c:\Windows\System32\LogFiles\Firewall

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\SYSTEM
    IsInherited : False
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Administrators
    IsInherited : False
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Network Configuration Operators
    IsInherited : False
    InheritanceFlags : None
    PropagationFlags : None

    FileSystemRights : FullControl
    AccessControlType : Allow
    IdentityReference : NT SERVICE\MpsSvc
    IsInherited : False
    InheritanceFlags : None
    PropagationFlags : None
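An added PowerShell example, not from this thread, that audits the ACLs on the firewall log directory and the domain-profile log and decodes the raw FileSystemRights numbers (268435456 and -1610612736) that appear in the Get-Acl output above. The paths, the log file name and the checks for NT SERVICE\MpsSvc and Authenticated Users are assumptions taken from the values quoted in the comments.

```powershell
# Added example (not from the thread): audit the ACLs on the Windows Firewall log
# directory and profile log, decoding the raw rights numbers that Get-Acl prints.
param(
    [string]$LogDir  = 'C:\Windows\System32\LogFiles\Firewall',
    [string]$LogFile = 'pfirewall-domain.log'   # assumption: domain-profile log name from the thread
)

# Generic access bits, in decimal to avoid signed hex literals in PowerShell.
# Get-Acl shows the mask as Int32: 268435456 = GENERIC_ALL, -1610612736 = GENERIC_READ|GENERIC_EXECUTE.
$GenericBits = [ordered]@{
    268435456  = 'GENERIC_ALL'      # 0x10000000
    536870912  = 'GENERIC_EXECUTE'  # 0x20000000
    1073741824 = 'GENERIC_WRITE'    # 0x40000000
    2147483648 = 'GENERIC_READ'     # 0x80000000
}

function ConvertTo-UnsignedRights {
    # Reinterpret the signed enum value as the unsigned 32-bit access mask.
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    return ([long][int]$Rights) -band 4294967295
}

function ConvertTo-RightsText {
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    $raw   = ConvertTo-UnsignedRights $Rights
    $names = @(foreach ($bit in $GenericBits.Keys) { if ($raw -band $bit) { $GenericBits[$bit] } })
    $specific = $raw -band 268435455   # low 28 bits: standard and object-specific rights
    if ($specific) { $names += ([System.Security.AccessControl.FileSystemRights][int]$specific).ToString() }
    return ($names -join ', ')
}

function Test-AceGrantsWrite {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $writeMask = 268435456 + 1073741824 + 2 + 4   # GENERIC_ALL | GENERIC_WRITE | WriteData | AppendData
    return [bool]((ConvertTo-UnsignedRights $Ace.FileSystemRights) -band $writeMask)
}

foreach ($path in @($LogDir, (Join-Path $LogDir $LogFile))) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "$path does not exist"; continue }
    $acl = Get-Acl -LiteralPath $path
    $acl.Access | ForEach-Object {
        [pscustomobject]@{ Identity = $_.IdentityReference.Value; Type = $_.AccessControlType
                           Rights = ConvertTo-RightsText $_.FileSystemRights; Inherited = $_.IsInherited }
    } | Format-Table -AutoSize | Out-String | Write-Host
    $writers = @($acl.Access | Where-Object { Test-AceGrantsWrite $_ } | ForEach-Object { $_.IdentityReference.Value })
    # The Procmon trace shows MpsSvc (svchost as LOCAL SERVICE) writing the log, so its service SID needs write access.
    if ($writers -notcontains 'NT SERVICE\MpsSvc') { Write-Warning "No write ACE for NT SERVICE\MpsSvc on $path" }
    # Flag the broad workaround from the thread: Authenticated Users with write or full control.
    if ($writers -contains 'NT AUTHORITY\Authenticated Users') { Write-Warning "Authenticated Users can write to $path" }
}
```

The inherit-only ACEs in the directory listing carry only generic bits, which Get-Acl prints as bare numbers; decoding them shows which inherited grants a newly created log file would actually receive.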
