This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 35%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
I have some ASR rules activated (set to Block) for my clients, like "Block process creations originating from PSExec and WMI commands" or "Block JavaScript or VBScript from launching downloaded executable content".
While testing the rules it seems like, they work as intended but in the event viewer (as explained here) I only get an event (ID 1021) for some blocked ASR Rules . For examplem, the "Block JavaScript or VBScript from launching downloaded executable content". I used a simple script js to test it:
var xmlHttp = WScript.CreateObject("MSXML2.XMLHTTP");
xmlHttp.open("GET", "https://www.bing.com", false);
xmlHttp.send();
// SCPT:JSRunsFile
var shell = WScript.CreateObject("WScript.Shell");
shell.Run("notepad.exe");
I see an event in th Event Viewer with the ID 1021 and a reference to my script.
But while testing the Rule "Block process creations originating from PSExec and WMI commands" with running a simple vbs script the creation of the process is blocked (Return Value: 2) but no event in the event Log shows up? the vbs:
// SCPT:xmlHttpRequest
var xmlHttp = WScript.CreateObject("MSXML2.XMLHTTP");
xmlHttp.open("GET", "https://www.bing.com", false);
xmlHttp.send();
// SCPT:JSRunsFile
var shell = WScript.CreateObject("WScript.Shell");
shell.Run("notepad.exe");
Tested on a Win 10 and Win 11 Client with the same result. Is there something I am missing?
Just retested it with a fresh install of a fresh installed Windows Server 2022 Datacenter Azure Edition (21H2) in the Azure Cloud.
I configured just both rules mentioned above:
Rule 1: Block JavaScript or VBScript from launching downloaded executable content --> GUID: d3e037e1-3eb8-44c8-a917-57927947596d --> Value: 1
Rule 2: Block process creations originating from PSExec and WMI commands --> GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c --> Value: 1
I tested the same way as in the original question. Both rules "work" in the way that the execution is blocked but only Rule 1 is shown in the Event Viewer.
Can somebody reproduce this behavior?
Edit: I noticed another strange behavior: If I open the javascript the first time after a reboot, the ASR rule triggers and blocks the execution (and I can the the event in the Event Viewer). But if I run it a second time the scripts runs without a problem and opens notepad.exe (and no event is shown in Event Viewer). After a restart the script is blocked again for the first time but works fine the second time. This is not the supposed behavior is it?
Tested on the clean installed Windows Server 2022 Datacenter Azure Edition (21H2), a "real" Windows 10 Client (Win 10 Enterprise 21H2) and Windows 11 VM (Windows 11 Enterprise 22H2).
I wonder if that would be captures as a Diagnostic audit? Try something like this to see if table mod is there...
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.SQL"
| where OperationName == "AuditEvent"
| summarize count() by action_name_s
Thanks for the reply.
I used the following query:
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.COMPUTE"
| where OperationName == "AuditEvent"
There are no AuditEvents in AzureDiagnostic.
What do you mean with "table mod is there..."?