• Is MS doing things less securely now?

    #2414823

    I’ve been using “Windows 10” since build 1809 and did extensive testing before I switched over to it. I realize not many people use “Protected Services” aka “LaunchProtected” aka “Protected Process Light” so I may end up talking to myself here or receiving the standard “it’s your fault for doing something MS didn’t intend” responses…but here I go anyway….

    One of the first things I did before I switched to Windows 10 was to test every single Windows Service that used “svchost” with “LaunchProtected” enabled. I found the ones that worked and the others that didn’t. A surprising number of them did work at that time and still do. Over the years however I’ve noticed a couple points where after a particular ‘update’ certain things that used to work alongside these protected services stopped working.

    In the past Remote Procedure Call (RPC) [RpcSS] & RPC Endpoint Mapper [RpcEptMapper] were fine as long as they were both set as “LaunchProtected” together as they require a shared svchost instance. After some update (sadly I didn’t write down the KB number but this can still be reproduced by using an original 1809 or earlier ISO with no updates and adding the latest) three issues started, all of them via GUIs:

    1. Attempting to edit rules in Windows Security > App & browser control > Exploit protection settings > Program settings > ‘name.exe’ fails with ‘Unexpected error. Sorry, we ran into a problem. Please try again’ and results in the rule not getting updated…altering the rule via registry updates it just fine.
    2. A user or admin cannot start the Windows ScanDisk GUI aka “Check”. You click it and nothing happens…Options via cmd etc work without issue.
    3. A user or admin cannot open the Windows NTFS Security > Owner > Change interface, showing an error of ‘Can’t open the access control editor. Access is denied.’ Options via cmd/ps etc work without issue.

    Since that time I’ve updated to 21H2 and had no new issues until today! After installing KB5009543 I found a new issue with a service that’s worked fine for years, set as PPL, causing issues. This time it is the User Profile Service (ProfSvc). While set as “LaunchProtected” and attempting to run as a new user things like runas, psexec etc fail with ‘Not enough memory resources are available to process this command.’ While trying to login directly to a new user it pops up with ‘Windows couldn’t connect to the User Profile Service service. Please consult your system administrator’

    Yes it says ‘Service service’ due to the name of the service…and yes the service is running and yes I can login to existing users just fine.

    I realize not many people use a ‘locked down’ version of Windows services via the LaunchProtected flag but my understanding is that it’s designed to ‘protect’ a service against different things (aka potential threats) such as access to said service’s memory or descriptors or threads or debugging or even terminating/killing. As such I’m left wondering if these ‘failures’ that I’ve seen creeping up via “updates” mean that certain aspects of Windows are actually doing things LESS securely now than they were originally. I mean if things used to work without such direct access being allowed to said service(s) how is it suddenly more secure to require such access in order to function normally [eg as it used to]?

    And so back to my topic question…Is MS doing things less securely now or am I missing something?

    • This topic was modified 1 year, 4 months ago by Susan Bradley.
    • This topic was modified 1 year, 4 months ago by btmp.
    • #2415581

      From what I read, a service must have a trusted certificate and register with the system for LaunchProtected to be used. It does not appear to me that you can just designate a process as LaunchProtected and have that be effective.

      --Joe

      • #2416085

        The svchost is the generic “service host” used by most Windows processes and is trusted and comes with a few instances that already use LaunchProtected, which is how the system knows to protect that service. You can also check the PsProtectedSignerWindows-Light status to verify that it is in fact running as protected after setting the LaunchProtected dword and a reboot. However that is actually all mostly unrelated to the issues I’ve noticed after KB Updates. Thanks though.
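
The following PowerShell is an added example, not code from any poster in this thread: it lists the LaunchProtected value configured for each Win32 service and warns when services that name the same `svchost.exe -k` group carry different values, the situation the original post describes for RpcSs and RpcEptMapper. It assumes the value is read from `HKLM\SYSTEM\CurrentControlSet\Services\<name>` and that a shared `-k` group can mean a shared host process; it reads configuration only and does not confirm the protection level of the running process.

```powershell
# Added example (not from the thread): read-only audit of the per-service
# LaunchProtected value. Run elevated so every service key is readable.

# SERVICE_LAUNCH_PROTECTED_* values as documented for ChangeServiceConfig2
$levels = @{ 0 = 'None'; 1 = 'Windows'; 2 = 'WindowsLight'; 3 = 'AntimalwareLight' }
$root   = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$services = foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    # Keep Win32 services only (type bits 0x10 own-process, 0x20 shared-process);
    # kernel and file-system drivers live under the same key and are skipped.
    if (-not $p -or -not $p.ImagePath) { continue }
    if ((($p.Type -as [int]) -band 0x30) -eq 0) { continue }

    $lp = [int]$p.LaunchProtected   # an absent value reads as 0 (None)

    # Assumption: services whose ImagePath names the same "svchost.exe -k <group>"
    # may be hosted in one process, so they are compared as a group below.
    $group = if ($p.ImagePath -match 'svchost\.exe"?\s+-k\s+(\S+)') { $Matches[1] } else { $null }

    [pscustomobject]@{
        Service   = $key.PSChildName
        Value     = $lp
        Level     = if ($levels.ContainsKey($lp)) { $levels[$lp] } else { "Unknown ($lp)" }
        HostGroup = $group
    }
}

# Services that have any protection level configured
$services | Where-Object Value -ne 0 |
    Sort-Object HostGroup, Service |
    Format-Table Service, Level, HostGroup -AutoSize

# svchost groups whose members do not all share one LaunchProtected value
$services | Where-Object HostGroup | Group-Object HostGroup | Where-Object {
    @($_.Group.Value | Sort-Object -Unique).Count -gt 1
} | ForEach-Object {
    $members = ($_.Group | ForEach-Object { '{0}={1}' -f $_.Service, $_.Level }) -join ', '
    Write-Warning ("Mixed LaunchProtected values in svchost group '{0}': {1}" -f $_.Name, $members)
}
```

Saving the table before and after installing an update gives a baseline to compare against when a protected service starts failing.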
