A small console application that generates WDAC policy files from any installer.
The generated policy includes the installer itself and it's contents. Most known exe- and msi-based installers are supported.
Explore the docs »
Report Bug ·
Request Feature
A small console application that generates WDAC policy files from any installer. The generated policy includes the installer itself and it's contents. Most known exe- and msi-based installers are supported.
This project utilizes Universal Extractor 2 (UniExtract2) for extraction and the native New-CIPolicy command for policy generation.
The generated policy includes all executables and dll-files with level Publisher
and Hash
as fallback.
The values of FriendlyName
& ID
attributes will be changed for better readability.
To start using MakePolicyFromApp
as fast as possible, download the latest release from this project page.
You do not need any runtime enviroment because it's a self-contained applications and framework-independent.
- Windows 10 10.0.17763.0 Pro or higher
⚠️ WDAC is only supported on PRO or higher
Execute this application from the commandline. There is no GUI-support.
Description:
Usage:
MakePolicyFromApp [command] [options]
Options:
--version Show version information
-?, -h, --help Show help and usage information
Commands:
analyze Analyzes the installer and prints the content to stdout.
generate Analyzes the installer and generates a WDAC policy file.
Description:
Analyzes the installer and generates a WDAC policy file.
Usage:
MakePolicyFromApp generate [options]
Options:
-i, --input, --input-file <input-file> (REQUIRED) The installer that will be analyzed. []
-n, --context-name, --name <context-name> Friendly name for policy. If not set, the name will be derived from the installer. []
-o, --output, --output-file <output-file> The output file path to the policy file. If not set, the content will be printed to stdout. []
-e, --extractor <extractor> The extractor that is used to extract the input file. Options are 'universal' and 'innoextract'. If not
specified, 'universal' is used. [default: universal]
-?, -h, --help Show help and usage information
Generate policy for 7-zip 21.03:
.\MakePolicyFromApp.exe generate -i "%UserProfile%\Downloads\7z2103-x64.exe" -o "%UserProfile%\Downloads\7z2103-x64.xml"
That will generate the policy file:
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
<Rule>
<Option>Enabled:Audit Mode</Option>
</Rule>
<Rule>
<Option>Enabled:Advanced Boot Options Menu</Option>
</Rule>
<Rule>
<Option>Required:Enforce Store Applications</Option>
</Rule>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
</Rules>
<!--EKUS-->
<EKUs />
<!--File Rules-->
<FileRules>
<Allow ID="ID_ALLOW_INSTALLER_7Z2103_X64_EXE_HASH_SHA1" FriendlyName="[7-Zip (21.03 beta)]/installer/7z2103-x64.exe Hash Sha1" Hash="3656BD07B69BAE0B139D8D7AE46A9550E1E678B5" />
<Allow ID="ID_ALLOW_INSTALLER_7Z2103_X64_EXE_HASH_SHA256" FriendlyName="[7-Zip (21.03 beta)]/installer/7z2103-x64.exe Hash Sha256" Hash="F4FF3236EF9FA0857B3411217AE3792CAB604DC8223AE5069A06E772A6ACBCF5" />
