Finishing up work on AppControl Manager v.1.9.1.0 (#614)

Added Control Flow Guard support to the AppControl Manager. A great security feature that prevents certain exploits.

Set Intel's Control-flow Enforcement Technology to explicitly enabled in the project.

The Native Ahead-Of-Time compilation now favors execution speed and performance over package size. (Will be monitoring this one as the app gets bigger when more features are implemented in the future. For now, it only increases the package size by 1MB)

Enabled a new code analyzer to enforce more code best practices: dotnet_diagnostic.CA1724. (Type names should not match namespaces)

Updated the AppControl Manager document.

Formatted all XAML codes for better readability.

Adjusted the App Control Simulation code based on the custom serialization/deserialization logic introduced in the previous update.

Updated Microsoft.IdentityModel.Abstractions NuGet dependency.

Aligned some columns in the new ListViews.

AppControl Manager/.editorconfig

@@ -1102,3 +1102,6 @@ dotnet_diagnostic.IDE0130.severity = error
 
 # IDE0320: Make anonymous function static
 dotnet_diagnostic.IDE0320.severity = error
+
+# CA1724: Type names should not match namespaces
+dotnet_diagnostic.CA1724.severity = error

AppControl Manager/AppControl Manager.csproj

@@ -55,6 +55,9 @@
     <PackageTags>App Control,WDAC,AppControl For Business, AppControl Manager</PackageTags>
     <PackageReleaseNotes>https://github.com/HotCakeX/Harden-Windows-Security/releases</PackageReleaseNotes>
 
+    <!-- https://learn.microsoft.com/en-us/dotnet/core/project-sdk/msbuild-props#rollforward -->
+    <RollForward>LatestMajor</RollForward>
+
     <!-- Automatically created for packing -->
     <!-- https://learn.microsoft.com/en-us/windows/msix/app-installer/create-appinstallerfile-vs -->
     <GenerateAppInstallerFile>False</GenerateAppInstallerFile>
@@ -74,6 +77,7 @@
     <AssemblyName>AppControlManager</AssemblyName>
     <!-- https://learn.microsoft.com/en-us/dotnet/core/deploying/native-aot/optimizing -->
     <PublishAot>True</PublishAot>
+    <OptimizationPreference>Speed</OptimizationPreference>
     <ErrorReport>send</ErrorReport>
     <FileVersion>1.9.1.0</FileVersion>
     <AssemblyVersion>$(FileVersion)</AssemblyVersion>
@@ -85,6 +89,12 @@
     <!-- https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/unsafe-code -->
     <AllowUnsafeBlocks>True</AllowUnsafeBlocks>
 
+    <!-- https://learn.microsoft.com/en-us/dotnet/core/deploying/native-aot/security#control-flow-guard -->
+    <ControlFlowGuard>Guard</ControlFlowGuard>
+
+    <!-- https://learn.microsoft.com/en-us/dotnet/core/deploying/native-aot/security#control-flow-enforcement-technology-shadow-stack-net-9 -->
+    <CetCompat>true</CetCompat>
+
     <Version>$(FileVersion)</Version>
     <Copyright>© 2024-Present</Copyright>
     <Title>AppControl Manager</Title>
@@ -98,6 +108,7 @@
     <!-- https://learn.microsoft.com/en-us/dotnet/core/deploying/trimming/trimming-options -->
     <PublishTrimmed>True</PublishTrimmed>
     <TrimMode>full</TrimMode>
+    <EnableTrimAnalyzer>true</EnableTrimAnalyzer>
     <SuppressTrimAnalysisWarnings>false</SuppressTrimAnalysisWarnings>
     <ILLinkTreatWarningsAsErrors>true</ILLinkTreatWarningsAsErrors>
     <TrimmerSingleWarn>false</TrimmerSingleWarn>
@@ -148,7 +159,7 @@
     <PackageReference Include="CommunityToolkit.WinUI.Triggers" Version="8.2.250129-preview2" />
     <PackageReference Include="Microsoft.Graphics.Win2D" Version="1.3.2" />
     <PackageReference Include="Microsoft.Identity.Client" Version="4.68.0" />
-    <PackageReference Include="Microsoft.IdentityModel.Abstractions" Version="8.5.0" />
+    <PackageReference Include="Microsoft.IdentityModel.Abstractions" Version="8.6.0" />
     <PackageReference Include="Microsoft.Web.WebView2" Version="1.0.3065.39" />
     <PackageReference Include="Microsoft.Windows.CsWin32" Version="0.3.183">
       <PrivateAssets>all</PrivateAssets>
@@ -214,7 +225,6 @@
     <None Remove="Pages\CreateDenyPolicyFilesAndFoldersScanResults.xaml" />
     <None Remove="Pages\CreateSupplementalPolicy.xaml" />
     <None Remove="Pages\CreateSupplementalPolicyFilesAndFoldersScanResults.xaml" />
-    <None Remove="Pages\Deployment.xaml" />
     <None Remove="Pages\EventLogsPolicyCreation.xaml" />
     <None Remove="Pages\GetCIHashes.xaml" />
     <None Remove="Pages\GetSecurePolicySettings.xaml" />
@@ -228,7 +238,6 @@
     <None Remove="Pages\StrictKernelPolicyScanResults.xaml" />
     <None Remove="Pages\SystemInformation\CodeIntegrityInfo.xaml" />
     <None Remove="Pages\SystemInformation\SystemInformation.xaml" />
-    <None Remove="Pages\Update.xaml" />
     <None Remove="Pages\ValidatePolicy.xaml" />
     <None Remove="Pages\ViewCurrentPolicies.xaml" />
     <None Remove="Pages\ViewFileCertificates.xaml" />
@@ -337,12 +346,12 @@
     </Page>
   </ItemGroup>
   <ItemGroup>
-    <Page Update="Pages\Deployment.xaml">
+    <Page Update="Pages\DeploymentPage.xaml">
       <Generator>MSBuild:Compile</Generator>
     </Page>
   </ItemGroup>
   <ItemGroup>
-    <Page Update="Pages\Update.xaml">
+    <Page Update="Pages\UpdatePage.xaml">
       <Generator>MSBuild:Compile</Generator>
     </Page>
   </ItemGroup>

