John L. Galt

FP: Windows 10 x64 Insider Preview Build 14328 FeedbackHub
OK, short story: I was answering questions in the Windows 10 Feedback Hub for the latest IP build 14328 when MBARW popped up a warning that the application had been flagged as ransomware by Anti-Ransomware.  I grabbed all the screenshots I could, since I was worried (with good reason) that something might break, and then followed the instructions in https://forums.malwarebytes.org/topic/177810-how-to-report-a-false-positive/ to make an FP report.  Only now I cannot restore the file, so I have no Feedback Hub for this build anymore.

Program Data and Logs:

Malwarebytes Anti-Ransomware.zip 

logs.zip

 

Long Story:


So, I was answering questions and reading feedback for WinX in the Feedback Hub - Sorry, I cannot remember exactly which step I was performing when the warning came up, namely because the first thing I did was start capturing the following screenshots.  In order, here goes:

  1. Feedback Hub FP pop up:

    MBARW FP 2.PNG
     
  2. Anti-Ransomware confirmation of file in Quarantine:

    MBARW FP 3.PNG
     
  3. I then tried to open that path in Explorer.  Here is where things get interesting:
    1. I opened Explorer and went to C:\Program Files.  I tried to open WindowsApps. (Middle of the pic)
    2. I got the Permission denied dialog box to the top left.
    3. I clicked on the Security link.
    4. The Security tab of the folder's Properties page popped up with the warning that I needed permissions.
    5. I clicked the Advanced button.
    6. Advanced Security Settings for WindowsApps dialog pops up.  Permissions already exist there (just not the right ones), so I want to edit the existing Users permission.
    7. I click on the View button.
    8. The Permissions Entry for WindowsApps dialog appears.
    9. I cannot edit it because Windows thinks it is corrupt.  Furthermore, I cannot delete it because Step 7 shows both add and remove are grayed out (same thing happens for Administrators as well).

      MBARW FP 4.PNG
       
  4. I then try to restore the file - cannot because it is marked for deletion.

    MBARW FP 5.PNG
     
  5. So I try to add the file as an exclusion before I reboot since I'm being told that the file is about to be deleted.  No dice.

    MBARW FP 6.PNG
     
  6. I then start following the steps in the Report FP link above, so I reboot, then open Anti-Ransomware, and the file is still listed, but when I try to restore, I get this instead:

    MBARW FP 7.PNG
     
  7. And, now, I have no feedback hub, nor can I attach the .ZIP of the file to my post because it does not exist anymore.  Attempting to add an exclusion after reboot gives me the exact same error message as in the pic in step 5 above.

    MBARW FP 6.PNG
     
  8. I am going to try to find it either online or from the .ESD file that is downloaded or from my laptop (running the same build) and see if I can attach it in my next post.

 


I have had an FP with MBARW.

But you have to reboot first.

After that you come back to the quarantine,

select the line again and click Restore,

then you find your file again and put it in Exclusions.

You can read my experience here if you wish:

https://forums.malwarebytes.org/topic/177763-it-cost-me-some-patience-but-it-is-installed/

 


That is why I said I followed the procedure in that post.  Because that is what that post says to do.

Furthermore, I specifically state in Step 6 that I rebooted.

1 hour ago, John L. Galt said:

 

Furthermore, I specifically state in Step 6 that I rebooted.

Sorry, I overlooked that, so that is something to worry about. 

Does this happen to all files MBARW puts into quarantine in this BETA version?

 


Reference: https://www.virustotal.com/en/file/932E2AB0993DE787A3A4F026BD3906F58734B73C16DBD0110B4B7B56C1C1E975/analysis/ Unsigned

Hello John L. Galt:

Available data strongly suggests a false positive and, if it has not already been done, you may wish to make the following temporary full pathname file entry in MBARW GUI Dashboard -> Exclusions:

                      C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2.5.0_x64__8wekyb3d8bbwe\PilotshubApp.exe

At any time, a MBARW development team member, QA team member or Staffer may request the above temporary exclusion be altered/removed.

Thank you for beta testing MBARW and your valuable feedback.


@Khadijah - I honestly do not know - this is the second file to ever hit the quarantine on Anti-Ransomware.  The first I was able to restore and then add to the ignore list perfectly fine, as seen in one of the screenshots I made.  So, maybe?  I have too little data to make a determination one way or the other.

@1PW - I found a new, interesting detail.  I cannot add an exclusion if the file doesn't exist.  Furthermore, I cannot add my file from the other system to that location because of the issues in Step 3 sub-step 4 of my first post - the whole permissions issue.

I have 2 systems running the same build, and my laptop does not have Anti-Ransomware on it, so I am perfectly fine with this being this way until the next build comes out.

However, all of this troubleshooting has led to an interesting problem.  While I understand why I cannot add an exclusion for the file itself since it does not exist (and I suspect that Anti-Ransomware needs to verify the file and create a hash so that it knows which file it is supposed to ignore *and* that the file has not been altered), I noticed another problem that seems to be happening more often and that needs addressing, as well as a feature / suggestion that may already be a part of the future plans for Anti-Malware when the integration takes place.

The core functionality is working great - the Feedback Hub may have been downloading a large update of alerts or something like that, which may have triggered Anti-Ransomware in the first place.  But, when making my screenshots above, after following the steps, it was disabled, and the only way to know that is from the main dialog box - if you go to Quarantine or Exclusions, you have no indicator of the protection being disabled.  Again, realizing that this is going to get integrated, I suspect that after integration there will be a better visual indicator regardless of which tab you happen to be in.

One thing which should probably be done differently, though, is that the core should not lock the user out of preventing the automatic removal of a file upon reboot.  I know the FP steps are there for a reason, but why in the world was the item not saved in quarantine, and instead scheduled for deletion immediately, particularly at this early core-functionality beta-testing stage?  As many staffers and probably more than a couple of developers here know, I'm savvy enough that I'm positive I can get this working again, so that is why I was able to get such detailed information, with screenshots: I had no reason to panic - I knew it was an FP from the minute the first pop-up came, and furthermore, I knew (and still know) that I can get this working on my system again without a problem.  But the average user being hit with an FP that targets a system app like this probably will not be up to the task of fixing this on his / her own.

So, what I'm saying is that I should have had a way to stop the automatic deletion so that I can take the required steps to restore and then add the exclusion.  Then, this situation would never have happened.


Glad you could get it.  Let me know if you got it back in place or not and how (I cannot change the permissions nor add new permissions on the WindowsApps folder at all, so....)

10 hours ago, John L. Galt said:

Glad you could get it.  Let me know if you got it back in place or not and how (I cannot change the permissions nor add new permissions on the WindowsApps folder at all, so....)

Same here! Unable to get it back in place.

Microsoft will be fuming that the feedback of valued beta testers was killed...


I've tried modifying the Security permissions on that WindowsApps folder too and it's way over my head and I'm 6'5".

Like Khadijah says, "... it's hard until it's easy."

Peace Alan

[Windows 10 Pro x64] Lenovo ThinkPad Twist: WFWwAS+WFC4 | MBAMP | MBAEP | MBARW beta | WINDOWS DEFENDER
[Windows 10 Pro x64] Microsoft Surface Pro 2: WFWwAS+WFC4 | MBAMP | MBAEP | MBARW beta | WINDOWS DEFENDER
[Windows 10 Mobile Insider Preview, Threshold Branch] Microsoft Lumia ICON

 

38 minutes ago, Shamshi-Adad said:

I've tried modifying the Security permissions on that WindowsApps folder too and it's way over my head and I'm 6'5".

Like Khadijah says, "... it's hard until it's easy."

Peace Alan

 

I just got into the WindowsApps folder using this YouTube video for 8.1 x64, about 2.5 minutes long:

https://www.google.com/#q=access+windowsapps+folder+windows+10

 


Just a word of caution, please be extra careful playing around in the WindowsApps folder or other related WinRT/Windows Store App folders as there are special unique permissions for each app package folder. Specifically, I would never touch the unique AppContainer SID permissions unless you want some broken Windows Apps.

With that being said, I would not recommend following that video at all. It's completely wrong. TrustedInstaller is the proper default user of that folder and is there to keep things locked down and secure.

If you need to view the contents of locked down areas like this, Command Prompt (dir) and PowerShell (gci) are your friends. If you need to copy files to secure folders like this, use RoboCopy to perform the operation as a Backup Operator.

If you still feel the need to modify the permissions so you can use File Explorer, just make sure to set things back to what they were when you are all done.


Hi Alex. Understood. I think like that every time I raise the hood on my truck and every time I mod my computer. BTW, I started on Windows 3.1 and have probably raised the hood a million times. Not that I haven't had some heartbreaks, though. lol

Peace. Alan

1 hour ago, AlexSmith said:

Just a word of caution, please be extra careful playing around in the WindowsApps folder or other related WinRT/Windows Store App folders as there are special unique permissions for each app package folder. Specifically, I would never touch the unique AppContainer SID permissions unless you want some broken Windows Apps.

With that being said, I would not recommend following that video at all. It's completely wrong. TrustedInstaller is the proper default user of that folder and is there to keep things locked down and secure.

If you need to view the contents of locked down areas like this, Command Prompt (dir) and PowerShell (gci) are your friends. If you need to copy files to secure folders like this, use RoboCopy to perform the operation as a Backup Operator.

If you still feel the need to modify the permissions so you can use File Explorer, just make sure to set things back to what they were when you are all done.

Considering that the file was removed by Anti-Ransomware with no way to restore it, I have no choice but to try some of these methods.  Your idea of using RoboCopy may be spot on - I'm going to try it myself and see if I can re-populate that PilotshubApp.exe back into the folder using RoboCopy.  I suspect not, though, as the permissions show as being messed up after Anti-Ransomware nailed that file.  My other system without Anti-Ransomware also has perfectly fine permissions.


John,

Thanks for this detailed post about this defect. This will help us tremendously.

We are currently working on this issue, and need to go about Windows 10 Apps in a different approach than normal apps.

We will absolutely keep the community updated on this.


Thanks for the reply.  Even though I use this as a daily driver, nothing mission critical is on it.  And Beta testing is in my blood lol.

I'm going to try Alex's suggestion for RoboCopy to restore that file - if I can get it working, that will go a long way to being able to solve my problem.  Still not sure about the broken permissions, though.  I'm still reading up on that.


I did a little digging and that Windows App, Feedback Hub, is a default app that comes pre-staged with this build which in turn means a backup of the original version lives in c:\windows\infusedapps\packages\<PackageName>. The awesome thing about the InfusedApps folder is that it also includes the proper default permissions. This means you can use it to rebuild the broken permissions AND replace the missing file/files.

In theory, you would execute the following command from an Administrator-level Command Prompt window.

robocopy "c:\windows\infusedapps\packages\Microsoft.WindowsFeedbackHub_1.2.5.0_x64__8wekyb3d8bbwe" "c:\program files\windowsapps\Microsoft.WindowsFeedbackHub_1.2.5.0_x64__8wekyb3d8bbwe" /e /b /copyall

That should copy everything using the Backup Operator context and preserve the permissions.

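The two pieces of advice from AlexSmith above (look at locked-down package folders with dir/gci instead of Explorer, and restore a pre-staged package from InfusedApps with robocopy in backup mode) fit together into one elevated PowerShell script. What follows is an added example written for this thread; it is not code from Malwarebytes, from AlexSmith or from Microsoft. It assumes the package name and the reference SHA-256 quoted earlier in the thread, that C:\Windows\InfusedApps\Packages\<PackageName> exists on this build as AlexSmith describes, and that the current user can read the restored file (needed for Get-FileHash); all three are labelled in the code. It never edits an ACL by hand: the ACL comes from the source via /copyall, and the script only checks the result.

```powershell
# Added example for this thread (not code from Malwarebytes or from any poster).
# Run in an elevated PowerShell (64-bit). Read-only inspection first, then a
# robocopy restore in backup mode, then verification. Nothing here changes a
# DACL directly; the package folder's ACL is copied from the InfusedApps copy.
#
# Assumptions:
#   - $pkg and $refHash are the values quoted in this thread;
#   - %SystemRoot%\InfusedApps\Packages\<PackageName> exists on this build;
#   - the current user can read the restored file (for Get-FileHash).

$pkg     = 'Microsoft.WindowsFeedbackHub_1.2.5.0_x64__8wekyb3d8bbwe'
$src     = Join-Path $env:SystemRoot   "InfusedApps\Packages\$pkg"
$dst     = Join-Path $env:ProgramFiles "WindowsApps\$pkg"
$exe     = 'PilotshubApp.exe'
# SHA-256 from the VirusTotal link posted earlier in the thread.
$refHash = '932E2AB0993DE787A3A4F026BD3906F58734B73C16DBD0110B4B7B56C1C1E975'

# --- 1. Look, don't touch. A directory listing only needs read access on that
#        directory; Explorer fails because it also tries to open the
#        WindowsApps root and then offers to rewrite its ACL.
if (-not (Test-Path -LiteralPath $src)) { throw "No pre-staged copy at $src" }
Get-ChildItem -LiteralPath $src -Force | Select-Object Name, Length, LastWriteTime
icacls.exe $src    # expect TrustedInstaller as owner plus per-package AppContainer SID ACEs

# --- 2. Restore with robocopy.
#   /e       all subfolders, including empty ones
#   /b       backup mode: uses SeBackupPrivilege/SeRestorePrivilege, so the copy
#            is not blocked by a DACL that gives the admin account no access
#   /copyall data, attributes, timestamps, owner, DACL and SACL from the source
#   /xo      never overwrite a destination file that is newer than the source
$log = Join-Path $env:TEMP "restore-$pkg.log"
& robocopy.exe $src $dst /e /b /copyall /xo /r:1 /w:1 /np "/log:$log" | Out-Null
$rc = $LASTEXITCODE
# robocopy's exit code is a bitmask: 1 = files copied, 2 = extra files in the
# destination, 4 = mismatches; any value of 8 or more means at least one copy
# failed (typically "Access is denied" on the destination). The log names the path.
if ($rc -ge 8) {
    Write-Warning "robocopy exit code $rc; failures logged to $log"
    Select-String -Path $log -Pattern 'ERROR' | Select-Object -First 5 | ForEach-Object Line
    return
}

# --- 3. Verify, still without editing anything by hand.
$restored = Join-Path $dst $exe
if (-not (Test-Path -LiteralPath $restored)) { throw "$exe still missing after copy" }

# The restored binary must be the same bytes as the one that was quarantined.
$hash = (Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash
if ($hash -ieq $refHash) { "OK: $exe matches the reference SHA-256" }
else                     { Write-Warning "hash $hash does not match $refHash" }

# Owner and DACL of the package folder should now equal the pre-staged copy's.
$srcSddl = (Get-Acl -LiteralPath $src).Sddl
$dstSddl = (Get-Acl -LiteralPath $dst).Sddl
if ($srcSddl -eq $dstSddl) { "OK: ACL on $dst matches the InfusedApps copy" }
else { Write-Warning "ACL differs:`n src: $srcSddl`n dst: $dstSddl" }
```

If robocopy exits with 8 or higher, read the log before doing anything to the destination folder: backup mode gets past a DACL that excludes the admin account, but it does not help when the existing destination directory itself cannot be opened, and the logged path tells you which object was refused. The SDDL comparison is the check that the AppContainer SID entries AlexSmith warns about came back with the copy rather than being replaced by whatever the caller's account would have created.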
5 hours ago, AlexSmith said:

I did a little digging and that Windows App, Feedback Hub, is a default app that comes pre-staged with this build which in turn means a backup of the original version lives in c:\windows\infusedapps\packages\<PackageName>. The awesome thing about the InfusedApps folder is that it also includes the proper default permissions. This means you can use it to rebuild the broken permissions AND replace the missing file/files.

In theory, you would execute the following command from an Administrator-level Command Prompt window.


robocopy "c:\windows\infusedapps\packages\Microsoft.WindowsFeedbackHub_1.2.5.0_x64__8wekyb3d8bbwe" "c:\program files\windowsapps\Microsoft.WindowsFeedbackHub_1.2.5.0_x64__8wekyb3d8bbwe" /e /b /copyall

That should copy everything using the Backup Operator context and preserve the permissions.

Hi,

It doesn't work at all. These directories are not accessible even in an admin command prompt window.

I've tried in a TrustedInstaller window and it doesn't work either.


Hello Tof_SLRCORP:

Please expand your description of the robocopy failure by posting a screen grab (preferred) and/or the exact error message following the attempt.

Thank you.

43 minutes ago, 1PW said:

Hello Tof_SLRCORP:

Please expand your description of the robocopy failure by posting a screen grab (preferred) and/or the exact error message following the attempt.

Thank you.

znnatf.jpg


Hello Tof_SLRCORP:

Perfect!

Thank you.


I think I know a way around that access denied error. I will test it within the next couple of hours to be sure, but my theory is to delete the destination folder first since it already exists then perform the robocopy operation.
