Using Auditing to Track Which Applications Are Used

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

The Audit only enforcement setting helps you determine which applications are used in an organization. When the AppLocker policy for a rule collection is set to Audit only, rules for that rule collection are not enforced. When a user runs an application that would have been affected by an AppLocker rule, information about that application is added to the AppLocker event log.

Note

This scenario assumes that you completed Automatically Generating Executable Rules from a Reference Computer. However, you can complete the procedures in this scenario to test any rules that you already defined on the reference computer. If you are working with a predefined AppLocker rule set, ensure that the default rules were created.
If you did not create the default rules and are prevented from performing administrative tasks, restart the computer in Safe Mode, add the default rules, delete any deny rules that are preventing access, and then restart the computer in normal mode.

This scenario includes the following steps:

  • Step 1: Configure the audit enforcement setting

  • Step 2: Start the Application Identity service

  • Step 3: Refresh Group Policy settings on the computer

  • Step 4: Review the AppLocker log in Event Viewer

Step 1: Configure the audit enforcement setting

There are three AppLocker enforcement modes. When AppLocker policies are merged, both the rules and the enforcement modes are merged. The closest GPO setting is used for the enforcement mode while all rules from linked GPOs are applied, except for the Not configured setting, which is overwritten by any other linked setting.

The following table details the enforcement modes.

Enforcement mode Description

Not configured

Default. If linked GPOs contain a different setting, that setting is used. Otherwise, if any rules are present in the corresponding rule collection, they are enforced.

Enforce rules

Rules are enforced.

Audit only

Rules are audited but not enforced.

Before turning on rule enforcement, test the rules first by using the Audit only enforcement setting.

To configure the enforcement setting for the Executable Rules collection to Audit only

  1. To open the Local Security Policy MMC snap-in, click Start, type secpol.msc, and then press ENTER.

  2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.

  3. In the details pane, scroll down to the Configure Rule Enforcement heading, and then click Configure rule enforcement.

  4. In the AppLocker Properties dialog box, under Executable Rules, click Audit only, and then click OK.

After creating the default rules and enabling the auditing mode, deploy the test policy to test the GPO and determine which applications are being used.

Step 2: Start the Application Identity service

The Application Identity service performs all of the rule conversion for the AppLocker policy. For AppLocker policy to be evaluated on a computer, the Application Identity service must be started.

To start the Application Identity service

  1. Click Start, type services.msc , and then press ENTER.

  2. In the Services snap-in console, right-click Application Identity, and then click Properties.

  3. On the Start type menu, click Automatic, and then click OK.

  4. In the Services snap-in console, right-click Application Identity, and then click Start to start the service for the first time.

Note

Consider using Group Policy to start the service automatically on all computers where you plan to deploy AppLocker. For information about configuring Group Policies, see How to Configure Group Policies to Set Security for System Services.

Step 3: Refresh Group Policy settings on the computer

After you create new AppLocker rules, you must refresh the Group Policy settings on the computer to ensure that the AppLocker rules are applied.

To refresh Group Policy settings

  1. At the command prompt, type gpupdate /force, and then press ENTER.

  2. Wait for the messages confirming that the user and computer policies are updated, and then close the window.

Step 4: Review the AppLocker log in Event Viewer

The AppLocker log contains information about all of the applications that are affected by AppLocker rules. You can use the log to determine which applications are affected by a rule. Each event in the AppLocker operational log contains detailed information about:

  • Which file is affected and the path of that file.

  • Whether the file is allowed or blocked.

  • The rule type (path, file hash, or publisher).

  • The rule name.

  • The security identifier (SID) for the targeted user or group.

To review the AppLocker log in Event Viewer

  1. Click Start, type eventvwr.msc, and then press ENTER.

  2. In the Event Viewer console tree, double-click Application and Services Logs, double-click Microsoft, double-click Windows, double-click AppLocker, and then click EXE and DLL.

  3. Review the entries in the results pane to determine if any applications are not included in the rules that you automatically generated. For instance, some line-of-business applications are installed to non-standard locations, such as the root of the active drive (C:\).

The following table describes the event levels that you may find in the log.

Note

New logs and new events have been added in Windows Server 2012 and Windows 8. For more information, see Using Event Viewer with AppLocker.

Event ID Event level Event text Description

8000

Error

Application Identity Policy conversion failed. Status <%1>

The policy was not applied correctly to the computer. The Status message is provided for troubleshooting purposes.

8001

Informational

The AppLocker policy was applied successfully to this computer.

The AppLocker policy was applied successfully to this computer.

8002

Informational

<File name> was allowed to run.

Specifies that the .exe or .dll file is allowed by an AppLocker rule.

8003

Warning

<File name> was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Specifies that the file would have been blocked if the Enforce rules enforcement mode were enabled. You see this event level only when the enforcement mode is set to Audit only.

8004

Error

<File name> was not allowed to run.

The file cannot run. You see this event level only when the enforcement mode is set directly or indirectly through Group Policy inheritance to Enforce rules.

8005

Information

<File name> was allowed to run.

Specifies that the .msi file or script is allowed by an AppLocker rule.

See Also

Concepts

AppLocker Step-by-Step Scenarios