AppControl Manager/MainWindow.xaml.cs

@@ -113,20 +113,20 @@ internal sealed class PageTitleMap
 			Titles = [GlobalVars.Rizz.GetString("SimulationNavItem/Content")],
 			Pages = [typeof(Pages.Simulation)]
 		},
-		[typeof(Pages.Update)] = new PageTitleMap
+		[typeof(Pages.UpdatePage)] = new PageTitleMap
 		{
 			Titles = [GlobalVars.Rizz.GetString("Update"), "Custom MSIXBundle Path"],
-			Pages = [typeof(Pages.Update), typeof(Pages.UpdatePageCustomMSIXPath)]
+			Pages = [typeof(Pages.UpdatePage), typeof(Pages.UpdatePageCustomMSIXPath)]
 		},
 		[typeof(Pages.UpdatePageCustomMSIXPath)] = new PageTitleMap // sub-page
 		{
 			Titles = [GlobalVars.Rizz.GetString("Update"), "Custom MSIXBundle Path"],
-			Pages = [typeof(Pages.Update), typeof(Pages.UpdatePageCustomMSIXPath)]
+			Pages = [typeof(Pages.UpdatePage), typeof(Pages.UpdatePageCustomMSIXPath)]
 		},
-		[typeof(Pages.Deployment)] = new PageTitleMap
+		[typeof(Pages.DeploymentPage)] = new PageTitleMap
 		{
 			Titles = [GlobalVars.Rizz.GetString("DeploymentNavItem/Content")],
-			Pages = [typeof(Pages.Deployment)]
+			Pages = [typeof(Pages.DeploymentPage)]
 		},
 		[typeof(Pages.EventLogsPolicyCreation)] = new PageTitleMap
 		{
@@ -222,8 +222,8 @@ private void BreadcrumbBar_ItemClicked(BreadcrumbBar sender, BreadcrumbBarItemCl
 		{ "Configure Policy Rule Options", typeof(Pages.ConfigurePolicyRuleOptions) },
 		{ "Logs", typeof(Pages.Logs) },
 		{ "Simulation", typeof(Pages.Simulation) },
-		{ "Update", typeof(Pages.Update) },
-		{ "Deploy App Control Policy", typeof(Pages.Deployment) },
+		{ "Update", typeof(Pages.UpdatePage) },
+		{ "Deploy App Control Policy", typeof(Pages.DeploymentPage) },
 		{ "Create policy from Event Logs", typeof(Pages.EventLogsPolicyCreation) },
 		{ "MDE Advanced Hunting", typeof(Pages.MDEAHPolicyCreation) },
 		{ "Allow New Apps", typeof(Pages.AllowNewApps) },

AppControl Manager/Others/GlobalVars.cs

@@ -77,8 +77,12 @@ internal static class GlobalVars
 	// Determine whether the current OS is older than 24H2
 	internal static bool IsOlderThan24H2 => CurrentOSVersion < VersionFor24H2;
 