<Allow ID="ID_ALLOW_INSTALLER_7Z2103_X64_EXE_HASH_PAGE_SHA1" FriendlyName="[7-Zip (21.03 beta)]/installer/7z2103-x64.exe Hash Page Sha1" Hash="CB86E9406C5AB8976980CD5661FA9FCA5E19DB49" />
<Allow ID="ID_ALLOW_INSTALLER_7Z2103_X64_EXE_HASH_PAGE_SHA256" FriendlyName="[7-Zip (21.03 beta)]/installer/7z2103-x64.exe Hash Page Sha256" Hash="9EE089B041A2E38EC0B5D11611B11EDE5E95DF79D06AA6BB3FAC71A4631C9201" />
<Allow ID="ID_ALLOW_APP_7_ZIP_DLL_HASH_SHA1" FriendlyName="[7-Zip (21.03 beta)]/app/7-zip.dll Hash Sha1" Hash="D2F64880AA0777D4D790E779E03CEBF063BF9D8C" />
<Allow ID="ID_ALLOW_APP_7_ZIP_DLL_HASH_SHA256" FriendlyName="[7-Zip (21.03 beta)]/app/7-zip.dll Hash Sha256" Hash="6F5DB7517C28F7C1F9902B7CA87B8C801D951B4CDB1524F7BFC40BD6E4222FB1" />
<Allow ID="ID_ALLOW_APP_7_ZIP_DLL_HASH_PAGE_SHA1" FriendlyName="[7-Zip (21.03 beta)]/app/7-zip.dll Hash Page Sha1" Hash="B8591FDBF3D9E55A5E510EB92CB68610F63EAC19" />
<Allow ID="ID_ALLOW_APP_7_ZIP_DLL_HASH_PAGE_SHA256" FriendlyName="[7-Zip (21.03 beta)]/app/7-zip.dll Hash Page Sha256" Hash="F71E5AC4A5223C5A35E82F6DDDE6E850BDEBE528BAD0068780ACBBEE29FABFA3" />
<Allow ID="ID_ALLOW_APP_7_ZIP32_DLL_HASH_SHA1" FriendlyName="[7-Zip (21.03 beta)]/app/7-zip32.dll Hash Sha1" Hash="86E44F26AE05627688824D953D65707B98DC7C6B" />
<Allow ID="ID_ALLOW_APP_7_ZIP32_DLL_HASH_SHA256" FriendlyName="[7-Zip (21.03 beta)]/app/7-zip32.dll Hash Sha256" Hash="AD6799C9B7075BAAE284C6DE932E34135C797750393759282D2ECC2CE66106B7" />
<Allow ID="ID_ALLOW_APP_7_ZIP32_DLL_HASH_PAGE_SHA1" FriendlyName="[7-Zip (21.03 beta)]/app/7-zip32.dll Hash Page Sha1" Hash="D975B4A1C16DB7004F8D78CFC004739010D7042E" />
<Allow ID="ID_ALLOW_APP_7_ZIP32_DLL_HASH_PAGE_SHA256" FriendlyName="[7-Zip (21.03 beta)]/app/7-zip32.dll Hash Page Sha256" Hash="6F9B47BDDF28660A0CB72977B629798544E1F6A378CA334B7ACE6558261A6A46" />
<Allow ID="ID_ALLOW_APP_7Z_DLL_HASH_SHA1" FriendlyName="[7-Zip (21.03 beta)]/app/7z.dll Hash Sha1" Hash="3732F42E8BFE9F61EDD74A8538068B8CD3D52020" />
<Allow ID="ID_ALLOW_APP_7Z_DLL_HASH_SHA256" FriendlyName="[7-Zip (21.03 beta)]/app/7z.dll Hash Sha256" Hash="13FD37D47A5D484BE81A8E7FF48EE381613F5E4A523D9319A49EBA48C6464446" />
<Allow ID="ID_ALLOW_APP_7Z_DLL_HASH_PAGE_SHA1" FriendlyName="[7-Zip (21.03 beta)]/app/7z.dll Hash Page Sha1" Hash="32AB619A08FD6EF6ED6A2D8AF25221C898C64E44" />
<Allow ID="ID_ALLOW_APP_7Z_DLL_HASH_PAGE_SHA256" FriendlyName="[7-Zip (21.03 beta)]/app/7z.dll Hash Page Sha256" Hash="A274117B0444362B9FAC837DE7BFCF0BD72ABD018BB42D6AA41A254C0453A4F7" />
<Allow ID="ID_ALLOW_APP_7Z_EXE_HASH_SHA1" FriendlyName="[7-Zip (21.03 beta)]/app/7z.exe Hash Sha1" Hash="A52A499DA618C8718416B7FE501594084B5BF567" />
<Allow ID="ID_ALLOW_APP_7Z_EXE_HASH_SHA256" FriendlyName="[7-Zip (21.03 beta)]/app/7z.exe Hash Sha256" Hash="6D6DCB50290182A27707B98C2BFE2C00B55125618BF349854D654A0060840775" />
<Allow ID="ID_ALLOW_APP_7Z_EXE_HASH_PAGE_SHA1" FriendlyName="[7-Zip (21.03 beta)]/app/7z.exe Hash Page Sha1" Hash="B513DCBAB6F0F32E8704EBAEB374D8AD2BEB597A" />
<Allow ID="ID_ALLOW_APP_7Z_EXE_HASH_PAGE_SHA256" FriendlyName="[7-Zip (21.03 beta)]/app/7z.exe Hash Page Sha256" Hash="5A47C5479DD86F4B0DCF43B936F5219D703427BFF4BD9628C6291DAA56D99B3B" />
