Fixed bug with processing SafePathsToAllow

Author: jsuther1974

AaronLocker/Create-Policies-AppLocker.ps1

@@ -277,6 +277,23 @@ $xRuleCollections = $xDocument.SelectNodes("//RuleCollection[@Type='Exe' or @Typ
 foreach($xRuleCollection in $xRuleCollections)
 {
     $PathsToAllow | foreach {
+        # If path is an existing directory and doesn't have trailing "\*" appended, fix it so that it does.
+        # If path is a file, don't append \*. If the path ends with \*, no need for further validation.
+        # If it doesn't end with \* but Get-Item can't identify it as a file or a directory, write a warning and accept it as is.
+        $pathToAllow = $_
+        if (!$pathToAllow.EndsWith("\*"))
+        {
+            $pathItem = Get-Item $pathToAllow -Force -ErrorAction SilentlyContinue
+            if ($pathItem -eq $null)
+            {
+                Write-Warning "Cannot verify path $pathItem; adding to rule set as is."
+            }
+            elseif ($pathItem -is [System.IO.DirectoryInfo])
+            {
+                Write-Warning "Appending `"\*`" to rule for $pathToAllow"
+                $pathToAllow = [System.IO.Path]::Combine($pathToAllow, "*")
+            }
+        }
         $elemRule = $xDocument.CreateElement("FilePathRule")
         $elemRule.SetAttribute("Action", "Allow")
         $elemRule.SetAttribute("UserOrGroupSid", "S-1-1-0")

AaronLocker/Create-Policies-WDAC.ps1

@@ -57,7 +57,23 @@ $WDACPathsToAllow += $env:ProgramFiles+"\*"
 if ($null -ne ${env:ProgramFiles(x86)}) {$WDACPathsToAllow += (${env:ProgramFiles(x86)}+"\*")}
 
 $WDACPathsToAllow | foreach {
+    # If path is an existing directory and doesn't have trailing "\*" appended, fix it so that it does.
+    # If path is a file, don't append \*. If the path ends with \*, no need for further validation.
+    # If it doesn't end with \* but Get-Item can't identify it as a file or a directory, write a warning and accept it as is.
     $pathToAllow = $_
+    if (!$pathToAllow.EndsWith("\*"))
+    {
+        $pathItem = Get-Item $pathToAllow -Force -ErrorAction SilentlyContinue
+        if ($pathItem -eq $null)
+        {
+            Write-Warning "Cannot verify path $pathToAllow; adding to rule set as is."
+        }
+        elseif ($pathItem -is [System.IO.DirectoryInfo])
+        {
+            Write-Warning "Appending `"\*`" to rule for $pathToAllow"
+            $pathToAllow = [System.IO.Path]::Combine($pathToAllow, "*")
+        }
+    }
     $WDACAllowRules += & New-CIPolicyRule -FilePathRule $pathToAllow -AllowFileNameFallbacks
 }
 

AaronLocker/Create-Policies.ps1

@@ -228,25 +228,6 @@ if ( $Rescan -or ( ($AppLockerOrWDAC -in "Both","AppLocker") -and !(Test-Path($E
 # Get additional authorized safe paths from the script that produces that list 
 Write-Host "Get authorized safe paths for later processing..." -ForegroundColor Cyan
 $PathsToAllow = (& $ps1_GetSafePathsToAllow)
-$PathsToAllow | foreach {
-    # If path is an existing directory and doesn't have trailing "\*" appended, fix it so that it does.
-    # If path is a file, don't append \*. If the path ends with \*, no need for further validation.
-    # If it doesn't end with \* but Get-Item can't identify it as a file or a directory, write a warning and accept it as is.
-    $pathToAllow = $_
-    if (!$pathToAllow.EndsWith("\*"))
-    {
-        $pathItem = Get-Item $pathToAllow -Force -ErrorAction SilentlyContinue
-        if ($pathItem -eq $null)
-        {
-            Write-Warning "Cannot verify path $pathItem; adding to rule set as is."
-        }
-        elseif ($pathItem -is [System.IO.DirectoryInfo])
-        {
-            Write-Warning "Appending `"\*`" to rule for $pathToAllow"
-            $pathToAllow = [System.IO.Path]::Combine($pathToAllow, "*")
-        }
-    }
-}
 
 # Run the script that gets "unsafe" user-writable paths for later processing. Should come in as a sequence of hashtables.
 if ( !(Test-Path($ps1_UnsafePathsToBuildRulesFor)) )