
WEM privilege elevation stopped working.


Sergio Masone1709161115

Question

Hi,

 

We have been using WEM for some time now. We use the WEM service in the cloud, and we have a couple of privilege elevation rules in place. They all worked fine until recently, without any apparent changes done on our end of things. I already have a call with Citrix on this, but I'm curious if anyone else has this behavior...

The rules are downloaded fine to the agent and we can see this in the logs. When running a process that should be elevated, nothing seems to happen; the process launches but not elevated... So I decided I'd try and see the self elevation portion. This one behaves a little differently, as I enabled a self elevation allow rule for cmd.exe. So I go ahead on my endpoint, for which this policy is assigned to my user, and right click "Run With Administrator Privileges". Then the pop-up window for justification appears. I write the justification, then press continue. I then get the pop-up message stating "The executable is running with Administrator privileges", but the executable never runs. The log shows this:

 

3:05:40 PM Event ->  .a  () : Get Elevation Settings: 4, Elevation Rules: 3
3:08:36 PM Event ->  .() :          21: Start Server Waiting for connection ...
3:08:36 PM Event ->  .() :          21: StartNewPipeServerInstance Pipe Servers. Total: 6
3:08:36 PM Event ->  .() :           6: Pipe Client Thread started processing...
3:08:36 PM Event ->  .() :           6: Incoming message type:SelfElevationRequest
3:08:36 PM Event ->  .() :           6: Received Process Elevation Request for C:\WINDOWS\system32\cmd.exe from SelfElevation.exe with 
3:08:36 PM Event ->  .() :           6: Find matching self elevation rule:20
3:08:36 PM Event ->  .() :           6: Sent 1 Process Elevation Response for C:\WINDOWS\system32\cmd.exe from SelfElevation.exe
3:08:36 PM Event ->  .() : CreateProcessAsUser succeed, l_Token[1976], strApppPath[ElevationEngineBootstrapper32.exe "C:\WINDOWS\system32\cmd.exe" "0 0 0 0 0 0 0 0 1" "WEMSELFELEVATION" "Winsta0\Default" "" "" "80942a4b-a96c-4d7c-b5f2-15295ac7ed2b"]
3:08:37 PM Event ->  .() : Bootstrapper exited: 23

This is happening on different environments (physical laptops, VDI master images). It decided to just stop working, not sure why.

4 answers to this question


If anyone else experiences this, it will be fixed in the next version of the WEM agent... The workaround for now is to add this registry key:
Please add a DWORD registry value called "SkipInjectSignatureCheck" under "HKLM:\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host", then set the value as 1 to bypass the issue as follows:
Here's their response:
We use the certificate to protect the elevation process from being utilized by other malicious software, and when the certificate expires, the elevation will not work.
The expiration time of the certificate is calculated from when the certificate is issued. It was not calculated from when we use the certificate to sign the elevation dll.
Basically, the certificate expiration time is about 2 or 3 years. We will try to optimize this later.
We plan to rollout the next release after Feb 16th. 
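An added example, not part of the posts above and not Citrix code: a PowerShell audit that lists the Authenticode signer certificate expiry of the agent binaries and reports whether the SkipInjectSignatureCheck workaround is still set, so it can be removed once an agent with a renewed signature is installed. The `$AgentDir` value is a placeholder for your agent install folder, and comparing `NotAfter` with the current time is an assumption based on the vendor's description of the check.

```powershell
# Added example (not Citrix code). $AgentDir is a placeholder: point it at your WEM agent folder.
# Assumption: the agent's check fails once the signer certificate's NotAfter date has passed.
param(
    [string]$AgentDir = 'C:\PLACEHOLDER\WEM-Agent-Install-Dir',
    [int]$WarnDays = 90
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Norskale\Agent Host'
$ValueName = 'SkipInjectSignatureCheck'

function Get-SignerStatus {
    param([string]$Path, [datetime]$Now = (Get-Date), [int]$WarnDays = 90)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $state = if (-not $cert) { 'Unsigned' }
        elseif ($cert.NotAfter -lt $Now) { 'Expired' }
        elseif ($cert.NotAfter -lt $Now.AddDays($WarnDays)) { 'ExpiringSoon' }
        else { 'Ok' }
    [pscustomobject]@{
        File        = Split-Path $Path -Leaf
        SigStatus   = $sig.Status
        Timestamped = [bool]$sig.TimeStamperCertificate
        NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
        State       = $state
    }
}

# Inventory every binary in the agent folder, soonest expiry first.
$report = Get-ChildItem -Path $AgentDir -Include *.dll, *.exe -Recurse -File -ErrorAction Stop |
    ForEach-Object { Get-SignerStatus -Path $_.FullName -WarnDays $WarnDays }
$report | Sort-Object NotAfter | Format-Table -AutoSize

$skip = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
$bad  = @($report | Where-Object State -in 'Expired', 'Unsigned')

if ($skip -eq 1 -and $bad.Count -eq 0) {
    Write-Warning "$ValueName=1 but no signer certificate has expired; remove the value to restore the signature check."
} elseif ($skip -eq 1) {
    Write-Warning "$ValueName=1: the signature check is bypassed. Upgrade the agent, then remove the value."
} elseif ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) binaries have an expired or missing signer certificate; elevation may fail as described above."
} else {
    Write-Output 'Signature check is active and no signer certificate has expired.'
}
```

Run it from an elevated prompt on an endpoint or master image; the `ExpiringSoon` state gives advance notice before the next certificate expiry.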

 