<Allow ID="ID_ALLOW_APP_7Z_SFX_HASH_SHA1" FriendlyName="[7-Zip (21.03 beta)]/app/7z.sfx Hash Sha1" Hash="F2468F7FE47659790F331CAF5BB4665A89E9E4B1" />
<Allow ID="ID_ALLOW_APP_7Z_SFX_HASH_SHA256" FriendlyName="[7-Zip (21.03 beta)]/app/7z.sfx Hash Sha256" Hash="614D8154E1AD2155ACF732F809FBC8D93737DF88A05B182F1911BF297C4EE326" />
<Allow ID="ID_ALLOW_APP_7Z_SFX_HASH_PAGE_SHA1" FriendlyName="[7-Zip (21.03 beta)]/app/7z.sfx Hash Page Sha1" Hash="0ED5F24AEBF7CC2C79F9CD8D228F2314FD88796B" />
<Allow ID="ID_ALLOW_APP_7Z_SFX_HASH_PAGE_SHA256" FriendlyName="[7-Zip (21.03 beta)]/app/7z.sfx Hash Page Sha256" Hash="3DF452D729C9638238B8BA6ADC05794702E6B8416421BDDCF3B6E86B8BD2F56C" />
<Allow ID="ID_ALLOW_APP_7ZCON_SFX_HASH_SHA1" FriendlyName="[7-Zip (21.03 beta)]/app/7zCon.sfx Hash Sha1" Hash="F2CCBFB2CD892343118BA794A2A22E5C6490BF00" />
<Allow ID="ID_ALLOW_APP_7ZCON_SFX_HASH_SHA256" FriendlyName="[7-Zip (21.03 beta)]/app/7zCon.sfx Hash Sha256" Hash="93F7013C34F0EE56C5F993018B8E49E9771B838CDC0A13C3E7A337AD7F71126F" />
<Allow ID="ID_ALLOW_APP_7ZCON_SFX_HASH_PAGE_SHA1" FriendlyName="[7-Zip (21.03 beta)]/app/7zCon.sfx Hash Page Sha1" Hash="083D96E6A7BAE84D0A22C7D77666790B88991700" />
<Allow ID="ID_ALLOW_APP_7ZCON_SFX_HASH_PAGE_SHA256" FriendlyName="[7-Zip (21.03 beta)]/app/7zCon.sfx Hash Page Sha256" Hash="3BDA4F5FA1885AB763A12A9BD646AC41E4A87B7C755E425487254176F7A35935" />
<Allow ID="ID_ALLOW_APP_7ZFM_EXE_HASH_SHA1" FriendlyName="[7-Zip (21.03 beta)]/app/7zFM.exe Hash Sha1" Hash="A16B9E7E853777D0454A1FC20CF361B47A643FCF" />
<Allow ID="ID_ALLOW_APP_7ZFM_EXE_HASH_SHA256" FriendlyName="[7-Zip (21.03 beta)]/app/7zFM.exe Hash Sha256" Hash="5AA58111C8C73CDAE2059D072FE31A8A5615D95AF834D9FEA39E0652F34EFC29" />
<Allow ID="ID_ALLOW_APP_7ZFM_EXE_HASH_PAGE_SHA1" FriendlyName="[7-Zip (21.03 beta)]/app/7zFM.exe Hash Page Sha1" Hash="AA387FD2D5F8BBAD1447F7116241178545D13CAE" />
<Allow ID="ID_ALLOW_APP_7ZFM_EXE_HASH_PAGE_SHA256" FriendlyName="[7-Zip (21.03 beta)]/app/7zFM.exe Hash Page Sha256" Hash="97B7BCACD9A2CD2012C73DBD47269FC6D60F973B07699888971A6249668F8B72" />
<Allow ID="ID_ALLOW_APP_7ZG_EXE_HASH_SHA1" FriendlyName="[7-Zip (21.03 beta)]/app/7zG.exe Hash Sha1" Hash="AE88FF5A69C2210B00CB8D0678E55A0013CB9F7C" />
<Allow ID="ID_ALLOW_APP_7ZG_EXE_HASH_SHA256" FriendlyName="[7-Zip (21.03 beta)]/app/7zG.exe Hash Sha256" Hash="29667EFFE2655D8C754540150BFE6FE9031F43469CF00909903B6839E7947837" />
<Allow ID="ID_ALLOW_APP_7ZG_EXE_HASH_PAGE_SHA1" FriendlyName="[7-Zip (21.03 beta)]/app/7zG.exe Hash Page Sha1" Hash="2E16B86E75DC1A58124F22DA0424CA4CE1A0D5BA" />
<Allow ID="ID_ALLOW_APP_7ZG_EXE_HASH_PAGE_SHA256" FriendlyName="[7-Zip (21.03 beta)]/app/7zG.exe Hash Page Sha256" Hash="3295F54CDC8417C2F0B5E2688F50CF197E6A1D1FAB3575817E5656E1E780ABF2" />
<Allow ID="ID_ALLOW_APP_UNINSTALL_EXE_HASH_SHA1" FriendlyName="[7-Zip (21.03 beta)]/app/Uninstall.exe Hash Sha1" Hash="2F2D12810BE397D2B1FD7442A183BCDEBEF6790B" />
<Allow ID="ID_ALLOW_APP_UNINSTALL_EXE_HASH_SHA256" FriendlyName="[7-Zip (21.03 beta)]/app/Uninstall.exe Hash Sha256" Hash="73EC8914F246B2E33B24292EE95781C55CA192ABC1ADC60DE049FCED611FF559" />
