Question

How to Block Snipping tool in BT

  • May 21, 2025
  • 1 reply
  • 107 views

Hi,
I have set a rule to block the Snipping Tool in the Deny List,
with the criteria:

Publisher matches Microsoft Corporation
and Product Description matches snippingtool.exe

but it didn't work.
Are there any suggestions, please?

 

1 reply

  • BeyondTrust Employee
  • May 23, 2025

If you use a passive rule to audit the program and pull the event, you will be able to see that this is actually a Windows Store Application.

 

 Host Domain Name NetBIOS: <None>
 Event ID: B58A5320-531A-4982-97C8-4890D0699365
 Process Start Time: 133924401027807608
 Process End Time: 0
 Event Time: 133924401027807608
 Authorizing User SID: <None>
 Authorizing User Name: <None>
 Authorizing User Domain SID: <None>
 Authorizing User Domain Name: <None>
 Authorizing User Domain Name NetBios: <None>
 Client IPV4: <None>
 Client Name:  <None>
 UAC Triggered: false
 File Owner SID: S-1-5-18
 File Owner Name: SYSTEM
 File Owner Domain SID: S-1-5
 File Owner Domain Name: NT AUTHORITY
 File Owner Domain Name NetBIOS: NT AUTHORITY
 Parent Process Unique ID: <None>
 Parent Process File Name: c:\windows\system32\svchost.exe
 COM CLSID: <None>
 COM AppID: <None>
 COM Display Name: <None>
 Source URL: <None>
 Authorization Challenge: <None>
 Windows Store App Name: Microsoft.ScreenSketch
 Windows Store App Publisher: <None>
 Windows Store App Version: 11.2409.25.0
 Drive Type: Fixed Disk
 Challenge Response Status: <None>
 PowerShell Command: <None>
 Application Workstyle Description: Snipping Tool
 Application Workstyle Id: c1f136d6-28ee-453f-bd95-fda62815fcea
 Message Type: Prompt
 IE Zone Tag: <None>
 MD5: 58F68A28F43AE748DB4B6CEAEB7A29E9
 Host Local SID: S-1-5-21-2867306486-2659972164-3988425936
 Trusted Application Name: <None>
 Trusted Application Version: <None>
 Uninstall Action: <None>
 Rule Script File Name: <None>
 Rule Script Name: <None>
 Rule Script Version: <None>
 Rule Script Publisher: <None>
 Rule Script Rule Affected: false
 Rule Script Result: <None>
 Rule Script Output: <None>
 Rule Script Status: <None>
 Auth Methods: <None>
 IdP Authentication User Name: <None>
 Configuration ID: a8712607-e4ba-413c-9a72-9eff35733db4
 Configuration Revision Number: 9
 SHA256: 8986DEF745FD6B7B2D39A1C39B7FA2A7958E5375F377EF18E1B0BB7575B7D8FF
 User Request Management Id: <None>

 

So you need to create a rule to block the Snipping Tool using a Windows Store Application with the store package name Microsoft.ScreenSketch.
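
One way to triage audit events like the one quoted in the reply, as an added example that is not part of the original thread or any BeyondTrust tooling: it parses the `Field: value` dump and reports whether the event records a Windows Store package and which package name to match on. The function names, the result keys and the assumption that events are available as plain text in this layout are hypothetical; the sample events are constructed from the fields shown above.

```python
# Constructed sample: a subset of the fields shown in the audit event above.
SAMPLE_EVENT = r"""
 Parent Process File Name: c:\windows\system32\svchost.exe
 Windows Store App Name: Microsoft.ScreenSketch
 Windows Store App Publisher: <None>
 Windows Store App Version: 11.2409.25.0
 Application Workstyle Description: Snipping Tool
 Message Type: Prompt
"""

# Constructed counter-example: an event with no Store package recorded.
NON_STORE_EVENT = """
 Windows Store App Name: <None>
 Windows Store App Publisher: <None>
 Message Type: Prompt
"""


def parse_event(text):
    """Parse 'Field Name: value' lines into a dict; '<None>' becomes None."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only, so values such as c:\... stay intact.
        key, sep, value = line.strip().partition(":")
        if not sep or not key:
            continue
        value = value.strip()
        fields[key.strip()] = None if value in ("", "<None>") else value
    return fields


def store_app_match(fields):
    """Return the Store package details to match on, or None if not a Store app."""
    name = fields.get("Windows Store App Name")
    if name is None:
        return None
    return {
        "definition_type": "Windows Store Application",
        "package_name": name,
        "publisher_in_event": fields.get("Windows Store App Publisher"),
        "version_in_event": fields.get("Windows Store App Version"),
    }


if __name__ == "__main__":
    for label, event in (("sample", SAMPLE_EVENT), ("non-store", NON_STORE_EVENT)):
        print(label, "->", store_app_match(parse_event(event)))
```

For the sample event the publisher field comes back empty while the package name is populated, so the package name is the value the event gives you to match on.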