Auditing AppLocker Rules
The consequences of an incorrectly configured AppLocker rule can be severe, because a bad rule can prevent users from running a critical application or even from logging on to Windows. When adding AppLocker rules to GPOs that are applied throughout your organization, a single mistake could stop productivity for thousands of users.
To allow you to test rules before applying them, AppLocker rules can be either enforced or audited. You should always configure new AppLocker rules as Audit Only and monitor the auditing results for users in a production environment to ensure there are no unwanted side effects, such as preventing users from running legitimate applications.
By default, AppLocker rules are enforced. To configure AppLocker rules to be audited only, follow these steps:
- In the GPO Editor, right-click the Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker node and then click Properties.
- The AppLocker Properties dialog box appears. Select the Configured check box for each of the rule types that you have configured. Then, click the list and select Audit Only. If you have enabled DLL Rules, you will also see the option to audit or enforce dynamic-link library (DLL) rules on this tab.
- Click OK.
With auditing enabled, AppLocker will add events to the AppLocker event logs (located within Application And Services Logs\Microsoft\Windows\AppLocker). After verifying that your AppLocker rules have the desired effect, you can repeat the previous steps and select Enforce Rules. The table below lists the events that AppLocker might add during either auditing or full rule enforcement.
AppLocker Auditing Events
| Event ID | Event Level | Event Text | Description |
|---|---|---|---|
| 8002 | Informational | <Filename> was allowed to run. | Specifies that the .exe or .dll file is allowed by an AppLocker rule. |
| 8003 | Warning | <Filename> was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Specifies that the file would have been blocked if the Enforce Rules enforcement mode were enabled. You see this event only when the enforcement mode is set to Audit Only. |
| 8004 | Error | <Filename> was not allowed to run. | The file cannot run. You see this event only when the enforcement mode is set to Enforce Rules, either directly or indirectly through Group Policy inheritance. |
| 8005 | Informational | <Filename> was allowed to run. | Specifies that the .msi file or script is allowed by an AppLocker rule. |
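The following script is an added example, not part of the original tutorial: it reads the AppLocker event logs on the local computer and summarizes the 8003 events produced while a policy is in Audit Only mode, so you can see which files (and how many users) would be blocked before switching the GPO to Enforce Rules. It assumes the standard AppLocker log names and the field names found in the UserData section of AppLocker events; run it in an elevated PowerShell session.

```powershell
# Added example: summarize AppLocker audit results before enabling Enforce Rules.
# Log names are the standard AppLocker channels shown under
# Applications And Services Logs\Microsoft\Windows\AppLocker in Event Viewer.
$logs = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script'
)
# 8003 = allowed, but would have been blocked under Enforce Rules (Audit Only)
# 8004 = blocked (Enforce Rules); included so the same report works after rollout
$ids   = 8003, 8004
$since = (Get-Date).AddDays(-7)   # look back one week of auditing

$events = foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $since } `
                 -ErrorAction SilentlyContinue
}

$report = foreach ($e in $events) {
    # AppLocker stores the details in the event's UserData XML; element names
    # (PolicyName, TargetUser, FilePath) are assumed from the RuleAndFileData node.
    $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    $sid  = $data.TargetUser
    # Translate the SID to an account name for readability; fall back to the SID
    try {
        $user = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                    Translate([System.Security.Principal.NTAccount]).Value
    } catch { $user = $sid }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        EventId  = $e.Id
        RuleType = $data.PolicyName     # EXE, DLL, MSI or SCRIPT
        FilePath = $data.FilePath
        User     = $user
    }
}

# Files that would break when enforcement is turned on, most frequent first,
# with the distinct users affected by each one.
$report | Where-Object EventId -eq 8003 |
    Group-Object FilePath |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

An empty report after a representative auditing period is the signal that the rules can be switched to Enforce Rules; any 8003 entries should be resolved by adding or widening rules first.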