<Allow ID="ID_ALLOW_APP_UNINSTALL_EXE_HASH_PAGE_SHA1" FriendlyName="[7-Zip (21.03 beta)]/app/Uninstall.exe Hash Page Sha1" Hash="2B3EE40C6634E03FFFF683BE12A3AB631A1E2FC2" />
<Allow ID="ID_ALLOW_APP_UNINSTALL_EXE_HASH_PAGE_SHA256" FriendlyName="[7-Zip (21.03 beta)]/app/Uninstall.exe Hash Page Sha256" Hash="AEE67CD1E7A85AC2B07594AF26D42F88CB5908BCE2950BB1558E115167CE37F1" />
</FileRules>
<!--Signers-->
<Signers />
<!--Driver Signing Scenarios-->
<SigningScenarios>
<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Generated policy for "7-Zip (21.03 beta)" (10.09.2021)">
<ProductSigners />
</SigningScenario>
<SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Generated policy for "7-Zip (21.03 beta)" (10.09.2021)">
<ProductSigners>
<FileRulesRef>
<FileRuleRef RuleID="ID_ALLOW_INSTALLER_7Z2103_X64_EXE_HASH_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_INSTALLER_7Z2103_X64_EXE_HASH_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_INSTALLER_7Z2103_X64_EXE_HASH_PAGE_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_INSTALLER_7Z2103_X64_EXE_HASH_PAGE_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_APP_7_ZIP_DLL_HASH_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_APP_7_ZIP_DLL_HASH_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_APP_7_ZIP_DLL_HASH_PAGE_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_APP_7_ZIP_DLL_HASH_PAGE_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_APP_7_ZIP32_DLL_HASH_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_APP_7_ZIP32_DLL_HASH_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_APP_7_ZIP32_DLL_HASH_PAGE_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_APP_7_ZIP32_DLL_HASH_PAGE_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_APP_7Z_DLL_HASH_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_APP_7Z_DLL_HASH_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_APP_7Z_DLL_HASH_PAGE_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_APP_7Z_DLL_HASH_PAGE_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_APP_7Z_EXE_HASH_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_APP_7Z_EXE_HASH_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_APP_7Z_EXE_HASH_PAGE_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_APP_7Z_EXE_HASH_PAGE_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_APP_7Z_SFX_HASH_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_APP_7Z_SFX_HASH_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_APP_7Z_SFX_HASH_PAGE_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_APP_7Z_SFX_HASH_PAGE_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_APP_7ZCON_SFX_HASH_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_APP_7ZCON_SFX_HASH_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_APP_7ZCON_SFX_HASH_PAGE_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_APP_7ZCON_SFX_HASH_PAGE_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_APP_7ZFM_EXE_HASH_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_APP_7ZFM_EXE_HASH_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_APP_7ZFM_EXE_HASH_PAGE_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_APP_7ZFM_EXE_HASH_PAGE_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_APP_7ZG_EXE_HASH_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_APP_7ZG_EXE_HASH_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_APP_7ZG_EXE_HASH_PAGE_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_APP_7ZG_EXE_HASH_PAGE_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_APP_UNINSTALL_EXE_HASH_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_APP_UNINSTALL_EXE_HASH_SHA256" />
