Windows 7 / Security and Privacy

Auditing AppLocker Rules

The consequences of an incorrectly configured AppLocker rule can be severe, because a bad rule can prevent a user from running a critical application or even from logging on to Windows. When adding AppLocker rules to GPOs that are applied throughout your organization, a single mistake could stop productivity for thousands of users.

To allow you to test rules before applying them, AppLocker rules can be either enforced or audited. You should always configure new AppLocker rules as Audit Only and monitor the auditing results for users in a production environment to ensure there are no unwanted side effects, such as preventing users from running legitimate applications.

By default, AppLocker rules are enforced. To configure AppLocker rules to be audited only, follow these steps:

  1. In the GPO Editor, right-click the Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker node and then click Properties.
  2. The AppLocker Properties dialog box appears. Select the Configured check box for each of the rule types that you have configured. Then, click the list and select Audit Only. If you have enabled DLL Rules, you will also see the option to audit or enforce dynamic-link library (DLL) rules on this tab.
  3. Click OK.

With auditing enabled, AppLocker adds events to the AppLocker event logs (located under Applications And Services Logs\Microsoft\Windows\AppLocker). After verifying that your AppLocker rules have the desired effect, you can repeat the previous steps and select Enforce Rules. The table below lists the events that AppLocker might add during either auditing or full rule enforcement.

AppLocker Auditing Events

Event ID: 8002
Event Level: Informational
Event Text: <Filename> was allowed to run.
Description: Specifies that the .exe or .dll file is allowed by an AppLocker rule.

Event ID: 8003
Event Level: Warning
Event Text: <Filename> was allowed to run but would have been prevented from running if the AppLocker policy were enforced.
Description: Specifies that the file would have been blocked if the Enforce Rules enforcement mode were enabled. You see this event level only when the enforcement mode is set to Audit Only.

Event ID: 8004
Event Level: Error
Event Text: <Filename> was not allowed to run.
Description: The file cannot run. You see this event level only when the enforcement mode is set, directly or indirectly through Group Policy inheritance, to Enforce Rules.

Event ID: 8005
Event Level: Information
Event Text: <Filename> was allowed to run.
Description: Specifies that the .msi file or script is allowed by an AppLocker rule.
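As an added example (not from the book), the following PowerShell script reads the two AppLocker logs named above and summarises the 8003 (would have been blocked under Audit Only) and 8004 (blocked under Enforce Rules) events from the table by file and user, which is the review to do before switching a policy from Audit Only to Enforce Rules. It assumes PowerShell 3.0 or later, the standard channel names Microsoft-Windows-AppLocker/EXE and DLL and Microsoft-Windows-AppLocker/MSI and Script, and an elevated session on the audited host.

```powershell
# Added example, not from the book. Assumes PowerShell 3.0+, the standard
# AppLocker channel names below, and that it is run elevated on the audited host.
$channels = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script'
)

# 8003 = would have been blocked (Audit Only); 8004 = actually blocked (Enforce Rules)
$interesting = 8003, 8004

$events = foreach ($channel in $channels) {
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = $interesting } -ErrorAction Stop
    } catch {
        # Get-WinEvent reports "No events were found" as an error; an empty log is not a failure here
        if ($_.Exception.Message -notmatch 'No events were found') { throw }
    }
}

# The file path is the leading token of the event text listed in the table:
# "<Filename> was allowed to run but would have been prevented ..." / "<Filename> was not allowed to run."
$rows = foreach ($e in $events) {
    $file = if ($e.Message -match '^(?<file>.+?) was (allowed|not allowed) to run') { $Matches['file'] } else { $e.Message }
    [pscustomobject]@{
        EventId = $e.Id
        Outcome = if ($e.Id -eq 8003) { 'WouldBlock' } else { 'Blocked' }
        File    = $file
        User    = [string]$e.UserId      # SID of the account that launched the file
        Time    = $e.TimeCreated
    }
}

# One line per (event, file): how often it fired, which users hit it, and when it was last seen.
$summary = $rows | Group-Object EventId, File | ForEach-Object {
    [pscustomobject]@{
        EventId  = $_.Group[0].EventId
        Outcome  = $_.Group[0].Outcome
        File     = $_.Group[0].File
        Hits     = $_.Count
        Users    = (($_.Group | ForEach-Object { $_.User }) | Sort-Object -Unique) -join ', '
        LastSeen = ($_.Group | ForEach-Object { $_.Time } | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Hits -Descending

$summary | Format-Table -AutoSize
```

Any WouldBlock line for an application users legitimately need means the rule set needs an additional allow rule before Enforce Rules is selected.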