Windows – How to find out which programs were blocked by the group policy

group-policywindows 7

I have to lock down a company computer so that it becomes reasonably difficult to perform anything but the intended tasks with it. As one of the steps, I have restricted the programs that are allowed to be run via a group policy object. However, at times (for example when I plug in a USB device), a window pops up informing me that my group policy has blocked the execution of a program. How do I track down which program that was?

When I have the Task Manager enabled, I notice that something seems to run when plugging in a device, but it disappears so quickly that I am unable to catch its name. I also don't seem to find anything in the event logs. How can I track that program(s) down?

Best Answer

It sounds like you didnt start the Application Identity Service on the target computers.

  1. Click Start, type services.msc , and then press ENTER.
  2. In the Services snap-in console, right-click Application Identity, and then click Properties.
  3. On the Start type menu, click Automatic, and then click OK
  4. In the Services snap-in console, right-click Application Identity, and then click Start to start the service for the first time.

You might want to consider using Group Policy to start the service automatically on all computers where you plan to deploy AppLocker.

The AppLocker log contains information about all of the applications that are affected by AppLocker rules. You can use the log to determine which applications are affected by a rule. Each event in the AppLocker operational log contains detailed information about:

  • Which file is affected and the path of that file.
  • Whether the file is allowed or blocked.
  • The rule type (path, file hash, or publisher).
  • The rule name.
  • The security identifier (SID) for the targeted user or group.

To review the AppLocker log in Event Viewer

  1. Click Start, type eventvwr.msc, and then press ENTER.
  2. In the Event Viewer console tree, double-click Application and Services Logs, double-click Microsoft, double-click Windows, double-click AppLocker, and then click EXE and DLL.
  3. Review the entries in the results pane to determine if any applications are not included in the rules that you automatically generated. For instance, some line-of-business applications are installed to non-standard locations, such as the root of the active drive (C:).
Related Question