<FileRuleRef RuleID="ID_ALLOW_APP_UNINSTALL_EXE_HASH_PAGE_SHA1" />
<FileRuleRef RuleID="ID_ALLOW_APP_UNINSTALL_EXE_HASH_PAGE_SHA256" />
</FileRulesRef>
</ProductSigners>
</SigningScenario>
</SigningScenarios>
<UpdatePolicySigners />
<CiSigners />
<HvciOptions>0</HvciOptions>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
</SiPolicy>
Description:
Analyzes the installer and prints the content to stdout.
Usage:
MakePolicyFromApp analyze [options]
Options:
-i, --input, --input-file <input-file> (REQUIRED) The installer that will be analyzed. []
-e, --extractor <extractor> The extractor that is used to extract the input file. Options are 'universal' and 'innoextract'. If not
specified, 'universal' is used. [default: universal]
-?, -h, --help Show help and usage information
Analyze the installer of 7-zip 21.03:
.\MakePolicyFromApp.exe analyze -i "%UserProfile%\Downloads\7z2103-x64.exe"
That will generate the output (on stdout):
--------------------------------------------
| Result | FileName |
--------------------------------------------
| FileNotSigned | app\7-zip.dll |
--------------------------------------------
| FileNotSigned | app\7-zip32.dll |
--------------------------------------------
| FileNotSigned | app\7z.dll |
--------------------------------------------
| FileNotSigned | app\7z.exe |
--------------------------------------------
| FileNotSigned | app\7zFM.exe |
--------------------------------------------
| FileNotSigned | app\7zG.exe |
--------------------------------------------
| FileNotSigned | app\Uninstall.exe |
--------------------------------------------
| FileNotSigned | installer\7z2103-x64.exe |
--------------------------------------------
Count: 8
DONE
Main feature: Generation of policies
OPEN
Quality of life: Logging level
See the open issues for a list of proposed features (and known issues).
To get a local copy up and running follow these simple steps.
This is an example of how to list things you need to use the software and how to install them.
- Download and install .Net SDK (which includes dotnet-cli)
- Visual Studio 2022 (Preview)
- Clone the repo
git clone https://github.com/Gitii/MakePolicyFromApp.git
- Install nuget packages (optional, Visual Studio will do that for you)
dotnet restore
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
- Fork the Project
- Create your Feature Branch (
git checkout -b feature/AmazingFeature
) - Commit your Changes (
git commit -m 'Add some AmazingFeature'
) - Push to the Branch (
git push origin feature/AmazingFeature
) - Open a Pull Request
Distributed under the MIT License. See LICENSE
for more information.
Project Link: https://github.com/Gitii/MakePolicyFromApp