+	// The namespace of the App Control policies
 	internal const string SiPolicyNamespace = "urn:schemas-microsoft-com:sipolicy";
 
+	// When the the list of installed packaged apps is retrieved, this URI is used whenever an installed app doesn't have a valid URI logo path
+	internal const string FallBackAppLogoURI = "ms-appx:///Assets/StoreLogo.backup.png";
+
 	static GlobalVars()
 	{
 		// Ensure the directory exists

AppControl Manager/Pages/CreateDenyPolicy.xaml.cs

@@ -451,12 +451,8 @@ private void FilesAndFoldersPolicyNameTextBox_TextChanged(object sender, TextCha
 	// Event handler for RadialGauge ValueChanged
 	private void ScalabilityRadialGauge_ValueChanged(object sender, RangeBaseValueChangedEventArgs e)
 	{
-		if (sender is RadialGauge gauge)
-		{
-			// Update the button content with the current value of the gauge
-			ScalabilityButton.Content = GlobalVars.Rizz.GetString("Scalability") + gauge.Value;
-
-		}
+		// Update the button content with the current value of the gauge
+		ScalabilityButton.Content = GlobalVars.Rizz.GetString("Scalability") + ((RadialGauge)sender).Value;
 	}
 
 	private void FilesAndFoldersViewFileDetailsSettingsCard_Click(object sender, RoutedEventArgs e)
@@ -565,7 +561,7 @@ internal async Task<List<PackagedAppView>> GetAppsList()
 				if (!Uri.TryCreate(logoStr, UriKind.Absolute, out _))
 				{
 					// If invalid, assign a fallback logo
-					logoStr = "ms-appx:///Assets/StoreLogo.backup.png";
+					logoStr = GlobalVars.FallBackAppLogoURI;
 				}
 
 				// Create a new instance of the class that displays each app in the ListView

AppControl Manager/Pages/CreateDenyPolicyFilesAndFoldersScanResults.xaml

@@ -103,10 +103,10 @@
                 </Button>
 
                 <TextBox x:Uid="TotalLogsTextBlock"
-            x:Name="TotalCountOfTheFilesTextBox"
-            IsReadOnly="True"
-            VerticalAlignment="Center"
-            VerticalContentAlignment="Center"/>
+                x:Name="TotalCountOfTheFilesTextBox"
+                IsReadOnly="True"
+                VerticalAlignment="Center"
+                VerticalContentAlignment="Center"/>
 
                 <TextBox x:Name="SearchBox" Width="300" x:Uid="SearchBoxTextBox" TextChanged="SearchBox_TextChanged" VerticalAlignment="Center" VerticalContentAlignment="Center" />
 
@@ -355,5 +355,4 @@
         </ListView>
 
     </Grid>
-
 </Page>

AppControl Manager/Pages/CreateSupplementalPolicy.xaml.cs

@@ -750,11 +750,8 @@ await DispatcherQueue.EnqueueAsync(() =>
 	// Event handler for RadialGauge ValueChanged
 	private void ScalabilityRadialGauge_ValueChanged(object sender, RangeBaseValueChangedEventArgs e)
 	{
-		if (sender is RadialGauge gauge)
-		{
-			// Update the button content with the current value of the gauge
-			ScalabilityButton.Content = $"Scalability: {gauge.Value:N0}";
-		}
+		// Update the button content with the current value of the gauge
+		ScalabilityButton.Content = $"Scalability: {((RadialGauge)sender).Value:N0}";
 	}
 
 
@@ -1847,7 +1844,7 @@ internal async Task<List<PackagedAppView>> GetAppsList()
 				if (!Uri.TryCreate(logoStr, UriKind.Absolute, out _))
 				{
 					// If invalid, assign a fallback logo
-					logoStr = "ms-appx:///Assets/StoreLogo.backup.png";
+					logoStr = GlobalVars.FallBackAppLogoURI;
 				}
 
 				// Create a new instance of the class that displays each app in the ListView

AppControl Manager/Pages/CreateSupplementalPolicyFilesAndFoldersScanResults.xaml

@@ -103,10 +103,10 @@
                 </Button>
 
                 <TextBox x:Uid="TotalLogsTextBlock"
-            x:Name="TotalCountOfTheFilesTextBox"
-            IsReadOnly="True"
-            VerticalAlignment="Center"
-            VerticalContentAlignment="Center"/>
+                x:Name="TotalCountOfTheFilesTextBox"
+                IsReadOnly="True"
+                VerticalAlignment="Center"
+                VerticalContentAlignment="Center"/>
 
