Windows 7 / Security and Privacy

Auditing AppLocker Rules

The consequences of an incorrectly configured AppLocker rule can be severe, because you can prevent a user from running a critical application or even logging on to Windows. When adding AppLocker rules to GPOs that are applied throughout your organization, a single mistake could stop productivity for thousands of users.

To allow you to test rules before applying them, AppLocker rules can be either enforced or audited. You should always configure new AppLocker rules as Audit Only and monitor the auditing results for users in a production environment to ensure there are no unwanted side effects, such as preventing users from running legitimate applications.

By default, AppLocker rules are enforced. To configure AppLocker rules to be audited only, follow these steps:

  1. In the GPO Editor, right-click the Computer Configuration\Policies\Windows Settings\ Security Settings\Application Control Policies\AppLocker node and then click Properties.
  2. The AppLocker Properties dialog box appears. Select the Configured check box for each of the rule types that you have configured. Then, click the list and select Audit Only. If you have enabled DLL Rules, you will also see the option to audit or enforce dynamic-link library (DLL) rules on this tab.
  3. Click OK.

With auditing enabled, AppLocker will add events to the AppLocker event logs (located within Application And Services Logs\Microsoft\Windows\AppLocker). After verifying that your AppLocker rules have the desired effect, you can repeat the previous steps and select Enforce Rules. Table below lists the events that AppLocker might add during either auditing or full rule enforcement.

AppLocker Auditing Events

Event IDEvent LevelEvent TextText
8002Informational<Filename> was allowed to run.Specifies that the .exe or .dll file is allowed by an AppLocker rule.
8003Warning<Filename> was allowed to run but would have been prevented from running if the AppLocker policy were enforced.Specifies that the file would have been blocked if the Enforce Rules enforcement mode were enabled. You see this event level only when the enforcement mode is set to Audit Only.
8004Error<Filename> was not allowed to run.The file cannot run. You see this event level only when the enforcement mode is set directly or indirectly through Group Policy inheritance to Enforce Rules.
8005Information<Filename> was allowed to run.Specifies that the .msi file or script is allowed by an AppLocker rule.
[Previous] [Contents] [Next]

In this tutorial:

  1. Windows 7 Client Protection
  2. Understanding the Risk of Malware
  3. User Account Control in Windows 7
  4. UAC for Standard Users
  5. UAC for Administrators
  6. UAC User Interface
  7. Secure Desktop
  8. How Windows Determines Whether an Application Needs Administrative Privileges
  9. How to Control UAC Using Application Properties
  10. How UAC Examines the Application Manifest
  11. UAC Heuristics
  12. UAC Virtualization
  13. UAC and Startup Programs
  14. Compatibility Problems with UAC
  15. How to Configure UAC
  16. Group Policy Settings
  17. Control Panel
  18. Msconfig.exe
  19. How to Configure Auditing for Privilege Elevation
  20. Other UAC Event Logs
  21. Best Practices for Using UAC
  22. AppLocker
  23. AppLocker Rule Types
  24. Auditing AppLocker Rules
  25. DLL Rules
  26. Custom Error Messages
  27. Using AppLocker with Windows PowerShell
  28. Using Windows 7 Defender
  29. Understanding Windows Defender
  30. Automatic Scanning
  31. Real-Time Protection
  32. Windows Defender Alert Levels
  33. Understanding Microsoft SpyNet
  34. Configuring Windows Defender Group Policy
  35. Configuring Windows Defender on a Single Computer
  36. How to Determine Whether a Computer Is Infected with Spyware
  37. Best Practices for Using Windows Defender
  38. How to Troubleshoot Problems with Unwanted Software
  39. Network Access Protection
  40. Forefront