The Men who stare at the AppLocker event log

Last Updated on December 10, 2021 by rudyooms

This short blog will be about the curious case of AppLocker, MSI, Intune and the event log.

I will divide this blog into multiple parts:

  1. Introduction to AppLocker
  2. Opening a blocked EXE file
  3. Running a blocked MSI

1. Introduction to AppLocker

As you probably already know you can deploy your AppLocker baseline with PowerShell within a few minutes.

Let’s take a look at AppLocker before we continue… When deploying AppLocker you can check your configuration in the file system or registry (without Intune).

File System:

Take a look at c:\windows\system32\AppLocker. You’ll find all AppLocker policies in it. When using Intune all AppLocker policies will be placed inside the MDM folder.

Registry (without Intune!):

Of course, when not using Intune, the AppLocker policies would also be stored in the registry:

HKLM\Software\Policies\Microsoft\Windows\SrpV2

Did you notice the last characters? SRPV2: Software Restriction Policy V2.

A quick tip: When you have locked yourself out with AppLocker, you can do a lot with these registry settings from a remote computer.

2. Opening a blocked EXE file

So, before we can test AppLocker, we still need to configure some basic rules to block CMD and PowerShell.

Now that we have configured our security AppLocker baseline, try to open CMD. It’ll be blocked, as shown by the AppLocker notification below, with the error: “This app has been blocked by the administrator”

Now we have generated a nice error, let’s open the Event viewer and take a look at the EXE and DLL event log.

As shown above, a nice event 8004 will be logged. So you can set up your AppLocker monitoring through Solarwinds as I did. But what about the MSI and scripts?

3. Running a blocked MSI

AppLocker has an MSI and script event log… but when AppLocker is deployed through Intune you can forget about the whole MSI and Script AppLocker component!

Because MSI and script is not AppLocker (SRPV2); it makes use of the legacy Software Restriction Policies! In my opinion, it’s a little bit weird that I couldn’t find any information about this!

So, I tried to run an MSI (which I blocked). The first thing I noticed was the lack of an AppLocker warning when executing the MSI. When I opened the event log and looked at the MSI and Script AppLocker log, it was silent. There is no log, really no log at all.

Okay? Now go look at your Application log instead! 

Event 1007? Doesn’t that event certainly look like SRP?

Yes, it definitely looks like the old school software restriction policy Microsoft is using to block MSI.
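
The checks from parts 2 and 3 can be run as one query. The following PowerShell is an added example, not the author's own monitoring setup. It assumes the standard Windows channel names for the two AppLocker logs and an arbitrary 24-hour look-back window.

```powershell
# Added example: look for block events in every log this post visits.
# Assumption: 24-hour window; adjust $since as needed.
$since = (Get-Date).AddHours(-24)

$queries = @(
    # Part 2: blocked EXE/DLL, logged by AppLocker itself as event 8004
    @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004; StartTime = $since }
    # Part 3: the AppLocker MSI and Script log, queried without an Id
    # so that any entry at all shows up
    @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; StartTime = $since }
    # Part 3: the Application log, where the blocked MSI appears as event 1007
    @{ LogName = 'Application'; Id = 1007; StartTime = $since }
)

$found = foreach ($q in $queries) {
    # Get-WinEvent raises an error when nothing matches, so silence that
    # case and report an explicit count per log instead.
    $hits = @(Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue)
    Write-Host ("{0,-45} {1} event(s)" -f $q.LogName, $hits.Count)
    $hits
}

# Event IDs are only unique per provider, so ProviderName is shown to let
# you confirm that a 1007 hit in the Application log is the block event
# and not an unrelated application reusing the same ID.
$found | Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, ProviderName, Id,
        @{ Name = 'Message'; Expression = { ("$($_.Message)" -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt after reproducing both blocks. A count of 0 for the MSI and Script log next to a 1007 hit in the Application log matches the behaviour described above.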

Conclusion:

Deploying AppLocker to protect your endpoints is a very wise option. But understanding how AppLocker works is definitely something else. Like the quick tip I mentioned about recovering from an AppLocker misconfiguration, I still don’t quite know how you can do the same when using Intune.
