Application Manager Elevation adds an extra SID into process tokens and can cause script exceptions

Version 1

    Verified Product Versions

    Application Control 8.9, Application Control 8.8, Application Control 8.7, Application Control 8.6, Application Control 8.5, Application Control 8.4

    Introduction

    An application being elevated with AM can generate

    System.Security.Principal.IdentityNotMappedException
    exceptions ("Some or all identity references could not be translated"), which, if unhandled, will cause the application to crash.

    The following PowerShell command will generate an exception when executed in a URM elevated PowerShell process but not for a standard user or a UAC elevated PowerShell process:

    foreach ($ref in [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups)
    {
        (new-object System.Security.Principal.SecurityIdentifier $ref.Value).Translate([System.Security.Principal.NTAccount]).ToString()
    }

    Detail

    Application Manager adds a SID to the token of the process as a tag to indicate it has been elevated by AM.

    This SID does not appear in Process Explorer for un-elevated processes or UAC elevated processes, and it cannot be resolved to a local, builtin or domain group name.

    Any script enumerating SIDs in this scenario needs a catch block that handles the exception and moves on to the next SID when one cannot be resolved.

    EXAMPLE: If the machine is booted up offline, any domain-based SIDs will also not be resolvable.
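    The following is an added example (not code from the original article) showing the enumeration loop above rewritten with the catch block this section asks for, so that the AM tag SID or an unresolvable domain SID is reported rather than crashing the script. The function name Get-TokenGroupNames is an assumed name for illustration.

```powershell
# Added example: resolve each group SID in the current token, but treat SIDs
# that cannot be translated (the AM elevation tag SID, or domain SIDs while
# the machine is offline) as data rather than as a fatal error.
function Get-TokenGroupNames {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($ref in $identity.Groups) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $ref.Value
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            [pscustomobject]@{ Sid = $sid.Value; Name = $name; Resolved = $true }
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # Not mappable to an account name: keep the raw SID and move on.
            [pscustomobject]@{ Sid = $sid.Value; Name = $null; Resolved = $false }
        }
    }
}

# List every group SID; rows with Resolved = $false are the ones that would
# have thrown in the original loop.
Get-TokenGroupNames | Format-Table -AutoSize
```

    Run it in a URM elevated PowerShell process to see the extra AM SID reported with Resolved = $false while the rest of the token's groups resolve normally.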

    To work around this issue, add a custom User Rights Policy that adds the 'BUILTIN\Administrators' group and sets the system privileges in the same way as the builtin elevate policy does.