Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Not honoring the text file #29

Closed
TaraMHammond opened this issue Oct 23, 2024 · 10 comments
Closed

Not honoring the text file #29

TaraMHammond opened this issue Oct 23, 2024 · 10 comments

Comments

@TaraMHammond
Copy link

I've tried 2 different versions of this. I'm running 2012 r2. The 2 files are in windows\system32. The registry entry is in place. The DC has been rebooted. I tried changing a password to one that is exactly in the file and it let me. Do all domain controllers have to be updated before it works? I'm not seeing any errors in the event log. Is there anything I can check?
@ryanries
Copy link
Owner

ryanries commented Oct 28, 2024
edited
Loading

Generally speaking yes, all DCs should be updated. You shouldn't have some DCs with the filter and some without. There is ETW logging documented in the readme, and there is also the test program you can use to test the filter with, you can run the test program on any PC, it doesn't even have to be a domain controller.

@ryanries
Copy link
Owner

@TaraMHammond I also just released a new version, 1.3.21 TODAY that adds a couple of new things. Please try the new release and let me know the results. You might also try the new text file debug log if you need it.

@ConnorAJ
Copy link

ConnorAJ commented Oct 30, 2024
edited
Loading

I have tried 2 different versions of this file (1.2.20 and 1.3.231.2). I am using 2012 r2 and 2022. 2 files are located in the windows\system32 folder. There is an entry in the Lsa and HKLM\SOFTWARE\PassFiltEx registry. Three domain controllers have been rebooted. But there is no DLL entry in the task list output and there were no problems entering the password (AdminAdmin1234). Can you tell me where and what the problems may be?
Thank you.

@ryanries
Copy link
Owner

@ConnorAJ If there is nothing found in the tasklist /m PassFiltEx.dll output, that means the password filter is not loaded. This could be for a couple different reasons. First check your System event log and see if there is an error message from LSA that might indicate a reason for the attempted module loading failure. Make sure you are not using RunAsPPL (since the DLL is not signed, LSA will not load an unsigned module if RunAsPPL is turned on.)

@ConnorAJ
Copy link

@ryanries An interesting idea, I'll check it out and let you know
Thanks

@ConnorAJ
Copy link

@ryanries Yes, this option helped solve the problem, but the data is still not displayed in the tasklist
Thanks

@ryanries
Copy link
Owner

ryanries commented Nov 1, 2024

@ConnorAJ So the problem is fixed?

@ConnorAJ
Copy link

ConnorAJ commented Nov 1, 2024

@ryanries Yes, of course
but the tasklist still does not show the load of the DLL

@TaraMHammond
Copy link
Author

I had to manually add the registry entries for it to load. I'll add the registry and reboot the other DC's this weekend and let you know.

@ryanries ryanries closed this as completed Dec 5, 2024
@degni20
Copy link

degni20 commented Dec 5, 2024 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ryanries @TaraMHammond @degni20 @ConnorAJ