                 <TextBox x:Name="SearchBox" Width="300" x:Uid="SearchBoxTextBox" TextChanged="SearchBox_TextChanged" VerticalAlignment="Center" VerticalContentAlignment="Center" />
 

AppControl Manager/Pages/Deployment.xaml → AppControl Manager/Pages/DeploymentPage.xaml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Page
-    x:Class="AppControlManager.Pages.Deployment"
+    x:Class="AppControlManager.Pages.DeploymentPage"
     xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
     xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
     xmlns:local="using:AppControlManager.Pages"
@@ -56,7 +56,7 @@
                 <controls:SettingsExpander x:Name="IntuneDeploymentSettingsExpander"
                      Description="Deploy the policies remotely to the Intune instead of the local system"
                      Header="Use Intune Deployment"
-           HeaderIcon="{ui:FontIcon Glyph=&#xEA91;}">
+                     HeaderIcon="{ui:FontIcon Glyph=&#xEA91;}">
 
                     <TextBlock x:Name="LocalIntuneStatusTextBox" Text="Local Deployment is Currently Active" TextWrapping="Wrap" />
 
@@ -80,9 +80,9 @@
                         </controls:SettingsCard>
 
                         <controls:SettingsCard
-                    Description="Select one of the security groups to assign to the policy in Intune"
-                    Header="Group Assignment (Optional)"
-                    HeaderIcon="{ui:FontIcon Glyph=&#xF0B9;}" IsClickEnabled="False" IsActionIconVisible="False">
+                        Description="Select one of the security groups to assign to the policy in Intune"
+                        Header="Group Assignment (Optional)"
+                        HeaderIcon="{ui:FontIcon Glyph=&#xF0B9;}" IsClickEnabled="False" IsActionIconVisible="False">
 
                             <controls:WrapPanel Orientation="Horizontal" HorizontalSpacing="15" VerticalSpacing="15">
 
@@ -165,9 +165,9 @@
 
 
                 <controls:SettingsCard
-            Description="Browse for XML policy file(s) to Sign and deploy on the system"
-            Header="Select signed XML policy file(s)"
-            HeaderIcon="{ui:FontIcon Glyph=&#xEF3F;}" IsClickEnabled="False" IsActionIconVisible="False">
+                Description="Browse for XML policy file(s) to Sign and deploy on the system"
+                Header="Select signed XML policy file(s)"
+                HeaderIcon="{ui:FontIcon Glyph=&#xEF3F;}" IsClickEnabled="False" IsActionIconVisible="False">
 
                     <controls:WrapPanel HorizontalSpacing="15" VerticalSpacing="15">
 
@@ -221,9 +221,9 @@
                         </Button>
 
                         <TeachingTip x:Name="DeploySignedXMLButtonTeachingTip"
-    Target="{x:Bind DeploySignedXMLButton}"
-    Title="No File was selected"
-    Subtitle="You need to select Signed XML files to deploy first.">
+                        Target="{x:Bind DeploySignedXMLButton}"
+                        Title="No File was selected"
+                        Subtitle="You need to select Signed XML files to deploy first.">
                         </TeachingTip>
 
                     </controls:WrapPanel>

AppControl Manager/Pages/Deployment.xaml.cs → AppControl Manager/Pages/DeploymentPage.xaml.cs

@@ -18,7 +18,7 @@
 
 namespace AppControlManager.Pages;
 
-public sealed partial class Deployment : Page, Sidebar.IAnimatedIconsManager
+public sealed partial class DeploymentPage : Page, Sidebar.IAnimatedIconsManager
 {
 	// HashSets to store user input selected files
 	private readonly HashSet<string> XMLFiles = [];
@@ -28,7 +28,7 @@ public sealed partial class Deployment : Page, Sidebar.IAnimatedIconsManager
 	// When true, policies will be deployed to Intune instead of locally
 	private bool deployToIntune;
 
-	public Deployment()
+	public DeploymentPage()
 	{
 		this.InitializeComponent();
 
@@ -329,7 +329,7 @@ await Task.Run(async () =>
 					SiPolicy.SiPolicy policyObject = AddSigningDetails.Add(file, CertPath);
 
 					// Remove the unsigned policy rule option from the policy
-					CiRuleOptions.Set(filePath: file, rulesToRemove: [SiPolicy.OptionType.EnabledUnsignedSystemIntegrityPolicy]);
+					CiRuleOptions.Set(filePath: file, rulesToRemove: [OptionType.EnabledUnsignedSystemIntegrityPolicy]);
 
 					// Define the path for the CIP file
 					string randomString = GUIDGenerator.GenerateUniqueGUID();