• Is MS doing things less securely now?

    Home » Forums » AskWoody support » Windows » Windows 10 » Questions: Win10 » Is MS doing things less securely now?


    I’ve been using “Windows 10” since build 1809 and did extensive testing before I switched over to it. I realize not many people use “Protected Services” aka “LaunchProtected” aka “Protected Process Light” so I may end up talking to myself here or receiving the standard “it’s your fault for doing something MS didn’t intend” responses…but here I go anyway….

    One of the first things I did before I switched to Windows 10 was to test every single Windows Service that used “svchost” with “LaunchProtected” enabled. I found the ones that worked and the others that didn’t. A surprising number of them did work at that time and still do. Over the years however I’ve noticed a couple points where after a particular ‘update’ certain things that used to work alongside these protected services stopped working.

    In the past Remote Procedure Call (RPC) [RpcSS] & RPC Endpoint Mapper [RpcEptMapper] were fine as long as they were both set as “LaunchProtected” together as they require a shared svchost instance. After some update (sadly I didn’t write down the KB number but this can still be reproduced by using an original 1809 or earlier ISO with no updates and adding the latest) three issues started, all of them via GUI’s

    1. Attempting to edit rules in Windows Security >  App & browser control > Exploit protection settings >  Program settings > ‘name.exe’ fails with ‘Unexpected error. Sorry, we ran into a problem. Please try again’ and results in the rule not getting updated…altering the rule via registry updates it just fine
    2. A user or admin cannot start the Windows Scanddisk GUI aka “Check”. You click it and nothing happens…Options via cmd etc work without issue.
    3. A user or admin cannot open the Windows NTFS Security > Owner > Change interface showing an error of ‘Can’t open the access control editor. Access is denied.’ Options via cmd/ps etc work without issue

    Since that time I’ve updated to 21H2 and had no new issues until today! After installing KB5009543 I found a new issue with a service that’s worked fine for years, set as PPL, causing issues. This time it is the User Profile Service (ProfSvc). While set as “LaunchProtected” and attempting to run as a new user things like runas, psexec etc fail with ‘Not enough memory resources are available to process this command.’ While trying to login directly to a new user it pops up with ‘Windows couldn’t connect to the User Profile Service service. Please consult your system administrator’

    Yes it says ‘Service service’ due to the name of the service…and yes the service is running and yes I can login to existing users just fine.

    I realize not many people use a ‘locked down’ version of Windows services via the LaunchProtected flag but my understanding is that it’s designed to ‘protect’ a service against different things  (aka potential threats) such as access to said services memory or descriptors or threads or debugging or even terminating/killing. As such I’m left wondering if these ‘failures’ that I’ve seen creeping up via “updates” mean that certain aspects of Windows are actually doing things LESS securely now than they were originally. I mean if things used to work without such direct access being allowed to said service(s) how is it suddenly more secure to require such access in order to function normally [eg as it used to]?

    And so back to my topic question…Is MS doing things less securely now or am I missing something?

    • This topic was modified 1 year, 4 months ago by Susan Bradley.
    • This topic was modified 1 year, 4 months ago by btmp.
    • This topic was modified 1 year, 4 months ago by btmp.
    • This topic was modified 1 year, 4 months ago by btmp.
    Viewing 1 reply thread
    • #2415581

      From what I read, a service must have a trusted certificate and register with the system for LanuchProtected to be used. It does not appear to me that you can just designate a process as LanuchProtected and have that be effective.


      • #2416085

        The svchost is the generic “service host” used by most windows processes and is trusted and comes with a few instances that already use LaunchProtected, which is how the system knows to protect that service. You can also check the PsProtectedSignerWindows-Light status to verify that it is in fact running as protected after setting the LaunchProtected dword and a reboot. However that is actually all mostly unrelated to the issues I’ve noticed after KB Updates. Thanks though.

    • #2422920
    Viewing 1 reply thread
    Reply To: Is MS doing things less securely now?

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: