Method Call from WMI - Write Filter UWF

gk_why 2022-02-02 22:37:42 UTC #1

Trying to inspect the status of Unified Write Filter to see what files and reg keys are in the filter and the best way via relevance seems to be WMI. I want to see what Exclusions are set. “You can use the UWF_RegistryFilter.GetExclusions or UWF_RegistryFilter.FindExclusion methods to retrieve UWF_ExcludedRegistryKey objects.”

Ive tried (selects “* from UWF_ExcludedFile” of wmi “root\standardcimv2\embedded”) as string but it returns nothing and multiple variations of what is listed in the docs. I cant seem to make a method call with Relevance to use UWF_RegistryFilter.GetExclusions

https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/uwf-excludedregistrykey

Any tips would be greatly appreciated!

JasonWalker 2022-02-02 22:48:32 UTC #2

Correct, in pure relevance we do not implement calling WMI Methods (only Selects are supported) to ensure Relevance remains a “read-only” capability.
You’ve need to issue an Action to call a WMI method, store the results, and read back the results in an Analysis. Gwmi or PowerShell or VBScript should all be able to do this.

gk_why 2022-04-28 15:41:17 UTC #3

As a follow up for future people I created a fixlet that runs the following every fifteen minutes.
Relevance:
(version of client >= "6.0.0.0") AND (exists true whose (if true then (exists (if (exists wmi) then (string value of select "Name from Win32_ComputerSystemProduct" of wmi) else ("N/A")) whose (it as string as lowercase contains "Thin Client" as lowercase)) else false))

Actionscript:

waithidden cmd /c "%systemdrive%\windows\sysnative\uwfmgr.exe file get-exclusions > %systemdrive%\ProgramData\uwffiles.txt"
waithidden cmd /c "%systemdrive%\windows\sysnative\uwfmgr.exe registry get-exclusions > %systemdrive%\ProgramData\uwfregistry.txt"

Analysis:
Write Filter Status
(select "CurrentEnabled from UWF_Filter" of wmi "root\StandardCimv2\Embedded") as string = "CurrentEnabled=True" as string

UWF Excluded Files

lines whose (it contains ":") of it of file "c:\ProgramData\uwffiles.txt" of encoding "UTF-16LE"

UWF Excluded Registry Keys

lines whose (it contains "\") of it of file "c:\ProgramData\uwfregistry.txt" of encoding "UTF-16LE"

Jared 2022-04-28 16:02:13 UTC #4

I started writing something (below) the file has %00 as every other character, and I have not had the time to get back to editing that. A way to do the same thing with the native command instead of WMI.

action uses wow64 redirection {not x64 of operating system}

if {not exists folder "c:\uwfdata"}
	folder create "c:\uwfdata"
endif

delete __appendfile
delete "c:\uwfdata\run.bat"
appendfile uwfmgr.exe get-config >> c:\uwfdata\uwf.txt
move __appendfile "c:\uwfdata\run.bat"
delete "c:\uwfdata\uwf.txt"
dos c:\uwfdata\run.bat