
Hi,
I have set a rule to block Snipping Tool in the Deny List,
with the criteria:

Publisher matches Microsoft Corporation
and Product Description matches snippingtool.exe

but it didn't work.
Are there any suggestions, please?

 

If you use a passive rule to audit the program and pull the event, you will be able to see that this is actually a Windows Store Application.

 

 Host Domain Name NetBIOS: <None>
 Event ID: B58A5320-531A-4982-97C8-4890D0699365
 Process Start Time: 133924401027807608
 Process End Time: 0
 Event Time: 133924401027807608
 Authorizing User SID: <None>
 Authorizing User Name: <None>
 Authorizing User Domain SID: <None>
 Authorizing User Domain Name: <None>
 Authorizing User Domain Name NetBios: <None>
 Client IPV4: <None>
 Client Name:  <None>
 UAC Triggered: false
 File Owner SID: S-1-5-18
 File Owner Name: SYSTEM
 File Owner Domain SID: S-1-5
 File Owner Domain Name: NT AUTHORITY
 File Owner Domain Name NetBIOS: NT AUTHORITY
 Parent Process Unique ID: <None>
 Parent Process File Name: c:\windows\system32\svchost.exe
 COM CLSID: <None>
 COM AppID: <None>
 COM Display Name: <None>
 Source URL: <None>
 Authorization Challenge: <None>
 Windows Store App Name: Microsoft.ScreenSketch
 Windows Store App Publisher: <None>
 Windows Store App Version: 11.2409.25.0
 Drive Type: Fixed Disk
 Challenge Response Status: <None>
 PowerShell Command: <None>
 Application Workstyle Description: Snipping Tool
 Application Workstyle Id: c1f136d6-28ee-453f-bd95-fda62815fcea
 Message Type: Prompt
 IE Zone Tag: <None>
 MD5: 58F68A28F43AE748DB4B6CEAEB7A29E9
 Host Local SID: S-1-5-21-2867306486-2659972164-3988425936
 Trusted Application Name: <None>
 Trusted Application Version: <None>
 Uninstall Action: <None>
 Rule Script File Name: <None>
 Rule Script Name: <None>
 Rule Script Version: <None>
 Rule Script Publisher: <None>
 Rule Script Rule Affected: false
 Rule Script Result: <None>
 Rule Script Output: <None>
 Rule Script Status: <None>
 Auth Methods: <None>
 IdP Authentication User Name: <None>
 Configuration ID: a8712607-e4ba-413c-9a72-9eff35733db4
 Configuration Revision Number: 9
 SHA256: 8986DEF745FD6B7B2D39A1C39B7FA2A7958E5375F377EF18E1B0BB7575B7D8FF
 User Request Management Id: <None>

 

So you need to create a rule to block the Snipping Tool using a Windows Store Application with the store package name Microsoft.ScreenSketch.


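The triage step the answer describes, as an added example that is not part of the original posts: it parses audit events in the "Field: Value" layout shown above and reports whether a deny rule has to match on the Windows Store package name or on executable-file criteria. The second sample event and the names `parse_event`, `rule_type` and `triage` are constructed for illustration.

```python
import re

# Constructed sample: the first event reuses fields from the dump above,
# the second is an invented non-Store process for contrast.
SAMPLE = r"""
Parent Process File Name: c:\windows\system32\svchost.exe
Windows Store App Name: Microsoft.ScreenSketch
Windows Store App Publisher: <None>
Windows Store App Version: 11.2409.25.0
Application Workstyle Description: Snipping Tool

Parent Process File Name: c:\windows\explorer.exe
Windows Store App Name: <None>
Windows Store App Publisher: <None>
Windows Store App Version: <None>
Application Workstyle Description: Example Desktop App
"""

def parse_event(text):
    """Parse one 'Field: Value' event dump; '<None>' becomes None."""
    event = {}
    for line in text.splitlines():
        # Split on the first colon only, so values like c:\... survive.
        key, sep, value = line.strip().partition(":")
        if sep:
            value = value.strip()
            event[key.strip()] = None if value == "<None>" else value
    return event

def rule_type(event):
    """Pick the criterion a deny rule must match for this process."""
    package = event.get("Windows Store App Name")
    if package:
        # The answer's point: a Store app is matched by its package name.
        return ("store_package_name", package)
    return ("executable_file", None)

def triage(text):
    """Return (description, criterion, value) for each event in the text."""
    results = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = parse_event(block)
        label = event.get("Application Workstyle Description")
        results.append((label,) + rule_type(event))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```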