- Channel: Microsoft-Windows-AppLocker/EXE and DLL. Events: 8002, 8003, 8004.
- Channel: Microsoft-Windows-AppLocker/MSI and Script. Events: 8005, 8006, 8007.
- Channel: Microsoft-Windows-AppLocker/Packaged app-Execution. Events: 8020, 8021, 8022.
- Channel: Microsoft-Windows-AppLocker/Packaged app-Deployment. Events: 8023, 8024, 8025.
Overview
AppLocker is a native Windows feature, introduced in Windows 7 Enterprise, designed to replace Software Restriction Policies (SRP). AppLocker enables the restriction and control of the executable files that users can run.
AppLocker can control process creation for the following file types, through 5 sets of rules:
- Executables Rules for executables (.exe and .com files).
- Scripts Rules for scripts (.ps1, .bat, .cmd, .vbs and .js files).
- Windows Installer Rules for Windows Installers (.msi, .msp and .mst files).
- Packaged Apps Rules for Windows packaged applications (.appx files).
- Shared Libraries and Controls Rules for Dynamic Link Libraries (.dll and .ocx files).
AppLocker operates on the principle of whitelisting, where files are only allowed to execute or run if they are explicitly allowed by defined rules. Rule sets can be enforced (blocking the execution of files associated with specific types) or configured in audit mode (only generating ETW events).
A computer can implement one or more AppLocker rules, defined locally (in the Local Security Policy) or centrally via one or more Group Policy Objects (GPO). The effective rules actually implemented on the computer are the union of all rules defined in the Local and Group policies.
Note: for AppLocker to be active, the AppIDSvc service must be enabled and running.
Default AppLocker rules
AppLocker provides different default rules for each file type category:
- Executables: the members of the local Administrators group (SID S-1-5-32-544) can execute any binaries, while the other users can only execute binaries from the %PROGRAMFILES% and %WINDIR% folders.
- Scripts: similarly, the default scripts rules allow the members of the local Administrators group (SID S-1-5-32-544) to execute any scripts, while the other users can only execute scripts from the %PROGRAMFILES% and %WINDIR% folders.
- Windows Installer: the default Windows Installer rules allow the members of the local Administrators group (SID S-1-5-32-544) to execute any Windows Installer files, while other users may only execute Windows Installer files that are digitally signed (by any authority) or located in the %WINDIR%\Installer\ folder.
- Packaged Apps: by default, any user (Everyone) can execute packaged apps that are digitally signed by any authority.
- Shared Libraries and Controls: the Dynamic Link Library (DLL) rules must be enforced through the advanced configuration, as they can affect system performance, and may not be enforced in a basic AppLocker configuration. If enforced, the default DLL rules work in the same fashion as the executables and scripts rules: the members of the local Administrators group (SID S-1-5-32-544) can load any DLL, while the other users can only load DLLs from the %PROGRAMFILES% and %WINDIR% folders.
Extract AppLocker configuration
The effectively applied AppLocker rules can be retrieved using the Get-AppLockerPolicy PowerShell cmdlet.
An AppLocker rule is defined for a user or group, identified by the UserOrGroupSid attribute, and one or more conditions, which can be filesystem paths, publishers (for digitally signed files), or Authenticode hashes.

```powershell
# Retrieve the effective AppLocker policy, expanded into its rule collections.
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections

# Retrieve the events of the "EXE and DLL" AppLocker channel (see the AppLocker ETW events section).
Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL"
```
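As an added example (not part of the original notes), the following PowerShell function flattens an AppLocker policy, the effective policy of the local host by default or an exported policy XML file, into one object per rule, so that the enforcement mode of each collection, the principal targeted by UserOrGroupSid and the conditions can be reviewed at a glance. The function name, its parameter and the output columns are assumptions of this example; the element and attribute names are those of the AppLocker policy XML format.

```powershell
# Added example: one object per AppLocker rule from the effective policy or an
# exported policy XML. Function name and output columns are this example's own.
function Get-AppLockerRuleSummary {
    param(
        # Path to an exported policy XML; when omitted, the effective local policy is read.
        [string]$PolicyXmlPath
    )
    if ($PolicyXmlPath) {
        [xml]$policy = Get-Content -Path $PolicyXmlPath -Raw
    } else {
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    }
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        # Type is Exe, Script, Msi, Appx or Dll; EnforcementMode is Enabled,
        # AuditOnly or NotConfigured. Only File*Rule children are rules
        # (newer policies also carry a RuleCollectionExtensions element).
        foreach ($rule in ($collection.ChildNodes | Where-Object { $_.LocalName -like 'File*Rule' })) {
            # Translate the SID to an account name; keep the raw SID when
            # translation fails (e.g. a domain SID analysed offline).
            $sid = $rule.UserOrGroupSid
            try {
                $principal = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $principal = $sid }
            # Render the conditions according to the rule type (exceptions are not expanded).
            $conditions = switch ($rule.LocalName) {
                'FilePathRule'      { $rule.Conditions.FilePathCondition | ForEach-Object { $_.Path } }
                'FilePublisherRule' { $rule.Conditions.FilePublisherCondition | ForEach-Object {
                                          "$($_.PublisherName) / $($_.ProductName) / $($_.BinaryName)" } }
                'FileHashRule'      { $rule.Conditions.FileHashCondition.FileHash | ForEach-Object {
                                          "$($_.SourceFileName) ($($_.Type) $($_.Data))" } }
                default             { "<unsupported rule type $($rule.LocalName)>" }
            }
            [PSCustomObject]@{
                Collection  = $collection.GetAttribute('Type')
                Enforcement = $collection.GetAttribute('EnforcementMode')
                Action      = $rule.Action
                RuleType    = $rule.LocalName
                Principal   = $principal
                Name        = $rule.GetAttribute('Name')
                Conditions  = (@($conditions) -join '; ')
            }
        }
    }
}

# Usage: list every rule, then show which collections are not in enforce mode.
$rules = Get-AppLockerRuleSummary
$rules | Format-Table -AutoSize
$rules | Where-Object { $_.Enforcement -ne 'Enabled' } | Select-Object -Unique Collection, Enforcement
```

The same function can be run against a policy exported from a GPO with Get-AppLockerPolicy -Xml, which is useful when reviewing a host that cannot be queried live.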
AppLocker ETW events
The AppLocker channels contain information about the executions affected by AppLocker rules. By default no events are generated: AppLocker events are only produced once AppLocker rules are configured (in audit or enforce mode) on the system.
The events in the AppLocker channels share a common set of logged properties:
- Policy name and information about the rule that matched: rule identifier, rule name, and rule content in SDDL notation.
- Execution context of the process that triggered the event: SID of the user, session LogonId, and process PID.
- For Executables (executables and DLLs), scripts, and Windows Installer rules, information on the file:
  - File path.
  - Authenticode file hash.
  - Fully Qualified Binary Name (FQBN), a string constructed as Company\Product Suite\Product, Version for signed Windows binary files.
- For Packaged Apps: the packaged app name.
Channel | Conditions | Events |
---|---|---|
Microsoft-Windows-AppLocker/EXE and DLL (EVTX file: Microsoft-Windows-AppLocker%4EXE and DLL.evtx) | Requires a matching AppLocker rule (from Executables Rules or DLL Rules) that allowed the execution. | Event 8002: `<PE_FILE>` was allowed to run. If the default AppLocker rules are enabled, this event is logged for every execution by members of the local Administrators group and for executions from the %PROGRAMFILES% and %WINDIR% folders by every other user. Other execution attempts raise event 8004 (if the AppLocker Executables Rules are enforced) or event 8003 (if they are in audit mode). |
Microsoft-Windows-AppLocker/EXE and DLL (EVTX file: Microsoft-Windows-AppLocker%4EXE and DLL.evtx) | Requires a matching AppLocker rule (from Executables Rules or DLL Rules) that would have blocked the execution if the rule set was in enforce mode. | Event 8003: `<PE_FILE>` was allowed to run but would have been prevented from running if the AppLocker policy were enforced. Logged when an executable or DLL file matching a rule was allowed to execute but would have been blocked by that rule if it was enforced. |
Microsoft-Windows-AppLocker/EXE and DLL (EVTX file: Microsoft-Windows-AppLocker%4EXE and DLL.evtx) | Requires a matching AppLocker rule (from Executables Rules or DLL Rules) that blocked the execution. | Event 8004: `<PE_FILE>` was prevented from running. Logged when an executable or DLL was prevented from executing by a matching enforced AppLocker rule. |
Microsoft-Windows-AppLocker/MSI and Script (EVTX file: Microsoft-Windows-AppLocker%4MSI and Script.evtx) | Requires a matching AppLocker rule (from Scripts Rules or Windows Installer Rules) that allowed the execution. | Event 8005: `<SCRIPT_FILE or MSI_FILE>` was allowed to run. Similarly to the EXE and DLL events, logged for every script / MSI execution by members of the local Administrators group and for script / MSI executions from the %PROGRAMFILES% and %WINDIR% folders by every other user. Other execution attempts raise event 8007 (if the AppLocker Scripts Rules or Windows Installer Rules are enforced) or event 8006 (if they are in audit mode). |
Microsoft-Windows-AppLocker/MSI and Script (EVTX file: Microsoft-Windows-AppLocker%4MSI and Script.evtx) | Requires a matching AppLocker rule (from Scripts Rules or Windows Installer Rules) that would have blocked the execution if the rule set was in enforce mode. | Event 8006: `<SCRIPT_FILE or MSI_FILE>` was allowed to run but would have been prevented from running if the AppLocker policy were enforced. |
Microsoft-Windows-AppLocker/MSI and Script (EVTX file: Microsoft-Windows-AppLocker%4MSI and Script.evtx) | Requires a matching AppLocker rule (from Scripts Rules or Windows Installer Rules) that blocked the execution. | Event 8007: `<SCRIPT_FILE or MSI_FILE>` was prevented from running. |
Microsoft-Windows-AppLocker/Packaged app-Execution (EVTX file: Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx) | Introduced in Windows Server 2012 and Windows 8. Requires a matching AppLocker rule (from Packaged app Rules) that allowed the app execution. | Event 8020: `<PACKAGED_APP>` was allowed to run. |
Microsoft-Windows-AppLocker/Packaged app-Execution (EVTX file: Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx) | Introduced in Windows Server 2012 and Windows 8. Requires a matching AppLocker rule (from Packaged app Rules) that would have blocked the app execution if the rule set was in enforce mode. | Event 8021: `<PACKAGED_APP>` was allowed to run but would have been prevented from running if the AppLocker policy were enforced. |
Microsoft-Windows-AppLocker/Packaged app-Execution (EVTX file: Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx) | Introduced in Windows Server 2012 and Windows 8. Requires a matching AppLocker rule (from Packaged app Rules) that blocked the app execution. | Event 8022: `<PACKAGED_APP>` was prevented from running. |
Microsoft-Windows-AppLocker/Packaged app-Deployment (EVTX file: Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx) | Introduced in Windows Server 2012 and Windows 8. Requires a matching AppLocker rule (from Packaged app Rules) that allowed the app installation. | Event 8023: `<PACKAGED_APP>` was allowed to be installed. |
Microsoft-Windows-AppLocker/Packaged app-Deployment (EVTX file: Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx) | Introduced in Windows Server 2012 and Windows 8. Requires a matching AppLocker rule (from Packaged app Rules) that would have blocked the app installation if the rule set was in enforce mode. | Event 8024: `<PACKAGED_APP>` was allowed to be installed but would have been prevented from being installed if the AppLocker policy were enforced. |
Microsoft-Windows-AppLocker/Packaged app-Deployment (EVTX file: Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx) | Introduced in Windows Server 2012 and Windows 8. Requires a matching AppLocker rule (from Packaged app Rules) that blocked the app installation. | Event 8025: `<PACKAGED_APP>` was prevented from being installed. |
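As an added example (not part of the original notes), this PowerShell function collects the blocked and audit-only events of the EXE and DLL and MSI and Script channels, parses the common properties described above (rule name and SDDL, user SID, LogonId, PID, file path, hash and FQBN) from each event's XML, and summarises them per file path so that an analyst sees which files were attempted, how often, and by whom. The function name and output columns are assumptions of this example; the field names are those of the RuleAndFileData payload under UserData in the AppLocker event XML.

```powershell
# Added example (not part of the original notes): summarise blocked (8004, 8007)
# and audit-only (8003, 8006) AppLocker executions from the EXE and DLL and MSI
# and Script channels of the local host. Assumes read access to these event logs.
function Get-AppLockerDenialSummary {
    param([int]$Days = 7)
    $channels = @{
        'Microsoft-Windows-AppLocker/EXE and DLL'    = @(8003, 8004)
        'Microsoft-Windows-AppLocker/MSI and Script' = @(8006, 8007)
    }
    $since = (Get-Date).AddDays(-$Days)
    $records = foreach ($log in $channels.Keys) {
        # Get-WinEvent reports "no events found" as an error; treat it as an empty result.
        $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = $log; Id = $channels[$log]; StartTime = $since
        }
        foreach ($e in $events) {
            # The properties described in the notes live under UserData/RuleAndFileData.
            $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
            $mode = if ($e.Id -in 8004, 8007) { 'Blocked' } else { 'AuditOnly' }
            [PSCustomObject]@{
                Time     = $e.TimeCreated
                EventId  = $e.Id
                Mode     = $mode
                Policy   = $d.PolicyName
                RuleName = $d.RuleName
                RuleSddl = $d.RuleSddl
                UserSid  = $d.TargetUser
                LogonId  = $d.TargetLogonId
                Pid      = $d.TargetProcessId
                FilePath = $d.FilePath
                FileHash = $d.FileHash
                Fqbn     = $d.Fqbn
            }
        }
    }
    # One line per file path: attempts, how many were actually blocked, and by which users.
    $records | Group-Object FilePath | ForEach-Object {
        [PSCustomObject]@{
            FilePath = $_.Name
            Attempts = $_.Count
            Blocked  = @($_.Group | Where-Object Mode -eq 'Blocked').Count
            Users    = (@($_.Group.UserSid) | Sort-Object -Unique) -join ','
            Hashes   = (@($_.Group.FileHash) | Sort-Object -Unique) -join ','
            LastSeen = ($_.Group.Time | Sort-Object -Descending | Select-Object -First 1)
        }
    } | Sort-Object Attempts -Descending
}
# Usage: review the last 30 days of denials, most frequently attempted files first.
Get-AppLockerDenialSummary -Days 30 | Format-Table -AutoSize
```

A file that appears with several distinct hashes under the same path, or that is attempted by many different user SIDs, is worth prioritising: the Hashes and Users columns make both patterns visible without reading the raw events.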