
Problem Updating VS Code - Blocked By AppLocker Due To Insufficient Information In Update Executable #73805

Closed · aakash-shah opened this issue May 16, 2019 · 21 comments
Labels: bug (Issue identified by VS Code Team member as probable bug), install-update (VS Code installation and upgrade system issues), verified (Verification succeeded), windows (VS Code on Windows issues)

@aakash-shah

aakash-shah commented May 16, 2019

Issue Type: Bug

I am seeing an update for Visual Studio Code. In our environment, we have whitelisted the following:

Publisher: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Product Name: VISUAL STUDIO CODE
File name and File Version: *

However, when an update attempts to install, it appears to run a .tmp file as an EXE, and this file has no product name associated with it and hence cannot run. Note that not all Microsoft-signed products are allowed in this environment, since there are some products we don't want users to be able to run/execute. Can we get these update files to also include a Product Name in the signature, ideally "VISUAL STUDIO CODE", or something static that doesn't change that we can whitelist?

Here is the error produced when attempting to run this update (I have removed the personal information):

Log Name:      Microsoft-Windows-AppLocker/EXE and DLL
Source:        Microsoft-Windows-AppLocker
Event ID:      8004
Task Category: None
Level:         Error
Keywords:      
Description:
%OSDRIVE%\USERS\USERNAME\APPDATA\LOCAL\TEMP\IS-PUPV1.TMP\CODESETUP-STABLE-51B0B28134D51361CF996D2F0A1C698247AEABD8.TMP was prevented from running.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" />
    <EventID>8004</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <EventRecordID>20593012</EventRecordID>
    <Correlation />
    <Execution ProcessID="22100" ThreadID="23936" />
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyNameLength>3</PolicyNameLength>
      <PolicyName>EXE</PolicyName>
      <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId>
      <RuleNameLength>1</RuleNameLength>
      <RuleName>-</RuleName>
      <RuleSddlLength>1</RuleSddlLength>
      <RuleSddl>-</RuleSddl>
      <TargetProcessId>21196</TargetProcessId>
      <FilePathLength>116</FilePathLength>
      <FilePath>%OSDRIVE%\USERS\USERNAME\APPDATA\LOCAL\TEMP\IS-PUPV1.TMP\CODESETUP-STABLE-51B0B28134D51361CF996D2F0A1C698247AEABD8.TMP</FilePath>
      <FileHashLength>32</FileHashLength>
      <FileHash>5EF92093632A6169A704045D1925E0AC4382B311FDE22FAF8242454A24D7AFCB</FileHash>
      <FqbnLength>69</FqbnLength>
      <Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\\51.1052.0.00</Fqbn>
      <TargetLogonId>0x632748</TargetLogonId>
    </RuleAndFileData>
  </UserData>
</Event>

VS Code version: Code 1.31.1 (1b8e830, 2019-02-12T02:20:54.427Z)
OS version: Windows_NT x64 10.0.17134

System Info
CPUs: Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz (8 x 3600)
GPU Status: 2d_canvas: enabled; checker_imaging: disabled_off; flash_3d: enabled; flash_stage3d: enabled; flash_stage3d_baseline: enabled; gpu_compositing: enabled; multiple_raster_threads: enabled_on; native_gpu_memory_buffers: disabled_software; rasterization: enabled; surface_synchronization: enabled_on; video_decode: enabled; webgl: enabled; webgl2: enabled
Memory (System): 31.89GB (17.54GB free)
Process Argv:
Screen Reader: no
VM: 0%
@vscodebot vscodebot bot added the install-update VS Code installation and upgrade system issues label May 16, 2019
@aakash-shah aakash-shah changed the title Improperly Signed File Blocked By AppLocker Problem Updating VS Code - Blocked By AppLocker Due To Insufficient Information In Signed File May 16, 2019
@aakash-shah aakash-shah changed the title Problem Updating VS Code - Blocked By AppLocker Due To Insufficient Information In Signed File Problem Updating VS Code - Blocked By AppLocker Due To Insufficient Information In Update Executable May 16, 2019
@aakash-shah (Author)

If I can provide any other information, or if anything I wrote is unclear, please let me know and I'll be happy to provide more information.

Thanks!

@joaomoreno (Member)

Can we get these update files to also include a Product Name in the signature, ideally "VISUAL STUDIO CODE", or something static that doesn't change that we can whitelist?

Can you tell me what values that TMP file has that you could already filter on?

@joaomoreno joaomoreno added the info-needed Issue requires more information from poster label May 23, 2019
@aakash-shah (Author)

aakash-shah commented May 23, 2019

Can we get these update files to also include a Product Name in the signature, ideally "VISUAL STUDIO CODE", or something static that doesn't change that we can whitelist?

Can you tell me what values that TMP file has that you could already filter on?

Hello! Here is more information about the tmp file:

File Path: C:\USERS\USERNAME\APPDATA\LOCAL\TEMP\IS-PUPV1.TMP\CODESETUP-STABLE-51B0B28134D51361CF996D2F0A1C698247AEABD8.TMP

File Hash: 5EF92093632A6169A704045D1925E0AC4382B311FDE22FAF8242454A24D7AFCB

The signature logged by AppLocker shows "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\51.1052.0.00", which implies that it's signed by MS and has a version number, but no product name registered in the signature with this file.

Usually the other VS Code EXEs I have encountered have the Product Name "Product Name: VISUAL STUDIO CODE" associated with them, but this tmp file unfortunately does not have this.

Please let me know if you need any other information that I can help provide.

Thanks!

@joaomoreno (Member)

Unfortunately I'm not sure we can customize the generated tmp file from Inno Setup... The product name is simply empty?

@vscodebot vscodebot bot closed this as completed May 31, 2019
@vscodebot

vscodebot bot commented May 31, 2019

This issue has been closed automatically because it needs more information and has not had recent activity. See also our issue reporting guidelines.

Happy Coding!

@aakash-shah (Author)

aakash-shah commented May 31, 2019

Unfortunately I'm not sure we can customize the generated tmp file from Inno Setup... The product name is simply empty?

Correct. Here are the file details of the file being blocked when attempting to run the update (it shows no Product Name):

PS C:\> (Get-Item 'C:\Users\username\AppData\Local\Temp\is-A07A3.tmp\CodeSetup-stable-a622c65b2c713c890fcf4fbf07cf34049d5fe758.tmp').VersionInfo | Format-List *

FileVersionRaw     : 51.1052.0.0
ProductVersionRaw  : 0.0.0.0
Comments           : 
CompanyName        : 
FileBuildPart      : 0
FileDescription    : Setup/Uninstall
FileMajorPart      : 51
FileMinorPart      : 1052
FileName           : C:\Users\username\AppData\Local\Temp\is-A07A3.tmp\CodeSetup-stable-a622c65b2c713c890fcf4fbf07cf34049d5fe758.tmp
FilePrivatePart    : 0
FileVersion        : 51.1052.0.0
InternalName       : 
IsDebug            : False
IsPatched          : False
IsPrivateBuild     : False
IsPreRelease       : False
IsSpecialBuild     : False
Language           : Language Neutral
LegalCopyright     : 
LegalTrademarks    : 
OriginalFilename   : 
PrivateBuild       : 
ProductBuildPart   : 0
ProductMajorPart   : 0
ProductMinorPart   : 0
ProductName        : 
ProductPrivatePart : 0
ProductVersion     : 
SpecialBuild       : 

Compare this, for instance, to Code.exe of VS Code, which has a Product Name:

PS C:\> (Get-Item "C:\Program Files\Microsoft VS Code\Code.exe").VersionInfo | fl *

FileVersionRaw     : 1.31.1.0
ProductVersionRaw  : 1.31.1.0
Comments           : 
CompanyName        : Microsoft Corporation
FileBuildPart      : 1
FileDescription    : Visual Studio Code
FileMajorPart      : 1
FileMinorPart      : 31
FileName           : C:\Program Files\Microsoft VS Code\Code.exe
FilePrivatePart    : 0
FileVersion        : 1.31.1
InternalName       : electron.exe
IsDebug            : False
IsPatched          : False
IsPrivateBuild     : False
IsPreRelease       : False
IsSpecialBuild     : False
Language           : English (United States)
LegalCopyright     : Copyright (C) 2019 Microsoft. All rights reserved
LegalTrademarks    : 
OriginalFilename   : electron.exe
PrivateBuild       : 
ProductBuildPart   : 1
ProductMajorPart   : 1
ProductMinorPart   : 31
ProductName        : Visual Studio Code
ProductPrivatePart : 0
ProductVersion     : 1.31.1
SpecialBuild       : 

Here is the AppLocker information that is being read by the system for the failing .tmp file being read as an EXE:

PS C:\> (Get-AppLockerFileInformation 'C:\Users\username\AppData\Local\Temp\is-A07A3.tmp\CodeSetup-stable-a622c65b2c713c890fcf4fbf07cf34049d5fe758.tmp') | fl *

Path      : %OSDRIVE%\USERS\USERNAME\APPDATA\LOCAL\TEMP\IS-A07A3.TMP\CODESETUP-STABLE-A622C65B2C713C890FCF4FBF07CF34049D5FE758.TMP
Publisher : O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\,51.1052.0.0
Hash      : SHA256 0x5EF92093632A6169A704045D1925E0AC4382B311FDE22FAF8242454A24D7AFCB
AppX      : False

The text "\\" in the Publisher shows the lack of a product name (the product name would have been between the 2 slashes). For instance here is how code.exe that has a product name looks:

PS C:\> Get-AppLockerFileInformation 'C:\Program Files\Microsoft VS Code\Code.exe' | fl *

Path      : %PROGRAMFILES%\MICROSOFT VS CODE\CODE.EXE
Publisher : O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\VISUAL STUDIO CODE\ELECTRON.EXE,1.31.1.0
Hash      : SHA256 0x488A7C781B6E4BF11D45E4EC063CE6AFC81106FD7ACB0A41D3DCD2D440A7596B
AppX      : False

Note that whatever mechanism is producing this file, it is producing a digitally signed file. Hence, if it's able to sign the file, I would imagine it should be possible to add a product name to these setup EXE files.

I have attached the file in question as a Zip file (since .tmp files were not permitted) in case it helps troubleshoot this.
CodeSetup-stable-a622c65b2c713c890fcf4fbf07cf34049d5fe758.zip

Please let me know if I can provide any other information.

Thanks!
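The comment above shows the two shapes an AppLocker publisher string can take: `Publisher\ProductName\BinaryName,Version` for Code.exe, and `Publisher\\,Version` for the Inno Setup .tmp whose product-name field is empty. The following PowerShell is an added example, not part of this issue or of VS Code's own tooling: it parses that string with a small helper and then sweeps the AppLocker "EXE and DLL" log for block events (Event ID 8004, the same event pasted at the top of the issue) where the publisher is one you trust but the product-name field is empty, which is exactly the file an administrator would need to hunt for after enabling a publisher rule that requires a product name. The channel name, event ID and field names are taken from the event XML in the issue; the trusted-publisher DN is the one quoted there; reading the AppLocker log assumes an elevated session.

```powershell
# Added example (not from the issue or from VS Code). Finds AppLocker 8004 block events
# whose signature comes from a trusted publisher but carries no product name.

$TrustedPublisher = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US'

function ConvertFrom-AppLockerFqbn {
    # Layout: Publisher\ProductName\BinaryName,Version
    # The publisher DN contains commas but no backslashes, so split on '\' first.
    param([Parameter(Mandatory)][string]$Fqbn)

    $parts = $Fqbn -split '\\'
    $tail  = if ($parts.Count -gt 2) { $parts[2..($parts.Count - 1)] -join '\' } else { '' }

    # The version is the run of digits and dots at the very end; the event in this
    # issue has "\\\51.1052.0.00" (no comma), Get-AppLockerFileInformation has ",51.1052.0.0".
    $version = if ($tail -match '[\d.]+$') { $Matches[0] } else { '' }
    $binary  = $tail -replace '[\\,]?[\d.]+$', ''

    [pscustomobject]@{
        Publisher   = $parts[0]
        ProductName = if ($parts.Count -gt 1) { $parts[1] } else { '' }
        BinaryName  = $binary
        Version     = $version
    }
}

function Get-AppLockerBlockedMissingProductName {
    param(
        [string]$Publisher = $TrustedPublisher,
        [int]$MaxEvents = 1000
    )
    # Channel and event ID are the ones shown in the issue's event record.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8004
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # UserData/RuleAndFileData carries FilePath, FileHash and Fqbn (see the event XML above).
        $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        $sig  = ConvertFrom-AppLockerFqbn -Fqbn ([string]$data.Fqbn)
        if ($sig.Publisher -eq $Publisher -and [string]::IsNullOrEmpty($sig.ProductName)) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                FilePath    = [string]$data.FilePath
                FileHash    = [string]$data.FileHash
                Version     = $sig.Version
            }
        }
    }
}

# Self-check of the parser against the two signature strings quoted in this issue
# (constructed here from the values the reporter posted, not read from a live system).
$blocked = ConvertFrom-AppLockerFqbn 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\\51.1052.0.00'
$allowed = ConvertFrom-AppLockerFqbn 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\VISUAL STUDIO CODE\ELECTRON.EXE,1.31.1.0'
"tmp product name: '$($blocked.ProductName)' (version $($blocked.Version)); Code.exe product name: '$($allowed.ProductName)' ($($allowed.BinaryName) $($allowed.Version))"

# Live sweep of the local AppLocker log.
Get-AppLockerBlockedMissingProductName | Format-Table -AutoSize
```

The self-check prints an empty product name for the .tmp string and `VISUAL STUDIO CODE` for Code.exe, which is the whole reason a rule written as Publisher + ProductName + `*` matches one file and not the other. Running the sweep across a fleet (for example through a remoting session or by forwarding the AppLocker channel) gives the list of signed-but-nameless binaries to raise with the vendor, rather than loosening the rule to publisher-only.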

@joaomoreno joaomoreno added feature-request Request for new features or functionality and removed info-needed Issue requires more information from poster labels Jun 3, 2019
@joaomoreno joaomoreno added this to the Backlog milestone Jun 3, 2019
@joaomoreno joaomoreno added the help wanted Issues identified as good community contribution opportunities label Jun 3, 2019
@joaomoreno joaomoreno removed their assignment Jun 3, 2019
@joaomoreno joaomoreno reopened this Jun 3, 2019
@buckley310

I am also getting this issue at work, and am available for testing / more information.

@aakash-shah (Author)

Hello! Just a friendly check in to see if we can provide any other information that can help add a Product Name to this signed update file?

Thanks!

@fluidum

fluidum commented Apr 18, 2020

The TMP file is a regular executable and it is digitally signed and it is not the case here.

The problem here is that Visual Studio doesn't have background updating functionality as Google Chrome has as an example. This process currently requires administrative rights to make changes in VSCode Program Files path.

AppLocker is meant to work without admin rights. The application installation path must not grant write permissions to the normal user. Otherwise it opens a door for attackers to bypass AppLocker application whitelisting.

Expected feature would be having an updating service to run on background that does all the updating magic in the background.

It is very annoying that software users have to use admin rights for updating their software all the time. It would be acceptable if Windows had a sudo feature built-in.

@buckley310

It is a perfectly valid AppLocker configuration to whitelist applications by digital signature and allow them to be run from writable folders. The signature ensures they have not been modified. (I'm not saying this is good or bad. I'm just saying it's valid.)

Unless someone working on vscode found and fixed the bug separately from this github issue, one of the temp files is actually being incorrectly signed. That should be fixed, regardless of whether the updates are handled by background services or by the user.

@joaomoreno (Member)

joaomoreno commented Jul 3, 2020

@aakash-shah Thanks for the very detailed explanation. I'll take a shot at this in July: https://stackoverflow.com/questions/47397961/inno-setup-uninstaller-versioninfo

@joaomoreno joaomoreno self-assigned this Jul 3, 2020
@joaomoreno joaomoreno removed the help wanted Issues identified as good community contribution opportunities label Jul 3, 2020
@joaomoreno joaomoreno modified the milestones: Backlog, July 2020 Jul 3, 2020
@joaomoreno joaomoreno removed the feature-request Request for new features or functionality label Jul 3, 2020
@joaomoreno joaomoreno added bug Issue identified by VS Code Team member as probable bug windows VS Code on Windows issues labels Jul 3, 2020
joaomoreno added a commit that referenced this issue Jul 3, 2020
@joaomoreno (Member)

@martijnlaan I noticed this was addressed on Inno Setup 6: jrsoftware/issrc@29757d7

Any chance we could backport that to a hypothetical 5.6.2?

Meanwhile I'll run some tests to see if we can update to 6 without big trouble.

@martijnlaan

@joaomoreno No sorry, Inno Setup 5 used (really) old compilers and I can no longer build it.

Let me know if you need help updating to version 6 but I think it shouldn't be too much of a problem. The compiler will recommend some changes but you could ignore those.

Note that version 6 contains changes specifically made because of the vscode script which enables you to simplify it:

  • You can use {autopf} instead of using ISPP to switch between {pf} and {userpf}.
  • You can use HKA instead of using ISPP to switch between HKCU and HKLM.
  • You can use a single AppId instead of having two. This allows the user to choose the install mode at runtime and allows you to get rid of the conflicting architecture checks in the vscode script. Although I suppose it's some work to switch to this while still being backward compatible with existing installations. If you choose to keep having two AppIds you can still use {autopf} and HKA.
  • ISPP array variables declared with #dim can now be initialized directly, like #dim MyArray[3] {1, 2, 3}. You can use this to replace the massive amount of lines related to extensions to use an array and a #sub. I actually started preparing a pull request for this a while ago but was unsuccessful because there are many inconsistencies in the way the various extensions are currently registered by the vscode script.

There's other reasons why you should update as well, like a more modern look, the use of more user friendly TaskDialog prompts in some places and improved protection against DLL hijacking, and more. After all, 5.6.1 is over two years old ;)

BTW I also noticed your IsNotUpdate and WizardNotSilent functions. You can get rid of those since you can for example just write: Check: not WizardSilent.

@joaomoreno (Member)

Great, many thanks for the write up. I already have builds running to give it a try.

One additional question: did the uninst*.dat file format change between the major versions? As you may or may not know we depend on inno-updater patching that file to accommodate for the file movements it does.

@martijnlaan

martijnlaan commented Jul 7, 2020

The uninst*.dat format hasn't changed in a very long time. Also, you don't get an extra .dat file if you update an existing installation which was made by a Non Unicode Inno Setup (which was supported by version 5 - don't know which one you were using) using a Unicode Inno Setup (like version 6). It does upgrade the version number of the file when you do that (from 48 to 1048) and I don't know if your inno-updater can handle that? I'm not familiar with it nor why it needs to look at the uninstall log.

@joaomoreno (Member)

Great, good to know. We were already on Unicode, so we'll be fine. We should also be good on the version number.

In order to minimize downtime during an update, we let Inno Setup place files in a temporary folder. We then shut down VS Code and use inno-updater to move the files to their correct location, which is pretty fast. VS Code can then come up really quickly. Since Inno Setup records in uninst*.dat the temporary file locations, inno-updater updates the file locations in the uninstall log as well.

@joaomoreno (Member)

Fixed by 0ff8647

@Raviuppa

Raviuppa commented Jul 8, 2020

Thank you Joao for the update and the fix.

@connor4312 connor4312 added the author-verification-requested Issues potentially verifiable by issue author label Aug 6, 2020
@github-actions

github-actions bot commented Aug 6, 2020

Unable to locate closing commit in issue timeline. You can manually reference a commit by commenting \closedWith someCommitSha.

@github-actions github-actions bot removed the author-verification-requested Issues potentially verifiable by issue author label Aug 6, 2020
@joaomoreno (Member)

\closedWith 0ff8647

@joaomoreno (Member)

joaomoreno commented Aug 7, 2020

Actually... verification steps:

  1. Install VS Code on Windows
  2. Go to the installation directory
  3. Right click unins000.exe, Properties, Details

Make sure product name and product version have values.

Before: (screenshot of the unins000.exe Details tab with empty Product name / Product version)

After: (screenshot of the unins000.exe Details tab with Product name / Product version filled in)
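The verification steps above check the Details tab by hand. As an added example that is not part of the issue or of VS Code's build scripts, the PowerShell below does the same check unattended, using the two commands the reporter used earlier in the thread: it reads the uninstaller's VersionInfo and asks Get-AppLockerFileInformation what publisher string AppLocker will evaluate, then fails if either ProductName or ProductVersion is empty or if the product-name field between the backslashes is blank. The default path assumes the per-machine install location shown in the issue (`C:\Program Files\Microsoft VS Code`); pass -Path for a per-user install or for the CodeSetup .tmp while an update is in flight.

```powershell
# Added example (not from the issue or from VS Code). Scripted form of the
# "Right click unins000.exe, Properties, Details" verification step.

function Test-UninstallerVersionInfo {
    param(
        # Per-machine default from the issue; a per-user install lives elsewhere.
        [string]$Path = (Join-Path $env:ProgramFiles 'Microsoft VS Code\unins000.exe')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Uninstaller not found: $Path"
    }

    # Same data the Details tab shows (and that the reporter dumped with Format-List *).
    $vi = (Get-Item -LiteralPath $Path).VersionInfo

    # What a publisher rule is matched against: Publisher\ProductName\BinaryName,Version.
    # The publisher DN contains no backslashes, so the second field is the product name.
    $publisherString  = [string](Get-AppLockerFileInformation -Path $Path).Publisher
    $fields           = $publisherString -split '\\'
    $appLockerProduct = if ($fields.Count -gt 1) { $fields[1] } else { '' }

    [pscustomobject]@{
        Path               = $Path
        ProductName        = $vi.ProductName
        ProductVersion     = $vi.ProductVersion
        AppLockerPublisher = $publisherString
        AppLockerProduct   = $appLockerProduct
        Passed             = -not [string]::IsNullOrWhiteSpace($vi.ProductName) -and
                             -not [string]::IsNullOrWhiteSpace($vi.ProductVersion) -and
                             -not [string]::IsNullOrWhiteSpace($appLockerProduct)
    }
}

$check = Test-UninstallerVersionInfo
$check | Format-List
if (-not $check.Passed) {
    Write-Warning "Uninstaller still lacks product metadata; a Publisher+ProductName AppLocker rule will not match it."
}
```

On a build before the fix the object comes back with an empty ProductName and an AppLockerPublisher ending in `\\,51.1052.0.0`, matching the output pasted earlier in the thread; on a fixed build all three fields are populated and Passed is True. Because the check reads the same signature data AppLocker itself uses, it is a more reliable gate for rolling out a new VS Code build into an AppLocker-managed environment than eyeballing the Properties dialog.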

@joaomoreno joaomoreno removed the unreleased Patch has not yet been released in VS Code Insiders label Aug 7, 2020
@roblourens roblourens added the verified Verification succeeded label Aug 10, 2020
@github-actions github-actions bot locked and limited conversation to collaborators Aug 22, 2020